Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Problem with firewall accepting mail

Posted on 2011-03-24
17
Medium Priority
?
744 Views
Last Modified: 2012-05-11
We recently moved to new office.  I had a consultant set up the firewall.  He was supposed to configure it exactly as the old one.  He didn't and now he can not be reached.
Our MX record points to a SPAM filtering company.  They then send our mail to us.  For the first day they could not send us any mail.  Then I finally got the consultant to put in a change to fix it.  This morning I received this message from the SPAM company.

Still having issues delivering mail to your server consistently.  I currently have 85 messages in queue for your domain.  They have been slowly climbing.  

I see most mail is going through ok but some seems to be getting an error from your server/firewall:
 
2011-03-23T16:34:40.351358-04:00 dpout01 postfix/smtp[417]: 4E9E41C781FB: to=<drocha@rgrayclamps.com>, relay=mail.rgrayclamps.com[12.204.121.3]:25, delay=1013, delays=680/0/0.1/333, dsn=4.4.2, status=deferred (lost connection with mail.rgrayclamps.com[12.204.121.3] while sending end of data -- message may be sent more than once)
 
If you have ‘smtp fixup’ set on your firewall, you will want to disable that, it definitely could cause these types of issues.

I do not have smtp fixup set on the firewall.
0
Comment
Question by:jtennyson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206340
Hi there :)

Could be a number of things so let's see. Looking at the config from your previous question I see no smtp fixup indeed. By the way, it is called 'inspect' in the ASA.
You do have an inspect esmtp which might be the issue.

On the other hand I see that you are only allowing smtp traffic in from a number of ip ranges. Are you sure that all the ip addresses from where your SPAM filtering company could send you mail are covered?
0
 

Author Comment

by:jtennyson
ID: 35206371
I am going to check with them right now.
0
 

Author Comment

by:jtennyson
ID: 35206401
The company is in California so I am sure they will not be in for a couple of hours.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206437
Always nice, different timezones :)

Allright, let's just wait then for now and let me know when they are in.
0
 

Author Comment

by:jtennyson
ID: 35206514
They did get back to me and they said those are the correct addresses.

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35206588
Ok, in that case let's remove the line 'inspect esmtp'. That's used for smtp and esmtp. See if that helps.

To remove it:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit


Oh, it might be an idea to change those lines to:

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 host 12.204.121.3 eq smtp

Assuming 12.204.121.3 is the public address of the mailserver and the only host where you would want to allow smtp connections to.
0
 

Author Comment

by:jtennyson
ID: 35206776
Thanks again.  I made the changes and will let you know what happens.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206787
I'll be here :)
0
 

Author Comment

by:jtennyson
ID: 35206822
Should I reboot the firewall?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35206871
disabling ESMTP Inspection should solve the issue...
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206880
Not really. Those changes should be effective immediatly.
0
 

Author Closing Comment

by:jtennyson
ID: 35209339
Once again you are the best.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35209378
Thx, only I'm afraid you awarded the wrong one :-(
0
 

Author Closing Comment

by:jtennyson
ID: 35223017
I'm so sorry.  I would double the points for you if I could.  I hope your reading on Monday I will need more help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35223156
Never mind, I was convinced it wasn't your intention.
See you on monday :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question