Solved

Problem with firewall accepting mail

Posted on 2011-03-24
17
736 Views
Last Modified: 2012-05-11
We recently moved to new office.  I had a consultant set up the firewall.  He was supposed to configure it exactly as the old one.  He didn't and now he can not be reached.
Our MX record points to a SPAM filtering company.  They then send our mail to us.  For the first day they could not send us any mail.  Then I finally got the consultant to put in a change to fix it.  This morning I received this message from the SPAM company.

Still having issues delivering mail to your server consistently.  I currently have 85 messages in queue for your domain.  They have been slowly climbing.  

I see most mail is going through ok but some seems to be getting an error from your server/firewall:
 
2011-03-23T16:34:40.351358-04:00 dpout01 postfix/smtp[417]: 4E9E41C781FB: to=<drocha@rgrayclamps.com>, relay=mail.rgrayclamps.com[12.204.121.3]:25, delay=1013, delays=680/0/0.1/333, dsn=4.4.2, status=deferred (lost connection with mail.rgrayclamps.com[12.204.121.3] while sending end of data -- message may be sent more than once)
 
If you have ‘smtp fixup’ set on your firewall, you will want to disable that, it definitely could cause these types of issues.

I do not have smtp fixup set on the firewall.
0
Comment
Question by:jtennyson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206340
Hi there :)

Could be a number of things so let's see. Looking at the config from your previous question I see no smtp fixup indeed. By the way, it is called 'inspect' in the ASA.
You do have an inspect esmtp which might be the issue.

On the other hand I see that you are only allowing smtp traffic in from a number of ip ranges. Are you sure that all the ip addresses from where your SPAM filtering company could send you mail are covered?
0
 

Author Comment

by:jtennyson
ID: 35206371
I am going to check with them right now.
0
 

Author Comment

by:jtennyson
ID: 35206401
The company is in California so I am sure they will not be in for a couple of hours.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206437
Always nice, different timezones :)

Allright, let's just wait then for now and let me know when they are in.
0
 

Author Comment

by:jtennyson
ID: 35206514
They did get back to me and they said those are the correct addresses.

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35206588
Ok, in that case let's remove the line 'inspect esmtp'. That's used for smtp and esmtp. See if that helps.

To remove it:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit


Oh, it might be an idea to change those lines to:

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 host 12.204.121.3 eq smtp

Assuming 12.204.121.3 is the public address of the mailserver and the only host where you would want to allow smtp connections to.
0
 

Author Comment

by:jtennyson
ID: 35206776
Thanks again.  I made the changes and will let you know what happens.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206787
I'll be here :)
0
 

Author Comment

by:jtennyson
ID: 35206822
Should I reboot the firewall?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35206871
disabling ESMTP Inspection should solve the issue...
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206880
Not really. Those changes should be effective immediatly.
0
 

Author Closing Comment

by:jtennyson
ID: 35209339
Once again you are the best.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35209378
Thx, only I'm afraid you awarded the wrong one :-(
0
 

Author Closing Comment

by:jtennyson
ID: 35223017
I'm so sorry.  I would double the points for you if I could.  I hope your reading on Monday I will need more help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35223156
Never mind, I was convinced it wasn't your intention.
See you on monday :)
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question