• Status: Solved

SMTP from DMZ to Exchange server not working

I have a Windows Web Server 2008 R2 SP1 inside a DMZ that uses PHP to send emails to a Windows Server 2003 running MS Exchange 2003, which is on one of my internal networks. I have an ACL permitting port 25 (SMTP) traffic going from my web server to my Exchange server. On the web server, when I try to "telnet exchangerserver 25" I get some gibberish: "220 ***************....." and am unable to create emails. When I move the web server out of the DMZ onto the local network, I see the normal greeting when I telnet to Exchange: "220 mail.blah.company Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 5 May 2011 15:25:02 -0500" and now (not in the DMZ) I can create emails via command line and all the mail features on my web site are working.

I am not that great with Exchange... at all; but this is what I have done so far: drilled down through the mail server->protocols->smtp to "Default SMTP Virtual Server", went to access, made sure the IP scope that my web server is in is permitted on the "relay restrictions", also tried opening "relay restrictions" and giving full permissions to the user (computer) "WebServer$". My login account that I'm telnetting in with is a member of the administrator group on the web server, and it is a domain enterprise admin.

Went to the first routing group->connectors-> SMTP and made sure there is nothing blocking my DMZ IP scope or user account there.

Again, I don't know much about Exchange, so I'd appreciate detailed ideas on what to look at and troubleshoot.

thanks,
Steven
Asked by: sdmarek
 
endital1097 Commented:
The issue is with a firewall between your web server and Exchange which is blocking the SMTP verbs.
I believe for Cisco devices it is called Mailguard.
 
sdmarek (Author) Commented:
Looks like you are correct with it being a problem with the Cisco firewall. It looks like it could be the SMTP or ESMTP traffic inspections causing the problem:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect esmtp
  ...

I am about to do a presentation to the company right now, so I don't want to risk breaking anything. To allow work right now, all I did was install a second NIC (VM server, so np there) and put that second NIC on the internal LAN with a persistent route on the server; this allows the demo site to be internet facing and still access emails. I know there's a security hole there, so once I am available, I will look into resolving any issues with the Cisco ASA.

I'll let you know how it goes in a day or two.

thanks,
Steven
 
pgolding00 Commented:
The PIX or ASA firewall is inspecting the SMTP traffic, obfuscating all but the status code from the server. This is done to protect the SMTP server and works fine for most sites. You can prevent this by removing "inspect esmtp" or "inspect smtp" from whichever policy it's coming from - in your case it looks like it's the default policy.

To remove SMTP inspection, access the firewall via telnet or SSH, log in and then
enable
<enter the enable password>
conf t
policy-map global_policy
class inspection_default
no inspect esmtp
then control-z, "write mem" and you're done.
 
sdmarek (Author) Commented:
Sorry it took me so long to get back to this. The problem was with the ASA filtering traffic, and the "no inspect" fixed it.

thanks,
Steven
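
The symptom diagnosed in this thread (a 220 greeting whose text arrives as asterisks when the connection crosses the inspecting firewall) can be checked for automatically. The following is an added example, not code from any poster in the thread; the function names, the 0.5 threshold and the constructed masked sample are assumptions made for illustration.

```python
import re
import socket

REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Greeting quoted in the question when the web server sat on the internal LAN.
LAN_BANNER = ("220 mail.blah.company Microsoft ESMTP MAIL Service, "
              "Version: 6.0.3790.4675 ready at  Thu, 5 May 2011 15:25:02 -0500\r\n")
# Constructed sample of a greeting rewritten in transit (not captured output).
MASKED_SAMPLE = "220 ************************2******0*0*********\r\n"

def parse_reply(raw):
    """Parse one SMTP reply (possibly multi-line) into (code, [text, ...])."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("status code changed inside one reply")
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":      # "NNN text" or bare "NNN" ends the reply
            break
    if code is None:
        raise ValueError("empty reply")
    return code, texts

def banner_is_masked(raw, threshold=0.5):
    """True when a 220 greeting's text is mostly '*' (threshold is an assumption)."""
    code, texts = parse_reply(raw)
    text = "".join(texts).replace(" ", "")
    if code != "220" or not text:
        return False
    return text.count("*") / len(text) >= threshold

def probe(host, port=25, timeout=5.0):
    """Read the greeting from a live server you administer and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = []
        for line in sock.makefile("r", encoding="ascii", errors="replace"):
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break
    return banner_is_masked("".join(lines))

if __name__ == "__main__":
    print("LAN banner masked:   ", banner_is_masked(LAN_BANNER))
    print("sample banner masked:", banner_is_masked(MASKED_SAMPLE))
```

Running `probe` against the same mail server from a DMZ host and from a LAN host, and getting different answers, points at a device in the DMZ path rather than at the mail server's configuration.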