SMTP from DMZ to Exchange server not working

Posted on 2011-05-05
Last Modified: 2012-05-11
I have a Windows Web Server 2008 R2 SP1 inside a DMZ that uses PHP to send emails to a Windows Server 2003 running MS Exchange 2003 that is on one of my internal networks.  I have an ACL permitting port 25 (SMTP) traffic going from my web server to my Exchange server.  On the web server when I try "telnet exchangeserver 25" I get some gibberish: "220 ***************....." and am unable to create emails.  When I move the web server out of the DMZ onto the local network I see the normal greeting when I telnet to Exchange: "220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 5 May 2011 15:25:02 -0500" and now (not in the DMZ) I can create emails via the command line and all the mail features on my web site are working.

I am not that great with Exchange... at all; but this is what I have done so far: drilled down through the mail server -> Protocols -> SMTP to "Default SMTP Virtual Server", went to Access, made sure the IP scope that my web server is in is permitted under "Relay restrictions", and also tried opening "Relay restrictions" and giving full permissions to the user (computer) "WebServer$".  The login account I'm telnetting in with is a member of the Administrators group on the web server, and it is a domain enterprise admin.

Went to the first routing group -> Connectors -> SMTP and made sure there is nothing blocking my DMZ IP scope or user account there.

Again, I don't know much about Exchange so I'd appreciate detailed ideas on what to look at and troubleshoot.

Question by:sdmarek
    LVL 32

    Assisted Solution

    The issue is with a firewall between your web server and Exchange which is blocking the SMTP verbs.
    I believe for Cisco devices it is called Mailguard.
    LVL 2

    Author Comment

    Looks like you are correct with it being a problem with the Cisco firewall.  It looks like it could be the SMTP or ESMTP traffic inspection causing the problem:

    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect esmtp

    I am about to do a presentation to the company right now, so I don't want to risk breaking anything.  To allow work right now all I did was install a second NIC (VM servers so no problem there) and put that second NIC on the internal LAN with a persistent route on the server; this allows the demo site to be internet facing and still access email.  I know there's a security hole there, so once I am available, I will look into resolving any issues with the Cisco ASA.

    I'll let you know how it goes in a day or two.

    LVL 8

    Accepted Solution

    The PIX or ASA firewall is inspecting the SMTP traffic, obfuscating all but the status code from the server. This is done to protect the SMTP server and works fine for most sites. You can prevent this by removing "inspect esmtp" or "inspect smtp" from whichever policy it's coming from; in your case it looks like it's the default policy.

    To remove SMTP inspection, access the firewall via telnet or SSH, log in and then:
    <enter the enable password>
    conf t
    policy-map global_policy
    no inspect esmtp
    Then Ctrl-Z, "write mem" and you're done.
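    A quick way to confirm whether a path to the mail server is subject to this kind of banner masking, before and after the policy change, is to read the SMTP greeting and check whether it is all asterisks. The script below is an added example, not code from the thread or from Cisco; the sample banners are constructed from the two greetings quoted in the question, and the default hostname "exchangeserver" is a placeholder.

```python
import socket

# Constructed sample banners, reproducing the two greetings quoted in the question.
MASKED_BANNER = "220 ****************************************"
NORMAL_BANNER = ("220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 "
                 "ready at  Thu, 5 May 2011 15:25:02 -0500")


def classify_smtp_banner(line: str) -> str:
    """Classify one SMTP greeting line.

    'masked'   - 220 followed only by asterisks: an inline inspector (ASA/PIX
                 ESMTP inspection, Mailguard) is rewriting the server banner
    'normal'   - ordinary 220 greeting with readable server text
    'rejected' - 4xx/5xx greeting, the server is not accepting mail right now
    'unknown'  - not an SMTP greeting at all (wrong port, different service)
    """
    line = line.strip()
    if len(line) < 3 or not line[:3].isdigit():
        return "unknown"
    code, rest = line[:3], line[3:].lstrip(" -")
    if code != "220":
        return "rejected" if code[0] in "45" else "unknown"
    if rest and set(rest) <= {"*"}:
        return "masked"
    return "normal"


def read_banner(sock: socket.socket) -> str:
    """Read up to the first CRLF and return the first greeting line."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", errors="replace").split("\r\n")[0]


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> tuple:
    """Connect, capture the greeting, send QUIT, and return (banner, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        banner = read_banner(sock)
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return banner, classify_smtp_banner(banner)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "exchangeserver"  # placeholder host
    banner, verdict = probe_smtp(target)
    print(f"{verdict}: {banner}")
```

    Run it from the DMZ host before and after the "no inspect esmtp" change; a verdict of "masked" means the inspector is still in the path.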
    LVL 2

    Author Closing Comment

    Sorry it took me so long to get back to this.  The problem was with the ASA filtering traffic, and the "no inspect" fixed it.
