Dennis Janson
edge server stops receiving email with mcafee firewall on
I have been having a problem with being blacklisted for some reason. I am trying to lock down my Edge Exchange server to resolve the problem, so I have installed my McAfee client from my SonicWall device, but whenever the firewall is enabled I cannot receive outside email. I have enabled the following TCP ports but it is still not working. What am I missing?
53, 389, 143, 110, 25, 443, 445, 465, 80, 993-995, 3268-3269, 50386-50636
Can you try testexchangeconnectivity.com and see what happens? I would test connecting to your server from the outside. Try telnetting to port 25.
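The "telnet to port 25" check above, done from a script so it can be repeated from outside the firewall on a schedule. This is an added example, not code from the thread or from any of the products mentioned: `check_smtp` opens TCP/25, reads the greeting, sends EHLO and QUIT, and reports success only if a 220 banner came back (an accepted TCP handshake with no banner usually means a firewall or NAT rule is answering, not the MTA). The stand-in listener and the host names in it are constructed so the demo runs offline; against a real Edge server you would call `check_smtp` with its public name or address.

```python
"""Probe an MTA on TCP/25 the way "telnet host 25" would, from a script."""
import socket
import socketserver
import threading


def check_smtp(host, port=25, timeout=5.0):
    """Return (ok, greeting). ok is True only when a 220 SMTP greeting arrives.

    A connect failure is reported in the second element instead of raised, so
    the function can be used directly in a monitoring loop.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rwb")
            greeting = f.readline().decode("ascii", "replace").strip()
            ok = greeting.startswith("220")
            if ok:
                f.write(b"EHLO probe.example.test\r\n")  # constructed client name
                f.flush()
                # An EHLO reply is multi-line: "250-..." continues, "250 " ends it.
                while True:
                    line = f.readline().decode("ascii", "replace")
                    if not line or line[3:4] == " ":
                        break
                f.write(b"QUIT\r\n")
                f.flush()
                f.readline()  # read the 221 so the peer does not see a reset
            return ok, greeting
    except OSError as exc:
        return False, f"connect failed: {exc}"


class _StandInMta(socketserver.StreamRequestHandler):
    """Tiny constructed SMTP listener for the offline demo; not a real MTA."""

    def handle(self):
        self.wfile.write(b"220 edge.example.test ESMTP stand-in\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                self.wfile.write(b"250-edge.example.test\r\n250 SIZE 10485760\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def _closed_local_port():
    """Pick a localhost port that nothing is listening on (for the failure path)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Probe the stand-in listener and a closed port; return both results."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _StandInMta)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        reachable = check_smtp("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    unreachable = check_smtp("127.0.0.1", _closed_local_port(), timeout=1.0)
    return {"reachable": reachable, "unreachable": unreachable}


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
```

Run it from a host outside your own network; a result of `FAIL - connect failed` while the port is supposed to be open points at the firewall or NAT policy rather than at Exchange.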
ASKER
I am not sure what has changed. I just re-enabled the firewall with the same settings this morning and I am receiving messages with no problem. I tested with the tool as you suggested with my firewall on and it passed. I will keep a watchful eye on it, but I am still having issues with being blacklisted and I can't figure out why.
Check out mxtoolbox and see what the reports say about your domain
ASKER
Auric1983, I have been using mxtoolbox; that's how I know I have been blacklisted.
Digitap, I have added the firewall rules as suggested. However, I found that with these settings I have a personal account in my outlook that I cannot send email from. Possibly this is what I need to do.
I guess all I can do now is wait to see if the blacklist removes me.
How do you have your infrastructure configured?
Is it actually an Edge server set up in your DMZ with a subscription back to your main Exchange server? Or is this just your primary Exchange server with a NAT rule?
This is the part I don't like. You have them remove you and then wait to see if it comes back. If you have cases where hosts NEED to get out, then you can create an address group, adding those hosts to the group. Use the address group in your firewall rule.
ASKER
Auric1983: I have an Exchange and Edge server using NAT through a SonicWall NSA240 device. I am not using a DMZ.
Digitap: Luckily I do not have any host that "needs" to get out other than through Edge. I was blacklisted 7 times. I have been removed off one already (and not added back yet) and I am waiting on requests submitted to 3 others to be removed. The remaining either depend on the requested blacklist or will auto-remove after so many hours of no spam traffic detected.
What a pain!
Thanks for all your responses, they have been helpful.
Yes, it's a pain. Keep in mind you can at least possibly detect who might be mass emailing out by the connections monitor. Also, have you gotten feedback that it's spamming that has gotten you blacklisted and not just an incorrectly configured Exchange server? Perhaps running the BPA for Exchange on your servers might be a good step while you wait.
ASKER
I have 3 results from the connections monitor on the SonicWall. These addresses are not familiar to me or my network. Any ideas?
Created: 2011/09/16 15:06:07.736
Source IP: 213.199.154.204
Source Port: 43144
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Src Interface: X1
Dst Interface: X1
Status: Active
Flow: SMTP
IPS Category: N/A
Expiry: 131
Bytes - Tx: 2292214
Bytes - Rx: 44132
Packets - Tx: 1627
Packets - Rx: 955
-------------------------- ---------- ---------- ---------- -------
Created: 2011/09/16 15:05:26.176
Source IP: 213.199.154.207
Source Port: 38481
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Src Interface: X1
Dst Interface: X1
Status: Active
Flow: SMTP
IPS Category: N/A
Expiry: 131
Bytes - Tx: 5216596
Bytes - Rx: 100160
Packets - Tx: 3699
Packets - Rx: 2173
-------------------------- ---------- ---------- ---------- -------
Created: 2011/09/16 15:06:39.496
Source IP: 63.240.94.249
Source Port: 62230
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Src Interface: X1
Dst Interface: X1
Status: Active
Flow: SMTP
IPS Category: N/A
Expiry: 131
Bytes - Tx: 583540
Bytes - Rx: 11104
Packets - Tx: 418
Packets - Rx: 237
-------------------------- ---------- ---------- ---------- -------
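A small triage script for records like the ones pasted above, added here as an example (it is not from the thread or from SonicWall). It parses the "Key: value" blocks, classifies each TCP/25 flow by which end sits in your own public block, and sums transmitted bytes per internal source so that a host mass-mailing outward (the check Digitap suggested with the connections monitor) stands out. The three records are the ones posted above; the fourth record, the `OWN_PREFIX` value and the 203.0.113.5 address are constructed assumptions for the demo.

```python
"""Classify SonicWall connection-monitor records relative to our own address block."""
import ipaddress
import re
from collections import Counter

# Assumed: the asker said their public IPs start 65.216.x.x and the NDR later
# names 65.216.203.210, so a /24 around it is used here as "our" block.
OWN_PREFIX = ipaddress.ip_network("65.216.203.0/24")

# Three records copied from the post plus one constructed outbound record.
SAMPLE = """\
Created: 2011/09/16 15:06:07.736
Source IP: 213.199.154.204
Source Port: 43144
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Bytes - Tx: 2292214
Bytes - Rx: 44132
--------------------------
Created: 2011/09/16 15:05:26.176
Source IP: 213.199.154.207
Source Port: 38481
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Bytes - Tx: 5216596
Bytes - Rx: 100160
--------------------------
Created: 2011/09/16 15:06:39.496
Source IP: 63.240.94.249
Source Port: 62230
Destination IP: 208.17.117.13
Destination Port: 25
Protocol: TCP
Bytes - Tx: 583540
Bytes - Rx: 11104
--------------------------
Created: 2011/09/16 15:07:01.000
Source IP: 65.216.203.210
Source Port: 51000
Destination IP: 203.0.113.5
Destination Port: 25
Protocol: TCP
Bytes - Tx: 7340032
Bytes - Rx: 20480
"""


def parse_records(text):
    """Split dashed-separated 'Key: value' blocks into a list of dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.startswith("---"):
            if cur:
                records.append(cur)
                cur = {}
            continue
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)  # split at the first colon only
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    if cur:
        records.append(cur)
    return records


def classify(rec, own=OWN_PREFIX):
    """Label a flow by direction; anything not on TCP/25 is ignored here."""
    if rec.get("Protocol") != "TCP" or rec.get("Destination Port") != "25":
        return "non-smtp"
    src = ipaddress.ip_address(rec["Source IP"])
    dst = ipaddress.ip_address(rec["Destination IP"])
    if src in own and dst not in own:
        return "outbound-smtp"      # our host delivering (or spamming) outward
    if dst in own:
        return "inbound-smtp"       # someone delivering to us
    return "foreign-to-foreign"     # neither end is ours: check NAT/routing


def triage(text, own=OWN_PREFIX):
    """Return direction counts and outbound bytes per internal source host."""
    counts, tx_by_source = Counter(), Counter()
    for rec in parse_records(text):
        label = classify(rec, own)
        counts[label] += 1
        if label == "outbound-smtp":
            tx_by_source[rec["Source IP"]] += int(rec.get("Bytes - Tx", "0"))
    return {"counts": dict(counts), "outbound_tx_bytes": dict(tx_by_source)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the asker's three records the destination is outside `OWN_PREFIX`, so they classify as foreign-to-foreign: flows the WAN interface sees but that are neither deliveries to, nor mail from, the local servers. The constructed fourth record shows what an internal sender pushing several megabytes over port 25 would look like in the per-source total.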
This just looks like someone trying to send email to you. They are not originating internally. I assume Destination IP is the IP of your WAN interface. Yes?
ASKER
No, the destination IP is not in my address block. My public IPs start with 65.216.xxx.xxx.
ASKER
Some good news, I have gone down from 7 to 4 blacklistings.
The question would be if the firewall logs show those as dropped connections. This would indicate that your firewall is doing its job. Just to make sure, I'd check your firewall rules WAN > LAN (and any other production zones you're using) to make sure there isn't anything open. I saw a question recently where someone had left an RDP port open and someone was trying to hack their server. I encountered that myself. Left the port open for the vendor and they never told me they were done. A couple of months later, I see failed login attempts in routine security checks.
Hopefully, the blacklist number goes down and stays down.
ASKER
digitap,
So far so good. We have not been added to any more blacklists over the weekend; however, there are still 4 that I'm waiting on removal from. I think your firewall settings suggestion was the answer. However, today one of my managers got the following message when trying to email one of our customers. Any ideas?
Diagnostic information for administrators:
Generating server: Edge.GMSMRM.local
lweaverling@mellotts.com
CH1EHSMHS002.bigfish.com #550 5.7.1 Service unavailable; Client host [65.216.203.210] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com. ##
Original message headers:
Received: from Exchange.GMSMRM.local (xx.xx.xx.xx) by mail.mymailserver.com
(xx.xx.xx.xx) with Microsoft SMTP Server (TLS) id 8.2.255.0; Mon, 19 Sep 2011
11:31:41 -0400
Received: from Exchange.GMSMRM.local ([10.0.0.6]) by exchange ([10.0.0.6])
with mapi; Mon, 19 Sep 2011 11:31:40 -0400
From: Josh Helbig <xxxx@pioneerconveyor.com>
To: "Weaverling, Larry" <xxxxxx@mellotts.com>
Date: Mon, 19 Sep 2011 11:33:48 -0400
Subject: RE: Consol Project
Thread-Topic: Consol Project
Thread-Index: Acx232M6hBff1FsKSDWSV1lpgaWJugAAe2EQAAAJKuA=
Message-ID: <F834BFAC6D717141950C9FC2324566249526E6C792@exchange>
References: <F834BFAC6D717141950C9FC2324566249526E6C785@exchange>
<07C194184C442D4DB71BA11D036F97E00AA0A2514B@MELWARAS3EML.CORP.MELLOTTS.COM>
In-Reply-To: <07C194184C442D4DB71BA11D036F97E00AA0A2514B@MELWARAS3EML.CORP.MELLOTTS.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
boundary="_004_F834BFAC6D717141950C9FC2324566249526E6C792exchange_";
type="multipart/alternative"
MIME-Version: 1.0
Return-Path: xxxxxx@pioneerconveyor.com
<Edited by SouthMod to remove sensitive info>
It's hard to tell. A client sending email from mellotts.com appears to have been blocked by client 65.216.203.210. If I look up your MX record, I see that it points to mail.gmsminerepair.com, but the IP for this A record is 65.216.203.214. Although it doesn't match the IP of the client performing the block, it appears it's possibly within the same subnet. I assume this is your public IP subnet. Neither 65.216.203.210 nor 214 is in any spam DB that I've been able to find (I subscribe to DNSSTUFF.com so this is the tool I used to do the spam DB lookup).
However, the MX record for mellotts.com points to mail.global.sprint.com which points to public IP of 213.199.180.150. This IP address didn't show up in the spam DB either.
Then, there is CH1EHSMHS002.bigfish.com, whose MX record points to mail.global.bigfish.com, which points to the public IP of 65.55.88.22. This IP wasn't on the spam DB either.
bigfish.com, from what I've been able to find on the Internet, is Microsoft's Office 360 or Exchange hosting service. My best guess is someone is using this service to pull email from a sprint POP account and somehow it's going out through the MS Exchange hosting service.
Someone's IP was on a Microsoft ban list. I don't know whose, and the DB searches I use don't search Microsoft's DB. There is an email address in the NDR above that you can send a removal request to. I'm just not sure whose IP was blocked.
Hope that helps.
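The two steps Digitap walks through here, reading the NDR to find which IP was actually blocked and then running that IP through spam DB lookups, as an added example (not code from the thread or from DNSSTUFF/mxtoolbox). `parse_ndr` pulls the SMTP reply code, the enhanced status, the blocked client IP and the delist contact out of the bounce text posted above; `dnsbl_query_name` builds the reversed-octet name that a DNS-based blocklist is queried with; `check_dnsbl` takes any resolver function, so the demo injects constructed answers and runs offline, while `stdlib_resolve` is the drop-in for a live check. The listing answers in the demo are constructed and say nothing about the real status of that address in those zones.

```python
"""Triage a 5.7.1 'blocked' bounce and query DNS blocklists for the named IP."""
import ipaddress
import re
import socket

# The NDR line from the post above (sanitized by the thread's moderator).
NDR_SAMPLE = (
    "CH1EHSMHS002.bigfish.com #550 5.7.1 Service unavailable; Client host "
    "[65.216.203.210] blocked using Blocklist 1, mail from IP banned; To request "
    "removal from this list please forward this message to "
    "delist@messaging.microsoft.com. ##"
)

_EMAIL = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"


def parse_ndr(text):
    """Extract reply code, enhanced status, blocked IP and delist contact from an NDR."""
    status = re.search(r"#?(\d{3}) (\d\.\d\.\d)", text)
    client = re.search(r"Client host \[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    delist = re.search(r"forward this message to (" + _EMAIL + ")", text)
    info = {
        "reply_code": status.group(1) if status else None,
        "enhanced_status": status.group(2) if status else None,
        "ip": client.group(1) if client else None,
        "delist_contact": delist.group(1) if delist else None,
    }
    # 5.7.1 plus 'blocked'/'banned' is a reputation block on the sending IP,
    # not a problem with the recipient address.
    info["reputation_block"] = (
        info["enhanced_status"] == "5.7.1" and bool(re.search(r"blocked|banned", text))
    )
    return info


def dnsbl_query_name(ip, zone):
    """'65.216.203.210' + 'zen.spamhaus.org' -> '210.203.216.65.zen.spamhaus.org'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def check_dnsbl(ip, zones, resolve):
    """Query each zone; an answer inside 127.0.0.0/8 means listed, none means clean."""
    verdicts = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            verdicts[zone] = "not listed"
        elif all(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
                 for a in answers):
            verdicts[zone] = "LISTED " + ",".join(answers)
        else:
            # Anything else is a wildcard/resolver artifact, not a listing.
            verdicts[zone] = "unexpected answer " + ",".join(answers)
    return verdicts


def stdlib_resolve(name):
    """Live resolver for real use: A records, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def run_demo():
    """Offline run with constructed answers: listed in one zone, clean in the other."""
    ip = parse_ndr(NDR_SAMPLE)["ip"]
    fake_answers = {dnsbl_query_name(ip, "bl.spamcop.net"): ["127.0.0.2"]}  # constructed
    return check_dnsbl(ip, ZONES, lambda name: fake_answers.get(name, []))


if __name__ == "__main__":
    print(parse_ndr(NDR_SAMPLE))
    print(run_demo())
```

Swap `lambda name: ...` for `stdlib_resolve` to query the real zones; do that from a resolver you control, since some blocklists answer differently to queries relayed through large public resolvers.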
ASKER
Digitap,
Thanks for your input. The 2 IPs you discussed above are in my block. One is directed to my firewall for NAT and the other is the firewall itself. Thanks for running my IP through your tools. It is most likely at this point that my IP is listed on Microsoft's list. The last spam recorded from my IP was on 9/15/2011. I am trying to find an effective way to contact the correct person to handle being removed from bigfish.com's list.
ASKER
I have forwarded some of the returned emails to "delist@messaging.microsoft.com" hoping that I get a reply and removed from their list. I'm not sure how long to expect it will take. My boss is about to rip my head off because we can't communicate with our largest customer.
I understand. It can be frustrating. The fact that MS doesn't have their own DB makes me think MS uses a different spam DB to populate their own IP block lists. The fact that they have a delist email address tells me that they use them to add IP addresses not remove them. I think it's a ridiculous way of managing spam, but it's what they've chosen.
ASKER
Wow Digitap. I actually just received an email from MS. Here it is.
Hello Dennis,
Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1162147765, which was opened in regards to your delisting request for 65.216.203.210
The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2 hour delay before this change propagates through our entire system.
We apologize for any inconvenience this may have caused you. As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network. However, should we detect an increase in spam-like activity, the IP address may be placed on our block lists again.
Should you have any further questions or concerns, please feel free to respond to this email.
Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.
Sincerely,
Jennifer Garfutt
Microsoft Online Services Technical Support
Sweet! Looks like you're clean.
One final note, remember that your posts can be found on the Internet so information here is essentially part of the public domain. The post you made here: http:#a36561057 has - in my opinion - sensitive information. I'd recommend using the Request Attention link in your question above and ask a moderator to remove the post. Remember to sanitize your posts.
ASKER
Digitap, I think you deserve more points for all of your support on this case. I have awarded the post that gave me the most help in resolving being blacklisted in the first place. Though I have not been removed off all of the blacklists, the trend is heading that way. Thanks for your support. You're awesome!
You're welcome and glad I could help. Thanks for the points!