Cannot get Telnet to port 25 from the outside after database restore

Dear Experts,

We had a terrible day today, where we had to restore from a backup. Our Exchange 2003 system was corrupt; nothing was working, etc.

Because of this, now, after we "fixed" the email server, we cannot telnet to port 25 from the outside. In other words, external email is not coming in. Internally the email server is fine; we can telnet to it on port 25.

I need to know what could be wrong with the filtering systems that we have here. We have first a Cisco ASA firewall, then a smart host Linux box that runs SpamAssassin. Both were fine until the Exchange corruption.

There was nothing wrong with the firewall until today. The chain of events is extremely bizarre.

Any thoughts? I have attached the ASA 5510 configuration for your review.

Again, we need to telnet to port 25 on our email server from the outside.


asa1220.txt
marceloNYC (Middle-Tier Administrator) asked:

MadPar commented:
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
What does this mean? A disabled rule in the ASA config?
0

Viral Rathod (Consultant) commented:
Please go to http://testexchangeconnectivity.com, run the "Inbound SMTP E-Mail" test and post the results.
0
Vaseem Mohammed commented:
I hope this is the interface where you have configured your public IP address (Internet side):
-----------
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.148.179.161 255.255.255.248
----------

This is the interface for your LAN:
-------------
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.102.5 255.255.255.0
------------

Is this your mail server? If it is, can you check the IP address of your mail server? Can you ping the IP address from the console?

------------------
object-group network Mail-Inside
 description *** Mail servers on the inside
 network-object host 75.148.179.165
------------------
Are your MX records set to this IP address?


Even this line is suspicious to me.
***
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
***
Does this mean this rule is currently inactive?
0
marceloNYC (Middle-Tier Administrator, Author) commented:
What is the rule for me to bypass the Linux spam filter and just have it go directly to the email servers for a while?
0
marceloNYC (Middle-Tier Administrator, Author) commented:
The IP address of the email server is 172.16.100.12
0
marceloNYC (Middle-Tier Administrator, Author) commented:
I didn't work on the firewall or any of the servers here. I am new in the company, so I am very much like you, trying to figure it out.
0
marceloNYC (Middle-Tier Administrator, Author) commented:
ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting the Autodiscover and Exchange ActiveSync test (if requested).
       Testing of Autodiscover for Exchange ActiveSync failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://dowley.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 443 on host dowley.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server dowley.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US, Issuer: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name dowley.com doesn't match any name found on the server certificate E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Attempting to test potential Autodiscover URL https://autodiscover.dowley.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 443 on host autodiscover.dowley.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.dowley.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US, Issuer: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name autodiscover.dowley.com doesn't match any name found on the server certificate E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 80 on host autodiscover.dowley.com to ensure it's listening and open.
       The port was opened successfully.
      ExRCA is checking the host autodiscover.dowley.com for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.dowley.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.
        Tell me more about this issue and how to resolve i
0
marceloNYC (Middle-Tier Administrator, Author) commented:
I took that line out and still nothing...
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
0
MadPar commented:
You ran the wrong test :)
Your domain is dowley.com.
The MX record for your domain is relay.dowley.com. Its IP is 75.148.179.164.
In your config you have a static NAT from this address to the object CentOS_Spam_Gateway:
(static (inside,outside) 75.148.179.164 CentOS_Spam_Gateway netmask 255.255.255.255)
This object is described as "name 172.16.100.23 CentOS_Spam_Gateway".
Try telnetting to 172.16.100.23:25 from your internal network (preferably from your Exchange server) and post the result.
0
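The trace MadPar walks through above (MX name, public IP, static NAT, name alias, then the ACL) can be automated over the config file. The following is an added example, not code from the thread or from Cisco: a small parser for the pre-8.3 ASA lines quoted in this thread, which reports what an inbound SMTP connection to a public IP is NATted to and whether an active outside_access_in rule permits it. The sample config is constructed from the quoted fragments; the rule permitting SMTP to 75.148.179.164 is an assumption, since the thread never shows it.

```python
import re

# Constructed sample from the fragments quoted in the thread (pre-8.3 ASA syntax, so
# ACL destinations are the public, pre-NAT IPs). The second access-list line is an
# assumption: the thread never shows the rule that let SMTP reach the relay's IP.
SAMPLE_CONFIG = """\
name 172.16.100.23 CentOS_Spam_Gateway
object-group network Mail-Inside
 network-object host 75.148.179.165
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
access-list outside_access_in extended permit tcp any host 75.148.179.164 eq smtp
static (inside,outside) 75.148.179.164 CentOS_Spam_Gateway netmask 255.255.255.255
"""

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (any|host \S+) "
                    r"(any|host \S+|object-group \S+) eq (\S+)( inactive)?$")

def parse_asa(text):
    """Collect name aliases, network object-groups, static NATs and the ACE forms above."""
    cfg = {"names": {}, "groups": {}, "statics": {}, "aces": []}
    group = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg["names"][m[2]] = m[1]                    # alias -> IP
        elif m := re.match(r"object-group network (\S+)$", line):
            group = cfg["groups"].setdefault(m[1], set())
        elif group is not None and (m := re.match(r"network-object host (\S+)$", line)):
            group.add(m[1])
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line):
            cfg["statics"][m[1]] = m[2]                  # public IP -> inside host
        elif m := ACE_RE.match(line):
            cfg["aces"].append({"acl": m[1], "action": m[2], "proto": m[3],
                                "dst": m[5], "port": m[6], "inactive": bool(m[7])})
    return cfg

def dst_matches(cfg, dst, ip):
    """Does an ACE destination ('any', 'host X' or 'object-group G') cover ip?"""
    kind, _, value = dst.partition(" ")
    return (kind == "any" or (kind == "host" and value == ip)
            or ip in cfg["groups"].get(value, ()))

def trace_inbound(cfg, public_ip, port="smtp"):
    """Where a connection to public_ip:port is NATted, and whether the ACL allows it."""
    inside = cfg["statics"].get(public_ip)
    inside_ip = cfg["names"].get(inside, inside)     # resolve 'name' alias if used
    hits = [a for a in cfg["aces"] if a["proto"] == "tcp" and a["port"] == port
            and dst_matches(cfg, a["dst"], public_ip)]
    active = [a for a in hits if not a["inactive"]]  # first active match decides
    return {"nat_to": inside_ip, "permitted": bool(active) and active[0]["action"] == "permit",
            "inactive_rules": sum(a["inactive"] for a in hits)}
```

Run against the real asa1220.txt, a result with an internal host but no permitted rule points at the ACL, while a permitted rule with an internal host that does not answer on port 25 points at the host itself, which is the case in this thread.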
marceloNYC (Middle-Tier Administrator, Author) commented:
Yes! 172.16.100.23 is the internal IP address of the Linux spam box.
0
MadPar commented:
Does this address reply on SMTP? Can you telnet to it from the internal network (bypassing the firewall)?
0
marceloNYC (Middle-Tier Administrator, Author) commented:
No, I can't telnet to it. I can telnet internally to the actual Exchange servers with no problem and even send myself emails. I need help figuring out a way to bypass the Linux box so it is just the firewall and the Exchange servers.
0
MadPar commented:
Maybe just restart the Linux gateway? If not, you must change the static NAT on the ASA from the Linux IP to the Exchange IP.
0
MadPar commented:
Also, maybe the Linux SMTP listener is restricted by source IP; can you try connecting to it from the ASA?
0
marceloNYC (Middle-Tier Administrator, Author) commented:
Yes, I can ping the Linux box from the ASA.
0
MadPar commented:
Ping is ICMP, not SMTP traffic. If you can't telnet from the ASA, you must make sure that the SMTP service on the Linux host is up. Or change the static NAT as I described above (in this case you must make some changes in the Virtual SMTP Server properties on your Exchange server).
0
MadPar commented:
Also, if you exclude the Linux GW from your mail routing, you lose your anti-spam defence.
0
marceloNYC (Middle-Tier Administrator, Author) commented:
We ended up changing the MX record IP address. That did it. We have two offices; instead of the email coming in via office A, it is now coming in via office B. I am going to ask for us to get MX Logic....
0
marceloNYC (Middle-Tier Administrator, Author) commented:
Thank you for your help, guys.
0