Cannot get Telnet to port 25 from the outside after database restore

marceloNYC
Dear Experts,

We had a terrible day today, where we had to restore from a backup. Our Exchange 2003 system was corrupt. Nothing was working, etc.

Because of this, now after we "fixed" the email server, we cannot telnet to port 25 from the outside. In other words, external email is not coming in. Internally the email server is fine. We can telnet to it using port 25.

I need to know what could be wrong with the filtering systems that we have here. We have first a Cisco ASA firewall, then a smart host Linux box that runs SpamAssassin. Both were fine until the Exchange corruption.

There was nothing wrong with the firewall until today. The chain of events is extremely bizarre.

Any thoughts? I have attached the ASA 5510 configuration for your review.

Again, we need to telnet to port 25 on our email server from the outside.


asa1220.txt
Commented:
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
What does this mean? A disabled rule in the ASA config?
Viral Rathod, Consultant
Commented:
Please go to http://testexchangeconnectivity.com, run the "Inbound SMTP E-Mail" test and post the results.
I hope this is the port where you are configuring your public IP address (source of internet):
-----------
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.148.179.161 255.255.255.248
----------

This is the port for your LAN:
-------------
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.102.5 255.255.255.0
------------

Is this your mail server? If it is, can you check the IP address of your mail server? Can you ping the IP address from the console?

------------------
object-group network Mail-Inside
 description *** Mail servers on the inside
 network-object host 75.148.179.165
------------------
Are your MX records set to this IP address?


Even this line is suspicious to me.
***
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
***
Does this mean this rule is currently inactive?

marceloNYC, Middle-Tier Administrator (Author)
Commented:
What is the rule for me to bypass the Linux spam filter and just have it go directly to the email servers for a while?
marceloNYC, Middle-Tier Administrator (Author)
Commented:
The IP address of the email server is 172.16.100.12.
marceloNYC, Middle-Tier Administrator (Author)
Commented:
I didn't work on the firewall or any of the servers here. I am new in the company, so I am very much like you, trying to figure it out.
marceloNYC, Middle-Tier Administrator (Author)
Commented:
ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting the Autodiscover and Exchange ActiveSync test (if requested).
       Testing of Autodiscover for Exchange ActiveSync failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://dowley.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 443 on host dowley.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server dowley.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US, Issuer: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name dowley.com doesn't match any name found on the server certificate E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Attempting to test potential Autodiscover URL https://autodiscover.dowley.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 443 on host autodiscover.dowley.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.dowley.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US, Issuer: E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name autodiscover.dowley.com doesn't match any name found on the server certificate E=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, S=Virginia, C=US.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.dowley.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 67.192.243.112
      Testing TCP port 80 on host autodiscover.dowley.com to ensure it's listening and open.
       The port was opened successfully.
      ExRCA is checking the host autodiscover.dowley.com for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.dowley.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.
marceloNYC, Middle-Tier Administrator (Author)
Commented:
I took that line out and still nothing...
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
Commented:
You ran the wrong test :)
Your domain is dowley.com.
The MX record for your domain is relay.dowley.com. Its IP is 75.148.179.164.
In your config you have a static NAT from this address to the object CentOS_Spam_Gateway:
(static (inside,outside) 75.148.179.164 CentOS_Spam_Gateway netmask 255.255.255.255)
This object is described as name 172.16.100.23 CentOS_Spam_Gateway.
Try to telnet to 172.16.100.23:25 from your internal network (preferably from your Exchange Server) and post the result.
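The chain the comment above walks through (MX address, static NAT, inside host, and whether an outside ACL entry for smtp is active) can be traced mechanically from the config. This is an added example, not code from the thread; it assumes the pre-8.3 ASA syntax seen in the quoted lines (`name`, `static (inside,outside)`, and an outside ACL that references the mapped address), and the sample config is constructed from only the lines quoted in the thread, so it says nothing about the rest of the real asa1220.txt.

```python
# Constructed sample: only the ASA lines quoted in the thread, nothing else.
SAMPLE_CONFIG = """\
name 172.16.100.23 CentOS_Spam_Gateway
object-group network Mail-Inside
 description *** Mail servers on the inside
 network-object host 75.148.179.165
static (inside,outside) 75.148.179.164 CentOS_Spam_Gateway netmask 255.255.255.255
access-list outside_access_in extended permit tcp any object-group Mail-Inside eq smtp inactive
"""
def _addr(tok, i):  # consume one ASA address spec: any | host X | object-group G | <net> <mask>
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i] + " " + tok[i + 1]), i + 2
def parse_asa(text):  # collect name aliases, network object-groups, static NATs, extended ACEs
    cfg, group = {"names": {}, "groups": {}, "statics": {}, "acls": []}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or line.startswith(" "):  # blank, or indented member of the current object-group
            if tok and group and tok[:2] == ["network-object", "host"]:
                cfg["groups"][group].append(cfg["names"].get(tok[2], tok[2]))
            continue
        group = None
        if tok[0] == "name":  # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group, cfg["groups"][tok[2]] = tok[2], []
        elif tok[0] == "static":  # static (real_if,mapped_if) <mapped> <real> netmask ...
            cfg["statics"][tok[2]] = cfg["names"].get(tok[3], tok[3])
        elif tok[0] == "access-list" and tok[2] == "extended":  # tok[3]=action, tok[4]=protocol
            _src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"].append({"action": tok[3], "dst": dst, "port": port,
                                "inactive": tok[-1] == "inactive"})
    return cfg
def smtp_path(text, public_ip):
    """Inside host the mapped address NATs to, and whether an ACE permitting SMTP to it is active."""
    cfg = parse_asa(text)
    verdict = {"inside_host": cfg["statics"].get(public_ip),
               "active_permit": False, "inactive_permit": False}
    for ace in cfg["acls"]:
        kind, val = ace["dst"]
        covered = kind == "any" or (kind == "host" and val == public_ip) or (
            kind == "object-group" and public_ip in cfg["groups"].get(val, []))
        if ace["action"] == "permit" and ace["port"] in ("smtp", "25") and covered:
            verdict["inactive_permit" if ace["inactive"] else "active_permit"] = True
    return verdict
```

On the constructed sample, `smtp_path(SAMPLE_CONFIG, "75.148.179.164")` finds the NAT to 172.16.100.23 but no smtp ACE covering that mapped address at all, while `"75.148.179.165"` is covered only by the `inactive` entry; on a real config the same two questions are what to check before touching the MX record.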
marceloNYC, Middle-Tier Administrator (Author)
Commented:
Yes! 172.16.100.23 is the internal IP address of the Linux spam box.
Commented:
Does this address reply to SMTP? Can you telnet to it from the internal network (bypassing the firewall)?
marceloNYC, Middle-Tier Administrator (Author)
Commented:
No, I can't telnet to it. I can telnet internally to the actual Exchange servers no problem and even send myself emails. I need help figuring out a way to bypass the Linux box so it is just the firewall and the Exchange servers.
Commented:
Maybe just restart the Linux gateway? If not, you must change the static NAT on the ASA from the Linux IP to the Exchange IP.
Commented:
Also, maybe the Linux SMTP listener is restricted by source IP; can you try to connect to it from the ASA?
marceloNYC, Middle-Tier Administrator (Author)
Commented:
Yes, I can ping the Linux box from the ASA.
Commented:
Ping is ICMP, not SMTP traffic. If you can't telnet from the ASA, you must make sure that the SMTP service on the Linux host is up. Or change the static NAT as I described above (in this case you must make some changes in the Virtual SMTP Server properties on your Exchange Server).
Commented:
Also, if you exclude the Linux GW from your mail routing, you lose your anti-spam defence.
marceloNYC, Middle-Tier Administrator (Author)
Commented:
We ended up changing the MX record IP address. That did it. We have two offices; instead of the email coming from office A, now the email is coming from office B. I am going to ask for us to get MX Logic....
marceloNYC, Middle-Tier Administrator (Author)
Commented:
Thank you for your help, guys.