Exchange email not getting through to server

Posted on 2012-04-01
Medium Priority
Last Modified: 2012-08-13
We have an Exchange 2003 server internally. We were contracting Postini but have chosen to let the contract lapse. In the meanwhile, we are trying to route email directly to the internal server. DNS Pointer "MX" records have been changed.

I've added access-list commands to the Cisco ASA firewall.  I've created an MX record in the local DNS server along with an A record.

Still no email. It's been 8 plus hours, so the DNS changes (at Network Solutions) are probably good by now?

Can someone look at my firewall config and tell me if it looks correct?

Of particular interest are the entries concerning IP address 209.XXX.XXX.147,
e.g. access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp

Also, I've telnetted to the server internally and made a connection on port 25. But when I try to do this from outside, my PuTTY terminal closes on me immediately - not sure if it worked or not. Not sure why it closes.

ourASA(config)# show run
: Saved
ASA Version 7.2(3)
hostname ourASA
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
name Domain2
name Domain1
name Domain1VPN
name CicDomain01
name CicRouter
name cosDomain01
name cosRouter
name CWDomain1
name CWDomain2
name CWRouter
name HQRouter
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.XXX.XXX.18
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif Providerdata
 security-level 0
 ip address 209.XXX.XXX.146
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd XXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any echo-reply
access-list outside remark "Microsoft VPN"
access-list outside extended permit tcp any host 66.XXX.XXX.19 eq pptp
access-list outside extended permit tcp any host 66.XXX.XXX.19 eq 47
access-list outside remark "Microsoft Exchange OWA"
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq www
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq https
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq smtp
access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in remark "Microsoft VPN"
access-list outside_in extended permit tcp any host 209.XXX.XXX.148 eq pptp
access-list outside_in extended permit tcp any host 209.XXX.XXX.148 eq 47
access-list outside_in remark "Postini"
access-list outside_in remark "Microsoft Exchange OWA"
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq www
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq https
access-list inside extended permit icmp any any echo
pager lines 24
mtu outside 1500
mtu inside 1500
mtu ProviderData 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 1440020
global (outside) 1 interface
global (ProviderData) 1 interface
nat (inside) 1
static (inside,outside) 66.XXX.XXX.19 Domain1VPN netmask
static (inside,outside) 66.XXX.XXX.20 Domain2 netmask
static (inside,outside) 66.XXX.XXX.21 Domain1 netmask
static (inside,outside) 66.XXX.XXX.29 HQRouter netmask
static (inside,ProviderData) 209.XXX.XXX.148 Domain1VPN netmask
static (inside,ProviderData) 209.XXX.XXX.147 Domain2 netmask
access-group outside in interface outside
access-group outside_in in interface ProviderData
route inside 1
route ProviderData 209.XXX.XXX.145 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor websense host timeout 30 protocol TCP version 1 connections 5
filter url http allow
http server enable
http management
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh ProviderData
ssh timeout 60
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
service-policy global_policy global
url-block url-mempool 1500
url-block url-size 4
url-block block 128
prompt hostname context
: end
Question by:egalois
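One thing worth checking in the posted config before looking at the mail server: access-list outside is bound to interface outside and outside_in to ProviderData, the 209.XXX.XXX.147 static is on ProviderData, yet the smtp permit for that host (the line singled out above) sits in access-list outside. The following checker is an added example, not code from the thread; it parses lines of that shape and reports every inbound permit rule whose ACL is bound to a different interface than the one owning the target's static. SAMPLE_CONFIG is a constructed excerpt with the same shape and redacted octets as the posted config.

```python
import re

# Added example, not from the thread: a consistency check over ASA 7.2-style lines
# like the ones posted above. A "permit tcp any host X eq svc" rule only matters if
# it lives in the ACL bound to the interface that owns X's static translation;
# otherwise the traffic it was written for never reaches that ACL.

# Constructed excerpt with the same shape (and redacted octets) as the posted config.
SAMPLE_CONFIG = """\
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq smtp
access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq www
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq https
static (inside,outside) 66.XXX.XXX.20 Domain2 netmask
static (inside,ProviderData) 209.XXX.XXX.147 Domain2 netmask
access-group outside in interface outside
access-group outside_in in interface ProviderData
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"^static \(inside,(\S+)\) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse(config):
    """Collect permit rules, static global address -> interface, ACL -> interface."""
    rules, static_if, acl_if = [], {}, {}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            rules.append((m.group(1), m.group(2), m.group(3)))
        elif m := STATIC_RE.match(line):
            static_if[m.group(2)] = m.group(1)
        elif m := GROUP_RE.match(line):
            acl_if[m.group(1)] = m.group(2)
    return rules, static_if, acl_if

def misplaced_permits(config):
    """Return one finding per rule that cannot match traffic for its target host."""
    rules, static_if, acl_if = parse(config)
    findings = []
    for acl, host, svc in rules:
        bound, owner = acl_if.get(acl), static_if.get(host)
        if owner is None:
            findings.append(f"{host}/{svc}: no static translation for this address")
        elif bound != owner:
            findings.append(f"{host}/{svc}: permitted in '{acl}' on {bound}, "
                            f"but the static is on {owner}")
    return findings
```

Running misplaced_permits(SAMPLE_CONFIG) reports the single 209.XXX.XXX.147/smtp rule; the 66.XXX.XXX.20 smtp rule and the outside_in www/https rules line up with their statics.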
LVL 35

Expert Comment

by:Seth Simmons
ID: 37794245
I would first do a sanity check on your external DNS. Do an nslookup and check your MX records and verify it's pointing to your public address for the Exchange server and not Postini. If it is, then make sure you have your NAT set up correctly for that public address to your Exchange server.

I'm not a Cisco expert, but if you had your rules locked down so that SMTP was only allowed from Postini, you would need to open it so port 25 is open from all (assuming you are allowing all mail to go directly to Exchange).

Author Comment

ID: 37794255
Thanks for the quick reply. nslookup shows our server, so that part looks right.

The access list command that I pasted into my question is the one I'm using to allow all mail to go directly to my server.

I'm using a static route to the server and I think that takes care of the NAT that you mention. But I'm not certain of this.
LVL 31

Accepted Solution

Frosty555 earned 2000 total points
ID: 37794445
Make sure your Exchange server is configured to allow all incoming mail. A hardened Exchange server that used to use Postini for mail relay should have been configured to only accept incoming mail from the Postini servers' IP range, probably on a non-standard port.

By default Exchange running the Hub Transport role doesn't accept email from just anybody - it only accepts mail from an authenticated Edge server, or from specific whitelisted servers (e.g. the Postini servers).

I'm not that familiar with Exchange 2003, but in Exchange 2010 the relevant setting is in Exchange Management Console->Server Configuration->Hub Transport->Receive Connectors->[Your connector], and you need to specify that any remote IP address may deliver mail and that it may connect unauthenticated and unencrypted over port 25.
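The "PuTTY closes immediately" symptom in the question cannot by itself tell a firewall drop from a mail server that accepts the TCP connection and then refuses to greet an unknown sender. The probe below is an added example, not code from the thread or from any of the posters; it repeats that port-25 test but reports which stage failed, and the host name, the FakeSmtpSocket class and the scripted/refused helpers are constructed so it can be exercised offline.

```python
import socket

# Added example, not from the thread: the asker's PuTTY test on port 25, but recording
# which stage failed. No TCP connection points at the ASA ACL/NAT; a connection dropped
# before any greeting points at the mail server (e.g. a leftover Postini-only receive
# restriction) or at esmtp inspection; a 220 banner means SMTP itself is reachable.
def classify_greeting(banner: bytes) -> str:
    if not banner:
        return "closed-before-banner"        # handshake worked, server hung up on us
    first = banner.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if first.startswith("220"):
        return "banner-ok"
    if first[:1] in ("4", "5"):
        return "rejected-" + first[:3]       # greeted with an error code
    return "unexpected"

def probe_smtp(host, port=25, timeout=10, connect=socket.create_connection):
    """Return (verdict, detail); `connect` is injectable so this runs offline."""
    try:
        sock = connect((host, port), timeout)
    except OSError as exc:                   # refused, timed out, unreachable
        return "no-tcp-connect", str(exc)
    with sock:                               # create_connection already set the timeout
        try:
            banner = sock.recv(1024)
        except socket.timeout:
            return "no-banner-timeout", ""   # connected but silent
        except ConnectionError:              # reset right after the handshake
            banner = b""
        verdict = classify_greeting(banner)
        if verdict != "banner-ok":
            return verdict, banner.decode("ascii", "replace").strip()
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        reply = sock.recv(4096).decode("ascii", "replace").strip()
        sock.sendall(b"QUIT\r\n")
        return verdict, reply

class FakeSmtpSocket:
    # Constructed stand-in for a socket: replays scripted server replies, then EOF.
    def __init__(self, *replies): self._replies = list(replies)
    def sendall(self, _): pass
    def recv(self, _): return self._replies.pop(0) if self._replies else b""
    def __enter__(self): return self
    def __exit__(self, *a): pass

def scripted(*replies):  # connect() stand-in that hands back a FakeSmtpSocket
    return lambda addr, timeout: FakeSmtpSocket(*replies)

def refused(addr, timeout):  # connect() stand-in behaving like a firewall reject
    raise ConnectionRefusedError("connection refused")
```

Against a real host, call probe_smtp("your.mx.host") from outside the network and compare the verdict with the same call made from the LAN; a "closed-before-banner" from outside next to a "banner-ok" from inside is the pattern the accepted answer describes.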

LVL 14

Expert Comment

ID: 37794635
Try this:

Take out the following line:
inspect esmtp

Basically, tell the ASA to leave SMTP traffic alone.

(If that doesn't work, you can always put it back)

Author Closing Comment

ID: 37797264
The server was configured to allow emails from only a specific block of addresses.  Excellent answer - thanks so much.
LVL 31

Expert Comment

ID: 37874404
I strongly recommend some kind of gateway between your Hub Exchange server and the internet, though. The previous configuration of only allowing mail from the Postini servers is the right way to go about it.

If Postini is too expensive there are other gateway services - e.g. DynDNS's Email Gateway.
