SMTP Telnet test fails from DMZ to inside via PIX 515

Discussion in 'Cisco' started by Dave Foster, Aug 6, 2004.

  1. Dave Foster

    SMTP connections time out from a server in my DMZ to an SMTP server on my
    inside LAN.

    I'm trying to set up an SMTP server in my DMZ on a Windows 2000 Server so
    that my MX record will point to that server and it will be my public MTA and
    relay email for my domain to my Exchange 2003 (SBS Premium) server on my
    inside LAN. I have a PIX 515 with an outside, DMZ, and an inside LAN
    interface.


    |-------|       |-------|       |-------|
    | Cisco |       |  DMZ  |       |Inside |
    | Pix - |------>| Win2K |------>|Win2k3 |
    |  515  |       | SMTP  |       |  SBS  |
    |-------|       |-------|       |-------|

    When I try to telnet into the Exchange server from the DMZ, the HELO
    command will be accepted, but the subsequent MAIL command times out.

    e.g. mail from:

    My SMTP log only has one entry:

    2004-08-04 20:01:10 [Win2K test server IP] testdomain.com SMTPSVC1 [Exchange server name] [Exchange server IP] 0 HELO +test.com 250 0 57 13 0

    Why would the second command time out?

    I don't think I have a permissions problem on my Exchange server? I'm
    allowing anonymous authentication, and connection control lists the Win2K
    test server IP as an allowed connector.

    Is the PIX between the DMZ and the inside causing the timeout?
    I've read some things about path MTU discovery and ICMP feedback messages
    getting lost. I only have one router/firewall device though.

    Using Microsoft Network Monitor, I do not see subsequent packets come into
    the destination NIC after the first helo command.

    The only thing I see in the PIX log is:
    302001: Built inbound TCP connection 5396326 for faddr [DMZ server IP]/37293 gaddr [inside server with static DMZ NAT IP]/25 laddr [inside server with static inside IP]/25

    I am able to successfully Telnet (via port 25) to the Exchange server from a
    domain computer on the same inside LAN. Gotta be the PIX, right? Port 25 is
    open. There must be some other limitation.

    I'm NATing the inside server to the DMZ with a static:
    static (inside,DMZ) [DMZ address] [inside address] netmask 255.255.255.255 0 0

    This is a Cisco PIX-515E Firewall Version 6.1(2).

    Any insight would be appreciated.

    Thanks,
    Dave
    Dave Foster, Aug 6, 2004
    #1

  2. Rik Bain

    On Thu, 05 Aug 2004 18:25:53 -0500, Dave Foster wrote:

    > SMTP connections time out from a server in my DMZ to an SMTP server on
    > my inside LAN.
    >
    > I'm trying to set up an SMTP server in my DMZ on a Windows 2000 Server
    > so that my MX record will point to that server and it will be my public
    > MTA and relay email for my domain to my Exchange 2003 (SBS Premium)
    > server on my inside LAN. I have a PIX 515 with an outside, DMZ, and an
    > inside LAN interface.
    >
    >
    > |-------|       |-------|       |-------|
    > | Cisco |       |  DMZ  |       |Inside |
    > | Pix - |------>| Win2K |------>|Win2k3 |
    > |  515  |       | SMTP  |       |  SBS  |
    > |-------|       |-------|       |-------|
    >
    > When I try to telnet into the Exchange server from the DMZ I can the
    > HELO command will be accepted, but the subsequent MAIL command times
    > out.
    >
    > e.g. mail from:
    >
    > My SMTP log only has one entry:
    >
    > 2004-08-04 20:01:10 [Win2K test server IP] testdomain.com SMTPSVC1
    > [Exchange server name] [Exchange server IP] 0 HELO +test.com 250 0 57 13
    > 0
    >
    > Why would the second command time out?
    >
    > I don't think I have a permissions problem on my Exchange server? I'm
    > allowing
    > anonymous authentication and connection control lists the Win2K test
    > server IP as an allowed connector.
    >
    > Is the PIX between the DMZ and the inside causing the timeout? I've read
    > some things about path MTU discovery and ICMP feedback messages getting
    > lost. I only have one router/firewall device though.
    >
    > Using Microsoft Network Monitor, I do not see subsequent packets come
    > into the destination NIC after the first helo command.
    >
    > The only thing I see in the PIX log is: 302001: Built inbound TCP
    > connection 5396326 for faddr [DMZ server IP]/37293 gaddr [inside server
    > with static DMZ NAT IP]/25 laddr [inside server with static inside
    > IP]/25
    >
    > I am able to successfully Telnet (via port 25) to the Exchange server
    > from a domain computer on the same inside LAN. Gotta be the PIX, right?
    > Port 25 is open. There must be some other limitation.
    >
    > I'm NATing the inside server to the DMZ with a static: static
    > (inside,DMZ) [DMZ address] [inside address] netmask 255.255.255.255 0 0
    >
    > This is a Cisco PIX-515E Firewall Version 6.1(2).
    >
    > Any insight would be appreciated.
    >
    > Thanks,
    > Dave



    I would check to see if you have fixup enabled for SMTP. At some point
    (or has it always done it) the pix would disallow interactive telnet
    sessions to SMTP servers.

    Rik Bain
    Rik Bain, Aug 6, 2004
    #2

  3. Dave Foster

    I do have a fixup config line:
    fixup protocol smtp 25

    I see in the cisco doc that Telnet is not supported:
    "Also, doing Telnet to port 25 may not work with the fixup protocol smtp
    command, especially with a Telnet client that does character mode."
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

    I'll have to find another telnet client (other than the windows standard) to
    test with, I guess.

    When I look at the SMTP logs of my MTA server when it tries to forward
    inbound mail to the internal mail server I see the following 3 lines:

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2004-08-06 02:04:10
    #Fields: cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)

    OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - - 220+*****0****0*************************************************************0****0*0+*********************200**20*0**0***0*00+ 0 0 126 0 0 SMTP - - - -

    OutboundConnectionCommand SMTPSVC1 [MTA server] - 25 EHLO - [MTA server] 0 0 4 0 10 SMTP - - - -

    OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - - 500+5.3.3+Unrecognized+command 0 0 30 0 10 SMTP - - - -

    Is EHLO blocked by the PIX mailguard feature?

    > I would check to see if you have fixup enabled for SMTP. At some point
    > (or has it always done it) the pix would disallow interactive telnet
    > sessions to SMTP servers.
    >
    > Rik Bain
    Dave Foster, Aug 6, 2004
    #3
  4. Dave Foster

    > I see in the cisco doc that Telnet is not supported:
    > "Also, doing Telnet to port 25 may not work with the fixup protocol smtp
    > command, especially with a Telnet client that does character mode."

    Anyone know of such a Telnet client (windows) that will work through the PIX
    on port 25? Putty?


    > Is EHLO blocked by the PIX mailguard feature?

    There is a setting on Windows IIS 5 SMTP service where you can say HELO
    instead of EHLO. See remote domain properties.
    Dave Foster, Aug 6, 2004
    #4
  5. Dave Foster wrote:

    > Anyone know of such a Telnet client (windows) that will work through the PIX
    > on port 25? Putty?


    Haven't tried it, but PuTTY 'raw' mode might work, yes.

    From the PuTTY docs:

    > 3.6 Making raw TCP connections
    >
    > A lot of Internet protocols are composed of commands and responses
    > in plain text. For example, SMTP (the protocol used to transfer e-
    > mail), NNTP (the protocol used to transfer Usenet news), and HTTP
    > (the protocol used to serve Web pages) all consist of commands in
    > readable plain text.
    >
    > Sometimes it can be useful to connect directly to one of these
    > services and speak the protocol `by hand', by typing protocol
    > commands and watching the responses. On Unix machines, you can do
    > this using the system's `telnet' command to connect to the right
    > port number. For example, `telnet mailserver.example.com 25' might
    > enable you to talk directly to the SMTP service running on a mail
    > server.
    >
    > Although the Unix `telnet' program provides this functionality, the
    > protocol being used is not really Telnet. Really there is no actual
    > protocol at all; the bytes sent down the connection are exactly the
    > ones you type, and the bytes shown on the screen are exactly the
    > ones sent by the server. Unix `telnet' will attempt to detect or
    > guess whether the service it is talking to is a real Telnet service
    > or not; PuTTY prefers to be told for certain.
    >
    > In order to make a debugging connection to a service of this
    > type, you simply select the fourth protocol name, `Raw', from the
    > `Protocol' buttons in the `Session' configuration panel. (See
    > section 4.1.1.) You can then enter a host name and a port number,
    > and make the connection.


    Regards,

    Marco.
    M.C. van den Bovenkamp, Aug 6, 2004
    #5
  6. In article <41139b9d$0$22719$>,
    Dave Foster <> wrote:
    :Is EHLO blocked by the PIX mailguard feature?

    Yes, but as I recall the newly released 6.3(4) finally supports
    ESMTP, so upgrading may help.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
    Walter Roberson, Aug 7, 2004
    #6
  7. Don't have a PIX to try this out on, however we're running IOS w/ the
    firewall feature set. Prior to putting that in place, I was able to telnet
    to our mail server on port 25, no problem. With the FW feature set, an
    attempt to telnet to the mail server on port 25 results in immediate
    disconnection from the mail server as soon as you try to issue an SMTP
    command. Along with that, you get something like this in your log:

    %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (H)(total 1 chars) from
    initiator

    Since this discovery, I've used PuTTY in raw mode to connect to our mail
    server on port 25 and found that it works great, no problems at all.

    Cletus

    "M.C. van den Bovenkamp" <> wrote in message
    news:41140149$0$132$4all.nl...
    > Dave Foster wrote:
    >
    > > Anyone know of such a Telnet client (windows) that will work through the PIX
    > > on port 25? Putty?
    >
    > Haven't tried it, but PuTTY 'raw' mode might work, yes.
    >
    > From the PuTTY docs:
    >
    > > 3.6 Making raw TCP connections
    > >
    > > A lot of Internet protocols are composed of commands and responses
    > > in plain text. For example, SMTP (the protocol used to transfer e-
    > > mail), NNTP (the protocol used to transfer Usenet news), and HTTP
    > > (the protocol used to serve Web pages) all consist of commands in
    > > readable plain text.
    > >
    > > Sometimes it can be useful to connect directly to one of these
    > > services and speak the protocol `by hand', by typing protocol
    > > commands and watching the responses. On Unix machines, you can do
    > > this using the system's `telnet' command to connect to the right
    > > port number. For example, `telnet mailserver.example.com 25' might
    > > enable you to talk directly to the SMTP service running on a mail
    > > server.
    > >
    > > Although the Unix `telnet' program provides this functionality, the
    > > protocol being used is not really Telnet. Really there is no actual
    > > protocol at all; the bytes sent down the connection are exactly the
    > > ones you type, and the bytes shown on the screen are exactly the
    > > ones sent by the server. Unix `telnet' will attempt to detect or
    > > guess whether the service it is talking to is a real Telnet service
    > > or not; PuTTY prefers to be told for certain.
    > >
    > > In order to make a debugging connection to a service of this
    > > type, you simply select the fourth protocol name, `Raw', from the
    > > `Protocol' buttons in the `Session' configuration panel. (See
    > > section 4.1.1.) You can then enter a host name and a port number,
    > > and make the connection.
    >
    > Regards,
    >
    > Marco.
    >
    Cletus Van Damme, Aug 7, 2004
    #7
  8. Frank Fegert

    Walter,

    Walter Roberson wrote:
    > Yes, but as I recall the newly released 6.3(4) finally supports
    > ESMTP, so upgrading may help.


    I take it from the above that you've been playing around with
    6.3(4)? I'd like to update my PIXens too, but decided to wait a
    little in case some horrible "features" emerge in field use ;-)
    Can you or anyone else provide feedback about 6.3(4)'s
    stability and known limitations resp. issues - besides the ones
    mentioned in the release notes?

    Thanks & regards,

    Frank
    Frank Fegert, Aug 7, 2004
    #8
  9. In article <>,
    Frank Fegert <> wrote:
    :i take it from the above, that you've been playing around with
    :6.3(4)? I'd like to update my PIXens too, but decided to wait a
    :little in case some horrible "features" emerge in field use ;-)
    :Can you or anyone else provide a feedback about the 6.3(4)'s

    I have only upgraded one system so far, and that's the one I use
    at home (i.e., not in production use.) I have not noticed any
    operational differences compared to 6.3(3).

    There was a day where I thought that the PIX was perhaps somehow
    introducing large pauses into my remote X and VNC displays, but
    as I had not seen that behaviour before or since, my current
    belief is that it was an issue with my local ISP.
    --
    Warhol's Law: every Usenet user is entitled to his or her very own
    fifteen minutes of flame -- The Squoire
    Walter Roberson, Aug 7, 2004
    #9
  10. Les Mikesell

    "Dave Foster" <> wrote in message
    news:41139b9d$0$22719$...

    > Is EHLO blocked by the PIX mailguard feature?
    >


    Yes, if you have 'fixup' enabled for smtp, it will block esmtp.

    ----
    Les Mikesell
    Les Mikesell, Aug 9, 2004
    #10
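    The IIS log in post #3 (EHLO answered with "500 5.3.3 Unrecognized command") and Les Mikesell's confirmation above describe the Mailguard behaviour of `fixup protocol smtp`: the PIX only passes the RFC 821 minimum command set, so a client that insists on ESMTP gets a 500 and never reaches MAIL FROM, and a character-mode telnet client that dribbles the command out one byte at a time fares no better. The following is an added example, not code from this thread or from Cisco or Microsoft: a small Python client that writes each SMTP command as one complete CRLF-terminated line and downgrades from EHLO to HELO when the greeting is refused (the same downgrade the IIS "send HELO instead of EHLO" remote-domain setting performs), talking to a constructed stub server on localhost that imitates the Mailguard responses so the exchange runs offline. The host names, the stub's reply texts and the port choice are all constructed for the example.

```python
import socket
import threading

CRLF = b"\r\n"


def mailguard_stub_server(port_holder, ready):
    """Constructed stand-in for an SMTP server reached through a PIX with
    'fixup protocol smtp' (Mailguard): only the RFC 821 minimum commands
    get through, and EHLO draws the '500 5.3.3 Unrecognized command'
    seen in the IIS log in the thread.  Not real PIX or IIS code."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # OS picks a free port
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    conn.sendall(b"220 mail.inside.example.test ESMTP ready" + CRLF)
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            break
        buf += data
        while CRLF in buf:                # act only on complete lines
            line, buf = buf.split(CRLF, 1)
            verb = line.split(b" ", 1)[0].upper()
            if verb in (b"HELO", b"MAIL", b"RCPT", b"RSET", b"NOOP"):
                conn.sendall(b"250 OK" + CRLF)
            elif verb == b"QUIT":
                conn.sendall(b"221 bye" + CRLF)
                conn.close()
                srv.close()
                return
            else:                         # EHLO and anything else outside RFC 821
                conn.sendall(b"500 5.3.3 Unrecognized command" + CRLF)
    conn.close()
    srv.close()


def read_reply(rfile):
    """Read one SMTP reply; multi-line replies use 'NNN-' continuation lines."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_handshake(host, port, my_name="mta.dmz.example.test"):
    """Greet an SMTP server, downgrading EHLO -> HELO if ESMTP is refused.
    Returns (greeting_that_succeeded, transcript)."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as sock:
        rfile = sock.makefile("rb")

        def command(cmd):
            # Whole line in a single write: an inspector that sees the command
            # byte-by-byte (character-mode telnet) may reject or drop it.
            sock.sendall(cmd.encode("ascii") + CRLF)
            transcript.append("C: " + cmd)
            code, lines = read_reply(rfile)
            transcript.extend("S: " + l for l in lines)
            return code

        code, lines = read_reply(rfile)              # 220 banner
        transcript.extend("S: " + l for l in lines)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {lines}")

        greeting = "EHLO"
        if command(f"EHLO {my_name}") != 250:      # ESMTP refused: fall back
            greeting = "HELO"
            if command(f"HELO {my_name}") != 250:
                raise RuntimeError("server accepted neither EHLO nor HELO")

        if command(f"MAIL FROM:<postmaster@{my_name}>") != 250:
            raise RuntimeError("MAIL FROM rejected")
        command("QUIT")
        rfile.close()
    return greeting, transcript


def run_demo():
    """Run the client against the constructed Mailguard stub on localhost."""
    port_holder, ready = [], threading.Event()
    server = threading.Thread(target=mailguard_stub_server,
                              args=(port_holder, ready), daemon=True)
    server.start()
    ready.wait(5)
    result = smtp_handshake("127.0.0.1", port_holder[0])
    server.join(5)
    return result


if __name__ == "__main__":
    used, log = run_demo()
    print("\n".join(log))
    print("greeting that succeeded:", used)
```

    Pointing `smtp_handshake` at a real relay instead of the stub shows in one transcript whether the EHLO refusal comes from the path (Mailguard) or from the server, and whether MAIL FROM is still answered once HELO is used, which is the point where the original telnet test stalled.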