SMTP Telnet test fails from DMZ to inside via PIX 515

SMTP connections time out from a server in my DMZ to an SMTP server on my
inside LAN.

I'm trying to set up an SMTP server in my DMZ on a Windows 2000 Server so
that my MX record will point to that server and it will be my public MTA and
relay email for my domain to my Exchange 2003 (SBS Premium) server on my
inside LAN. I have a PIX 515 with an outside, DMZ, and an inside LAN
interface.


|-------| |-------| |-------|
|Cisco | | DMZ | |Inside |
|Pix - |------>| Win2K |------>|Win2k3 |
|515 | | SMTP | |SBS |
|-------| |-------| |-------|

When I try to telnet into the Exchange server from the DMZ I can the HELO
command will be accepted, but the subsequent MAIL command times out.

e.g. mail from:

My SMTP log only has one entry:

2004-08-04 20:01:10 [Win2K test server IP] testdomain.com SMTPSVC1 [Exchange
server name] [Exchange server IP] 0 HELO +test.com 250 0 57 13 0

Why would the second command time out?

I don't think I have a permissions problem on my Exchange server? I'm
allowing
anonymous authentication and connection control lists the Win2K test server
IP as an allowed connector.

Is the PIX between the DMZ and the inside causing the timeout?
I've read some things about path MTU discovery and ICMP feedback messages
getting lost. I only have one router/firewall device though.

Using Microsoft Network Monitor, I do not see subsequent packets come into
the destination NIC after the first helo command.

The only thing I see in the PIX log is:
302001: Built inbound TCP connection 5396326 for faddr [DMZ server IP]/37293
gaddr
[inside server with static DMZ NAT IP]/25 laddr [inside server with static
inside IP]/25

I am able to successfully Telnet (via port 25) to the Exchange server from a
domain computer on the same inside LAN. Gotta be the PIX, right? Port 25 is
open. There must be some other limitation.

I'm NATing the inside server to the DMZ with a static:
static (inside,DMZ) [DMZ address] [inside address] netmask 255.255.255.255 0
0

This is a Cisco PIX-515E Firewall Version 6.1(2).

Any insight would be appreciated.

Thanks,
Dave

 

I would check to see if you have fixup enabled for SMTP. At some point
(or has it always done it) the pix would disallow interactive telnet
sessions to SMTP servers.

Rik Bain

 

I do have a fixup config line:
fixup protocol smtp 25

I see in the cisco doc that Telnet is not supported:
"Also, doing Telnet to port 25 may not work with the fixup protocol smtp
command, especially with a Telnet client that does character mode."
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

I'll have to find another telnet client (other than the windows standard) to
test with, I guess.

When I look at the SMTP logs of my MTA server when it tries to forward
inbound mail to the internal mail server I see the following 3 lines:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-06 02:04:10
#Fields: cs-username s-sitename s-computername s-ip s-port cs-method
cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes
time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)

OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - -
220+*****0****0*************************************************************
0****0*0+*********************200**20*0**0***0*00+ 0 0 126 0 0 SMTP - - - -

OutboundConnectionCommand SMTPSVC1 [MTA server] - 25 EHLO - [MTA server] 0 0
4 0 10 SMTP - - - -

OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - -
500+5.3.3+Unrecognized+command 0 0 30 0 10 SMTP - - - -

Is EHLO blocked by the PIX mailguard feature?

 

I see in the cisco doc that Telnet is not supported:

Anyone know of such a Telnet client (windows) that will work through the PIX
on port 25? Putty?

There is a setting on Windows IIS 5 SMTP service where you can say HELO
instead of EHLO. See remote domain properties.

 

Haven't tried it, but PuTTY 'raw' mode might work, yes.

From the PuTTY docs:

Regards,

Marco.

 

:Is EHLO blocked by the PIX mailguard feature?

Yes, but as I recall the newly released 6.3(4) finally supports
ESMTP, so upgrading may help.

 

Don't have a PIX to try this out on, however we're running IOS w/ the
firewall feature set. Prior to putting that in place, I was able to telnet
to our mail server on port 25 now problem. With the FW feature set, an
attempt to telnet to the mail server on port 25 results in immediate
disconnection from the mail server as soon as you try to issue an SMTP
command. Along with that, you get something like this in your log:

%FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (H)(total 1 chars) from
initiator

Since this discovery, I've used PuTTY in raw mode to connect to our mail
server on port 25 and found that it works great, no problems at all.

Cletus

 

Walter,

i take it from the above, that you've been playing around with
6.3(4)? I'd like to update my PIXens too, but decided to wait a
little in case some horrible "features" emerge in field use ;-)
Can you or anyone else provide a feedback about the 6.3(4)'s
stability and known limitations resp. issues - besides the ones
mentioned in the release notes?

Thanks & regards,

Frank

 

:i take it from the above, that you've been playing around with
:6.3(4)? I'd like to update my PIXens too, but decided to wait a
:little in case some horrible "features" emerge in field use ;-)
:Can you or anyone else provide a feedback about the 6.3(4)'s

I have only upgraded one system so far, and that's the one I use
at home (i.e., not in production use.) I have not noticed any
operational differences compared to 6.3(3).

There was a day where I thought that the PIX was perhaps somehow
introducing large pauses into my remote X and VNC displays, but
as I had not seen that behaviour before or since, my current
belief is that it was an issue with my local ISP.

 

Yes, if you have 'fixup' enabled for smtp, it will block esmtp.