SMTP Telnet test fails from DMZ to inside via PIX 515

Discussion in 'Cisco' started by Dave Foster, Aug 6, 2004.

  1. Dave Foster

    SMTP connections time out from a server in my DMZ to an SMTP server on my
    inside LAN.

    I'm trying to set up an SMTP server in my DMZ on a Windows 2000 Server so
    that my MX record will point to that server and it will be my public MTA and
    relay email for my domain to my Exchange 2003 (SBS Premium) server on my
    inside LAN. I have a PIX 515 with an outside, DMZ, and an inside LAN
    interface.


    |-------|       |-------|       |-------|
    |Cisco  |       | DMZ   |       |Inside |
    |Pix -  |------>| Win2K |------>|Win2k3 |
    |515    |       | SMTP  |       |SBS    |
    |-------|       |-------|       |-------|

    When I try to telnet into the Exchange server from the DMZ I can see the HELO
    command will be accepted, but the subsequent MAIL command times out.

    e.g. mail from:

    My SMTP log only has one entry:

    2004-08-04 20:01:10 [Win2K test server IP] testdomain.com SMTPSVC1 [Exchange
    server name] [Exchange server IP] 0 HELO +test.com 250 0 57 13 0

    Why would the second command time out?

    I don't think I have a permissions problem on my Exchange server? I'm allowing
    anonymous authentication and the connection control list has the Win2K test
    server IP as an allowed connector.

    Is the PIX between the DMZ and the inside causing the timeout?
    I've read some things about path MTU discovery and ICMP feedback messages
    getting lost. I only have one router/firewall device though.

    Using Microsoft Network Monitor, I do not see subsequent packets come into
    the destination NIC after the first helo command.

    The only thing I see in the PIX log is:
    302001: Built inbound TCP connection 5396326 for faddr [DMZ server IP]/37293 gaddr [inside server with static DMZ NAT IP]/25 laddr [inside server with static inside IP]/25

    I am able to successfully Telnet (via port 25) to the Exchange server from a
    domain computer on the same inside LAN. Gotta be the PIX, right? Port 25 is
    open. There must be some other limitation.

    I'm NATing the inside server to the DMZ with a static:
    static (inside,DMZ) [DMZ address] [inside address] netmask 255.255.255.255 0 0

    This is a Cisco PIX-515E Firewall Version 6.1(2).

    Any insight would be appreciated.

    Thanks,
    Dave
     
    Dave Foster, Aug 6, 2004
    #1

  2. Rik Bain


    I would check to see if you have fixup enabled for SMTP. At some point
    (or has it always done it) the pix would disallow interactive telnet
    sessions to SMTP servers.

    Rik Bain
     
    Rik Bain, Aug 6, 2004
    #2

  3. Dave Foster

    I do have a fixup config line:
    fixup protocol smtp 25

    I see in the cisco doc that Telnet is not supported:
    "Also, doing Telnet to port 25 may not work with the fixup protocol smtp
    command, especially with a Telnet client that does character mode."
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

    I'll have to find another telnet client (other than the windows standard) to
    test with, I guess.

    When I look at the SMTP logs of my MTA server when it tries to forward
    inbound mail to the internal mail server I see the following 3 lines:

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2004-08-06 02:04:10
    #Fields: cs-username s-sitename s-computername s-ip s-port cs-method
    cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes
    time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)

    OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - -
    220+*****0****0*************************************************************
    0****0*0+*********************200**20*0**0***0*00+ 0 0 126 0 0 SMTP - - - -

    OutboundConnectionCommand SMTPSVC1 [MTA server] - 25 EHLO - [MTA server] 0 0
    4 0 10 SMTP - - - -

    OutboundConnectionResponse SMTPSVC1 [MTA server] - 25 - -
    500+5.3.3+Unrecognized+command 0 0 30 0 10 SMTP - - - -

    Is EHLO blocked by the PIX mailguard feature?
     
    Dave Foster, Aug 6, 2004
    #3
  4. Dave Foster

    I see in the cisco doc that Telnet is not supported:
    Anyone know of such a Telnet client (windows) that will work through the PIX
    on port 25? Putty?

    There is a setting on Windows IIS 5 SMTP service where you can say HELO
    instead of EHLO. See remote domain properties.
     
    Dave Foster, Aug 6, 2004
    #4
  5. Haven't tried it, but PuTTY 'raw' mode might work, yes.

    From the PuTTY docs:
    Regards,

    Marco.
     
    M.C. van den Bovenkamp, Aug 6, 2004
    #5
  6. :Is EHLO blocked by the PIX mailguard feature?

    Yes, but as I recall the newly released 6.3(4) finally supports
    ESMTP, so upgrading may help.
     
    Walter Roberson, Aug 7, 2004
    #6
  7. Don't have a PIX to try this out on, however we're running IOS w/ the
    firewall feature set. Prior to putting that in place, I was able to telnet
    to our mail server on port 25, no problem. With the FW feature set, an
    attempt to telnet to the mail server on port 25 results in immediate
    disconnection from the mail server as soon as you try to issue an SMTP
    command. Along with that, you get something like this in your log:

    %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (H)(total 1 chars) from initiator

    Since this discovery, I've used PuTTY in raw mode to connect to our mail
    server on port 25 and found that it works great, no problems at all.

    Cletus
     
    Cletus Van Damme, Aug 7, 2004
    #7
  8. Frank Fegert

    Walter,

    I take it from the above, that you've been playing around with
    6.3(4)? I'd like to update my PIXens too, but decided to wait a
    little in case some horrible "features" emerge in field use ;-)
    Can you or anyone else provide feedback about the 6.3(4)'s
    stability and known limitations resp. issues - besides the ones
    mentioned in the release notes?

    Thanks & regards,

    Frank
     
    Frank Fegert, Aug 7, 2004
    #8
  9. :i take it from the above, that you've been playing around with
    :6.3(4)? I'd like to update my PIXens too, but decided to wait a
    :little in case some horrible "features" emerge in field use ;-)
    :Can you or anyone else provide a feedback about the 6.3(4)'s

    I have only upgraded one system so far, and that's the one I use
    at home (i.e., not in production use.) I have not noticed any
    operational differences compared to 6.3(3).

    There was a day where I thought that the PIX was perhaps somehow
    introducing large pauses into my remote X and VNC displays, but
    as I had not seen that behaviour before or since, my current
    belief is that it was an issue with my local ISP.
     
    Walter Roberson, Aug 7, 2004
    #9
  10. Les Mikesell

    Yes, if you have 'fixup' enabled for smtp, it will block esmtp.
     
    Les Mikesell, Aug 9, 2004
    #10
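An added example (not from the thread, Cisco or Microsoft) of the line-mode SMTP test client Dave was looking for: it sends whole CRLF-terminated commands (which a character-mode telnet client does not), tries EHLO and falls back to HELO, and reports the two signatures the thread attributes to the PIX SMTP fixup (Mailguard): the asterisk-masked 220 banner and the "500 5.3.3 Unrecognized command" reply to EHLO. The HELO name, the hostnames and the transcript it is run against offline are constructed.

```python
import io
import socket

def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply and return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
            return int(line[:3]), "\n".join(lines)

def banner_looks_masked(text):
    """Mailguard rewrites the 220 banner to asterisks (only digits survive)."""
    return text.count("*") > len(text) / 2

def probe(rfile, wfile, helo_name="probe.example.test"):
    """Line-mode SMTP greeting: whole commands, EHLO first, HELO as fallback."""
    result = {}
    code, banner = read_reply(rfile)
    result["banner_masked"] = banner_looks_masked(banner)
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    code, _ = read_reply(rfile)
    result["esmtp_blocked"] = code == 500        # Mailguard's answer to EHLO
    if result["esmtp_blocked"]:
        wfile.write(f"HELO {helo_name}\r\n".encode("ascii"))
        code, _ = read_reply(rfile)
    result["greeting_ok"] = code == 250
    wfile.write(b"QUIT\r\n")
    return result

def probe_host(host, port=25, timeout=10):
    """Run the probe against a live server (e.g. the inside MTA from the DMZ host)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe(s.makefile("rb"), s.makefile("wb", buffering=0))

# Constructed transcript modelled on the IIS log in post #3: masked banner,
# EHLO rejected with 500, HELO accepted (hostname/IP are made up).
MAILGUARD_TRANSCRIPT = (
    b"220 *****0****0*********************200**20*0**0***0*00\r\n"
    b"500 5.3.3 Unrecognized command\r\n"
    b"250 exchange.example.test Hello [10.0.0.5]\r\n"
)

def demo():
    """Offline run against the constructed transcript: (diagnosis, bytes sent)."""
    wfile = io.BytesIO()
    return probe(io.BytesIO(MAILGUARD_TRANSCRIPT), wfile), wfile.getvalue()
```

On a real link, `esmtp_blocked` together with `banner_masked` is the fixup at work rather than a broken mail server, and the fix is the one the thread reaches: upgrade to a PIX release with ESMTP support or tell the DMZ MTA to use HELO for that remote domain.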
