Cannot send or receive e-mail messages behind a Cisco PIX firewall

I ran into a problem with Exchange Server mail flow.

My client has a Cisco PIX firewall facing the Internet and ISA Server 2006 behind it.

I placed the Edge Transport server in the DMZ, with two Hub Transport servers, two Client Access servers and an SCC (single copy cluster) Mailbox server in the internal domain. Suddenly all mail flow stopped and messages got stuck in the queues on the Hub Transport and Edge Transport servers.

On the Hub Transport server, Get-Queue | fl gives the following output:

Identity : HUBCAS01\4
DeliveryType : SmtpRelayWithinAdSiteToEdge
NextHopDomain : edgesync – so1-moi to internet
NextHopConnector : 1758a6af-6ef1-4b74-a978-494f28088105
Status : Retry
MessageCount : 1
LastError : 451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
LastRetryTime : 4/7/2008 1:18:59 PM
NextRetryTime : 4/7/2008 1:23:59 PM
IsValid : True
ObjectState : Unchanged

Identity : HUBCAS01\Submission
DeliveryType : Undefined
NextHopDomain : Submission
NextHopConnector : 00000000-0000-0000-0000-000000000000
Status : Ready
MessageCount : 0
LastError :
LastRetryTime :
NextRetryTime :
IsValid : True
ObjectState : Unchanged

The following change on the Cisco PIX firewall works around the problem by turning Mailguard off:

1. Establish a Telnet session to log on to the Cisco PIX firewall, or use the console to log on to it. (Where the PIX software supports SSH, prefer it over Telnet, which sends the login and enable passwords in the clear.)

2. Type enable, and then press ENTER.

3. When you are prompted for your password, type your password, and then press ENTER.

4. Type configure terminal, and then press ENTER.

5. Type no fixup protocol smtp 25, and then press ENTER.

6. Type write memory, and then press ENTER.

7. Reload the Cisco PIX firewall.

The PIX Software Mailguard feature filters SMTP traffic. This feature was referred to as Mailhost in earlier versions. In PIX Software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX Software version 4.2 and later versions, you use the fixup protocol smtp 25 command. Mailguard allows connections to an e-mail host only through Transmission Control Protocol (TCP) port 25. It logs all SMTP activity. Additionally, it allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1. These are the following seven commands:

HELO
MAIL
RCPT
DATA
RSET
NOOP
QUIT

Anything else, including EHLO and the extended verbs Exchange 2007 servers use to authenticate to each other (STARTTLS, X-ANONYMOUSTLS, X-EXPS), is not allowed through. The Hub Transport server therefore never gets to negotiate Exchange Server authentication with the Edge Transport server, reports "451 5.7.3 Cannot achieve Exchange Server authentication", and leaves the message in the queue in Retry.
Note: In addition to the Cisco PIX firewall, several other firewall products have SMTP proxy capabilities that can produce the issue described in this article. On PIX 7.x and Cisco ASA the same function is the ESMTP inspection enabled by inspect esmtp in the global policy map, so the equivalent workaround is no inspect esmtp under the inspection class. Whichever product is in the path, turning the inspection off removes SMTP command filtering for everything that passes through the firewall, not only the Hub-to-Edge traffic, so scope the exemption to the Exchange servers' addresses where the platform allows it and make sure the Edge Transport server's Receive connectors are the control you rely on.
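As an added check (example code written for this edit, not from the original post or from Microsoft's article), the Python script below does what the Hub Transport server does at the start of every session: it connects to the Edge server on TCP 25, reads the banner, sends EHLO and reports whether the verbs needed for Exchange Server authentication (X-ANONYMOUSTLS, X-EXPS, STARTTLS) come back, or whether the banner has been blanked with asterisks and EHLO refused, which is the signature of Mailguard-style inspection. The host EDGE01.contoso.com, the address 10.0.0.5 and the three sample transcripts are constructed for the offline run; to probe the real path, run it from a Hub Transport server with the Edge server's name as the argument, once before and once after the change on the firewall.

```python
"""Added diagnostic, not from the original post: replay what the Hub Transport
server does at session start (read the banner, send EHLO) and report whether an
SMTP proxy or inspector in the path hides the ESMTP verbs Exchange needs for
Exchange Server authentication. Usage against a live peer (placeholder host):
    python probe.py edge01.contoso.com
With no argument it analyzes the constructed sample transcripts below."""
import re
import socket
import sys

# ESMTP keywords behind "Exchange Server authentication" on Exchange 2007:
# X-ANONYMOUSTLS (Hub <-> Edge direct trust), X-EXPS (Kerberos/NTLM between
# internal Exchange servers) and STARTTLS, the prerequisite for both. A Hub
# that never sees them on EHLO cannot authenticate: that is the 451 5.7.3.
EXCHANGE_AUTH_KEYWORDS = ("X-ANONYMOUSTLS", "X-EXPS", "STARTTLS")


def parse_reply(reply):
    """Return (code, [text of each line]) for a one- or multi-line SMTP reply."""
    lines = [ln for ln in reply.replace("\r", "").split("\n") if ln.strip()]
    if not lines:
        return 0, []
    code = int(lines[0][:3])
    texts = [ln[4:].strip() for ln in lines if re.match(r"^\d{3}[ -]", ln)]
    return code, texts


def analyze(banner, ehlo_reply):
    """Classify a banner + EHLO exchange; returns a dict of findings."""
    findings = {"banner_masked": False, "ehlo_rejected": False, "missing": []}
    # Mailguard-style inspection blanks the greeting with asterisks, leaving
    # only the 220 code: the first visible symptom of an SMTP proxy.
    if re.match(r"^220 [* ]+$", banner.strip()):
        findings["banner_masked"] = True
    code, texts = parse_reply(ehlo_reply)
    if code != 250:
        # EHLO refused (rewritten by the proxy, answered 500 by the server):
        # the session is limited to plain RFC 821 SMTP, no extensions at all.
        findings["ehlo_rejected"] = True
        findings["missing"] = list(EXCHANGE_AUTH_KEYWORDS)
        return findings
    # The first 250 line is the greeting; the rest are "KEYWORD [params]".
    advertised = {t.split()[0].upper() for t in texts[1:] if t}
    findings["missing"] = [k for k in EXCHANGE_AUTH_KEYWORDS if k not in advertised]
    return findings


def _read_reply(sock):
    """Read one SMTP reply; a multi-line reply ends at a 'NNN ' (space) line."""
    buf = b""
    while not re.search(rb"(^|\n)\d{3} [^\n]*\r?\n$", buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def probe(host, port=25, helo_name="probe.example.invalid", timeout=10):
    """Run the banner/EHLO exchange against host:port and analyze it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_reply(sock)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo_reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return analyze(banner, ehlo_reply)


# Constructed sample transcripts for offline runs (not captured from the
# environment in the post); host name and address are placeholders.
HEALTHY_BANNER = "220 EDGE01.contoso.com Microsoft ESMTP MAIL Service ready\r\n"
HEALTHY_EHLO = (
    "250-EDGE01.contoso.com Hello [10.0.0.5]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-X-ANONYMOUSTLS\r\n"
    "250-X-EXPS GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)
# Mailguard-style: banner blanked, EHLO rewritten and refused by the server.
MASKED_BANNER = "220 **************************************\r\n"
MASKED_EHLO = "500 5.3.3 Unrecognized command\r\n"
# A proxy that passes EHLO but strips the Exchange-specific verbs.
FILTERED_EHLO = (
    "250-EDGE01.contoso.com Hello [10.0.0.5]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("healthy ", analyze(HEALTHY_BANNER, HEALTHY_EHLO))
        print("masked  ", analyze(MASKED_BANNER, MASKED_EHLO))
        print("filtered", analyze(HEALTHY_BANNER, FILTERED_EHLO))
```

Run it from the Hub, not from the Edge itself: the point is to exercise the firewall between them, and a clean EHLO answer seen on the Edge's own console says nothing about what the PIX lets through. A result with banner_masked or ehlo_rejected set, or with X-ANONYMOUSTLS in the missing list, is the same condition the queue reports as 451 5.7.3.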

  1. Bill
    June 5, 2009 at 4:02 am

    Totally bailed us out on this one. We have been scratching our heads on the ASA (but it's the Inspect statement on the ASA). Thanks for the great post. Let us know where we can send you something nice for your help!!!!

  2. Mohamed Fawzi
    June 5, 2009 at 8:24 am

    LOL.. Can I give you my bank account number for your gift ?!!!! 🙂

    Thanks Bill for your kind words.

  3. Shawn
    July 10, 2009 at 5:37 am

    I have 2 sites, each with an Exchange 2007 server. I installed new Cisco ASA firewalls, and for the life of me could not get mail to flow between sites. Before the new firewalls everything worked great. After upgrading, site to site (internal) mail was piling up in the queue. This post was the fix! I can now stop banging my head against the wall!!!


  4. Mohamed Fawzi
    August 4, 2009 at 2:40 pm


