
Cannot send or receive e-mail messages behind a Cisco PIX firewall

April 11, 2008

I faced a problem with Exchange Server mail flow.

My client has a PIX firewall facing the Internet and ISA 2006 behind it.

I placed my Edge server in the DMZ, and 2 Hub servers, 2 CAS servers and an SCC mailbox server in the internal domain. Suddenly all mail flow stopped and messages were stuck in the queues on the Hub and Edge servers.

On the Hub server, the get-queue | fl command gives the following output:

Identity : HUBCAS01\4
DeliveryType : SmtpRelayWithinAdSiteToEdge
NextHopDomain : edgesync – so1-moi to internet
NextHopConnector : 1758a6af-6ef1-4b74-a978-494f28088105
Status : Retry
MessageCount : 1
LastError : 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
LastRetryTime : 4/7/2008 1:18:59 PM
NextRetryTime : 4/7/2008 1:23:59 PM
IsValid : True
ObjectState : Unchanged

Identity : HUBCAS01\Submission
DeliveryType : Undefined
NextHopDomain : Submission
NextHopConnector : 00000000-0000-0000-0000-000000000000
Status : Ready
MessageCount : 0
LastError :
LastRetryTime :
NextRetryTime :
IsValid : True
ObjectState : Unchanged

To work around this problem, make the following changes on the Cisco PIX firewall:

1. Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.

2. Type enable, and then press ENTER.

3. When you are prompted for your password, type your password, and then press ENTER.

4. Type configure terminal, and then press ENTER.

5. Type no fixup protocol smtp 25, and then press ENTER.

6. Type write memory, and then press ENTER.

7. Reload the Cisco PIX firewall.

The PIX Software Mailguard feature filters SMTP traffic. This feature was also referred to as Mailhost in earlier versions. In PIX Software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX Software version 4.2 and in later versions, you use the fixup protocol smtp 25 command. Mailguard allows connections to an e-mail host only through Transmission Control Protocol (TCP) port 25. It logs all SMTP activity. Additionally, it allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1. These seven SMTP server commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

Note: In addition to the Cisco PIX firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are described earlier in this article.
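
To see which parts of a server-to-server session fall outside the RFC 821 Section 4.5.1 minimum set that Mailguard allows, the Python below (an added example, not code from the original post, Cisco or Microsoft) applies that seven-command allow-list to the client side of a constructed ESMTP session. The host names and the session are invented for illustration; X-ANONYMOUSTLS and X-EXPS are Exchange SMTP extension verbs used here as assumed sample traffic, and how the firewall answers a non-listed command is not modelled.

```python
# Added example: the seven-command allow-list (RFC 821 section 4.5.1 minimum set).
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed sample: client side of an ESMTP session between two Exchange
# servers. Host names and addresses are placeholders, not captured traffic.
SAMPLE_CLIENT_LINES = [
    "EHLO hubcas01.example.local",
    "X-ANONYMOUSTLS",
    "EHLO hubcas01.example.local",
    "X-EXPS GSSAPI",
    "mail from:<user@example.local>",
    "RCPT TO:<someone@example.com>",
    "DATA",
    "Subject: test",
    "",
    "EHLO inside the body is message text, not a command",
    ".",
    "QUIT",
]


def client_verbs(lines):
    """Yield (line_number, VERB) for each SMTP command, skipping DATA bodies."""
    in_body = False
    for number, line in enumerate(lines, start=1):
        if in_body:
            # The message body ends at a line holding a single dot.
            in_body = line != "."
            continue
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].upper()  # SMTP verbs are case-insensitive
        yield number, verb
        # Assumption: the server accepted DATA, so body lines follow.
        in_body = verb == "DATA"


def filtered_commands(lines, allowed=RFC821_MINIMUM):
    """Return (line_number, VERB) pairs that the allow-list would not pass."""
    return [(n, v) for n, v in client_verbs(lines) if v not in allowed]


if __name__ == "__main__":
    for number, verb in filtered_commands(SAMPLE_CLIENT_LINES):
        print(f"line {number}: {verb} is outside the RFC 821 minimum set")
```

Running the same function over the client commands in an SMTP protocol log taken on either side of the firewall shows whether the servers depend on verbs that an SMTP-inspecting device in the path will not pass.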
