I have server that is only running ISA, behind this I have an IIS 5 web server which is publishing my web site and intranet through ISA with no problems.

I am using the JMail ASP component to send email through ISA but I keep getting the following - I should point out that I'm routing mail through Messagelabs Antivirus ASP and they have their services configured to recieve mail from the external IP of my ISA server.

This is the error log from JMail:

ClientLogging enabled: Client Remote Address: 192.168.3.2
Number of attachments: 1
attachments:
{
Encoding "D:\TMP\24104832\LFM8FormsUpdate.Zip"
}
.execute()
{
Trying server mail:mail4.messagelabs.com
<- 220 server-6.tower-4.starlabs.net ESMTP
-> EHLO lfmweb.laserform.co.uk
<- 250-server-6.tower-4.starlabs.net
250-SMURFING
250-PIPELINING
250 8BITMIME
-> MAIL FROM:
<- 250 OK
-> RCPT TO:
<- 553 (#5.7.1)
-> DATA
<- 503 RCPT first (#5.5.1)
Error: 503 RCPT first (#5.5.1)

1 of 1 servers failed
}

On the ISA server I have rules to allow SMTP traffic from the web servers internal IP and the ISA servers external IP.

If anyone can help I'd be v. greatful!

Danny

From what you have posted this looks more like an SMTP problem than ISA. However, I say that with my fingers crossed.

The SMTP filter causes problems with the AUTH command, and thatÆs how you send authentication strings to servers, so disable that first and try again. Other than that caveat, here is what I have for you...

I looked at the error codes you posted and came up with the following:

From Q248204:

"Numerical Code: 5.7.1
Possible Cause:
General access denied, sender access denied û the sender of the message does not have the privileges necessary to complete delivery.

You are trying to relay your mail via another SMTP server and it does not permit you to relay.

The recipient might have mailbox delivery restrictions enabled. For example, a recipientÆs mailbox delivery restriction was sent to receive from a Distribution List only and non-memberÆs email will be rejected with this error.

Troubleshooting: Check system privileges and attributes for the contact and retry the message. Also make sure you are running Exchange 2000 Service Pack 1 or later for other potential known issues. "

And from Q256321
"5.5.1 Invalid command"

This looks like MessageLabs is not accepting your RCPT to: field as an acceptable address to relay to. While I doubt they are using Ex2k for their server, the codes are fairly standard.

In Q274638 it states that servers that try to send mail without authentication will get a 5.7.3 error as well, so you may need ask MessageLabs what authorization method they have set for you to relay through them.

Also, this error can be linked to a server whose external address changes. You don't mention how your external interface is configured, but if it uses DHCP the IP declared relay at MessageLabs would fail when your IP changes.

Hope this helps,

Happy computing

[This message has been edited by Dominicon (edited 24 September 2001).]

My money is on your first explanation as I've been assured that the Messagelabs setup is fine.

How do I disable the SMTP filter? Also out of curiosity(!) am I right in thinking that I have to run the Secure Mail Server wizard to allow SMTP mail from my web server (192.168.3.200) through the ISA server, and that the external IP I specify is the actual IP address the mail comes from?

Danny

Under the ISA Management mmc you go to \yourserver\Extentions\Application Filters and right click on SMTP filter (if it doesnÆt have a red arrow on it already û if it does, something else is wrong) and select disable. You will need to restart the firewall service, but I think it offers to do it for you, and then try to send again.

The mail server wizard will configure your outbound smtp for the server as well, but I blew that away and did it by scratch for more practice. :>

For some reason the first external IP is used to send the mail out, so if you have multiple IPs bound external, your mail will appear to come from the first one. IÆve included a truncated header from a mail file so you can see what I mean. My mail related DNS entries point to 65.xxx.xxx.101, but the mail comes out 65.xxx.xxx.99, the first IP on my external card.

Received: from my.exchange.server ([65.xxx.xxx.99]) by durocom.com
with ESMTP
id <200@my.exchange.server>
for <mytestaddress@home>; Wed, 26 Sep 2001 16:41:17 -0400
Received: from me ([192.168.xxx.xxx]) by my.exchange.server with Microsoft SMTPSVC(5.0.2195.3779);
Wed, 26 Sep 2001 15:41:14 û0500

Unfortunately, Ex2k lists my internal IP as where the mail was received from, with the external interface on my ISA listed as where the receiving server got the mail.

Let me know if this helps, and we can bounce it around more if it doesnÆt.

Should the SMTP filter be disabled from the word go, because mine is!?

Danny

I turned it on when I was setting up my Ex2k server and then tracked an authentication problem to it. So, I turned it off again.

Just thinking of all we have talked about, did MessageLabs use the IP to define the relay rule at thier end. If so, and you have specified an IP higher than your first, then it could be the problem.

quote:

---

Originally posted by beanz:
So if my main Exchange 5.5 server is on 195.167.xxx.xx1 and the isa server is 195.167.xxx.xx2, that could be the problem?

---

If MessageLabs is allowing a relay from 195.167.xxx.xx1 and your ASP is going out 195.167.xxx.xx2 (By default), then yep, that could be the problem.

But earlier you stated:

ôand they have their services configured to receive mail from the external IP of my ISA server.ö

So, I may be wrong. If MessageLabs is set up to allow relay through ISA (xx1), then this should be working.

Hmmmmà.

From another thread you stated that the Ex5.5 server was exposed, and you are moving it behind the ISA server.

Is it there yet? If so, and you defined the Ips on the external interface of ISA in this order:
195.167.x.2
195.168.x.1

Then it would make sense that it fails. ISA will use the first defined IP (xx2) to send outgoing traffic.

Sorry if this jumped around a bit, I am just trying to make sure I have it all strait, and the coffee hasnÆt kicked in yet.

[This message has been edited by Dominicon (edited 27 September 2001).]

At the mo the main website is on 195.167.xxx.194
At the mo my exchange is on 195.167.xxx.196
At the mo the ISA primary ext IP is 195.167.xxx.197

Messagelabs is configured to RECIEVE mail from 196 and 197 but only forward any incoming mail to 196.

How did the migration go?

At the cost of showing my ignorance, what is "mo"?

Much of the following is brainstorming, so some of it may be moot...

If there is no smtp forwarder on the ISA server (not a smart idea anyway, as this involves "unnecessary" services on the firewall), then your asp may be using your client IP as the source.

From the first post:
Client Remote Address: 192.168.3.2

MessageLabs will not allow relay from this address. I would think that x.197 should have been written to the header, as evidenced by my mail header having the external IP.

Received: from my.exchange.server ([65.xxx.xxx.99])

By chance did you send mail from the asp to your exchange server through ISA for testing? That would show us what IP was written to the header and we would know for sure.

asp -> ISA -> Ex5.5 Local mailbox

When the Ex5.5 server is behind ISA and running, try to relay the asp through your Ex5.5 to MessageLabs. I'd be interested if that works or not.

asp -> Ex5.5 -> ISA -> MessageLabs

First send one to a local mailbox on the Ex5.5 machine so you can see the exact headers the asp is sending. That will help if this continues to not work.

asp -> Ex5.5 Local mailbox

I keep getting the feeling that the solution to this is quite simple, but we just haven't hit the right question to ask.

Jay

The migration was cancelled! Instead it is being done tonight as part of a multi-site Active Directory upgrade which will involve lots of messing around with server roles so I thought it best to wait!

As part of the AD stuff we'll be going with Exchange 2K. Do you know if this would cause/cure any problems??

Danny

When you bite off a chunk, you make it a big one!

Right off hand I can't think of any problems this may generate/fix related to the thread, but there are a bunch of Win2k problems that could come up.

Make sure you set up a BDC before you upgrade to AD and keep it offline. That saved my proverbial butt when I upgraded. Had some permissions problems on my DCs that hosed the upgrade, and the BDC let me down it all and start again.

Also pull your PDC off the network during the upgrade so no machine accounts get changed. I had client machines whose accounts I had to reset when the upgrade failed. Big pain in the rear.

I've got a description of my Ex2k and ISA settings up here. It is rather lean, but I can fill in any parts if you need me to.

I'll try to get on the board tonight and several times this weekend, so if you have any problems I may be able to help. I'll be on and off all day today too.

YouÆre going to be busy this weekend, good luck.

Jay

Once I'm happy with that I will then begin to monkey around with server roles, adding them to the AD as I go.

The plan is that if all goes to pot we'll have only shafted the isolated network.

That sound ok?

You will want to promote the BDC to PDC before you isolate the servers. That way no changes can be made to the domain until you are done. (remaining BDCs being read only.) Otherwise you will end up with mis-matched account data when you bring the AD DC back online.

One of the things that got me was I needed to give the "Access this computer from the network" user right to the domain controllers group on the Domain controllers you create. IE, give the DC group permission to access the other DCs over the network.

I thought this would have happened automatically, but for some reason it didn't. I found the problem using repadmin (on the Win2k cd, support tools dir) and replication monitor. If you are going to go for W2k MCSE, get to know these tools.

I don't know what your position is, but make sure you have the correct permissions on your admin account before you get started. If you don't have Enterprise (god mode) or Schema admin rights some things will fail and not give a very informative error message.

Then, if all goes well, you can bring your AD DCs online and the BDCs should gracefully hand over control. If it goes bad, just promote your favorite BDC on the main network, and start over.

All the operations roles will be assigned to the first AD DC you create (Promoted PDC), and you will have to move them to other AD DCs if you don't want them all on one machine.

Take care in moving Operations roles. There are some rules about what roles can be held by what servers depending on the servers applications. There are some good Q articles on the subject in the Knowledge base, just search for "Operations Roles".

After ousting all NT 4 BDCs you can go to native mode AD and start to really have fun.

It's a sick, painful kind of fun, but that's why I'm in the business. :>

Jay

One thing I failed to mention in my previous post was that I plan to retire the NT4 PDC (or set it up as a fax server) as it really isn't up to the job as it handles Exchange as well.

Danny

My old PDC now serves as a backup DNS/Wins server. Old SQL server is now my ISA server.

Old computers never die, they just get reformatted and redeployed.

How do I set the "Access this computer form the network" permission to the Domain Controllers group?

Apart from this problem everything is now going fine with the upgrade - had a few problems finding spare pc's up to the job but thats about it so far!

Danny

The domain migration has been scrapped for a re-think!

Is there any other way I can contact you as we need some advise!

Danny

In Admin Tools, local security policy on the servers themselves, or better, in Domain Controlers Security Policy, Local Policy, User Rights, Access this computer... Look for/Add the Domain Controlers Group.

Sometimes our best laid plans bite us back.

Mail me at armstrong@isdnet.org

Jay