Welcome to ISAserver.org

Specific SMTP domain is being blocked

Specific SMTP domain is being blocked - 6.Mar.2003 6:22:00 PM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi All,

I think I've got a good one for ya. Our ISA server is not allowing SMTP mail to send to a specific domain. Yet, we can get mail from that domain. Here's where it really gets interesting. I can TELNET (per mskb:Q153119) to the remote SMTP domain from a client machine and successfully send a manual e-mail to it. But, I can't do this from any of our servers.

To see if this was a configuration problem, I tried a TELNET session to another unrelated SMTP server and successfully connected to it from our server. So, it's not a configuration problem.

Looking at the Packet Filter log it states that the connection is being blocked by ISA. However, I can't find a single rule that has that IP/Hostname in it.

There is one caveat to this scenario that may be related, but not likely. We have a VPN connection with the same domain. It is a router-to-router VPN connection and only one port is allowed through the ISA with an IP address that isn't the SMTP server's address.

Any ideas on where else to look would be a great help.

[ March 06, 2003, 06:27 PM: Message edited by: mapman ]
Post #: 1
RE: Specific SMTP domain is being blocked - 6.Mar.2003 11:42:00 PM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Greetings mapman from down under, [Cool]
That is a good one...

I guess a few questions to start things off. Has this always been the case? Recently started? What's changed recently then?

You say you can't manually send to the remote mail server from your server (I presume you mean the ISA box?), does the remote mail server respond to a ping packet?
Check out the SMTP header of inbound mail from the domain and see if the source IP is the same as where you're trying to send to. If not, try the sender IP.
When all else fails, suggest to the remote end that they set up a secondary MX record at their ISP/wherever in case their mail server or connection dies.... and all mail you send to them will be routed thru that 2ndary mail server...

HTH.

(in reply to mapman)
Post #: 2
RE: Specific SMTP domain is being blocked - 7.Mar.2003 12:41:00 AM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi Tolk,

I've tried TELNET sessions from the ISA and Exchange servers. Neither one allows a TELNET session to this specific domain. However, from a client machine it works. The remote host doesn't respond to ping requests (they're blocked).

You mention a secondary MX record for the remote host. Well, they have a secondary one. Looking at NETMON traces, the secondary is always tried too. It's on a separate IP space and fails as well. Also, looking at the NETMON logs, I can see EHLO/HELO negotiations with other SMTP hosts, but not the one in question.

I've run the ISAInfo tool found at ISA Tools and I'm looking through the results now.

As far as, when did this happen? It seems that it was around the time of the VPN connections we were attempting. But, from what I can see, all the "test configurations" have been removed or disabled. I'll know more when I finish checking the ISAInfo results.

Thank you for your reply and suggestions/questions. It gets my mind working on other scenarios to research.

(in reply to mapman)
Post #: 3
RE: Specific SMTP domain is being blocked - 7.Mar.2003 12:04:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mark,

is the router-to-router VPN connection outside to ISA server?

Have you modified the routing or LAT on ISA server to support the VPN connection?

What is the Firewall log telling you? Just make sure you enable the logging of all fields and pay particular attention to the fields sc-status, rule#1 (protocol) and rule#2 (site&content).

HTH,
Stefaan

(in reply to mapman)
Post #: 4
RE: Specific SMTP domain is being blocked - 7.Mar.2003 6:27:00 PM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi Stefaan,

The router-to-router VPN is outside the ISA server. I have a packet filter allow rule that allows traffic to/from one specific port for that connection. It is using the IP address that's on the private interface of the router via a static route on the router. Thus, the router is resolving the private/public address pair, not the ISA server. ISA is using only the private address and port number for the packet filter.

Checking the FW log, it shows "Mail wizard rule - SMTP. Internal IP: x.x.x.x Allow rule". But, the sc-status = 10060 (connection timed out). I have no LAT entry for the connection. I'm still analyzing the results of the ISAInfo script. With nearly 100 pages of results, it's a bit overwhelming.

I don't know if this helps, but here's what the IP log shows (pseudo-IP addresses and payload removed)
quote:
2003-03-05 23:28:40 66.1.1.1 206.1.1.1 Udp 1025 137 - BLOCKED 66.1.1.1

Thank you very much for your questions and any direction you offer is extremely appreciated.

[ March 07, 2003, 08:15 PM: Message edited by: mapman ]

(in reply to mapman)
Post #: 5
RE: Specific SMTP domain is being blocked - 8.Mar.2003 12:14:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mark,

if you post an excerpt from the log files, please make sure you have enabled the logging of *all* fields and post them unmodified. Otherwise it is rather hard to read them. [Big Grin]

With the available info it sounds that the request is allowed by ISA server (no blocked packets for TCP port 25 in the IP log), but no return traffic is seen. On the other hand, it seems to work from an internal client, just not from the server. Right?

I suggest the following:

1) make sure you enable the logging of *all* fields on the ISA server for *all* the logs.
2) take a network monitor trace at the ISA external interface. I would use an external network monitor in this situation. Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000062 for a very good and free one.
3) run a telnet smtpserver 25 from an internal client.
4) run a telnet smtpserver 25 from the server.

With that info, you should be able to determine if the request definitely leaves the ISA server and what is the difference between the packets sent by the client and the server. Seen from the outside, both requests should be sent with the same source IP of the ISA external interface.

BTW --- what packet filter have you put in place for that VPN connection?

HTH,
Stefaan

(in reply to mapman)
Post #: 6
RE: Specific SMTP domain is being blocked - 10.Mar.2003 12:55:00 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
With the successful connection from the internal clients but NOT from the ISA machine, it almost appears like a DNS naming issue.
Do both clients and the server resolve the name to the same IP? Stefaan's suggestion of network tracing of client and server connection attempts will also verify both are trying to get to the same remote IP.

(in reply to mapman)
Post #: 7
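
Added example (not part of any post in this thread): a scripted version of the manual `telnet smtpserver 25` comparison and the DNS check suggested in posts #6 and #7. Run it on both the internal client and the server and diff the output; the function names and outcome labels are hypothetical, chosen for this sketch.

```python
import socket
import sys

def resolve(host, port=25):
    """IPv4 addresses that THIS machine resolves host to (compare across hosts)."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe_smtp(ip, port=25, timeout=10.0):
    """Open one TCP connection and classify what came back.

    banner    - a 220 greeting arrived: the path works end to end
    no-banner - handshake completed, but no 220 greeting followed
    refused   - connection refused (Winsock 10061): host reached, port closed
    timeout   - no reply at all (Winsock 10060): dropped on the path or far end
    error     - any other socket error
    """
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return ("timeout", "no reply to connect within %.1fs" % timeout)
    except ConnectionRefusedError:
        return ("refused", "connection refused")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            greeting = sock.recv(512).decode("ascii", "replace").strip()
        except (socket.timeout, TimeoutError):
            return ("no-banner", "connected, but no greeting within %.1fs" % timeout)
        except OSError as exc:
            return ("error", str(exc))
    if greeting.startswith("220"):
        return ("banner", greeting)
    return ("no-banner", greeting or "peer closed without a greeting")

def report(host, port=25, timeout=10.0):
    """One line per resolved address; run on client and server, then diff."""
    lines = []
    for ip in resolve(host, port):
        outcome, detail = probe_smtp(ip, port, timeout)
        lines.append("%s %s:%d %s %s" % (host, ip, port, outcome, detail))
    return lines

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python smtp_probe.py <mail host>  (host name supplied by the operator)
    for line in report(sys.argv[1]):
        print(line)
```

A differing address list between the two hosts points at name resolution; identical addresses with `banner` on one host and `timeout` on the other point at filtering keyed on the source.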
RE: Specific SMTP domain is being blocked - 10.Mar.2003 5:55:00 PM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi Stefaan and Tolk:

I hadn't thought about comparing the traffic from a client to the remote mail server to the traffic from a server. You can bet I'll do that as soon as this is sent. [Wink]

As for the packet filter, it allows TCP traffic from any remote port of a specific IP address (the one the external router is mapping the remote public IP address to) to a specific port on the external NIC of the ISA server. Then I have a Server Publishing rule that re-directs that traffic to an internal IP address on a machine that responds to that traffic.

Also, I am logging all fields for all the logs. I just truncated the header and payload information on the log information I posted. If that information will help, I'll be happy to post it. But, I'm no longer getting "BLOCKED" log records. Now, I'm getting "10060" in the cs-status field. Looking at Microsoft's - Firewall and Web Proxy log fields page it states that "10060" means "Connection timed out".

Thank you guys for the feedback and tips. They are tremendously helpful.

I'm off to trace the traffic. [melody=Wizard of Oz]

(in reply to mapman)
Post #: 8
RE: Specific SMTP domain is being blocked - 11.Mar.2003 1:47:00 AM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi All,

Just an update on this whole mess. I installed Firewall client and disabled "Auto Detect ISA" and now I'm able to Telnet from the mail server. But, regular SMTP mail is still failing with 10060 in the cs-status field.

Still searching...

(in reply to mapman)
Post #: 9
RE: Specific SMTP domain is being blocked - 11.Mar.2003 6:28:00 PM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Since I've been focused on resolving this issue, I added email notification of most errors. This particular SMTP error concerns me. It's an "An unknown SMTP command" error.

quote:
ISA Server name: ISASRVR

XEXCH50 1020

Does anyone know what this means? My pal Google doesn't.

(in reply to mapman)
Post #: 10
RE: Specific SMTP domain is being blocked - 14.Mar.2003 9:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mark,

any evolution in this topic?

Thanks,
Stefaan

(in reply to mapman)
Post #: 11
RE: Specific SMTP domain is being blocked - 14.Mar.2003 11:11:00 PM   
mapman

 

Posts: 15
Joined: 6.May2002
From: California
Status: offline
Hi Stefaan,

Yes there's a resolution. The remote host had a rule on their firewall that was blocking inbound traffic because of the VPN. This was conclusively verified when we had to swap our IP addresses.

All is up and running good now. The ISA Logs and Netmon traces were extremely critical in troubleshooting this problem. It was proof positive that the problem was not on our side.

Thank you to you and Tolk for all your assistance with resolving this.

(in reply to mapman)
Post #: 12
RE: Specific SMTP domain is being blocked - 14.Mar.2003 11:19:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mark,

very glad to hear your problem is solved and thanks for the follow up! [Smile]

BTW --- never underestimate the power of the logs and a good netmon trace! [Cool]

Thanks,
Stefaan

(in reply to mapman)
Post #: 13
