Discussion about article on troubleshooting SMTP Server Publishing

Discussion about article on troubleshooting SMTP Server... - 13.Dec.2004 1:57:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on troubleshooting SMTP Server Publishing rules at http://isaserver.org/articles/2004troubleshootsmtp.html.

Thanks!
Tom

[ December 13, 2004, 02:20 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 4:10:00 PM   
Guest
I have my SMTP published through ISA 2000. I have, on the IIS Virtual server, my two domains listed as being able to forward to. In the IIS logs when the domain is resolved it always shows the IP as being a local address (127.0.0.1) and therefore I can not set up RDNS failure blocking rules. Any ideas?

(in reply to tshinder)
  Post #: 2
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 5:37:00 PM   
minerat

 

Posts: 142
Joined: 19.Mar.2003
From: Philadelphila
Status: offline
Tom,

Is it normal in 2004 for the SMTP Publishing Wizard to only allow inbound access to SMTP?

When I ran the publishing wizard in 2000, it correctly assumed that I wanted to be able to SEND mail from the SMTP server I was publishing.

It doesn't look like 2004 does that. With a similar setup to what you have (published server rule & a deny all rule), my outgoing SMTP sends are denied by the deny all rule. This is a pretty important and not obvious change.

(in reply to tshinder)
Post #: 3
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 5:44:00 PM   
uhhuhyea

 

Posts: 11
Joined: 13.May2004
Status: offline
Follow up to my previous question:

We have ISA 2000 as the firewall/gateway. I have IIS SMTP configured to forward emails just for my domain to a smart host (Trend's IMS). Is there something special I have to do to get RDNS filtering to work correctly? As it stands all RDNS fails because the IIS SMTP service says all domains resolve to the local IP of 127.0.0.1.

[ December 13, 2004, 05:45 PM: Message edited by: uhhuhyea ]

(in reply to tshinder)
Post #: 4
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 6:07:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by uhhuhyea:
Follow up to my previous question:

We have ISA 2000 as the firewall/gateway. I have IIS SMTP configured to forward emails just for my domain to a smart host (Trend's IMS). Is there something special I have to do to get RDNS filtering to work correctly? As it stands all RDNS fails because the IIS SMTP service says all domains resolve to the local IP of 127.0.0.1.

Hi Uh,

The problem is that you have the SMTP server on the ISA firewall itself. That's one of the drawbacks of putting the SMTP server on the ISA firewall and publishing the co-lo SMTP server, the source will show up as the localhost address.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 6:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by AndrewM:
Tom,

Is it normal in 2004 for the SMTP Publishing Wizard to only allow inbound access to SMTP?

When I ran the publishing wizard in 2000, it correctly assumed that I wanted to be able to SEND mail from the SMTP server I was publishing.

It doesn't look like 2004 does that. With a similar setup to what you have (published server rule & a deny all rule), my outgoing SMTP sends are denied by the deny all rule. This is a pretty important and not obvious change.

Hi Andrew,

In this article we created a Server Publishing Rule using the New Server Publishing Rule Wizard. Then we explicitly selected the SMTP Server Protocol. There is a Mail Server Publishing Wizard, but we didn't use that in this example.

However, even when you use the Mail Server Publishing Wizard, it doesn't handle outbound connections, because it doesn't assume that the published server requires outbound access.

For example, if you're using an inbound-only SMTP relay, there's no reason to allow it outbound access.

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 8:29:00 PM   
erickmiller

 

Posts: 37
Joined: 2.Mar.2002
From: Lake Zurich, IL
Status: offline
I think the default gateway for the Exchange Server in the graphic of the network should show "10.0.0.10"?

Eric

(in reply to tshinder)
Post #: 7
RE: Discussion about article on troubleshooting SMTP Se... - 13.Dec.2004 10:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Eric,

That's the point of the entire troubleshooting article. The default gateway was misconfigured, and we used the tools to figure this out.

Thanks!
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 1:22:00 AM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
Do not enable the SMTP filter on ISA 2004. The default setting will block some Exchange 2000/2003 commands and cause mail problems.

Note for Exchange Server 2000/2004 and ISA 2004 users.

(in reply to tshinder)
Post #: 9
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 1:45:00 AM   
uhhuhyea

 

Posts: 11
Joined: 13.May2004
Status: offline
Thanks Tom,

Should I forward the emails to another box running IIS SMTP?

(in reply to tshinder)
Post #: 10
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 3:03:00 AM   
jac_goudsmit

 

Posts: 9
Joined: 14.Dec.2004
From: AZ
Status: offline
Interesting article, Tom, and thanks for the hints about the Network Monitoring tool!

I just set up an ISA server 2004 and I'm a little stumped by a similar problem (or maybe not).

My box has 3 networks, LAN, WAN and DMZ. I use NAT network rules from LAN->WAN and DMZ->WAN; there is no network rule that connects LAN and DMZ. For various reasons, I prefer not to use a route rule between DMZ and WAN. You could say I just have two LANs, one that has published servers on it and one that doesn't. The addresses inside the LAN and DMZ don't overlap.

I've set up an SMTP server publishing rule, which works perfectly: no matter where you are (LAN or WAN), you can make a connection to the SMTP server connected to the DMZ, by using one of the ISA server's WAN addresses (it uses two IP addresses on the same WAN port).

I also want to publish the same SMTP server on port 2525, so that off-site workers don't have to deal with ISP-imposed port-25 filtering. So I created a server publishing rule that publishes the same SMTP server on port 2525 on the same external address, and overrides the incoming port to 2525.

The problem is that this works great for connections that come from the External network, but for some reason not from the inside. When I do a telnet from a computer on the LAN to the ISA server's external address, I seem to get connected but all I get is an empty screen, no SMTP signon message. As soon as I type something, the connection is closed without message. ISA monitoring says the connection from my computer is initiated (because of the unrestricted Internal->External rule) but it shows "Unidentified IP Traffic" as protocol. Network Monitor doesn't see any port 25 or 2525 traffic on the DMZ, and no relevant traffic on the LAN (I can paste some data if that helps).

Something similar happens with two other publishing rules that I use to publish an HTTP and HTTPS server on alternate ports: when I connect to them from the outside, no problem. But from the inside: Page could not be displayed.

It appears that any publishing rules that change the port number between source and destination, don't work if the connection is made from another network than the address of the listener. If the packet has to do a three-way hop inside ISA server (from LAN to WAN, then from WAN to DMZ), the ISA server apparently drops the packet if the destination port needs to be changed.

Is this a bug or am I overlooking something? I thought, maybe I should add a rule from internal network to local host, but this is not allowed. Adding a route between LAN and DMZ is not an option: the SMTP server in the DMZ doesn't listen on port 2525.

I also tried allowing incoming connections on ALL networks for the port 2525 listener (instead of just on the one address on the External network) but this has no effect. I tried telnetting to the LAN address of the ISA server instead, no effect either.

Am I forced to use a route rule between DMZ and WAN, instead of a NAT? This would be devastating because I only have two IP addresses available for this particular setup, and I would like to use more than two machines to publish services (actually dividing the services over more than one machine is one of the main reasons I'm setting up the ISA server in the first place).

===Jac

(in reply to tshinder)
Post #: 11
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 3:30:00 AM   
dslaby

 

Posts: 24
Joined: 21.Jan.2003
Status: offline
Excellent article as to be expected from this site. I have the opposite problem in that my email is queued up and failing to send. The error message I get is that 'the remote server did not respond to a connection attempt'. I have just installed ISA 2004 standard. Forcing connection does not process the email. Any suggestions would be appreciated. Thanks.

(in reply to tshinder)
Post #: 12
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 7:35:00 AM   
uhhuhyea

 

Posts: 11
Joined: 13.May2004
Status: offline
I figured out that it does work if you use IP Packet filters instead of Server Publishing.

Thanks for your help.

(in reply to tshinder)
Post #: 13
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 12:01:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jac Goudsmit:
Interesting article, Tom, and thanks for the hints about the Network Monitoring tool!

I just set up an ISA server 2004 and I'm a little stumped by a similar problem (or maybe not).

My box has 3 networks, LAN, WAN and DMZ. I use NAT network rules from LAN->WAN and DMZ->WAN; there is no network rule that connects LAN and DMZ. For various reasons, I prefer not to use a route rule between DMZ and WAN. You could say I just have two LANs, one that has published servers on it and one that doesn't. The addresses inside the LAN and DMZ don't overlap.

I've set up an SMTP server publishing rule, which works perfectly: no matter where you are (LAN or WAN), you can make a connection to the SMTP server connected to the DMZ, by using one of the ISA server's WAN addresses (it uses two IP addresses on the same WAN port).

I also want to publish the same SMTP server on port 2525, so that off-site workers don't have to deal with ISP-imposed port-25 filtering. So I created a server publishing rule that publishes the same SMTP server on port 2525 on the same external address, and overrides the incoming port to 2525.

The problem is that this works great for connections that come from the External network, but for some reason not from the inside. When I do a telnet from a computer on the LAN to the ISA server's external address, I seem to get connected but all I get is an empty screen, no SMTP signon message. As soon as I type something, the connection is closed without message. ISA monitoring says the connection from my computer is initiated (because of the unrestricted Internal->External rule) but it shows "Unidentified IP Traffic" as protocol. Network Monitor doesn't see any port 25 or 2525 traffic on the DMZ, and no relevant traffic on the LAN (I can paste some data if that helps).

Something similar happens with two other publishing rules that I use to publish an HTTP and HTTPS server on alternate ports: when I connect to them from the outside, no problem. But from the inside: Page could not be displayed.

It appears that any publishing rules that change the port number between source and destination, don't work if the connection is made from another network than the address of the listener. If the packet has to do a three-way hop inside ISA server (from LAN to WAN, then from WAN to DMZ), the ISA server apparently drops the packet if the destination port needs to be changed.

Is this a bug or am I overlooking something? I thought, maybe I should add a rule from internal network to local host, but this is not allowed. Adding a route between LAN and DMZ is not an option: the SMTP server in the DMZ doesn't listen on port 2525.

I also tried allowing incoming connections on ALL networks for the port 2525 listener (instead of just on the one address on the External network) but this has no effect. I tried telnetting to the LAN address of the ISA server instead, no effect either.

Am I forced to use a route rule between DMZ and WAN, instead of a NAT? This would be devastating because I only have two IP addresses available for this particular setup, and I would like to use more than two machines to publish services (actually dividing the services over more than one machine is one of the main reasons I'm setting up the ISA server in the first place).

===Jac

Hi Jac,

Create a NAT or route relationship (I think route is much better) between the DMZ and Internal network. Then publish the SMTP server on the DMZ to the hosts on the Internal Network using a listener on the Internal Network.

HTH,
Tom

(in reply to tshinder)
Post #: 14
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 12:03:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Fire:
Do not enable the SMTP filter on ISA 2004. The default setting will block some Exchange 2000/2003 commands and cause mail problems.

Note for Exchange Server 2000/2004 and ISA 2004 users.

Hi Fire,

I'm not aware of, nor have I experienced, any issues with the SMTP filter and Exchange.

HTH,
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 12:04:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by uhhuhyea:
Thanks Tom,

Should I forward the emails to another box running IIS SMTP?

Hi Uh,

You can do that. Create a server publishing rule that publishes the SMTP relay. That's my preferred config.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 12:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by uhhuhyea:
I figured out that it does work if you use IP Packet filters instead of Server Publishing.

Thanks for your help.

Hi Uh,

The problem with packet filters is you lose all your security, just like what you would have if you used a simple hardware stateful packet inspection firewall. I would *never* use packet filters to allow inbound access to *anything* running on the firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 12:45:00 PM   
tinto

 

Posts: 247
Joined: 9.Sep.2004
From: Italy
Status: offline
Hi Tom,

I think you should put a RED ALERT in your article, to avoid people falling in a very dangerous pitfall.

If the Exchange server is used by internal clients as an SMTP server to send mail to the world (as many organizations do) and you configure the publishing rule with "requests appear to come from ISA computer", you can easily get an OPEN RELAY, because ISA's internal IP probably is among the IPs Exchange Server grants mail relaying to.

I know this because the expert who did the first installation of the two ISA servers in our organization made this mistake... two times [Smile]
Because of this our public IPs were listed in spammers' black lists in a few hours.

HTH

[ December 14, 2004, 02:02 PM: Message edited by: Tinto ]

(in reply to tshinder)
Post #: 18
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 2:13:00 PM   
uhhuhyea

 

Posts: 11
Joined: 13.May2004
Status: offline
In my case, where I have the firewall to the Trend IMSS to Exchange, I want to block out, by IP, before spam ever reaches Trend, and if they do, have it get them.

(in reply to tshinder)
Post #: 19
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 2:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Tinto:
Hi Tom,

I think you should put a RED ALERT in your article, to avoid people falling in a very dangerous pitfall.

If the Exchange server is used by internal clients as an SMTP server to send mail to the world (as many organizations do) and you configure the publishing rule with "requests appear to come from ISA computer", you can easily get an OPEN RELAY, because ISA's internal IP probably is among the IPs Exchange Server grants mail relaying to.

I know this because the expert who did the first installation of the two ISA servers in our organization made this mistake... two times [Smile]
Because of this our public IPs were listed in spammers' black lists in a few hours.

HTH

Hi Tinto,

Why would you allow the ISA firewall's IP address to relay mail? If the Exchange Server is the endpoint of the email, then there is no reason to allow the ISA firewall or any other host to relay mail through the Exchange Server!

Thanks!
Tom

(in reply to tshinder)
Post #: 20
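The open-relay pitfall Tinto describes, and Tom's fix (no relay permission for the firewall's address at all), modelled as an added configuration-audit script; this is example code, not part of the thread or of ISA Server or Exchange, and every address and the relay allow-list in it are constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the thread): the ISA
# firewall's internal address, the Exchange server's "relay restrictions"
# allow-list, and one unauthenticated sender on the Internet.
ISA_INTERNAL_IP = "10.0.0.1"
RELAY_ALLOWLIST = ["10.0.0.0/24"]   # the whole internal LAN may relay
EXTERNAL_SENDER = "203.0.113.5"


def effective_source(client_ip: str, appear_from_isa: bool) -> str:
    """Address the published mail server sees for an inbound connection.

    With the publishing-rule option "requests appear to come from the ISA
    Server computer", the real client address is replaced by the firewall's
    own internal address; with "original client" the real address survives.
    """
    return ISA_INTERNAL_IP if appear_from_isa else client_ip


def relay_permitted(source_ip: str, allowlist) -> bool:
    """Model of the mail server's relay decision for an unauthenticated
    session: relay is granted only if the source is inside the allow-list."""
    src = ip_address(source_ip)
    return any(src in ip_network(net) for net in allowlist)


def audit_rule(appear_from_isa: bool, allowlist, probe_ip: str = EXTERNAL_SENDER):
    """Return (open_relay, findings) for one publishing-rule configuration.

    The probe simulates an Internet host connecting through the published
    rule and trying to relay to a third-party domain without authenticating.
    """
    seen_as = effective_source(probe_ip, appear_from_isa)
    open_relay = relay_permitted(seen_as, allowlist)
    findings = []
    if open_relay:
        findings.append(
            f"OPEN RELAY: external host {probe_ip} reaches the mail server "
            f"as {seen_as}, which is inside the relay allow-list")
    if appear_from_isa:
        findings.append(
            "source address is masked by the firewall, so per-client IP "
            "blocking and RDNS checks on the mail server cannot work")
    return open_relay, findings


if __name__ == "__main__":
    # Pitfall: masked source + LAN allowed to relay.
    print(audit_rule(True, RELAY_ALLOWLIST))
    # Fix A: keep the real client address.
    print(audit_rule(False, RELAY_ALLOWLIST))
    # Fix B (Tom's point): grant relay to nobody when Exchange is the endpoint.
    print(audit_rule(True, []))
```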