Welcome to ISAserver.org


RE: Discussion about article on troubleshooting SMTP Server Publishing

RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 3:35:00 PM   
tinto

 

Posts: 225
Joined: 9.Sep.2004
From: Italy
Status: offline
quote:

Why would you allow the ISA firewall's IP address to relay mail? If the Exchange Server is the endpoint of the email, then there is no reason to allow the ISA firewall or any other host to relay mail through the Exchange Server!

Hi Tom,
To keep it simple: in my company all users (IPs like 10.x.x.x) have their Outlook configured with the IP of the Exchange server in the "SMTP server" field.

The Exchange server is configured to allow relay for all IPs like 10.x.x.x. The internal NIC of ISA is 10.a.b.c, and so the damage was done: any public IP could connect to our IP and relay mail through our server, because it was seeing a connection from an internal IP.

I think this kind of configuration is frequent around little offices and so on, so the risk to create an unwanted open relay (very bad thing) with ISA publishing rule is high in my humble opinion.

thanks

[ December 14, 2004, 03:36 PM: Message edited by: Tinto ]

(in reply to tshinder)
Post #: 21
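Tinto's open-relay scenario, modelled as an added example (not code from this thread, from ISA Server or from Exchange): a relay list covering 10.0.0.0/8 combined with a server publishing rule whose published connections appear to come from the ISA firewall's internal address. The ISA internal address 10.1.2.3 and the external client 203.0.113.7 are constructed, and `RelayPolicy` and `audit` are my own simplification of the Exchange relay restrictions, not a real API.

```python
"""Why an ISA 2004 SMTP publishing rule can turn a relay-by-subnet Exchange
server into an open relay, and two ways to close it (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address for the ISA firewall's internal NIC; the post only says 10.a.b.c.
ISA_INTERNAL_NIC = "10.1.2.3"


@dataclass(frozen=True)
class ServerPublishingRule:
    """The one setting of an ISA 2004 server publishing rule that matters here.

    source_nat=True  models "Requests appear to come from the ISA Server computer":
                     Exchange sees the firewall's internal address as the source.
    source_nat=False models "Requests appear to come from the original client":
                     Exchange sees the real public address (replies must then
                     route back through the ISA firewall).
    """
    isa_internal_ip: str
    source_nat: bool = True


@dataclass(frozen=True)
class RelayPolicy:
    """Simplified model of the SMTP virtual server relay restrictions:
    networks allowed to relay, minus an explicit exclusion list."""
    allowed: tuple
    excluded: tuple = ()

    def allows(self, src_ip: str) -> bool:
        src = ip_address(src_ip)
        if any(src in ip_network(n) for n in self.excluded):
            return False
        return any(src in ip_network(n) for n in self.allowed)


def source_seen_by_exchange(client_ip: str, rule: ServerPublishingRule) -> str:
    """Source address Exchange sees for a connection delivered by the rule."""
    return rule.isa_internal_ip if rule.source_nat else client_ip


def can_relay_via_publishing(client_ip: str, rule: ServerPublishingRule,
                             policy: RelayPolicy) -> bool:
    """True if an Internet client reaching Exchange through the rule may relay."""
    return policy.allows(source_seen_by_exchange(client_ip, rule))


def audit(rule: ServerPublishingRule, policy: RelayPolicy,
          probe_ip: str = "203.0.113.7") -> list:
    """Return findings for a constructed external client; [] means no exposure."""
    seen_as = source_seen_by_exchange(probe_ip, rule)
    if not policy.allows(seen_as):
        return []
    cause = ("the publishing rule rewrites the source to the ISA internal address"
             if rule.source_nat else "the relay policy allows the client's own address")
    return [f"open relay: {probe_ip} is seen by Exchange as {seen_as} and may relay; {cause}"]


if __name__ == "__main__":
    tinto_rule = ServerPublishingRule(ISA_INTERNAL_NIC, source_nat=True)
    tinto_policy = RelayPolicy(allowed=("10.0.0.0/8",))
    print(audit(tinto_rule, tinto_policy))              # one finding: open relay
    # Fix 1: publish with "original client" so Exchange sees the public address.
    print(audit(ServerPublishingRule(ISA_INTERNAL_NIC, source_nat=False), tinto_policy))
    # Fix 2: keep the rule but exclude the ISA internal address from the relay list.
    print(audit(tinto_rule, RelayPolicy(("10.0.0.0/8",), (ISA_INTERNAL_NIC + "/32",))))
```

Either fix keeps the 10.x.x.x Outlook clients relaying as before, since their own addresses stay inside the allowed range.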
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 6:18:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tinto,

Very interesting! I think I'll do an article on this issue, since I wasn't aware of how common it was.

Thanks!
Tom

(in reply to tshinder)
Post #: 22
RE: Discussion about article on troubleshooting SMTP Se... - 14.Dec.2004 8:50:00 PM   
jac_goudsmit

 

Posts: 9
Joined: 14.Dec.2004
From: AZ
Status: offline
quote:
Originally posted by tshinder:
Create a NAT or route relationship (I think route is much better) (between) the DMZ and internal network. Then publish the SMTP server on the DMZ to the hosts on the Internal Network using a listener on the Internal Network.

I added the route between DMZ and LAN (this fixes some other potential problems such as remote control of the DMZ servers). I also made sure there is a rule that allows unrestricted access from LAN to DMZ (and, for now, vice versa).

Unfortunately it still doesn't work. I tried adding the internal network to the listener, and I tried adding a new separate rule (with higher rank in the policies list) to listen only on the internal network. For both of these cases, I tried using Telnet to connect to port 2525 of:
  • The WAN address of the ISA server: connection seems to open but hitting a key shuts down Telnet (I think the connection gets reset and Telnet is in error here). ISA server says connection initiated but mentions "Unrestricted Internet Access" as rule, not "Internal Alt SMTP port" or whatever. I don't detect any relevant traffic on DMZ or WAN.
  • The LAN address of the ISA server: ISA server says Denied Connection because of default rule. Telnet times out after a long time, no relevant traffic detected on DMZ network.
  • The address of the SMTP server on the DMZ: packets go to SMTP server (checked with Net monitor), but port is not translated of course because I'm not opening a port on the ISA server but on the SMTP server; the connection is refused almost immediately and telnet exits with an error.
[Confused] Still stumped...
===Jac

(in reply to tshinder)
Post #: 23
RE: Discussion about article on troubleshooting SMTP Se... - 15.Dec.2004 2:24:00 AM   
Fire

 

Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
quote:
Originally posted by tshinder:
quote:
Originally posted by Fire:
Do not enable the SMTP filter on ISA 2004. The default setting will block some Exchange 2000/2003 commands and cause some mail problems.

Note for Exchange Server 2000/2004 and ISA2004 Users.

Hi Fire,

I'm not aware of, nor have I experienced, any issues with the SMTP filter and Exchange.

HTH,
Tom

It will, I already confirmed it with 2 companies.
Both of them have Exchange 2000/2003 and one has ISA 2004. After I disabled the SMTP filter, the mail could go through.
Otherwise, we have to force Exchange 2000 not to use the advanced commands.

(in reply to tshinder)
Post #: 24
RE: Discussion about article on troubleshooting SMTP Se... - 26.Dec.2004 10:49:00 PM   
orchidman

 

Posts: 16
Joined: 4.Apr.2004
Status: offline
Tom,
When we try to use the 'Printable Version' it doesn't format correctly for standard letter format. Just wondering if you will be changing this in the future?
Gary

(in reply to tshinder)
Post #: 25
RE: Discussion about article on troubleshooting SMTP Se... - 27.Dec.2004 12:36:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by orchidman:
Tom,
When we try to use the 'Printable Version' it doesn't format correctly for standard letter format. Just wondering if you will be changing this in the future?
Gary

Hi Orchid,

It might be related to the figure sizes. I'll try to keep them down in the future.

Thanks!
Tom

(in reply to tshinder)
Post #: 26
RE: Discussion about article on troubleshooting SMTP Se... - 27.Dec.2004 12:37:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jac Goudsmit:
quote:
Originally posted by tshinder:
Create a NAT or route relationship (I think route is much better) (between) the DMZ and internal network. Then publish the SMTP server on the DMZ to the hosts on the Internal Network using a listener on the Internal Network.

I added the route between DMZ and LAN (this fixes some other potential problems such as remote control of the DMZ servers). I also made sure there is a rule that allows unrestricted access from LAN to DMZ (and, for now, vice versa).

Unfortunately it still doesn't work. I tried adding the internal network to the listener, and I tried adding a new separate rule (with higher rank in the policies list) to listen only on the internal network. For both of these cases, I tried using Telnet to connect to port 2525 of:
  • The WAN address of the ISA server: connection seems to open but hitting a key shuts down Telnet (I think the connection gets reset and Telnet is in error here). ISA server says connection initiated but mentions "Unrestricted Internet Access" as rule, not "Internal Alt SMTP port" or whatever. I don't detect any relevant traffic on DMZ or WAN.
  • The LAN address of the ISA server: ISA server says Denied Connection because of default rule. Telnet times out after a long time, no relevant traffic detected on DMZ network.
  • The address of the SMTP server on the DMZ: packets go to SMTP server (checked with Net monitor), but port is not translated of course because I'm not opening a port on the ISA server but on the SMTP server; the connection is refused almost immediately and telnet exits with an error.
[Confused] Still stumped...
===Jac

Hi Jac,
I meant create a Network Rule that defines a Route relationship between the DMZ and the default Internal Network.

HTH,
Tom

(in reply to tshinder)
Post #: 27
RE: Discussion about article on troubleshooting SMTP Se... - 9.Feb.2006 4:40:42 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Tom - I'm having trouble exactly as described in your article; I went through the suggested steps, but nothing seems to help.  When I have the rule pointing to my Exchange server, it connects, but I get those "enter" lines, telnet times out and then terminates. (When the termination occurs, I see the appropriate failed SMTP rule messages in ISA manager.)

I did the network capture on the internal NIC and performed the appropriate filtering... and NO frames are captured.

When I change the rule to point to the ISA server's internal NIC, I can no longer telnet to the external NIC - telnet terminates instantly.

Under no conditions can I get email to flow from the outside.  However, if I telnet to the internal NIC on the ISA server I can send email to my Exchange server successfully; likewise, if I telnet to my Exchange server on port 25... so it seems that the ISA relay can talk to the Exchange Virtual SMTP server, etc... but nothing from the outside can come in, and vice-versa.

Looking for advice... desperately.

(in reply to tshinder)
Post #: 28
RE: Discussion about article on troubleshooting SMTP Se... - 11.Feb.2006 5:15:37 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

What do you see in the ISA firewall's Log files related to these connections?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to jmercer54)
Post #: 29
RE: Discussion about article on troubleshooting SMTP Se... - 11.Feb.2006 5:47:42 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom - things have gotten a bit stranger since I wrote my post...

First, let me provide you with a topographical idea of my network.

1) I have a Sonicwall TZ170 connected to a broadband modem.
2) All my servers are connected to the Sonicwall
3) The Sonicwall has a DMZ port called the "Opt" port which can be isolated from the LAN ports - which it is.
4) My ISA firewall is a dual-nic configuration; one nic is on the LAN and the other one is on the isolated OPT port.
5) Previously, all incoming WAN traffic was restricted to the Opt port; traffic from the WAN to the LAN was blocked, something which I confirmed.
6) All my client workstations are configured to go strictly through the ISA firewall; I've watched the traffic and confirmed this.

The above configuration is the one in which I introduced my HTTP and SMTP publishing rules on the ISA server.  First I did the HTTP... this required the creation of the standard HTTP publishing rule on the ISA server, as well as an HTTP publishing rule on the Sonicwall directing all incoming port 80 to the ISA server on the Opt port.

This worked perfectly fine for several days... then I tried to do Exchange and SMTP.

After being unable to get SMTP to work, I searched both Microsoft and here and then posted my above post.

While waiting for a response, I decided that the best thing to do was to restart "from scratch", so I deleted the SMTP rules, the listener and deinstalled the IIS/SMTP accessory entirely off the ISA server.  Then - just out of paranoia, I suppose - I decided to confirm that my other published server on the ISA server - the http website - was still accessible.

To my dismay, it wasn't.  I went through enormous gyrations to determine what was wrong, to no avail.  No matter what I did, I saw no incoming HTTP traffic on the external nic of the ISA server. Worried that perhaps it was an ISP issue, I contacted my ISP and had them help me review the DNS setup, etc. Everything seemed fine.

I then decided to try to rule out the ISP entirely... since I've learned over many years that even the most well-meaning competent technical folks can overlook or misunderstand something. :)

I disabled the HTTP server rule on the ISA server, and then modified the Sonicwall publishing rule to take incoming port 80 requests and send them to the LAN (specifically to my webserver!) and not the Opt port.

Bingo - web traffic resumed.

I then reconfigured my SMTP listener and Sonicwall rules, and I was now able to receive incoming email from outside, although I'm still struggling with outbound traffic.

My clients are all going through the ISA server for all traffic; I now need to establish if the external nic is actually passing traffic to and from the Internet, or if it's sneaking out somehow via the Sonicwall - and that's where I am now.  If the ISA server's external nic is indeed operating for clients, then the problem is either a Sonicwall issue with rules pointing to Opt or something on the ISA server.

Any suggestions or advice would be MOST welcome. :)



(in reply to tshinder)
Post #: 30
RE: Discussion about article on troubleshooting SMTP Se... - 11.Feb.2006 6:08:59 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom - got the inbound and outbound SMTP fully resolved by going directly through the Sonicwall firewall.  At least I've eliminated any ISP issues; that leaves the Opt port and the ISA server as the two remaining possibilities.

(in reply to jmercer54)
Post #: 31
RE: Discussion about article on troubleshooting SMTP Se... - 12.Feb.2006 10:37:50 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
There was an available Sonicwall upgrade; some of the "fixes" appeared to have symptoms similar to some of the issues I was having, but nothing explicitly directed at the problems.  I uploaded and installed the new release; everything seemed stable, so I "reconstructed" the published web server, since that's the simplest thing I could do.

My web page is now accessible via the ISA server at http://www.mercerhome.org ... I'm going to let this configuration run for a day or so and do some more testing.  If the web service remains stable, then I'll try the SMTP/ISA link again.  In the meantime, my SMTP connectivity is working fine straight through the Sonicwall.

Tom, I was re-reading your book on the subject, and I'm a little confused about the location of the relay and the ISA message scanner, etc.  I'm going to spend the next day or so reviewing things (and probably pick up an Exchange book or two), and then I may post some questions here, if that's ok with you.

Thanks!

Jim Mercer

(in reply to jmercer54)
Post #: 32
RE: Discussion about article on troubleshooting SMTP Se... - 14.Feb.2006 5:00:18 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

I think the problem is with your setup. What you need to do is implement a back to back configuration, so that the sonicwall is connected ONLY to the Internet and the DMZ between itself and the ISA firewall. Then all the machines on the internal network use the ISA firewall's internal address as their default gateway.

HTH,
Tom


(in reply to jmercer54)
Post #: 33
RE: Discussion about article on troubleshooting SMTP Se... - 14.Feb.2006 9:42:49 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hmm... ok, I can do that.  I assume that all I need to do to point the servers explicitly at the ISA server is change the gateway address on the TCP/IP stack, correct?

Thanks

Jim

(in reply to tshinder)
Post #: 34
RE: Discussion about article on troubleshooting SMTP Se... - 14.Feb.2006 10:33:45 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Yes, have the internal clients use the ISA firewall as their default gateway, and have the ISA firewall's external interface use the LAN interface on the sonicwall as its default gateway.

Make sure that the internal and external interfaces on the ISA firewall are on different network IDs.

HTH,
Tom


(in reply to jmercer54)
Post #: 35
RE: Discussion about article on troubleshooting SMTP Se... - 17.Feb.2006 4:24:45 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom - good news! I have the SMTP ISA issue partially resolved.  My SMTP traffic - inbound and outbound - is now going through my ISA server with no problems.   Here's the rundown:

When I configured SMTP to go out directly via the Sonicwall router, I had configured the SMTP virtual server on Exchange to use my ISP's SMTP server as a smart gateway.  This did NOT work, although (according to my understanding) it should have. After much trial and error, I put the ISP's SMTP server in as a smart gateway in the SMTP connector - and that (for whatever reason) got mail flowing properly.

With a fully working bi-directional SMTP email flow being demonstrated (eliminating any questions about the ISP or Exchange configurations being wrong), I then reconfigured the ISA server, Sonicwall router and Exchange server to strictly use the ISA server as inbound/outbound.

Inbound mail worked perfectly fine; outbound mail stalled.

I then ran the ISA logging mechanism to study what was going on, using an SMTP-only filter.  Everything appeared normal... so I removed the filter, and discovered something very strange.  DNS requests from the Exchange server were being denied!  (The nic is pointing to the ISA server as its first choice for DNS, and I have DNS on the ISA server set up so that unresolved requests are forwarded to the ISP's DNS servers to resolve.)

I put in a rule specifically allowing DNS queries from the Exchange server to be permitted... and all of a sudden, outbound email was flowing as well.

Apparently - for some reason - Exchange doesn't talk to my DNS infrastructure when trying to resolve an external smarthost... either that, or my ISA DNS isn't capable of resolving it by using the ISP's DNS servers, which (to me) makes no sense since they're obviously resolving a direct request from the Exchange server.

Very, very strange, but at least it's now working properly.  Any thoughts on why this might be needed?

One last challenge for me, but not at this moment... I want to set up an SMTP relay as an intermediary to Exchange and implement the SMTP screener.  However, I'm satisfied (for the moment) with having what I have now.  I'll get back to that in a week or so. Baby steps. :)

I'm now going to post in the OWA forum, because I cannot get OWA to work through the ISA server no matter what I do. (It works fine directly through the Sonicwall firewall, though.)

Thanks for your suggestion - you put me on the right track! :)

(in reply to tshinder)
Post #: 36
RE: Discussion about article on troubleshooting SMTP Se... - 20.Feb.2006 2:58:55 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Great! That's some excellent progress.

It seems strange that the ISA firewall can't resolve the name of the smart host. If the ISA firewall is configured to use itself as DNS server, then run an nslookup on the ISA firewall for the ISP smart host name and see what comes up.

Thanks!
Tom


(in reply to jmercer54)
Post #: 37
RE: Discussion about article on troubleshooting SMTP Se... - 20.Feb.2006 8:25:15 PM   
jmercer54

 

Posts: 85
Joined: 25.Oct.2004
From: NY
Status: offline
Hi, Tom -

Yes, and it's stranger than it appears.  NSLOOKUP resolves the name with no problem at all, in fact... whether I run it from my ISA server or anywhere else in my network. (The ISA server uses itself as its primary DNS lookup - the internal nic DNS refers to only 127.0.0.1, while the external nic has no DNS servers configured at all.)  I verified the IP gotten from nslookup by using www.samspade.org to do an independent lookup on mail.optonline.net... and it did indeed resolve to the same address.

So nslookup and pings resolve to the correct address regardless of where they are executed... but Exchange required access to an external DNS server to resolve it.  Very odd, indeed.  (Actually, I shouldn't blame Exchange specifically - I managed to create an SMTP relay on another server to keep Exchange from directly hitting the Internet... and IIS's SMTP did exactly the same thing.  Until I created a rule permitting DNS queries to the external network from that server, the IIS relay couldn't resolve the smarthost, either.)

The only thing I can think of is that the ISA DNS server is strictly a forwarding DNS (no recursion), and is non-authoritative... and is not published to the ISP as a public DNS server for my network, although I can do that.

The other weird thing, of course, is that using mail.optonline.net in Exchange's virtual server as a smarthost failed... but as soon as I put it into the SMTP connector, mail started flowing.  IIS had no problem with the smarthost in the virtual server, though.

Now all I have to do is either move the intermediate IIS relay to a different server or figure out how to get ISA's install process to permit message screener to be installed on a Windows 2003 Web Edition server.  Right now it insists that it won't do it. Annoying...

< Message edited by jmercer54 -- 20.Feb.2006 8:32:02 PM >

(in reply to tshinder)
Post #: 38
RE: Discussion about article on troubleshooting SMTP Se... - 26.Feb.2006 7:51:32 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

That would be the problem.

The ISA firewall should be using the internal DNS server, not itself.

HTH,
Tom


(in reply to jmercer54)
Post #: 39
RE: Discussion about article on troubleshooting SMTP Se... - 3.Mar.2006 5:32:22 AM   
bitconfused

 

Posts: 2
Joined: 3.Mar.2006
Status: offline
Hey Tom,

I have been fighting with something similar to jmercer54 and would like your thoughts.  My network is as follows:

I have my ISP connected into a Cisco 1841, and the LAN side of the Cisco (172.16.x.254) represents my DMZ, which is a 172.16.x.0/24 network.

Then I have my ISA Standard Edition Server (SP2) running Windows Server 2003 (all patches and updates).  I used the Back Firewall template for the network section of the ISA Server (I also tried the Edge Firewall template as well). The external side of the ISA Server is represented by 172.16.x.253 and the internal side is 192.168.x.254/22.  Now it seems that with my experience with ISA 2000 all the same things that I used to do work fine, except publishing SMTP to port 25.

When I am inside the 192.168.x.x network, all works like a charm and out going mail is fine.  When I am on the local host I am able to telnet to the exchange server, on port 25, without issue as well.

Now here is where the weird begins... when I publish IMAP, POP3 or HTTP (on their default ports) on the ISA Server they work fine from the ISP, DMZ and internally, to the Exchange server and IIS box respectively.  However, when I am in the 172.16.x.0 network I cannot telnet to the Exchange box on port 25 for the life of me.  Turning on SMTP server monitoring yields nothing. In addition, I tried mirroring the port on the switch and dumping my Network General Sniffer on it, to find that no traffic is hitting 172.16.x.253. I have also tried this from different clients, XP, W2K Pro and Server in my DMZ, all with the same result.

Now, if I change the incoming port to "anything" else on my SMTP publishing rule and let ISA translate it to port 25 on my 192.168.x.x network all works well; this is my current work around, but I am still at a loss as to why this is occurring.

Lastly, I have no blocking software (anti-virus or IDS/IPS) running on the ISA server, nor any filtering on either NIC in the server.

Your thoughts would be greatly appreciated.

Many thanks,

bit. :D

(in reply to tshinder)
Post #: 40
