Archived from groups: comp.security.firewalls (More info?)
My office has a Windows 2003 Server network as a test platform. I run
Exchange Server 2003 on my Windows 2003 server. I am connected to
Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the
server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15
minutes to my Exchange server. When I had my Netopia R910 router/firewall
installed, this configuration worked flawlessly. I have since installed a
Netscreen 5XP 10-user, and I cannot send any e-mail out. Incoming e-mail is
working fine, but outgoing e-mail is backing up in the queue.
In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:
Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the
remote domain 'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.
If I look at the status row in System Manager while in the Queue folder with
one of the stuck e-mails, it indicates that the e-mail was rejected by the
remote host. It is scheduled for retry. Relaying is only enabled for
clients that authenticate to the domain.
All of my e-mail is backing up in the Queue. Every remote host is dropping
the connection, including Sympatico.ca, my ISP. I have an inexpensive
Startech DSL broadband router with the firewall feature disabled. As soon
as I swap out the Netscreen and put the Startech in, the mail queue clears
itself out on the next retry and sends all the backed up e-mail.
For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.
I am using the default Outgoing rule to allow everything out. No additional
outgoing rules have been added. I created three virtual IPs that point to
my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP. I
created an Incoming rule allowing Outside Any -> Any Virtual IP for the
service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside
Any -> Any Virtual IP for the service HTTP. I have HTTP forwarded to the
server for Outlook Web Access and will eventually use SSL after I get the
firewall issue straightened out.
I thought the problem might be related to the detection page on the
Netscreen configuration for address sweep, sync attack, IP spoof, etc., so I
unchecked all those boxes. This did not change anything.
Archived from groups: comp.security.firewalls (More info?)
Mike,
I can telnet into the SMTP server, my ISP only gives me a dynamic IP so I
can't map it, and I only have incoming policies for HTTP, FTP and DNS. No
SMTP incoming.
"Mike" <mike@notherematey.com> wrote in message
news:c5bns9$k1u$1@thorium.cix.co.uk...
>
> "Bob Walker" <r042wal@no.spam.sympatico.ca> wrote in message
> news:tc0ec.17083$BF2.1465590@news20.bellglobal.com...
>
> Two simple tests and a possibly stupid question.
>
> Can you ping an external website by name i.e. ping www.microsoft.com?
>
> Can you telnet to port 25 of your ISP's mail server?
>
> Why have you enabled inbound SMTP when you are collecting via POP3?????
>
>
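Mike's two tests (name resolution, then a connection to port 25), extended to step through the SMTP dialogue and report the stage at which the connection is dropped. This is an added example, not part of the original thread; the function name `probe_smtp`, the HELO name `probe.example` and the stage labels are assumptions made for illustration. It sends no message: the session ends with QUIT after MAIL FROM.

```python
import socket
import sys

def probe_smtp(host, port=25, helo="probe.example", timeout=10.0):
    """Return (stage, detail): the stage reached and the reply or error seen there."""
    stage = "resolve"
    try:
        # Test 1: can the name be resolved at all?
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
        stage = "connect"
        # Test 2: does a TCP connection to the SMTP port succeed?
        with socket.create_connection(addr, timeout=timeout) as sock, \
                sock.makefile("rb") as rfile:

            def reply():
                # Read one SMTP reply (possibly multi-line). EOF means the peer,
                # or a device in the path, closed the session.
                lines = []
                while True:
                    line = rfile.readline()
                    if not line:
                        raise ConnectionError("connection closed before a full reply")
                    lines.append(line.decode("ascii", "replace").rstrip())
                    if line[3:4] != b"-":      # "250-..." continues, "250 ..." ends
                        return " | ".join(lines)

            stage = "banner"
            detail = reply()
            # Beyond what telnet shows at connect time: walk the dialogue.
            for stage, cmd in (("ehlo", f"EHLO {helo}"),
                               ("mail", "MAIL FROM:<>"),
                               ("quit", "QUIT")):
                sock.sendall(cmd.encode("ascii") + b"\r\n")
                detail = reply()
                if not detail.startswith(("2", "3")):
                    return stage, detail       # server answered, but refused
            return "ok", detail
    except OSError as exc:                     # DNS failure, refusal, timeout, drop
        return stage, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe_smtp(sys.argv[1]))
```

Running it once through each router against the same mail host shows whether the two paths diverge at connect, at the banner, or later in the dialogue.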