E-mail stuck in queue with new firewall

Anonymous
April 11, 2004 12:21:47 AM

Archived from groups: comp.security.firewalls

My office has a Windows 2003 Server network as a test platform. I run
Exchange Server 2003 on my Windows 2003 server. I am connected to
Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the
server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15
minutes to my Exchange server. When I had my Netopia R910 router/firewall
installed, this configuration worked flawlessly. I have since installed a
Netscreen 5XP 10-user, and I cannot send any e-mail out. Incoming e-mail is
working fine, but outgoing e-mail is backing up in the queue.

In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:

Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the
remote domain 'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.

If I look at the status row in System Manager while in the Queue folder with
one of the stuck e-mails, it indicates that the e-mail was rejected by the
remote host. It is scheduled for retry. Relaying is only enabled for
clients that authenticate to the domain.

All of my e-mail is backing up in the Queue. Every remote host is dropping
the connection, including Sympatico.ca, my ISP. I have an inexpensive
Startech DSL broadband router with the firewall feature disabled. As soon
as I swap out the Netscreen and put the Startech in, the mail queue clears
itself out on the next retry and sends all the backed up e-mail.

For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.

I am using the default Outgoing rule to allow everything out. No additional
outgoing rules have been added. I created three virtual IPs that point to
my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP. I
created an Incoming rule allowing Outside Any -> Any Virtual IP for the
service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside
Any -> Any Virtual IP for the service HTTP. I have HTTP forwarded to the
server for Outlook Web Access and will eventually use SSL after I get the
firewall issue straightened out.

I thought the problem might be related to the detection page on the
Netscreen configuration for address sweep, SYN attack, IP spoof, etc., so I
unchecked all those boxes. This did not change anything.

Do I need an incoming rule for port 53?
April 11, 2004 8:23:41 PM
"Bob Walker" <r042wal@no.spam.sympatico.ca> wrote in message
news:tc0ec.17083$BF2.1465590@news20.bellglobal.com...

Two simple tests and a possibly stupid question.

Can you ping an external website by name i.e. ping www.microsoft.com?

Can you telnet to port 25 of your ISP's mail server?

Why have you enabled inbound SMTP when you are collecting via POP3?????
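The two tests Mike suggests (resolve a name, then open port 25) written up as a small probe that also tells apart the ways a firewall can break outbound SMTP: a silent drop (timeout), a reset (refused), and the "connection was dropped" case from the Exchange event, where TCP connects but no 220 greeting ever arrives. This is an added example, not code from the thread; the loopback "fake MTA" and its banner are constructed so the probe can be exercised offline.

```python
import socket
import threading
from typing import Dict, Optional, Tuple

def smtp_probe(host: str, port: int = 25, timeout: float = 5.0) -> Tuple[str, str]:
    """Open an SMTP session to host:port and classify the outcome: dns_fail, refused (RST),
    timeout (SYN silently dropped, a firewall symptom), dropped, no_banner or ok (220 seen)."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:
        return "dns_fail", str(e)
    try:
        s = socket.create_connection(addr[:2], timeout=timeout)
    except ConnectionRefusedError as e:
        return "refused", str(e)
    except socket.timeout:
        return "timeout", "no SYN/ACK within %.1fs" % timeout
    except OSError as e:
        return "dropped", str(e)
    with s:
        try:
            data = s.recv(512)
        except OSError as e:  # recv timeout means the peer accepted but stayed silent
            return ("no_banner" if isinstance(e, socket.timeout) else "dropped"), str(e)
    if not data:
        return "dropped", "peer closed the connection before sending a greeting"
    banner = data.decode("ascii", "replace").strip()
    return ("ok" if banner.startswith("220") else "no_banner"), banner

def _fake_server(banner: Optional[bytes]) -> int:
    """Constructed stand-in MTA: accept one loopback connection, send banner (or nothing), close."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve() -> None:
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def run_local_demo() -> Dict[str, str]:
    # A port we bound and immediately released: nothing listens, so connect() is refused.
    tmp = socket.create_server(("127.0.0.1", 0)); closed_port = tmp.getsockname()[1]; tmp.close()
    return {
        "ok": smtp_probe("127.0.0.1", _fake_server(b"220 mx.example ESMTP\r\n"))[0],
        "dropped": smtp_probe("127.0.0.1", _fake_server(None))[0],
        "refused": smtp_probe("127.0.0.1", closed_port)[0],
    }
```

Against a real relay, run `smtp_probe("smtp.example.net")` from the Exchange host with each firewall in place; a `timeout` or `refused` that changes to `ok` when the router is swapped points at the firewall policy rather than at Exchange.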
Anonymous
April 11, 2004 10:26:56 PM
Mike,

I can telnet into the SMTP server, my ISP only gives me a dynamic IP so I
can't map it, and I only have incoming policies for HTTP, FTP and DNS. No
SMTP incoming.

"Mike" <mike@notherematey.com> wrote in message
news:c5bns9$k1u$1@thorium.cix.co.uk...
>
> "Bob Walker" <r042wal@no.spam.sympatico.ca> wrote in message
> news:tc0ec.17083$BF2.1465590@news20.bellglobal.com...
>
> Two simple tests and a possibly stupid question.
>
> Can you ping an external website by name i.e. ping www.microsoft.com?
>
> Can you telnet to port 25 of your ISP's mail server?
>
> Why have you enabled inbound SMTP when you are collecting via POP3?????