Starting about three weeks ago, some outbound emails stopped flowing properly (large emails to some domains with ip addresses very close to ours were not being delivered). Inbound email is fine. The PIX (version 6.3(3)) syslog messages looked like this:
3/31/2006 19:38 built outbound tcp connection 268422 for outside:<RecipientMailserverIP>/25 (<RecipientMailserverIP>/25) to inside:<ExchangeServerPrivateIP>/9112 (<OurOutsideIP>/34960)
3/31/2006 19:39 teardown tcp connection 268422 for outside:<RecipientMailserverIP>/25 to inside:<ExchangeServerPrivateIP>/9112 duration 0:01:04 bytes 36129 tcp reset-o
3/31/2006 19:39 inbound tcp connection denied from <RecipientMailserverIP>/25 to <OurOutsideIP>/34960 flags rst on interface outside
3/31/2006 19:39 deny tcp (no connection) from <ExchangeServerPrivateIP>/9112 to <RecipientMailserverIP>/25 flags ack on interface inside
Further examination of the Exchange Server smtp logs shows that the smtp conversation was not completing ...
Does this mean anything to you? Is the reset-o significant? Or is it the inbound tcp connection denied that is the problem?
On Saturday I upgraded the firmware on our PIX 501 firewall to 6.3(5) and checked the configuration to be certain that the "Mailguard" feature was disabled. (no fixup protocol smtp 25) Still no improvement, so I replaced the PIX firewall by a Linksys router as a test, and email flowed perfectly! Then, I put the PIX back in place and went home. On Monday morning, mail was flowing perfectly through the PIX and is still fine today (Tuesday). So I'm not sure if the firmware upgrade solved the problem or if it was something else. Our ISP claims that they did not change anything over the weekend, but now the SMTP conversation completes properly and the firewall reports:
4/3/2006 10:15 built outbound tcp connection 2309 for outside:<RecipientMailserverIP>/25 (<RecipientMailserverIP>/25) to inside:<ExchangeServerPrivateIP>/26715 (<OurOutsideIP>/2133)
4/3/2006 10:15 teardown tcp connection 2309 for outside:<RecipientMailserverIP>/25 to inside:<ExchangeServerPrivateIP>/26715 duration 0:00:10 bytes 5212799 tcp fins
I would love to know for sure if the problem is really fixed, or will it come back? Is there something wrong with my PIX configuration? Do you have any ideas?
This problem is only occuring when sending e-mail's to certain domains/IP's rather than all IP's?
Perhaps the problem isn't on your end, it could be a result of a router/firewall on the end that emails are going to.
I don't believe its a access-list problem PIX. Obviously you have static NAT address for that server and outgoing email probably isn't filtered too heavily. Before I changed too much on your end you should definitely look into the network to which the emails go to.
If you know an address on the destination network (such as the destination email server) try telnetting to the IP address on port 25.
I don't know if these forums deal with Cisco devices.
Thanks for the quick reply - I will have a look at experts exchange. Yes, I am happy it's working - all mail has been flowing perfectly for over a week now. I will continue to monitor it, but it looks like the firmware update did the trick.