On Tue, 8 Jan 2002, Network Operations wrote:

> At first glance I was about to dump this as being an OT mail (Exchange server) issue
> however, I seem to recall a similar problem some time ago.

I'm still not convinced it is not your original interpretation, though it has been a long, long time since I played with Exchange and I could well be wrong. Yet, if I read properly, their Exchange server is semi-exposed on the DMZ, and thus has a different subnet address. This might be a config issue on Exchange that could be fixed there in its config, or an addition might well function for them, still requiring some configuration with the Exchange on the DMZ. The way I might go about this would be to add an inside relay server, such that the DMZ box forwards all mail to the inside SMTP machine only and the inside machine is only able to talk to the outside DMZ box; internal users can all talk to the inside server.

> I think the reason why your internal email is getting bounced is because when
> IDENT/auth lookups (port 113 udp/tcp authentication) are enabled, your firewall is
> probably denying the IDENT lookups to your internal hosts.
>
> Check for the rejected port 113 traffic to your internal hosts in your syslog, this
> should clear things up..

This might work differently for Exchange systems, but, if I recall, for sendmail and other Unix-like SMTP implementations it only results in extremely slow traffic as the SMTP gateway hangs for periods. Does a sendmail or other implementation actually start rejecting traffic in such an auth-less environment?

Thanks,

Ron DuFresne

> Cheers..
>
> Marc
>
> >>> "Prathabacimman.M" <[EMAIL PROTECTED]> 01/07 9:56 PM >>>
> Thanks to Henry Sieff
>
> Adding more to the above problem: yesterday we solved the problem, but only
> temporarily. As we remove "ip inspect name 'name' smtp" things have started
> moving smoothly. But our situation forces us to implement SMTP monitoring.
> How to go about it..
>
> Prathabacimman.M (call me prathab)
>
> Hi,
>
> I have got a very peculiar problem with Cisco IOS Firewall 21.4 on a Cisco
> 2621 Router. Our mail server resides on the DMZ and we have got CBAC and
> access lists enabled on the router. There's no problem with the traffic
> except SMTP. When the authentication is enabled for SMTP relay on our
> Exchange Server, the internet clients are unable to send mails thru the
> server. The mails get bounced. When the authentication is removed the server
> is vulnerable to open relay. There's certainly a problem with the
> router/image/CBAC/ACL but we cannot identify where it lies. Can anyone help
> me in troubleshooting?
>
> Prathabacimman.M
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
