    Forwarding port 25 for Exchange Server NOT Working

    Category: NAT
    29 Posts, 6 Posters, 19.2k Views
    • chpalmer

      Contact your ISP and make sure that they are not blocking port 25. Many do.

      Can you RDP your server at .10 and see if you can reach it from there?

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • tomf

        I checked my ISP and they say they do not block port 25.

        I logged into a remote system outside my home office and did a telnet from there and it did work properly.

        I'm fairly convinced that pfSense is not the problem and that it is working properly. I still suspect my ISP.

        I am having some other strange issues with the server receiving email, so I'm going to shift my focus to the exchange server and my ISP as possible problems.

        Thanks for the reply.

        ~ tommy

        • chpalmer

          If you have ever had Qwest then yes they did block 25. And Centurylink who bought them probably has not reversed that.

          I was told many times that Qwest did not, and only when I pushed did they admit they did. I had to call in to unblock about every 3 months until I switched ISPs…

          Good Luck!

          • kapara

            Log the rule. Are you seeing it hit the firewall in the firewall log?

            Skype ID:  Marinhd

            • Metu69salemi

              Is there any other rule (above this one) which may do something concerning SMTP traffic?

              • tomf

                I finally took the pfSense router/firewall out of the picture and put the Exchange server directly on a public IP.
                Everything worked great.
                But I really want the pfSense there for other reasons as well, so I put it back on determined to find the problem.

                Once I had it back on, everything was working properly with it in place as well.
                I tested for about 30 minutes, sending emails from Gmail and others. All was happiness.
                I notified a few of my co-workers that they could begin testing the exchange server, gave them working email accounts.

                Then 10 minutes later it suddenly started refusing email again. I had not changed anything at all since it started working.

                The email not arriving did begin to come back to me a few days ago from GMAIL:
                "The recipient server did not accept our requests to connect. Learn more at http://mail.google.com/support/bin/answer.py?answer=7720
                [mail.wcss.co. (10): No route to host]"

                Note: this does not happen if I take the pfSense out, so I'm thinking I've got something misconfigured in pfSense or there is some odd incompatibility going on.

                MX records are tested and correct
                Reverse DNS is tested and correct

                I am not seeing anything hit the firewall logs when I send test mail.

                I'm attaching my current NAT configs, Inbound and Outbound.
                All suggestions appreciated.

                Thanks.

                ~ Tom

                ![Screen Shot 2011-10-07 at 3.33.32 PM.png](/public/imported_attachments/1/Screen Shot 2011-10-07 at 3.33.32 PM.png)
                ![Screen Shot 2011-10-07 at 3.25.39 PM.png](/public/imported_attachments/1/Screen Shot 2011-10-07 at 3.25.39 PM.png)

                • podilarius

                  Do you have any extra packages installed into the firewall?

                  • Metu69salemi

                    Are there any logs which may tell the cause?

                    • chpalmer

                      Set static port to yes and try it that way.. You can just make a rule for the server if you want.

                      mxtoolbox.com can be used to help you diagnose also… Use the server test link.

                      • chpalmer

                        I thought there was an RFC stipulation that mail servers should receive and send on the same port, but I can't find it, so I may be off base…

                        On your NAT rule you should only need TCP.

                        Can you show your firewall rules?

                        • marcelloc

                          Monitor WAN port 25 via tcpdump at the console.

                          If you receive the "S win" packet, your ISP does not block 25.
                          If you don't, then the ISP is guilty.

                          If your ISP allows SMTP, you can also try the Postfix Forwarder package to add security to your internal Exchange server.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          • tomf

                            Thanks for the answers.

                            @Podilarius: I had one package installed Open-VM-Tools, which I removed, restarted pfSense and tested again, with no change.

                            This jogged my brain that I have failed to explain that my setup here is on VMware ESXi 4.1. pfSense is in a VM, as well as the Exchange Server. Sorry. I've been too consumed with trying to figure this out otherwise that I haven't said that.

                            @Metu69salemi: I've been checking the Firewall logs and haven't seen anything. But then I realized that I don't see any entries for my IP 208.x.x.88, but only for two other IPs on my subnet (both my systems) .75 and .68.

                            Both .75 and .68 are other pfSense VMs. I checked .68 logs and it is receiving log entries for .88 and .75, but not for itself.

                            Same for .75. It only has firewall log entries for .88 and .68, but none for itself.

                            These are all on the same ESXi host, using the same network interface.
                            Each has a static IP.

                            Oddly, while testing a test message suddenly came through fine. But not again. So it seems that some things get through, but rarely, like 1 in a hundred.

                            I've tried tailing the logs from the shell, but it's not working, nor is cat. Is something corrupt on my system, or is there some sort of binary in the raw log files?

                            @chpalmer: I'm not seeing where to set static port to yes. I've been using mxtoolbox and it says I'm fine on all tests. Fixed that tcp/udp to tcp, thanks.
                            Attaching my current firewall RULES.

                            @marcelloc: tcpdump on port 25 shows:

                            11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0

                            11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0

                            11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0

                            This email never shows up, and I'm sure I'll get a delayed email notification from Gmail in a few hours.

                            I'm not keen at interpreting the tcpdump so not sure what it all means, but it seems gmail calls, there is an ack, then not sure. I don't see the "S win".
                            My ISP at home (where I'm working from) is Frontier.
                            My hosting environment where the servers are located is under Startouch Networks. I have 2 other mail servers there and they have no issues.

                            If Gmail is getting my mail and attempting to send it out, rarely succeeding, how can it be my ISP blocking port 25? If I log onto gmail directly and compose and send, that should bypass any ISP blocking.

                            Status: Still stuck, but wondering if my multiple pfSense routers/firewalls on the same physical network interface on an ESXi host might be an issue, OR misconfigurations on pfSense.

                            ![Screen Shot 2011-10-10 at 11.27.11 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-10 at 11.27.11 AM.png)

                            • marcelloc

                              @tomf:

                              11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0

                              11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0

                              11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0

                              You have the S win.

                              Now you have to check your NAT settings.

                              Your WAN rules are all open; this is dangerous.

                              Check if there is a wrong or duplicated NAT setup sending to another host on your network.

                              The reject packet means that somebody received this communication and rejected it.

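The capture tomf posted and the reading marcelloc gives of it can be turned into a repeatable triage step. The block below is an added example, not code from the thread, from pfSense or from Netgate: it parses the tcpdump console lines and reports how far the TCP handshake on port 25 got, so the outcomes argued about in this thread (no SYN arrives, SYN arrives but nothing answers, the reply is met with a reset, the handshake completes) come out as one verdict with the check that goes with it. The three capture lines are copied from the thread with the extraction typo `{S}` corrected to `[S]`; the interface name in the usage note is a placeholder, and the hint attached to the reset case is an inference from RFC 793, not something the thread established.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One TCP summary line as tcpdump prints it at the pfSense console with name
# resolution on (so port 25 shows as "smtp"). Only the fields the triage needs are kept.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
)

# The three lines tomf captured on his WAN, copied from this thread ("{S}" corrected to "[S]").
THREAD_CAPTURE = [
    "11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0",
    "11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0",
    "11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0",
]


@dataclass
class Segment:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    win: Optional[int]


def parse_tcpdump(lines):
    """Parse tcpdump text into Segment records, skipping anything that is not a TCP summary."""
    segs = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        src, _, sport = m["src"].rpartition(".")  # "host.port" -> host, port
        dst, _, dport = m["dst"].rpartition(".")
        num = lambda v: None if v is None else int(v)
        segs.append(Segment(m["ts"], src, sport, dst, dport, m["flags"],
                            num(m["seq"]), num(m["ack"]), num(m["win"])))
    return segs


HINTS = {
    "NO_SYN": "No inbound SYN reached the WAN: look upstream (ISP port 25 filtering, MX record), not at the NAT rule.",
    "NO_SYNACK": "The SYN arrived but nothing answered: check the port forward and its firewall rule, and log the rule.",
    "SYNACK_UNANSWERED": "We replied but saw neither ACK nor RST: the reply may be leaving by a path the peer never sees.",
    "ESTABLISHED": "TCP handshake completed: the problem is above TCP (SMTP banner, relay policy, slow lookups).",
    "RST_AFTER_SYNACK": ("The peer reset the connection right after our SYN-ACK. A client that sent this SYN would ACK "
                         "a correct SYN-ACK, not reset it; a reset whose seq equals our ack number is what a stack sends "
                         "for a segment it cannot match to a connection (RFC 793). One cause consistent with this, and "
                         "the one marcelloc points at: a second NAT or firewall path answering from an address the "
                         "client never connected to."),
}


def classify_handshake(lines, server_ports=("smtp", "25")):
    """Find the first inbound SYN to the mail port and report how far the handshake got."""
    syn = synack = reply = None
    for s in parse_tcpdump(lines):
        to_srv, from_srv = s.dport in server_ports, s.sport in server_ports
        if syn is None and to_srv and s.flags == "S":
            syn = s
        elif syn is not None and synack is None and from_srv and s.flags == "S." and s.dport == syn.sport:
            synack = s
        elif synack is not None and reply is None and to_srv and s.sport == syn.sport and s.flags in (".", "R", "R."):
            reply = s
    result = {
        "saw_syn": syn is not None,
        "saw_synack": synack is not None,
        # a well-formed SYN-ACK acknowledges the client's initial sequence number + 1
        "synack_acks_syn": syn is not None and synack is not None and synack.ack == syn.seq + 1,
    }
    if syn is None:
        verdict = "NO_SYN"
    elif synack is None:
        verdict = "NO_SYNACK"
    elif reply is None:
        verdict = "SYNACK_UNANSWERED"
    elif reply.flags == ".":
        verdict = "ESTABLISHED"
    else:
        verdict = "RST_AFTER_SYNACK"
        result["rst_seq_equals_synack_ack"] = reply.seq == synack.ack
    result["verdict"] = verdict
    result["hint"] = HINTS[verdict]
    return result


if __name__ == "__main__":
    r = classify_handshake(THREAD_CAPTURE)
    print(r["verdict"], "-", r["hint"])
```

Capture on the WAN interface at the console with tcpdump -i WANIF port 25 (WANIF is whatever the box calls its WAN interface) and feed the lines in. On the thread's capture the verdict is RST_AFTER_SYNACK with both checks true: the SYN-ACK acknowledged Gmail's ISN correctly, and Gmail's reset carries exactly that ack number, which is the RFC 793 reset for a segment the peer could not match to a connection it was waiting on. That is consistent with the duplicated-NAT/second-path check marcelloc suggests, but the capture alone does not prove it.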
                              • chpalmer

                                @tomf:
                                @chpalmer: I'm not seeing where to set static port to yes. I've been using mxtoolbox and it says I'm fine on all tests. Fixed that tcp/udp to tcp, tks.
                                Attaching my current firewall RULES.

                                http://mxtoolbox.com/diagnostic.aspx   What does this say?

                                Static port: go to your outbound NAT rule, edit, down to Translation… click the box that says Static Port.

                                TCP/UDP won't break you, but it's just safer to have what you need...

                                If you want to see port activity getting through go to your firewall rule and click the "Log packets that are handled by this rule" box.

                                • chpalmer

                                  Blot out your IP and DNS if you don't want those out…

                                  So your box is connecting.

                                  5.429 seconds  makes me wonder...  I generally see under 100ms on my hmail box here.  Have you ever had postfix or any other proxy installed on or between your units?

                                  • tomf

                                    * * * Repost * * *

                                    S win – didn't know what I was looking for.

                                    mxtoolbox.com results:

                                    220 exch.domain.com Microsoft ESMTP MAIL Service ready at Mon, 10 Oct 2011 13:09:04 -0700

                                    OK - 208.xx.xx.88 resolves to mail.domain.com, domain.com, exch.domain.com
                                    OK - Reverse DNS matches SMTP Banner
                                    0 seconds - Good on Connection time
                                    Not an open relay.
                                    5.429 seconds - Warning on Transaction time

                                    Session Transcript:
                                    HELO please-read-policy.mxtoolbox.com
                                    250 exch.domain.com Hello [xxx.xxx.xxx.xxx] [62 ms]
                                    MAIL FROM: supertool@mxtoolbox.com
                                    250 2.1.0 Sender OK [78 ms]
                                    RCPT TO: test@example.com
                                    550 5.7.1 Unable to relay [5086 ms]

                                    • tomf

                                      I have not had any postfix or proxy of any sort on there.

                                      • marcelloc

                                        Try this:

                                        • remove the port 25 NAT

                                        • install the Postfix Forwarder package

                                        • configure the package's General tab (enable, select WAN and add your domain/Exchange IP)

                                        • save the config

                                        • redo the SMTP check from http://mxtoolbox.com/diagnostic.aspx

                                        • tomf

                                          That gets a much better Transaction time.
                                          No incoming mail. I'm guessing there are more configurations that need to be done on the Postfix forwarder?

                                          220 vrouter.domain.com ESMTP Postfix

                                          OK - 208.xx.xx.88 resolves to mail.domain.com, domain.com, exch.domain.com
                                          OK - Reverse DNS matches SMTP Banner
                                          0 seconds - Good on Connection time
                                          Not an open relay.
                                          0.827 seconds - Good on Transaction time

                                          Session Transcript:
                                          HELO please-read-policy.mxtoolbox.com
                                          250 vrouter.domain.com [62 ms]
                                          MAIL FROM: supertool@mxtoolbox.com
                                          250 2.1.0 Ok [172 ms]
                                          RCPT TO: test@example.com
                                          554 5.7.1 test@example.com: Relay access denied [265 ms]
                                          QUIT
                                          221 2.0.0 Bye [62 ms]

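Both mxtoolbox transcripts in this thread (Exchange answering RCPT TO with "550 5.7.1 Unable to relay" after 5 seconds, and the Postfix Forwarder answering "554 5.7.1 Relay access denied" in a quarter of a second) are the same relay test, and it is worth being able to run it yourself against a box before and after a change like the one marcelloc suggests. The block below is an added example, not code from mxtoolbox, Netgate or the poster: an smtplib client that does HELO, MAIL FROM and a RCPT TO for a domain the target does not host, timing each step, plus a small in-process stand-in for the MTA so the example runs offline. The host names, the stand-in's replies and the 5-second "slow" threshold are constructed for the example (mxtoolbox does not publish its threshold; 5.4 s drew a warning in the thread).

```python
import smtplib
import socket
import threading
import time


def start_fake_smtp_server(rcpt_code=550, rcpt_text="5.7.1 Unable to relay", rcpt_delay=0.0):
    """Constructed stand-in for the MTA under test (replies modelled on the thread's transcripts).

    Serves one connection on 127.0.0.1 and returns the port it listens on. The answer to
    RCPT TO is configurable so the probe can be shown against a relay-denying host (550/554)
    and against an open relay (250)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.sendall(b"220 exch.example.com Microsoft ESMTP MAIL Service ready\r\n")
        for raw in conn.makefile("rb"):
            parts = raw.decode("ascii", "replace").split()
            verb = parts[0].upper() if parts else ""
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 exch.example.com Hello [127.0.0.1]\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                time.sleep(rcpt_delay)  # the slow recipient check behind the 5086 ms in the thread
                conn.sendall(f"{rcpt_code} {rcpt_text}\r\n".encode("ascii"))
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def relay_probe(host, port, helo="please-read-policy.mxtoolbox.com",
                mail_from="supertool@mxtoolbox.com", rcpt_to="test@example.com",
                slow_ms=5000, timeout=10.0):
    """Run the same dialogue as the mxtoolbox SMTP diagnostic and time every step.

    RCPT TO names a domain the target does not host: a 2xx there means the host will relay
    for anyone (open relay), a 5xx is the refusal you want to see."""
    steps = []

    def timed(name, fn):
        t0 = time.monotonic()
        code, _msg = fn()
        steps.append({"step": name, "code": code, "ms": round((time.monotonic() - t0) * 1000)})
        return code

    client = smtplib.SMTP(timeout=timeout, local_hostname=helo)
    start = time.monotonic()
    try:
        timed("CONNECT", lambda: client.connect(host, port))
        timed("HELO", lambda: client.helo(helo))
        timed("MAIL FROM", lambda: client.mail(mail_from))
        rcpt_code = timed("RCPT TO", lambda: client.rcpt(rcpt_to))
        timed("QUIT", lambda: client.quit())
    finally:
        client.close()
    transaction_ms = round((time.monotonic() - start) * 1000)
    return {
        "steps": steps,
        "transaction_ms": transaction_ms,
        "open_relay": 200 <= rcpt_code < 300,
        "slow": transaction_ms >= slow_ms,  # threshold assumed; mxtoolbox warned at 5.4 s
    }


if __name__ == "__main__":
    port = start_fake_smtp_server(rcpt_delay=0.2)
    result = relay_probe("127.0.0.1", port)
    for step in result["steps"]:
        print(f'{step["step"]:<9} {step["code"]} [{step["ms"]} ms]')
    print("open relay:", result["open_relay"], "| slow:", result["slow"])
```

Against a real host, call relay_probe with the public address and port 25 and skip the stand-in. The per-step timings separate the two things the thread conflates: a slow RCPT TO with a 5xx at the end is a policy lookup that is slow, not a forwarding problem, while a 2xx on that RCPT TO is the open-relay condition that gets a mail server blacklisted and needs fixing before anything else.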
                                          • chpalmer

                                            @marcelloc:

                                            Try this:

                                            • remove the port 25 NAT
                                            • install the Postfix Forwarder package
                                            • configure the package's General tab (enable, select WAN and add your domain/Exchange IP)
                                            • save the config
                                            • redo the SMTP check from http://mxtoolbox.com/diagnostic.aspx

                                            marcelloc- you read my mind…

                                            "0.827 seconds - Good on Transaction time"  Could be something in your system spinning up...  Probably not a deal killer either...  My backup email server on a desktop at a location far from my datacenter does the same thing till it gets woke up after sitting a while.  Since its XP, on a desktop...

                                            I was actually going to send an email to postmaster@"your domain" and see what my server logged but did a copy paste after I hit the copy key on your earlier post...  Are you in a position to try that from another email server you have?

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.