Netgate Discussion Forum
    Forwarding port 25 for Exchange Server NOT Working

    29 Posts 6 Posters 19.2k Views
chpalmer:

I thought there was an RFC stipulation that mail servers should receive and send on the same port, but I can't find it, so I may be off base…

On your NAT rule you should only need TCP.

Can you show your firewall rules?

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
marcelloc:

Monitor WAN port 25 via tcpdump at the console.

If you receive the "S win" packet, your ISP does not block 25.
If you don't, then the ISP is guilty.

If your ISP allows SMTP, you can also try the Postfix Forwarder package to add security to your internal Exchange server.

Treinamentos de Elite: http://sys-squad.com

Help a community developer! ;D
tomf:

Thanks for the answers.

@Podilarius: I had one package installed, Open-VM-Tools, which I removed, restarted pfSense and tested again, with no change.

This jogged my brain that I have failed to explain that my setup here is on VMware ESXi 4.1. The pfSense is in a VM, as well as the Exchange Server. Sorry. I've been so consumed with trying to figure this out that I haven't said that.

@Metu69salemi: I've been checking the firewall logs and haven't seen anything. But then I realized that I don't see any entries for my IP 208.x.x.88, but only for two other IPs on my subnet (both my systems), .75 and .68.

Both .75 and .68 are other pfSense VMs. I checked .68 logs and it is receiving log entries for .88 and .75, but not for itself.

Same for .75. It only has firewall log entries for .88 and .68, but none for itself.

These are all on the same ESXi host, using the same network interface.
Each has a static IP.

Oddly, while testing, a test message suddenly came through fine. But not again. So it seems that some things get through, but rarely, like 1 in a hundred.

I've tried tailing the logs from the shell, but it's not working, nor is cat. Is something corrupt on my system, or is there some sort of binary in the raw log files?

@chpalmer: I'm not seeing where to set static port to yes. I've been using mxtoolbox and it says I'm fine on all tests. Fixed that tcp/udp to tcp, thanks.
Attaching my current firewall RULES.

@marcelloc: tcpdump on port 25 shows:

```text
11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0
11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0
11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0
```

This email never shows up, and I'm sure I'll get a delayed email notification from Gmail in a few hours.

I'm not adept at interpreting the tcpdump, so I'm not sure what it all means, but it seems Gmail calls, there is an ack, then I'm not sure. I don't see the "S win".

My ISP at home (where I'm working from) is Frontier.
My hosting environment where the servers are located is under Startouch Networks. I have 2 other mail servers there and they have no issues.

If Gmail is getting my mail and attempting to send it out, rarely succeeding, how can it be my ISP blocking port 25? If I log onto Gmail directly and compose and send, that should bypass any ISP blocking.

Status: Still stuck, but wondering if my multiple pfSense routers/firewalls on the same physical network interface on an ESXi host might be an issue, OR misconfigurations on pfSense.

![Screen Shot 2011-10-10 at 11.27.11 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-10 at 11.27.11 AM.png)
marcelloc:

@tomf:

> 11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0
>
> 11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0
>
> 11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0

You have the S win.

Now you have to check your NAT settings.

Your WAN rules are all open; this is dangerous.

Check if there is a wrong or duplicated NAT setup sending to another host on your network.

The reject packet means that somebody received this communication and rejected it.
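Reading a capture like the one above by hand is error-prone, so here is a small classifier, added as an example for this thread (not code from the forum, from pfSense or from the Postfix Forwarder package), that takes the text of `tcpdump -n -i <wan-interface> port 25` output and says which of the cases marcelloc distinguishes it shows: no SYN at all (the upstream-block case), a SYN nobody answered, a SYN-ACK that the remote reset as in tomf's capture, or a completed handshake. The sample captures are constructed: the first reproduces tomf's three packets, the other two use documentation addresses. The interface name and the verdict wording are my assumptions.

```python
import re

# Constructed sample captures.  The first reproduces the three packets tomf
# posted (SYN in, SYN-ACK out, RST in); the other two are made up for contrast.
CAPTURE_CLIENT_RESET = """\
11:36:39.095409 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [S], seq 201717168, win 5720, options [mss 1430,sackOK,TS val 2471252779 ecr 0,nop,wscale 6], length 0
11:36:39.102707 IP wcss.co.smtp > mail-qw0-f46.google.com.45383: Flags [S.], seq 401759787, ack 201717169, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 25358328 ecr 2471252779], length 0
11:36:39.182389 IP mail-qw0-f46.google.com.45383 > wcss.co.smtp: Flags [R], seq 201717169, win 0, length 0
"""
CAPTURE_SERVER_SILENT = """\
12:00:00.000001 IP 198.51.100.7.40000 > 203.0.113.88.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 198.51.100.7.40000 > 203.0.113.88.25: Flags [S], seq 1, win 64240, length 0
"""
CAPTURE_OK = """\
12:00:00.000001 IP 198.51.100.7.40000 > 203.0.113.88.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000500 IP 203.0.113.88.25 > 198.51.100.7.40000: Flags [S.], seq 100, ack 2, win 8192, length 0
12:00:00.001000 IP 198.51.100.7.40000 > 203.0.113.88.25: Flags [.], ack 101, win 502, length 0
"""

# One tcpdump line: timestamp, "IP", src > dst, then the flag set in brackets.
# Braces are accepted too, because the forum rendering turned [S] into {S}.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags [\[{](?P<flags>[^\]}]*)[\]}]"
)

VERDICTS = {
    "no-syn": "no SYN for port 25 seen on the interface: nothing arrived, so the block is upstream",
    "server-silent": "SYN arrived but nothing answered: the forward or firewall rule did not deliver it, or the host behind it is down",
    "server-reset": "this side answered the SYN with RST: the port was reachable but nothing accepted the connection",
    "client-reset": "SYN-ACK went out and the remote answered with RST: the reply reached the remote but matched no connection it was tracking, so port 25 is not blocked upstream",
    "handshake-ok": "three-way handshake completed",
    "incomplete": "SYN-ACK went out but no further packet from the remote was captured",
}


def parse_capture(text):
    """Return one dict (ts, src, dst, flags) per tcpdump line that matches LINE_RE."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def endpoint_port(endpoint):
    """'host.port' -> port; tcpdump prints 'smtp' without -n and '25' with it."""
    return endpoint.rpartition(".")[2]


def diagnose(text, smtp_ports=("smtp", "25")):
    """Classify a port-25 capture into one of the VERDICTS keys."""
    events = parse_capture(text)
    to_server = [e["flags"] for e in events if endpoint_port(e["dst"]) in smtp_ports]
    from_server = [e["flags"] for e in events if endpoint_port(e["src"]) in smtp_ports]
    if "S" not in to_server:
        return "no-syn"
    if any("R" in f for f in from_server):
        return "server-reset"
    if "S." not in from_server:
        return "server-silent"
    if any(f in (".", "P.") for f in to_server):   # client ACKed the SYN-ACK
        return "handshake-ok"
    if any("R" in f for f in to_server):
        return "client-reset"
    return "incomplete"


if __name__ == "__main__":
    for name, cap in (("thread", CAPTURE_CLIENT_RESET),
                      ("silent", CAPTURE_SERVER_SILENT), ("ok", CAPTURE_OK)):
        verdict = diagnose(cap)
        print(f"{name}: {verdict}: {VERDICTS[verdict]}")
```

A RST that answers a SYN-ACK (its sequence number equals the SYN-ACK's ack number, as in tomf's third packet) is what a host, or a stateful device in front of it, sends when the reply matches no connection it is tracking. With that verdict, the capture point and the path the SYN-ACK took back out are what to compare, rather than anything at the ISP.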
chpalmer:

> @chpalmer: I'm not seeing where to set static port to yes. I've been using mxtoolbox and it says I'm fine on all tests. Fixed that tcp/udp to tcp, thanks.
> Attaching my current firewall RULES.

http://mxtoolbox.com/diagnostic.aspx    What does this say?

Static port: go to your outbound NAT rule, edit, down to Translation… click the box that says Static Port.

TCP/UDP won't break you, but it's just safer to have what you need...

If you want to see port activity getting through, go to your firewall rule and click the "Log packets that are handled by this rule" box.
chpalmer:

Blot out your IP and DNS if you don't want those out…

So your box is connecting.

5.429 seconds makes me wonder... I generally see under 100ms on my hmail box here. Have you ever had Postfix or any other proxy installed on or between your units?
tomf:

S win – didn't know what I was looking for.

mxtoolbox.com results:

```text
220 exch.domain.com Microsoft ESMTP MAIL Service ready at Mon, 10 Oct 2011 13:09:04 -0700

OK - 208.xx.xx.88 resolves to mail.domain.com, domain.com, exch.domain.com
OK - Reverse DNS matches SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
5.429 seconds - Warning on Transaction time

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 exch.domain.com Hello [xxx.xxx.xxx.xxx] [62 ms]
MAIL FROM: supertool@mxtoolbox.com
250 2.1.0 Sender OK [78 ms]
RCPT TO: test@example.com
550 5.7.1 Unable to relay [5086 ms]
```
tomf:

I have not had any postfix or proxy of any sort on there.
marcelloc:

try this:

• remove port 25 nat
• install postfix forwarder
• configure package general tab (enable, select wan and add your domain/exchange ip)
• save config
• redo smtp check from http://mxtoolbox.com/diagnostic.aspx
tomf:

That gets a much better transaction time.
No incoming mail. I'm guessing there are more configurations that need to be done on the postfix forwarder?

```text
220 vrouter.domain.com ESMTP Postfix

OK - 208.xx.xx.88 resolves to mail.domain.com, domain.com, exch.domain.com
OK - Reverse DNS matches SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
0.827 seconds - Good on Transaction time

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 vrouter.domain.com [62 ms]
MAIL FROM: supertool@mxtoolbox.com
250 2.1.0 Ok [172 ms]
RCPT TO: test@example.com
554 5.7.1 test@example.com: Relay access denied [265 ms]
QUIT
221 2.0.0 Bye [62 ms]
```
chpalmer:

> try this:
>
> • remove port 25 nat
> • install postfix forwarder
> • configure package general tab (enable, select wan and add your domain/exchange ip)
> • save config
> • redo smtp check from http://mxtoolbox.com/diagnostic.aspx

marcelloc, you read my mind…

"0.827 seconds - Good on Transaction time"  Could be something in your system spinning up... Probably not a deal killer either... My backup email server on a desktop at a location far from my datacenter does the same thing until it gets woken up after sitting a while. Since it's XP, on a desktop...

I was actually going to send an email to postmaster@"your domain" and see what my server logged, but did a copy paste after I hit the copy key on your earlier post... Are you in a position to try that from another email server you have?
tomf:

I can only send from another system that is on my main subnet 208.xx.xx.xx:

With this postfix forwarder I'm getting really fast return error messages now.

```text
This is the mail system at host vrouter.domain.com

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

tommyf@domain.com: mail for 208.xx.xx.88 loops back to myself
Reporting-MTA: dns; vrouter.domain.com
X-Postfix-Queue-ID: 5F50517047
X-Postfix-Sender: rfc822; tommy@domain2.com
Arrival-Date: Mon, 10 Oct 2011 15:57:23 -0700 (PDT)

Final-Recipient: rfc822; tommyf@domain.com
Original-Recipient: rfc822;tommyf@domain.com
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for 208.xx.xx.88 loops back to myself
```
tomf:

If you want to send a message to postmaster, please go ahead, if you still have that domain info.

I'm trying to figure out the looping issue. This is definitely not my forte, but improving.
tomf:

I'm confused over this looping back to self error.

I have DNS set up as:
    mail.domain.com
    exch.domain.com (also the name of the Exchange server and what comes up in the banner)
    domain.com

All three resolve to the same IP: 208.xx.xx.88

But the router is set as vrouterdomain.domain.com.
There is no DNS set for this host name vrouterdomain.

If I change the domain on the router from domain.com to somethingelse.com, then I get: Warning - Reverse DNS does not match SMTP Banner.
The only thing that has changed is the domain name of the router, which is not configured for DNS anyway, and is not the name of the Exchange server.
I don't see why the name of the router affects the reverse DNS to not match what is in the Exchange banner.

I have another Exchange server installation, with which I've compared settings, DNS, NAT and routing; it works OK, but uses a hardware SonicWall.
This Exchange server works if I take the pfSense out of the picture.

So I'm thinking the loopback problem has to do with how the pfSense router is named.
marcelloc:

Postfix does a lot of checks to validate email.

DNS is one of the most used checks. If you have Exchange, you may also have internal DNS configured.

Set pfSense DNS to this internal server, set the MX name/domain/IP to your Exchange, and also create a host entry for pfSense.

To finish the Postfix forwarder configuration, check the other tabs like antispam and valid recipients.

To see the server log, choose the /var/log/maillog option in the GUI and do a tail -f on it at the console.
tomf:

I'm not clear on what you mean by "set pfsense dns to my internal server".

I have a host entry in the internal DNS for pfSense, pointing to 192.x.x.1

I'm tailing logs, and only get the same error of looping back to self no matter what options I change and try.

In these logs it shows
    message-id=20111011183805.90A2C1704D@vrouter.domain.com

I think I'm confused as to why the vrouter.domain.com is even in the picture as all the ports are supposed to be forwarded directly to the internal exch.domain.com.
marcelloc:

@tomf:

> I'm not clear on what you mean by "set pfsense dns to my internal server".

Set the pfSense box DNS to your internal AD DNS.
Create an A record for pfSense and assign it on the pfSense box.

@tomf:

> I think I'm confused as to why the vrouter.domain.com is even in the picture as all the ports are supposed to be forwarded directly to the internal exch.domain.com.

The Postfix test was a suggestion to test your scenario and greatly improve your mail security.

The problem may be at your Exchange box.

Finish the Postfix forwarder setup and see if it works.

To test pfSense-to-Exchange communication, do this:

Go to your pfSense console and telnet to your Exchange server on port 25 and see whether you get instant access to the port or not.
Then type the SMTP commands you saw at mxtoolbox.com:

• HELO please-read-policy.mxtoolbox.com
• MAIL FROM:
• RCPT TO: test@example.com
• QUIT
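marcelloc's telnet test and the mxtoolbox transcripts earlier in the thread are the same dialogue: banner, HELO, MAIL FROM, RCPT TO, QUIT, with a reply code and a time for each step. The script below, an added example rather than code from the forum, pfSense, Postfix or mxtoolbox, runs that dialogue against a host and port with a timer around every reply, so a slow step like the 5086 ms RCPT in tomf's first test, or a RCPT for a foreign domain answered with 2xx (an open relay), comes out as a value instead of something to eyeball. It never sends DATA, so no message is injected. Because it must run offline, it also carries a constructed stand-in MTA (`start_fake_mta`) that answers the way the thread's Exchange server did; its host names and addresses are made up.

```python
import socket
import threading
import time


def _read_reply(reader):
    """Read one SMTP reply (possibly multi-line) and return (code, final line)."""
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        # A continuation line has '-' in column 4 ("250-..."); the last line has a space.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), line


def smtp_probe(host, port, helo, mail_from, rcpt_to, timeout=10.0):
    """Replay the mxtoolbox-style dialogue against an MTA, timing each reply.

    Returns [(step, reply_code, milliseconds), ...].  DATA is never sent.
    """
    steps = []
    started = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        code, _ = _read_reply(reader)                       # 220 banner
        steps.append(("CONNECT", code, round((time.monotonic() - started) * 1000, 1)))
        for cmd in (f"HELO {helo}", f"MAIL FROM:<{mail_from}>",
                    f"RCPT TO:<{rcpt_to}>", "QUIT"):
            sent = time.monotonic()
            sock.sendall((cmd + "\r\n").encode())
            code, _ = _read_reply(reader)
            steps.append((cmd.split()[0], code, round((time.monotonic() - sent) * 1000, 1)))
    return steps


def rcpt_accepted(steps):
    """True when the RCPT step got a 2xx reply.  Probed with a domain the server
    does not own, True means it relays for anyone."""
    return any(step == "RCPT" and 200 <= code < 300 for step, code, _ in steps)


def slow_steps(steps, threshold_ms=1000.0):
    """Steps slower than the threshold, the kind mxtoolbox flags as a transaction-time warning."""
    return [step for step, _, ms in steps if ms > threshold_ms]


def start_fake_mta(accepted_domains):
    """Constructed stand-in MTA for an offline demonstration (not Exchange or Postfix).

    Accepts RCPT only for accepted_domains and answers 550 'Unable to relay' otherwise,
    which is the healthy reply an Exchange server gives a relay test.  Returns (host, port).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve_one():
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"220 exch.example.test Microsoft ESMTP MAIL Service ready\r\n")
            while True:
                raw = reader.readline()
                if not raw:
                    break
                line = raw.decode("utf-8", "replace").strip()
                verb = line.split()[0].upper() if line else ""
                if verb == "HELO":
                    conn.sendall(b"250 exch.example.test Hello\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 2.1.0 Sender OK\r\n")
                elif verb == "RCPT":
                    domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                    if domain in accepted_domains:
                        conn.sendall(b"250 2.1.5 Recipient OK\r\n")
                    else:
                        conn.sendall(b"550 5.7.1 Unable to relay\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")
        listener.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return listener.getsockname()


def demo():
    """Probe the constructed MTA the way mxtoolbox probes a public MX."""
    host, port = start_fake_mta({"domain.test"})
    return smtp_probe(host, port, "probe.example.test", "probe@example.test", "test@example.com")


if __name__ == "__main__":
    for step, code, ms in demo():
        print(f"{step:8} {code} [{ms} ms]")
```

Against a real server, call `smtp_probe(host, 25, your_helo_name, your_sender, "test@example.com")` from the pfSense shell (to reach the Exchange host directly, as marcelloc suggests) or from a host outside the WAN (to go through the forwarder), and compare the per-step times with what mxtoolbox reports. `rcpt_accepted` only says something when the recipient domain is one the server should refuse.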
tomf:

pfSense DNS is set to my internal DNS, using the 192.168.1.201 IP address of the internal DNS.
I have an entry in that local DNS for the pfSense.

From the console on my Exchange server, and on pfSense, I can do nslookup on pfSense and the Exchange server and get correct responses.

I can telnet from pfSense to the Exchange server port 25 and run those commands from mxtoolbox.

I can run the mxtoolbox SMTP check and all comes back green.
All mxtoolbox tests come out good.

If I send email from my Gmail account it does not arrive.
Nothing shows in tailing the maillog.

It took about 30 minutes to get an error back from Gmail:

> Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 tf@domain.com: Relay access denied (state 14).

When this 30 minute mark hit, then the maillog shows (vrouter is my pfSense hostname):

```text
Oct 12 11:01:28 vrouter postfix/postscreen[34753]: CONNECT from [209.85.161.174]:42489
Oct 12 11:01:34 vrouter postfix/postscreen[34753]: PASS OLD [209.85.161.174]:42489
Oct 12 11:01:34 vrouter postfix/smtpd[34859]: connect from mail-gx0-f174.google.com[209.85.161.174]
Oct 12 11:01:34 vrouter postfix/smtpd[34859]: NOQUEUE: reject: RCPT from mail-gx0-f174.google.com[209.85.161.174]: 554 5.7.1 <tf@domain.com>: Relay access denied; from=<tf@gmail.com> to=<tf@domain.com> proto=ESMTP helo=<mail-gx0-f174.google.com>
Oct 12 11:01:34 vrouter postfix/smtpd[34859]: disconnect from mail-gx0-f174.google.com[209.85.161.174]
```

I appreciate the patience here with my questions. I like using the postfix forwarder and I want to take advantage of the additional features it has, so I'm going to keep working on this.
tomf:

Finally working. Thanks all for the help and guidance.

In the postfix forwarder tab for Domains to Forward, I had listed the Exchange server and its internal IP, which was exch.domain.com. The "not relaying" error finally clicked with me: the mail was coming in as mail.domain.com. So I added that with the same internal IP to the Domains to Forward and things began to work. For good measure I added the root domain also.

I am still having odd issues which I'll take to an Exchange forum.

I'm jazzed about pfSense, and hope to use it more. Great work!
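tomf's fix compresses the last several posts into one decision: the forwarder relays only the domains listed under Domains to Forward, refuses RCPT TO for anything else when the sender is an outside host (the 554 "Relay access denied" Gmail received), and for a trusted internal sender falls back to public DNS, where every public name points back at the forwarder's own WAN address (the "mail for 208.xx.xx.88 loops back to myself" bounce). The model below is an added example, not Postfix or the pfSense package; the configuration dictionaries, the documentation-range addresses and the `mynetworks` list are my assumptions standing in for the thread's values. `unlisted_self_domains` reports exactly the names tomf had to add.

```python
import ipaddress

# Constructed data modelled on the thread.  Documentation-range addresses stand in
# for the thread's 208.xx.xx.88 (WAN) and the internal Exchange host (hypothetical).
WAN_IP = "203.0.113.88"
EXCHANGE_IP = "192.0.2.10"

PUBLIC_DNS = {                      # what the world resolves: every name -> WAN address
    "mail.domain.com": WAN_IP,
    "exch.domain.com": WAN_IP,
    "domain.com": WAN_IP,
}

BEFORE_FIX = {                      # only the Exchange host name listed, as tomf had it
    "own_ips": {WAN_IP},
    "mynetworks": ["127.0.0.0/8", "203.0.113.0/24"],   # assumed trusted senders
    "forward": {"exch.domain.com": EXCHANGE_IP},
}
AFTER_FIX = {                       # all three public names forwarded to Exchange
    "own_ips": {WAN_IP},
    "mynetworks": ["127.0.0.0/8", "203.0.113.0/24"],
    "forward": {
        "exch.domain.com": EXCHANGE_IP,
        "mail.domain.com": EXCHANGE_IP,
        "domain.com": EXCHANGE_IP,
    },
}


def _in_mynetworks(client_ip, nets):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def route_recipient(rcpt, client_ip, cfg, dns=PUBLIC_DNS):
    """Model the forwarder's decision for one RCPT TO.

    Returns (action, detail): 'relay' with the next hop, 'reject' (refused at RCPT
    time, which the sender sees as 554 5.7.1) or 'bounce' (accepted, then failed
    in the queue, which the sender gets back as a non-delivery report).
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    forward = cfg["forward"]
    if domain in forward:
        # Listed domain: handed straight to the configured internal next hop.
        return ("relay", forward[domain])
    if not _in_mynetworks(client_ip, cfg["mynetworks"]):
        # Unlisted domain from an outside client: a closed relay refuses here.
        return ("reject", "554 5.7.1 Relay access denied")
    # Trusted client, unlisted domain: deliver by public DNS like any outbound mail.
    target = dns.get(domain)
    if target is None:
        return ("bounce", f"Host or domain name not found: {domain}")
    if target in cfg["own_ips"]:
        # The public name points back at this box, which holds no mailbox for it.
        return ("bounce", f"mail for {target} loops back to myself")
    return ("relay", target)


def unlisted_self_domains(cfg, dns=PUBLIC_DNS):
    """Public names that resolve to this forwarder but are not in its forward list.
    Each one yields the two errors seen in the thread, depending on who is sending."""
    return sorted(d for d, ip in dns.items()
                  if ip in cfg["own_ips"] and d not in cfg["forward"])


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "missing:", unlisted_self_domains(cfg))
        print("  from Gmail  :", route_recipient("tf@domain.com", "198.51.100.7", cfg))
        print("  from inside :", route_recipient("tommyf@domain.com", "203.0.113.75", cfg))
```

The same audit applies to any forwarder or filtering relay in front of a mail server: every name that MX or A records point at the relay's address must appear in its relay list with the real destination, or mail for that name is either refused or bounced as a loop.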
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.