Monday, May 3, 2021

Cisco Broke my Mail Server

The Rant 

I don't usually write about networking, but I'm having to do a bit more of it lately. Today we found that a new Cisco Firepower ASA broke our e-mail servers.

The Problem

SMTP mail queues are backing up. Mail is not transferring. Now this isn't the internal, within-the-domain mail. This is going to another domain in the org. Still managed, sort of, by us, but separate. Complaints about non-delivery receipts start coming in.

You go to the Exchange Management Console, go to tools, click Queue Viewer and yup. A bunch of e-mail in the queue. This isn't dial-up days, mail shouldn't be in there unless they have bypassed your great e-mail attachment rule that limits sending Windows ISO images via e-mail. (thank you Jim!!) So you start to look around to see what is causing it.

Normal Problem

Usually this is caused by McAfee AV 8.8 and the Block Mass Mailing Worm rule. Enabled by default and applied by lazy busy admins to Exchange Servers. This is the main cause of intra-domain e-mail backups. In McAfee Endpoint Manager there is a rule that you CAN enable, but it is not enabled by default.

The Other Problem

OK, so to figure out if this is your problem, telnet to both Exchange servers. (OK, I was stupid, so I'll put this in here. If you run PuTTY, make sure to change the radio button to Telnet because SSH will NOT work.) When you telnet in, you will get one of two things:

220 ************************************************************

or

220 SVR-LAB-EXC-01, Microsoft <blah blah blah>

The ***s are wrong. That is coming from the firewall. You need to remove the SMTP block on there. A Google search will turn up a "fixup protocol smtp 25" command. That's what broke it and seems to be in there by default, but doing a "no fixup protocol smtp 25" just doesn't work like other Cisco commands should. This should work to remove the ESMTP inspection:

# policy-map global_policy

# class inspection_default

# no inspect esmtp
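The telnet banner check above, scripted so it can be run against both servers before and after the firewall change. This is an added example, not part of the original post; the function names are hypothetical, and the 80% asterisk threshold is an assumption made so that a banner with a few unmasked characters still counts as masked.

```python
import re
import socket

# SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_greeting(raw):
    """Return (code, [text lines]) for a greeting, following 220- continuations."""
    code, texts = None, []
    for line in raw.replace("\r\n", "\n").split("\n"):
        m = REPLY_RE.match(line)
        if not m:
            continue
        code = int(m.group(1))
        texts.append(m.group(3).strip())
        if m.group(2) == " ":  # final line of the reply
            break
    return code, texts

def classify_banner(raw, threshold=0.8):
    """'masked' = rewritten by the firewall, 'clear' = the real server banner."""
    code, texts = parse_greeting(raw)
    if code != 220:
        return "no-greeting"
    body = "".join(texts).replace(" ", "")
    # Assumption: a masked banner is (almost) entirely asterisks.
    stars = body.count("*") / len(body) if body else 0.0
    return "masked" if stars >= threshold else "clear"

def probe(host, port=25, timeout=10):
    """Do what the telnet test does: connect, read the greeting, classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("r", encoding="ascii", errors="replace", newline="") as f:
            lines = []
            for line in f:
                lines.append(line)
                if line[3:4] != "-":  # stop at the last line of the reply
                    break
    raw = "".join(lines)
    return classify_banner(raw), raw.strip()

if __name__ == "__main__":
    # Constructed samples modelled on the two banners shown in the post.
    for sample in ("220 " + "*" * 60 + "\r\n",
                   "220 SVR-LAB-EXC-01, Microsoft <blah blah blah>\r\n"):
        print(classify_banner(sample), "<-", sample.strip())
```

Call `probe("your-exchange-host")` from the sending side of the firewall; a result of `masked` means ESMTP inspection is still rewriting the session.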

Be happy today!!

