2

We cannot send mail to one particular domain. When we do, we get a 'message delayed' message from Exchange, then a #550 4.4.7 QUEUE.Expired; message expired ## message from Exchange. I can send to that domain from gmail.com. I can do a local nslookup for the MX record, and ping the host from the MX record. When I try to telnet to host.domain.com 25, I get a 220 response with all asterisks. Helo and Ehlo both trigger a response '500 What? I don't understand'

The domain did experience a firewall issue last weekend, but the sysadmin there says that the firewall has been replaced, and is working properly, and my PING tests seem to support that. He insists that there have been no changes to their mail server.

Any ideas?

We are on Exchange 2007

BillN
  • 1,503
  • 1
  • 13
  • 31

2 Answers2

3

From Cisco's docs:

As of [PIX] version 5.1 and higher, the fixup protocol smtp command changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters.

and also

"Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP commands such as EHLO ... This may cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through PIX Firewall."

Just about everything out there says the only way to fix this is for the admin at that domain to turn off fixup or upgrade to a Cisco that allows ESMTP. The only thing you can do, apparently, is not use Exchange for outgoing email (perhaps forward outgoing mail to another mailserver that then delivers it outside your network).

DerfK
  • 19,493
  • 2
  • 38
  • 54
  • This makes some sense, I know the 'new' firewall is a Cisco. However, a telnet session does not respond correctly to either a HELO or EHLO, so its not just extended SMTP, it seems to be all SMTP. I'll ask the admin if he is running fixup protocol smtp. – BillN Oct 15 '10 at 22:28
1

If you can, you might consider turning off the application filter on the Cisco. There are various issues with Cisco's implementations of their application-level filters.

We had a situation where the Cisco filters would cause a SIP video session to consistently disconnect after a hour into the session. The situation was finally corrected by disabling the Cisco filters.

user48838
  • 7,431
  • 2
  • 18
  • 14
  • Unfortunately the Cisco FW that was added is on the receiving end, so its no under my control. Technically, this makes the issue not my problem, but since my users cannot send to this vendor, I need to assist with the diagnosis. – BillN Oct 18 '10 at 17:06
  • If you can (have) make contact with them, it might shed light with any other issues that they might be having with other folks... – user48838 Oct 19 '10 at 05:42