1

Not sure how to title this question...

We run an Exchange server with around 80 internal users. All outgoing mail is relayed through a smart host (ISP SMTP server), so nothing is actually sent to the world directly from our server. I wanted to check the server. Locally I can telnet to port 25 with no issues and receive the ESMTP service ready reply. Whenever I do it from an external address (off our local network) I receive an "unable to connect" error (10060).

Can this be because of problems with SPF records or reverse DNS? Should my Exchange server be able to accept SMTP requests, requiring authentication before I am able to send from external addresses? If so, how?

Also, the Exchange server is behind a NAT (ASA) device. I'm thinking that the NAT is not configured to route the SMTP port 25 request to the Exchange server.

John Gardeniers
Jeff

3 Answers

3

If your Exchange server is successfully receiving emails from the outside world, then port 25 has already been forwarded on your NAT device to the internal Exchange server. You should be able to telnet to your server on port 25 from the outside world - if not then you wouldn't be able to receive any emails from outside the network.

So it sounds like you want to know how to use your server as a relay from the outside. You need to configure that in the SMTP virtual server settings in Exchange (depends on the version of Exchange).

You will want to be careful that you don't create an open relay - otherwise you will be slammed by spammers, black-listed and your ISP will probably shut down that port.

charnley
  • That's how I discovered this: checking to see if my mail server may be an open relay (double check..) and could not connect to it via SMTP from an outside network. I'm using the wifi of a coffee shop across the street to telnet to my server's external IP using 25 and getting the connection refused.. Whenever I do it locally using its internal address (192.168.x.x) I can connect fine. Any ideas why this would be? – Jeff Jan 08 '11 at 16:30
  • Just log into your NAT device and see how its set up. Sounds to me like it might be configured to accept and forward inbound traffic on port 25 ONLY from the mxlogic server(s). Another possibility is the coffee shop wifi is blocking outbound port 25 (connect to another smtp server and see if it works to test that). – charnley Jan 08 '11 at 16:45
  • OK - the ASA firewall only accepts connections from mxlogic servers on port 25; the NAT then forwards to the local Exchange server. As in the original question, could this cause issues with SPF, or matching host DNS to server name for EHLO/HELO messages? Apologies if I'm not wording this correctly - I'm learning as I go with mail server technology – Jeff Jan 08 '11 at 16:52
  • Okay so you are having problems receiving emails from some hosts? I think your exact question is not so clear... – charnley Jan 08 '11 at 16:57
  • No.. sorry for the unclear question. Due to issues that we were having being classified as spammers, it has been pushed on to me to make our mail server more.. secure, properly configured, and best practice enabled.. As I dig into things (setting up SPF, reverse DNS, and so on) I discovered that I can not telnet remotely (SMTP) into the Exchange server - wondering if this is an issue I need to address or if it's fine the way it is. – Jeff Jan 08 '11 at 17:32
  • Okay now I see. Well you have it set up perfectly. Your email is routed through a smart-host, and there is no way to enter your internal server from the outside (except by mxlogic). So you are indeed properly protected from being used as a relay. It might be possible that your smart host has been blacklisted somewhere. Do you have the message that says you are blacklisted? Can you post that here? – charnley Jan 08 '11 at 18:51
  • The black list is fixed.. it's actually a long process to explain .. What brought this review up: we have a third party marketing company that handles all mass emails. We sent out a 20,000 list before Christmas; 'cloudmark' footprinted our telephone number from the email. Our smarthost used Cloudmark to filter all incoming mail to their server, finding our footprint, and dropping our mail without alert. I feel this was due more to bad list hygiene than anything; however I want to make sure the Exchange server is set up correctly for future use. – Jeff Jan 08 '11 at 19:49
  • Yep - you have it set up correctly. Your Exchange server is not and cannot be an open relay. If you need to prove that to anyone, just describe your setup, including port 25 access can only come from mxlogic. – charnley Jan 09 '11 at 07:30
2

In the United States and in many other parts of the world, it's quite common for residential broadband connections to have traffic filters preventing access to port 25 on any other server than the broadband provider's. To be clear, this is a very good thing. This prevents people from directly connecting and attempting to deliver spam directly to your email servers. It's most likely that this is the packet filtering you're experiencing while at the coffee shop. I'd suggest you try connecting to other mail servers on port 25. If you can't reach them, then it's most likely the internet provider has that blocked.

Hosts to try would be sncwsrelay1.nai.com and sncwsrelay2.nai.com at McAfee or mail.messaging.microsoft.com at microsoft.

Further, you indicated in the follow up to another answer that your Cisco ASA was configured to accept email from the mxlogic servers. Also, you indicate that no email is sent from the server directly but is instead forwarded via a Smart Host. What does this mean with regards to SPF and reverse DNS?

Well, your SPF records should authorize all the machines that whichever email smarthost you're using has as external SMTP servers. Remember, SPF is for advising the world what servers on the internet should be trying to send mail from your domain. Since you're not actually attempting the final delivery of the email yourself - you're sending all your outgoing emails to your smarthost - your SPF records should list all of the smarthost provider's external servers. If you contact them, they should be able to supply you with a list of hosts for inclusion in your SPF record.

With regards to reverse DNS, since you're never directly receiving or directly sending any email, it should not be an issue.

Also, presumably, you have MX records in DNS that list the mxlogic email servers as the email exchangers for your domain. That's great.

Also, most modern email software requires considerable effort to be configured to operate as an open relay. I'd have someone at mxlogic or your commercial internet provider verify your exchange server's open relay setup. To be honest, though, with a smarthost and assuming the smarthost has reasonable sender address filtering, I would say that you're very likely not an open relay.

Cheers.

Sorry this is so long, I'm waiting for tape backups to finish.

etherfish
  • Thanks, I appreciate the length; it explained things better. Not being familiar with these technologies I was confused with a bit of things - mostly SPF, and reverse DNS. Based on your response however I feel that I am doing things the correct way. Thanks again – Jeff Jan 08 '11 at 18:13
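To make the SPF advice in this answer concrete, here is an added example (not code from the answerer or from any SPF library) that evaluates a minimal SPF policy the way a receiving server would. The domain `example.com`, the include name `_spf.smarthost.example`, and all IP ranges are constructed stand-ins for the real records; the small in-memory table replaces a DNS TXT lookup so the script runs offline. It shows why the domain's own record only needs to `include:` whatever the smarthost provider publishes, and that the Exchange server's public address, which never delivers mail directly, does not need to appear at all.

```python
import ipaddress

# Constructed TXT records standing in for DNS (hypothetical names and ranges).
# example.com delegates its SPF policy to the smarthost provider's published
# include record, as the answer recommends; the provider lists its own senders.
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.smarthost.example -all",
    "_spf.smarthost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def spf_check(domain, sender_ip, txt_lookup=FAKE_TXT.get, _depth=0):
    """Evaluate a minimal SPF policy supporting ip4, ip6, include and all.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms needing further DNS work (a, mx, ptr, exists) are not
    implemented here and yield permerror so a gap is never silently a pass.
    """
    if _depth > MAX_INCLUDES:
        return "permerror"
    record = txt_lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = spf_check(arg, sender_ip, txt_lookup, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # a broken include is a policy error
        else:
            return "permerror"  # a, mx, ptr, exists and macros not handled
    return "neutral"  # record exhausted without a match and without "all"


if __name__ == "__main__":
    # 203.0.113.25 plays a smarthost sender; 198.51.100.7 plays the Exchange
    # server's own public address (constructed values).
    for sender in ("203.0.113.25", "2001:db8:10::1", "198.51.100.7"):
        print(sender, "->", spf_check("example.com", sender))
```

Run it as-is for the constructed table, or swap `txt_lookup` for a function that performs a real TXT query to evaluate a live record. The `-all` at the end of the domain record is what makes a sender outside the provider's ranges fail rather than merely "neutral".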
1

Which IP address are you actually connecting to, when you try this from outside your network? If you're using the server's internal (private) address, this will of course not work, as that address is unreachable from the outside.

You should do a simple DNS query for the MX record of your e-mail domain, and see which public IP address is registered as your mail server; then you should telnet to port 25 of that address, and see who is answering. If your firewall's NAT is configured correctly, you will receive a reply either from Exchange itself, or from some other device that could be pre-processing your mail before it's allowed into your mail server, such as an antispam/antivirus appliance.

Massimo
  • ... we use McAfee mxlogic (cloud spam scrub system) that filters all incoming mail, then forwards to our Exchange server. So our MX records point to the mxlogic servers; however no mail is ever sent to these records.. – Jeff Jan 08 '11 at 16:35
  • sorry, no mail is ever sent from these servers * – Jeff Jan 08 '11 at 16:43
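The "telnet to port 25 and see who answers" step from this answer, written up as an added example (not the answerer's code): it connects to a host and port, reads the greeting, and reports whether the connection succeeded, was refused, or timed out, which is the distinction the question's error 10060 (a Windows connect timeout) and the coffee-shop "connection refused" observation hinge on. The host name `mail.example.test` and the loopback stand-in server are constructed so the script runs offline; the MX lookup itself is done beforehand with `nslookup -type=mx` or `dig mx`, as the answer describes.

```python
import socket
import sys
import threading

SMTP_PORT = 25


def smtp_banner_check(host, port=SMTP_PORT, timeout=5.0):
    """Connect to host:port and read the SMTP greeting, like 'telnet host 25'.

    Returns a dict whose 'status' is 'ok' (220 greeting seen), 'unexpected'
    (something else answered), 'refused', 'timeout' or 'error'.
    """
    result = {"host": host, "port": port, "status": "error", "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512).decode("ascii", errors="replace").strip()
            result["banner"] = banner
            # A mail server greets with a 220 reply; anything else means a
            # different service or a filtering device answered on the port.
            result["status"] = "ok" if banner.startswith("220") else "unexpected"
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
    except ConnectionRefusedError:
        result["status"] = "refused"  # nothing listening, or no NAT forward
    except socket.timeout:
        # Windows reports this as error 10060: packets are being dropped,
        # typically by a firewall ACL or an ISP block on outbound port 25.
        result["status"] = "timeout"
    except OSError as exc:
        result["error"] = str(exc)
    return result


def start_fake_smtp(banner=b"220 mail.example.test ESMTP service ready\r\n"):
    """Constructed stand-in for a mail server: listens on loopback, greets once."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
                conn.settimeout(2.0)
                try:
                    conn.recv(64)  # wait for the client's QUIT, then close
                except OSError:
                    pass
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()  # (host, port) of the listening socket


def find_closed_port():
    """Pick a loopback port nothing is listening on (bind, read it, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python smtp_check.py <host-from-MX-record> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else SMTP_PORT
        print(smtp_banner_check(sys.argv[1], port))
    else:
        host, port = start_fake_smtp()
        print("listening server:", smtp_banner_check(host, port))
        print("closed port:     ", smtp_banner_check("127.0.0.1", find_closed_port()))
```

Running it against the public address from the MX record, and then against a known-good third-party mail host, separates "my NAT/ACL is not forwarding" from "the network I am on blocks outbound 25": a timeout on every host points at the local network, while a timeout only on your own address points at the firewall rule.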