Cisco :: Why ESMTP Corrupts Emails So Badly From Exchange Server
Mar 18, 2011
Since upgrading to 8.4(1) on our ASA 5520 I've had nothing but issues with our email server not being able to send out emails (timeouts, corruption, etc.) and tried everything, and then it dawned on me to turn off ESMTP inspection on the ASAs. Since I've done that our Exchange server SMTP works perfectly again. Why is it that ESMTP corrupts emails so badly from Exchange server? (Ours is a 2010 SP1.) Does anyone actually use ESMTP inspection at all?
Our ASA 5510 has been in place for nearly two years, and we have never had any issue whatsoever with it. All along the ASA has been using the default policy. Lately, we have been getting email deferred in our Barracuda Spam firewall. Google quickly reveals that ESMTP does not play nice with Barracuda, which I disabled even though we haven't had any issue with it before. However, the issue remains: we are still getting email deferred in the Barracuda.
While doing more troubleshooting on the ASA, I noticed that when I issue the command show local-host + IP of the Barracuda, there is an IP address on the outside of the interface that can get up to 96 UDP port 53 connections with the Barracuda; this connection never gets lower than 20! However, when checking the default setup for the Barracuda, I have the values below:
- Incoming SMTP Timeout: 20
- Message per SMTP Session : 8
- Maximum SMTP Error SMTP Session: 2
- Maximum Connection per Client 30m:40
My question is: if the ASA shows up to 96 DNS sessions with an outside host to my Barracuda, won't that push the Barracuda to play email deferred timeout? Should I change the Barracuda default setting? Or should I change the connection limits for the Barracuda in the ASA?
I am new to Exchange Server 2007. I want to know whether, in order to implement Exchange Server, I need to register a domain name like [url]... or whether an FQDN of Active Directory can work. Is it compulsory to register a domain?
We use microsoft exchange for outlook. I want to know which ports are being used by our exchange server to receive and send emails. Is it possible to check that?
We have an ASA5510 with a webserver in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straightforward according to the Cisco document below:
[URL]
I'm looking to do this with smtp so I added these lines to the config:
Currently, my company runs a DC and Exchange server in the building. It is also hosting our website with IIS7. All AD users currently have @company1.com.au email addresses. We have just started an offshoot company and would like to set up emails in Exchange so that we can automatically assign and manage emails on the same Exchange server, so that each user has What is the best way to do this? At the moment, company2.com - company is hosted outside with someone else. Is there a way that he can direct the mail to us so that he hosts the website but we host the email server?
The Exchange can receive emails but it will not send them. It cannot make a connection to any of the smart hosts on port 25 and can't even send mail using DNS. When I run telnet my.smarthost.com 25 it will not connect, but if I run that from the router then it connects fine.
I am deploying a Cisco 1841 in place of our basic DSL router. I have an ADSL WIC and FA0/0 connected to our LAN. LAN IP address range is 192.168.1.0/24. I have dynamic and static NAT configured. At this point, although I have ACLs configured, I have NOT implemented them as yet for the following reason. I am unable to receive inbound SMTP traffic - now I know my MX records are correct as this all works happily on our basic DSL router. I can send external emails no problem and all internal email works fine. [code] I am in the process of defaulting the router and programming the bare bones to get the link working and see if inbound SMTP works, then start building the blocks again.
My customer has an SSL certificate already installed on Microsoft Exchange 2010 servers and now wants to import that certificate to a Cisco ACE4710.
How to trace the exact procedure to import the SSL Cert to ACE from microsoft exchange server and how about the KEY, from where I should get the KEY to cross verify for SSL Cert?
I just recently installed a RV220W at my office and (almost) everything works fine. I have noticed that when my iPhone is connected to the RV220 wi-fi network, I get the message "The connection to the server failed" when checking my email. If I disable the wireless on my iPhone, it connects up to the exchange server perfectly fine so it must be a setting with the wireless somewhere but I cannot find it anywhere.....
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
I'm hosting my email on an Exchange Server 2003 box and have my laptop (Vista Ultimate 32 bit) set up to connect to the Exchange server for my email. This works fine through a LinkSys RV042 in one location and a LinkSys WRT54GC in another, but fails through the DIR-615 B2 (2.24 firmware) at home. I'm guessing it's blocking something needed for the MAPI connection.
I have an ASA 5505 with the base license. When I set up the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but users' iPhones can't get email unless they turn WiFi off. Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server, which is NAT'd on the 5505's external IP?
Since I have installed my new router, a Linksys EA6500, I have many problems connecting to my Exchange Server, which is located in my house, via WiFi. I tried to synchronize my iPhone and my Samsung tablet but it won't work. Most of the time I get the message that the Exchange server cannot be connected. When I turn off my WiFi and connect via my mobile provider I have no problems. When I am on a third-party WiFi I can also connect to my server. It seems my own WiFi causes lots of problems.
I had a pair of Dell R710's and need to revamp our battery backups badly. Having almost no budget has its difficulties. These are 2x 120v 2200 smart ups. The servers both run win2k8r2. Not looking for run time, looking for safe shut down. Thinking 1 server per.
Whenever I try to download anything it corrupts all the files. It's nothing to do with RAM or a virus or malware, as I've had 5 other people's laptops in my house and it only does it while connected to my internet, as theirs work perfectly elsewhere, and I've just been out and bought an O2 dongle and it works fine and downloads everything perfectly. These are the errors I get when trying to install WinRAR:
Extracting files to "C:\Program Files\WinRAR" folder
CRC failed in WinRAR.exe
CRC failed in Formats\7zxa.dll
CRC failed in RarExt.dll
CRC failed in RarExt64.dll
I just recently replaced an older Linksys pre-N router with an RV 120W. I thought this would be a good choice as a more professional router. I installed this router last week and things seemed to be working normally for web browsing, though I was receiving more incomplete pages and broken graphics. Yesterday, I tried to watch a YouTube video a friend had sent me and it would not play. I tried several other videos from YouTube and other sources with the same result: stalled videos, partially played videos followed by a spinning wheel. It was late, so I figured something was going on with Comcast and went to sleep. This morning, I was trying to download anti-virus updates. The updates failed multiple times. I then tried some videos again with the same results. I tried downloading .ZIP files from several sources, and while the file completely downloaded, each and every file was corrupted and unusable. Before I called Comcast to complain about my Internet being flaky, I unplugged the Comcast Arris TM502G device from the Cisco router and plugged it directly into my computer, fully expecting the problem to persist, but the problem immediately disappeared. The immediate evidence is that the problem lies with the Cisco router. It appears that I can't make any changes on the Comcast device as it has a Comcast public IP address and does not seem to have any web or telnet interface to change the settings.
- On the Cisco router, I disabled every non-essential service: VLAN, QOS (bandwidth profiles), IPV6, etc
- I updated the FW to the newest version the day I installed the router
- I power cycled the router
- I power cycled the comcast device
I need to resolve this issue as soon as possible, but I'm not sure what to try next, and I'm confused about my support options after trying to navigate Cisco's support pages. It offers live chat, e-mail support, etc., but everything I go into requires a contract number.
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976. I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
We are working with an ASA 5520 and it seems there is an issue with some email messages sent through it. When there are many recipients in the emails the email messages are not sent, and I have reviewed the server and the only thing I see is the connection dropped. When I went to see the ASA log I saw this log report:
ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100
tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
So I think there should be an inspection of ESMTP packets, and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? If so, what should I do to let those email messages be sent?
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
I've taken multiple inside and outside packet traces. Other traces contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]
I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running version 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one of my ASAs.
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
We updated our business website in December and moved the hosting to our web designer's servers. Very shortly afterwards, we discovered that we could not view our own website, nor access our emails, which are hosted through our web domain name via cPanel. We run two Apple Macs through a Linksys router connected by two ethernet cables. We also have a Vonage internet phone connected to the network, which works either connected directly to the modem, or routed through the Linksys. We had this set up since March and had never had any problems until we had the new website. We don't know if it's related, or just a coincidence.
We first went through a process of elimination:
First we connected the computers directly to the modem (one at a time, as obviously both can't connect directly) and we could access our emails and website absolutely fine. Not a solution though, as we need access on two machines. This led us to believe the problem was with the router. Both the Linksys and the Vonage device (box that the phone is plugged into, which is in turn connected to the internet) work as routers and we could view both routers' home pages through their IP addresses.
We first called Vonage customer support, and no matter what they suggested in the nearly 2 hour call, nothing worked. We found a solution that suggested changing the MAC address of our router. After looking at the settings of the Vonage box, we couldn't work out how to change the MAC on this, so we changed the MAC of the Linksys instead - and it worked. We could view our emails and website again. However, plugging the Vonage box back in resulted in us losing access to our emails and website again. The setup solution worked for about a day before the same problems came back.
So we again unplugged the Vonage phone device and just ran our two Macs from the Linksys router - all fine, for a bit. A couple of days later the emails and website became inaccessible again. In desperation I changed the MAC address of the Linksys router and we were up and running again.
This solution worked for another day or so, until the old problems arose again. Now, whenever we reset the MAC address of the Linksys, it works, but emails and the website become inaccessible sometimes as soon as half an hour afterwards, sometimes longer, but however long we can gain access to the emails for, we constantly have to stop to reset the router, then restart everything. We now know that it's nothing to do with the Vonage phone, so I'm discounting that from the equation now. Also, we've just tried running each of our computers in turn when plugged directly into the modem via an ethernet cable. Interestingly, one machine works fine, and can access the emails and our website, but the other machine now can't access the email or the website, but loads all other sites fine. Is this significant?
We've been reading up on our problems again, and it has been suggested that the issues are being caused by the website/email server blocking our ip address and that we can solve this issue by having a static ip address instead of the dynamic one that Virgin Media assigns. As we are on a home broadband service, we understand that this isn't possible though. Surely, if Virgin reassigns ip addresses every session, our ip would be constantly changing, therefore if we were blocked by the website server, wouldn't it be more likely to be blocking a static one, not one that is constantly changing? And also, how come one of our machines can access the emails etc when directly connected to the modem, but the other can't?
Other solutions proposed have been:
- Get a new router
- Move our website to a new server
- Move our emails to a new server and access our own website through a proxy.