Re: SMTP and tcp ports
- From: Bob Simon <nobody@xxxxxxxxxxx>
- Date: Wed, 30 Apr 2008 18:52:35 -0500
On Wed, 30 Apr 2008 15:46:25 -0400, News Reader <user@xxxxxxxxxxx>
wrote:
Bob Simon wrote:
On Wed, 30 Apr 2008 12:30:35 -0400, News Reader <user@xxxxxxxxxxx>
wrote:
Bob Simon wrote:
I have an access list applied inbound on the outside interface of a
2600 connected to the edge router. I found that I needed smtp ACEs
for both the source port and for the destination port to our exchange
server.
50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
Why is this? I thought inbound traffic to the server would be on
random destination ports allocated by PAT on the edge router; no?
You have static NAT set up for the SMTP server, don't you?
e.g.: ip nat inside source static tcp 192.168.0.20 25 interface
<external-interface> 25
Yes, but NAT is handled by the edge router, which is managed by the
ISP, so I can't see exactly what is going on in that box.
The information you provided led me to believe that you were
successfully connecting to your internal SMTP server from outside
clients and servers. Correct me if I am wrong.
We've got two sub-threads going here, which makes this a bit awkward.
I will avoid this in the future. In addition, I believe I reported
incorrectly earlier. Please let me try again.
Two days ago, the only smtp ACE was "access-list 102 permit tcp any
host 192.168.0.20 eq smtp". With this, we were able to receive mail
but could not send mail out.
Yesterday, I removed that statement and replaced it with "access-list
102 permit tcp any eq smtp host 192.168.0.20". I can't recall whether
this resulted in not being able to send mail or not being able to
receive mail but it was one of these. When I added "access-list 102
permit tcp any host 192.168.0.20 eq smtp log" everything worked.
If you don't mind, please explain why the various ACEs blocked either
inbound or outbound mail. What is the simplest safe way to set up the
ACL properly?
There are two MX records. Does that mean that *all* incoming mail
will be sourced from one of these hosts?
Will outbound mail exchange sessions always be with *only* the ISP's
smtp server?
Has the ISP provided you with a pool of IP addresses, and are they
performing static one-to-one translation with your internal hosts? If
so, you would want to take steps to minimize the ports available on the
SMTP server from outside hosts. A one-to-one mapping would expose all
ports on the SMTP server.
We have a block of 16 public IP addresses. About half of these are
mapped to inside servers, including the Exchange server. I understand
the issue you raised about all the ports being open. This is why I
want to implement a better ACL.
In addition to the static translations, the ISP configured "ip nat
inside source list 1 NAME overload" for all the PCs on the inside. We
are doing no translation on our routers.
With an edge router managed by the ISP, I would assume that Port Address
Translation (PAT) is not being used. PAT (NAT overload) translates all
(or a subset of) internal addresses to a single external IP address. In
such a scenario, you would need to establish a port specific translation
such as the one above, which would forward inbound connections to TCP
port 25, to the internal SMTP server.
PAT can be used alongside static and dynamic NAT pools as well, but it
is doubtful that this scenario would exist without your
knowledge/involvement.
That port is being committed for that purpose.
Any inbound connection setup would be directed at port 25.
Outbound SMTP connections from your server to an Internet-residing
server would be from source port 25 with returning traffic coming to
destination port 25.
With regard to random PAT ports, consider the following:
An internal client initiates a connection with source port 1200 to a
server on the web. The packet is forwarded by the NAT router with source
port 1200.
A second client initiates a connection with source port 1200
(coincidence) to any resource on the web. The NAT router will forward
the packet with a "random unused source port" NOT involved in a
pre-existing translation.
A random port is used when the desired source port is already being
translated.
The random source ports (destination ports on the return path) aid PAT
in associating returning packets with the correct internal host.
Thank you. This was helpful, but I still have a bit of confusion
about source and destination well-known ports that I mentioned in the
previous reply. Can you help me clear this up?
Please see my reply to the other post.
Best Regards,
News Reader
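An added example, not from the thread or either poster: a small Python model of the stateless ACL evaluation behind the two ACEs, applied inbound on the outside interface, which reproduces the "receive but not send" and "send but not receive" observations above. It assumes the Exchange server's outbound sessions use an ephemeral source port, so return segments from a remote MTA arrive with source port 25 (matched by ACE 50) while inbound deliveries arrive with destination port 25 (matched by ACE 60); the `Packet` class, the `ace_*`/`evaluate` names, the sample packets and the comparison ACL using the `established` keyword are the example's own.

```python
from dataclasses import dataclass

EXCHANGE = "192.168.0.20"  # inside address of the Exchange server from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # ACK (or RST) bit set, i.e. not a bare SYN

# ACE 50: permit tcp any eq smtp host 192.168.0.20
def ace_src_smtp(p):
    return p.dst == EXCHANGE and p.sport == 25

# ACE 60: permit tcp any host 192.168.0.20 eq smtp
def ace_dst_smtp(p):
    return p.dst == EXCHANGE and p.dport == 25

# permit tcp any host 192.168.0.20 established (matches only ACK/RST segments)
def ace_established(p):
    return p.dst == EXCHANGE and p.ack

def evaluate(acl, p):
    """Stateless evaluation: first matching ACE wins, implicit deny at the end."""
    for name, ace in acl:
        if ace(p):
            return name
    return "implicit deny"

THREAD_ACL = [("50 src eq smtp", ace_src_smtp), ("60 dst eq smtp", ace_dst_smtp)]
# Tighter alternative: inbound SMTP plus return segments of sessions the server
# opened itself; still a header check, so stateful inspection is the stronger fix.
TIGHTER_ACL = [("dst eq smtp", ace_dst_smtp), ("established", ace_established)]

# Constructed sample packets; the remote MTA address is from documentation space.
INBOUND_DELIVERY = Packet("198.51.100.10", 40123, EXCHANGE, 25)          # remote MTA delivering to us (SYN)
OUTBOUND_REPLY = Packet("198.51.100.10", 25, EXCHANGE, 51234, ack=True)  # reply to a session our server opened
UNSOLICITED_SRC_25 = Packet("198.51.100.10", 25, EXCHANGE, 80)           # SYN to another service, source port 25

if __name__ == "__main__":
    for acl_name, acl in (("thread ACL", THREAD_ACL), ("tighter ACL", TIGHTER_ACL)):
        for pkt in (INBOUND_DELIVERY, OUTBOUND_REPLY, UNSOLICITED_SRC_25):
            print(f"{acl_name}: {pkt.sport}->{pkt.dport} {evaluate(acl, pkt)}")
```

With only ACE 60 in place the outbound reply falls to the implicit deny, and with only ACE 50 the inbound delivery does, which matches the two days described above; the thread ACL also admits the unsolicited source-port-25 packet to any port on the server, which is the exposure the tighter ACL closes.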