March 8, 2004 at 9:41 am #2285734
Telnet to port 25
Locked · by choppit · about 19 years, 2 months ago
I’m experiencing difficulty connecting to my mail server by telnet on port 25. This problem only occurs if I connect from the LAN, in which case the connection is dropped instantly. If I connect from the internet to the firewall IP, the connection is successful. Server is Exchange 5.0(SP2) on NT4(SP6a). TCP Port 25 is forwarded from firewall/router. Any ideas?
All Comments
March 8, 2004 at 9:48 am #2684120
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
I can successfully telnet to port 110 from the LAN side.
-
March 8, 2004 at 10:04 am #2684114
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Telnet to port 25
well you got a problem if you can not telnet exchange.
need some information. What shows up in the event viewer for exchange under applications and under system? Next is how is your SMTP virtual server properties configured? Under SMTP connector properties, general tab, what shows for local bridgeheads? Under the Access tab, access control, what are the settings for authentication, connection control? Next what are the settings listed for connectors, SMTP connector, properties, General tab? What are the settings for Address space tab?
-
March 8, 2004 at 10:22 am #2684104
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
I’m gonna add this question. When you run the telnet test what are you using? an IP address or the Domain name? IMHO without any information, the problem might be with DNS rather than exchange itself, if exchange is configured properly.
-
March 8, 2004 at 10:43 am #2684089
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
last comment, are you using POP3? or SMTP? port 25 is SMTP you mention being able to telnet port 110 which is POP3. So the question really is what mail service is Exchange?
-
March 8, 2004 at 3:12 pm #2683962
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
Authentication is not enabled.
Address space is SMTP * (i.e. anything)
SMTP virtual server is mapped WAN IP TCP 25 > EXCHSVR IP TCP 25
All tests have been performed using the host relevant IPs
I can’t find any settings relating to SMTP. (Are later versions of exchange different?)
Server is SMTP, I used the reference to port 110 to illustrate that telnet connection to the IMC was possible from the LAN (on ports other than SMTP). Thanks for your input.
-
-
March 8, 2004 at 10:14 am #2684108
Reply To: Telnet to port 25
by jim-h · about 19 years, 2 months ago
In reply to Telnet to port 25
It does sound like an access level problem. Not knowing your topology it is hard to point you in a direction to troubleshoot.
You mention that port 25 is forwarded from your router/firewall. From the wording I am assuming you're doing a static NAT or PAT? If this is the case when you telnet from your Local LAN are you using the publicly known IP or the privately known IP as the destination address? Try using the private address only to bypass your firewall/router if possible.
You might also want to consider running a sniffer on the LAN to see if the Server ever gets the packet at all. The problem may not be that the packet from your machine is not getting to the mail server but the reply from the mail server is not coming back correctly.
Good Luck and we can investigate with more information about the setup.
-jim
-
March 8, 2004 at 2:04 pm #2683987
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
I’d agree that this appears to be an access level problem (the IMC is rejecting all connections from the LAN to the SMTP port). I’ve added more information to the post. Thanks for your input.
-
-
March 8, 2004 at 12:09 pm #2684043
Reply To: Telnet to port 25
by jimmy · about 19 years, 2 months ago
In reply to Telnet to port 25
Are you able to send/receive mail?
If not may well be that another application is listening on port 25 on the LAN.
-
March 8, 2004 at 1:36 pm #2684005
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
I am able to send and receive mail (i.e the IMC is functioning for SMTP). I have posted more detail to clarify this. Thanks for your input.
-
-
March 8, 2004 at 1:08 pm #2684020
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
To clarify:
The IMC is working OK. (i.e I can send and receive mail). Exchange is listening on port 25 which is forwarded from the NAT router/firewall.
I CAN telnet to the mail server on port 25 but ONLY from outside the local network using the WAN IP. I CANNOT telnet to port 25 from any host on the LAN using the server IP.
-
March 8, 2004 at 1:23 pm #2684014
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
Here’s what I’m trying to achieve;
The server is an open relay which as I understand it cannot be prevented with Exch 5.0. I’m trying to implement a 3rd party mail proxy (Sophos MailMonitor SMTP) to prevent relaying and provide AV. However, the Exchange IMC appears to be rejecting connections from MailMonitor and also apparently Telnet connections. Hence I find myself in a situation whereby any host on the WWW can relay through my server except those that I have control of (i.e those on my LAN)
-
March 8, 2004 at 2:53 pm #2683972
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
I should add that the only reason I have added the fact that I can telnet to port 110 is to illustrate that the problem only occurs on the SMTP port.
-
March 8, 2004 at 3:14 pm #2683961
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
Point value changed by question poster.
-
March 8, 2004 at 3:46 pm #2681173
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Telnet to port 25
yes later versions of exchange are different in that most are run with Active Directory.
You HAVE to be able to telnet to exchange on the LAN. WAN doesn’t mean diddly in so far as public people can find your meaning the MX record in DNS points correctly to your IP address and Exchange. That means mail will find you. Getting mail out LAN. Do you have a firewall on somewhere? or some sort of packet filtering?
-
March 8, 2004 at 4:30 pm #2681159
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
telnet test at the command prompt is telnet.exe press enter. next, at the telnet command prompt type in: set local_echo press enter. next is type in open 25 this is for Exchange 2000 testing via telnet on TCP port 25 to verify exchange is listening. you should get a reply “blah blah ESMTP Mail Service Version: blah blah. I want to say, I believe you have a DNS error in the MX record, that the IP address specified in the record for the LAN is wrong or some other DNS records, ptr or CName, Host name A record has to a wrong ip address in it.
-
March 8, 2004 at 5:29 pm #2681144
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
The issue I have is that I CANNOT telnet to the exchange server IP on port 25 from the local subnet. The exch server receives mail over SMTP without problems provided that the connection is initiated from another subnet. Under normal circumstances this would not be a problem, however I need to use the 3rd party product to relay mail to the exchange server.
-
-
March 8, 2004 at 4:17 pm #2681167
Reply To: Telnet to port 25
by sgt_shultz · about 19 years, 2 months ago
In reply to Telnet to port 25
Hi, did you see this already?
XIMS: Microsoft SMTP Servers May Seem to Accept and Relay E-Mail Messages in Third-Party Tests
View products that this article applies to.
This article was previously published under Q304897
SYMPTOMS
If you use some third-party tests to test Microsoft Simple Mail Transfer Protocol (SMTP) servers for relay, the SMTP server may seem to fail the test and your Microsoft SMTP product may seem to be open for relay, even though it is not. Common tests exist that you can use to test SMTP servers for relay. You can use third-party Web sites and tools, for example:
http://www.abuse.net/relay.html
-and-
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
At first, your SMTP server may seem to fail some of these tests, and your Microsoft SMTP product may seem to be open for relay. However, after you examine the server more closely, you see that your Microsoft SMTP product is not open for relay.
CAUSE
Every TO or FROM address in an SMTP protocol conversation contains two parts: the local part (or mailbox), and the domain part. If the domain part (in other words, the part immediately following the at sign [@]) is not specified, the e-mail message is assumed to be local. In fact, some Microsoft SMTP products append the local domain because some users configure their SMTP clients to use only a user name as the e-mail address. By adding the default local domain, the Microsoft server can add what is most likely to be the default to reduce the support cost.
-
March 8, 2004 at 4:17 pm #2681166
Reply To: Telnet to port 25
by sgt_shultz · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
This behavior occurs because Microsoft SMTP products do not perform a directory lookup before accepting SMTP e-mail messages for delivery. Microsoft SMTP products only check the recipient’s domain to see if it is a local or explicitly allowed domain. If the recipient’s domain is not a local or allowed domain, the server responds with an error message that is similar to:
550 5.7.1 Relaying prohibited
All that is required to prevent relay is a verification that the domain part of the TO address is local. Checking the mail server’s directory to see if the recipient is valid is an option, but is not required. If a mail server accepts a message, and then later decides that it cannot deliver the message, the server must generate a non-delivery report (NDR). (See the Request for Comments [RFC] 2821 document, section 3.7 and the RFC 1123 document, section 5.2.7.) The Microsoft SMTP products comply with this requirement. The Microsoft SMTP server seems to accept the message for relay, but later the server does not deliver the message and generates an NDR.
-
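Added example, not part of the posts above or of the quoted Microsoft article: a small model of the recipient check the article describes, showing why a relay tester sees a 250 reply for a bare user name or an unknown local mailbox while a foreign domain still gets 550. The function names and the `example.net` address are assumptions made for illustration; `northwindtraders.com` is the sample domain from the quoted article.

```python
def split_path(path):
    """Split an SMTP forward-path such as '<user@domain>' into (local, domain)."""
    addr = path.strip().lstrip("<").rstrip(">")
    local, sep, domain = addr.rpartition("@")
    if not sep:                      # no '@': only a user name was given
        return addr, None
    return local, domain.lower()     # domain names compare case-insensitively


def rcpt_reply(path, local_domains, default_domain):
    """Decide the RCPT TO reply using only the domain part (no directory lookup)."""
    local, domain = split_path(path)
    if domain is None:
        domain = default_domain      # server appends its default local domain
    if domain in local_domains:
        # Accepted even if the mailbox does not exist; an NDR follows later.
        return 250, f"{local}@{domain}"
    return 550, "5.7.1 Relaying prohibited"


def audit(rcpts, local_domains, default_domain):
    """Label each probe recipient the way an operator should read the reply."""
    findings = []
    for rcpt in rcpts:
        code, _ = rcpt_reply(rcpt, local_domains, default_domain)
        verdict = "refused" if code == 550 else "local delivery attempt, not relay"
        findings.append((rcpt, code, verdict))
    return findings


if __name__ == "__main__":
    LOCAL = {"northwindtraders.com"}
    # Constructed probe recipients of the kind a relay tester might send.
    probes = ["<victim>", "<nosuchuser@NorthwindTraders.com>", "<victim@example.net>"]
    for row in audit(probes, LOCAL, "northwindtraders.com"):
        print(row)
```
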
March 8, 2004 at 4:23 pm #2681161
Reply To: Telnet to port 25
by sgt_shultz · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
MORE INFORMATION
If you must have the ability to perform directory lookups during the SMTP protocol conversation, you can write a Windows 2000 SMTP protocol event sink. For additional information, see the following MSDN Platform SDK SMTP Server Events Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/_smtpevt_protocol_event_interfaces.asp
The recommended RFC-compliant response is a response that is similar to:
550 5.1.1 user@northwindtraders.com… User unknown
Microsoft chose not to perform the directory lookups during the SMTP protocol conversation for the following reasons:
If you return a 5xx error to a fake user, a user who is sending bulk, unsolicited commercial e-mail messages (spam or UCE) to your server knows instantly which addresses are real and which are fake. If that user plays a dictionary of names through the SMTP protocol, that user can easily harvest a list of valid e-mail addresses. This may also be a security risk to your local users because user names are often the same as e-mail addresses.
A malicious user can use the FROM address to gain unauthorized access into a system (spoof), and then use the victim’s server to send NDRs to the intended recipient. This attack only hits this server with as much data as the attacker sends to it. In other words, if the malicious user wants to send 1 megabyte (MB) of data to a third party, the malicious user must spend 1 MB of his or her own bandwidth to send 1 MB of data to the SMTP server. Typically, such a malicious user tries to send 1 MB of data, but still cause tens or hundreds of MBs of data to hit a victim or set of victims throughout the Internet. The best way to stop this behavior would be to validate FROM addresses across all of the Internet. However, there is no standard to validate FROM addresses across the Internet; therefore, the best way to deal with this behavior is to look at message headers.
If a directory lookup is performed during th -
March 8, 2004 at 5:29 pm #2681145
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
Thanks for your input. I had read this information and have already determined that the server is indeed being used as a relay. Once I’ve established why the IMC refuses local but not remote connections I can then stop the relaying and implement AV.
-
-
March 8, 2004 at 7:35 pm #2681117
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Telnet to port 25
ya know what, first the question was, “hey, I can’t telnet Exchange on the LAN. What could be the problem?”
It’s now turned into “Hey, My Exchange 5.X is an open relay and I’m trying to use 3rd party proxy server [sophos mail monitor and antivirus programs] to prevent open relay and viruses. After installing the 3rd party proxy server I can’t telnet test locally”. Whatever could be the problem?”
Now looking up sophos mail monitor and the web site, there's stuff for exchange 2000 and exchange 2003 but nothing on exchange 5.X. Since sophos is a proxy, Sophos is causing your problems on the LAN. Would have been nice of you to mention this in your initial question.
Good luck. I would suggest you contact Sophos or check on their boards.
-
March 8, 2004 at 7:50 pm #2681110
Reply To: Telnet to port 25
by cg it · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
this is like playing 20 questions to narrow down the problem and pry out more information that originally should have been included. What a waste of time and effort.
-
March 9, 2004 at 1:27 am #2681060
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Reply To: Telnet to port 25
I’m sorry you feel that way. Yes you’re correct, my goal is to get Sophos Mail Monitor to work but that was not the question I asked. Somewhere along the line you have assumed that I cannot receive mail via SMTP, despite my statements to the contrary. The problem is that MMSMTP is not communicating with the IMC for SMTP. I have verified that there is indeed a problem hence the telnet question. My thinking is that once I can connect via telnet there should be no problem for MMSMTP (which incidentally is NOT Exchange specific and is also NOT the cause of the problem). I posted a question specifically about MMSMTP some time ago to which there were no replies, Sophos tech support have been unable to resolve this hence I look to knowledgeable guys like yourselves for inspiration.
-
-
March 10, 2004 at 5:53 am #3382003
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
Problem solved. I turned off reverse lookup for IMC in the registry and have implemented MMSMTP. (No more relaying). Seems there’s more to SMTP than I realised. Thanks all for your participation.
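Added example, not part of the thread: a probe for your own mail server that separates the outcomes argued over above (nothing listening, packets filtered, or the service accepting the TCP connection and closing it before any greeting, which is the "dropped instantly" symptom). `has_ptr` checks whether the client address reverse-resolves, on the assumption, drawn from the fix reported above, that the IMC's reverse lookup was the reason LAN sessions were closed; the address in the usage section is a placeholder.

```python
import socket


def probe_smtp(host, port=25, timeout=5.0):
    """Make one connection attempt and classify it as (outcome, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "nothing listening, or a filter answered with RST")
    except socket.timeout:
        return ("filtered", "no answer to the connection attempt")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(512)          # an SMTP server speaks first
        except socket.timeout:
            return ("silent", "TCP connected but no greeting arrived")
        except ConnectionResetError:
            data = b""
    if not data:
        # The listener is up but ended the session before greeting: look at
        # server-side connection policy, not at the firewall or at routing.
        return ("accepted_then_closed", "service closed the session before greeting")
    banner = data.decode("ascii", "replace").strip()
    return ("banner" if banner.startswith("220") else "rejected", banner)


def has_ptr(ip):
    """Return the reverse-DNS name for ip, or None if it has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    SERVER = "192.0.2.10"                  # placeholder: your mail server's LAN IP
    print(probe_smtp(SERVER))
    # Local address used towards the server (UDP connect sends no packets).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((SERVER, 25))
        me = s.getsockname()[0]
    print(me, "reverse-resolves to", has_ptr(me))
```

Run it once from a LAN host and once from outside; `accepted_then_closed` on the LAN together with a missing PTR for the LAN client matches the behaviour reported in this thread.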
-
March 10, 2004 at 5:53 am #3382002
Reply To: Telnet to port 25
by choppit · about 19 years, 2 months ago
In reply to Telnet to port 25
This question was closed by the author