General discussion

  • #2285734

    Telnet to port 25

    Locked

    by choppit ·

    I’m experiencing difficulty connecting to my mail server by telnet on port 25. This problem only occurs if I connect from the LAN, in which case the connection is dropped instantly. If I connect from the internet to the firewall IP, the connection is successful. Server is Exchange 5.0(SP2) on NT4(SP6a). TCP Port 25 is forwarded from firewall/router. Any ideas?

All Comments

    • #2684120

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      I can successfully telnet to port 110 from the LAN side.

    • #2684114

      Reply To: Telnet to port 25

      by cg it ·

      In reply to Telnet to port 25

      well you got a problem if you can not telnet exchange.

      need some information. What shows up in the event viewer for exchange under applications and under system? Next is how is your SMTP virtual server properties configured? Under SMTP connector properties, general tab, what shows for local bridgeheads? Under the Access tab, access control, what are the settings for authentication, connection control? Next what are the settings listed for connectors, SMTP connector, properties, General tab? What are the settings for Address space tab?

      • #2684104

        Reply To: Telnet to port 25

        by cg it ·

        In reply to Reply To: Telnet to port 25

        I’m gonna add this question. When you run the telnet test what are you using? an IP address or the Domain name? IMHO without any information, the problem might be with DNS rather than exchange itself, if exchange is configured properly.

      • #2684089

        Reply To: Telnet to port 25

        by cg it ·

        In reply to Reply To: Telnet to port 25

        last comment, are you using POP3? or SMTP? port 25 is SMTP you mention being able to telnet port 110 which is POP3. So the question really is what mail service is Exchange?

      • #2683962

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        Authentication is not enabled.
        Address space is SMTP * (i.e. anything)
        SMTP virtual server is mapped WAN IP TCP 25 > EXCHSVR IP TCP 25
        All tests have been performed using the host relevant IPs
        I can’t find any settings relating to SMTP. (Are later versions of exchange different?)
        Server is SMTP, I used the reference to port 110 to illustrate that telnet connection to the IMC was possible from the LAN (on ports other than SMTP). Thanks for your input.

    • #2684108

      Reply To: Telnet to port 25

      by jim-h ·

      In reply to Telnet to port 25

      It does sound like an access level problem. Not knowing your topology it is hard to point you in a direction to troubleshoot.

      You mention that port 25 is forwarded from your router/firewall. From the wording I am assuming you're doing a static NAT or PAT? If this is the case when you telnet from your Local LAN are you using the publicly known IP or the privately known IP as the destination address? Try using the private address only to bypass your firewall/router if possible.

      You might also want to consider running a sniffer on the LAN to see if the Server ever gets the packet at all. The problem may not be that the packet from your machine is not getting to the mail server but the reply from the mail server is not coming back correctly.

      Good Luck and we can investigate with more information about the setup.

      -jim

      • #2683987

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        I’d agree that this appears to be an access level problem (the IMC is rejecting all connections from the LAN to the SMTP port). I’ve added more information to the post. Thanks for your input.

    • #2684043

      Reply To: Telnet to port 25

      by jimmy ·

      In reply to Telnet to port 25

      Are you able to send/receive mail?
      If not may well be that another application is listening on port 25 on the LAN.

      • #2684005

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        I am able to send and receive mail (i.e. the IMC is functioning for SMTP). I have posted more detail to clarify this. Thanks for your input.

    • #2684020

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      To clarify:
      The IMC is working OK (i.e. I can send and receive mail). Exchange is listening on port 25 which is forwarded from the NAT router/firewall.
      I CAN telnet to the mail server on port 25 but ONLY from outside the local network using the WAN IP. I CANNOT telnet to port 25 from any host on the LAN using the server IP.

    • #2684014

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      Here’s what I’m trying to achieve:
      The server is an open relay which as I understand it cannot be prevented with Exch 5.0. I’m trying to implement a 3rd party mail proxy (Sophos MailMonitor SMTP) to prevent relaying and provide AV. However, the Exchange IMC appears to be rejecting connections from MailMonitor and also apparently Telnet connections. Hence I find myself in a situation whereby any host on the WWW can relay through my server except those that I have control of (i.e those on my LAN)

    • #2683972

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      I should add that the only reason I have added the fact that I can telnet to port 110 is to illustrate that the problem only occurs on the SMTP port.

    • #2683961

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      Point value changed by question poster.

    • #2681173

      Reply To: Telnet to port 25

      by cg it ·

      In reply to Telnet to port 25

      yes later versions of exchange are different in that most are run with Active Directory.

      You HAVE to be able to telnet to exchange on the LAN. WAN doesn’t mean diddly in so far as public people can find your meaning the MX record in DNS points correctly to your IP address and Exchange. That means mail will find you. Getting mail out LAN. Do you have a firewall on somewhere? or some sort of packet filtering?

      • #2681159

        Reply To: Telnet to port 25

        by cg it ·

        In reply to Reply To: Telnet to port 25

        telnet test at the command prompt is telnet.exe press enter. next, at the telnet command prompt type in: set local_echo press enter. next is type in open25 this is for Exchange 2000 testing via telnet on TCP port 25 to verify exchange is listening. you should get a reply “blah blah ESMTP Mail Service Version: blah blah.”

        I want to say, I believe you have a DNS error in the MX record, that the IP address specified in the record for the LAN is wrong or some other DNS records, ptr or CName, Host name A record has to a wrong ip address in it.
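The manual telnet check above, as an added example that is not part of this thread: a small Python probe that connects to port 25, waits for the 220 banner and reports what happened, distinguishing a refused connection, a reset, a timeout and the symptom the poster describes (a connection that is accepted and then dropped before any banner). The listener in `_fake_server` is a constructed stand-in on 127.0.0.1 so the probe can be exercised offline; the banner text is made up.

```python
import socket
import threading

def parse_reply(line):
    """Split an SMTP reply line such as '220 mail ESMTP ready' into (code, text)."""
    code = line[:3]
    if len(line) < 3 or not code.isdigit():
        return None, line
    return int(code), line[4:].strip()

def probe_smtp(host, port=25, timeout=5.0):
    """Do what the telnet test does: connect, wait for the banner, then QUIT.
    Returns 'banner', 'unexpected', 'dropped', 'refused', 'reset' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(512)
            if not data:            # peer closed before sending anything:
                return "dropped"    # the "dropped instantly" symptom in the thread
            code, _ = parse_reply(data.decode("ascii", "replace").splitlines()[0])
            s.sendall(b"QUIT\r\n")
            return "banner" if code == 220 else "unexpected"
    except ConnectionRefusedError:
        return "refused"            # nothing listening, or a filter answering with RST
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"            # silently filtered, or a very slow server

def _fake_server(banner):
    """Constructed local listener for the demo (hypothetical, not a real MTA).
    banner=None closes the connection at once, mimicking the reported failure."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
            conn.recv(64)           # wait for the client's QUIT
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo(banner=b"220 exchsvr ESMTP Mail Service ready\r\n"):
    """Probe the constructed listener; the default banner is a made-up sample."""
    return probe_smtp("127.0.0.1", _fake_server(banner))
```

Run `demo()` against the sample banner and `demo(None)` to see the dropped-connection case; replace the loopback target with a real host and port 25 to reproduce the check from a LAN host.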

      • #2681144

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        The issue I have is that I CANNOT telnet to the exchange server IP on port 25 from the local subnet. The exch server receives mail over SMTP without problems provided that the connection is initiated from another subnet. Under normal circumstances this would not be a problem, however I need to use the 3rd party product to relay mail to the exchange server.

    • #2681167

      Reply To: Telnet to port 25

      by sgt_shultz ·

      In reply to Telnet to port 25

      Hi, did you see this already?
      XIMS: Microsoft SMTP Servers May Seem to Accept and Relay E-Mail Messages in Third-Party Tests
      This article was previously published under Q304897
      SYMPTOMS
      If you use some third-party tests to test Microsoft Simple Mail Transfer Protocol (SMTP) servers for relay, the SMTP server may seem to fail the test and your Microsoft SMTP product may seem to be open for relay, even though it is not.

      Common tests exist that you can use to test SMTP servers for relay. You can use third-party Web sites and tools, for example:
      http://www.abuse.net/relay.html

      -and-

      http://mail-abuse.net

      Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

      At first, your SMTP server may seem to fail some of these tests, and your Microsoft SMTP product may seem to be open for relay. However, after you examine the server more closely, you see that your Microsoft SMTP product is not open for relay.
      CAUSE
      Every TO or FROM address in an SMTP protocol conversation contains two parts: the local part (or mailbox), and the domain part. If the domain part (in other words, the part immediately following the at sign [@]) is not specified, the e-mail message is assumed to be local. In fact, some Microsoft SMTP products append the local domain because some users configure their SMTP clients to use only a user name as the e-mail address. By adding the default local domain, the Microsoft server can add what is most likely to be the default to reduce the support cost.

      • #2681166

        Reply To: Telnet to port 25

        by sgt_shultz ·

        In reply to Reply To: Telnet to port 25

        This behavior occurs because Microsoft SMTP products do not perform a directory lookup before accepting SMTP e-mail messages for delivery. Microsoft SMTP products only check the recipient’s domain to see if it is a local or explicitly allowed domain. If the recipient’s domain is not a local or allowed domain, the server responds with an error message that is similar to:

        550 5.7.1 Relaying prohibited
        All that is required to prevent relay is a verification that the domain part of the TO address is local. Checking the mail server’s directory to see if the recipient is valid is an option, but is not required. If a mail server accepts a message, and then later decides that it cannot deliver the message, the server must generate a non-delivery report (NDR). (See the Request for Comments [RFC] 2821 document, section 3.7 and the RFC 1123 document, section 5.2.7.) The Microsoft SMTP products comply with this requirement. The Microsoft SMTP server seems to accept the message for relay, but later the server does not deliver the message and generates an NDR.
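The relay rule the article describes, as an added example that is not from the thread or from Microsoft: accept a RCPT TO when the domain part is local or explicitly allowed, reject everything else with 550 5.7.1, and treat an address with no domain part as local by appending the server's own domain. The domain sets and the default domain are constructed sample configuration, and `naive_test_verdict` is an assumed simplification of how a third-party relay test judges the reply.

```python
LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # constructed sample config
RELAY_ALLOWED_DOMAINS = {"partner.example.net"}           # explicitly allowed targets
DEFAULT_DOMAIN = "example.com"                            # appended when none given

def split_address(addr):
    """Return (local_part, domain) for a MAIL FROM / RCPT TO argument like '<user@host>'.
    The domain is None when the address has no '@', as in 'RCPT TO:<user>'."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr, None
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()

def rcpt_decision(rcpt):
    """Reply to RCPT TO using only the domain part; no directory lookup is done,
    so an unknown mailbox in a local domain is accepted and NDR'd later."""
    local, domain = split_address(rcpt)
    if not local:
        return "501 5.1.3 Invalid address"
    if domain is None:
        domain = DEFAULT_DOMAIN         # the behaviour the KB article explains
    if domain in LOCAL_DOMAINS or domain in RELAY_ALLOWED_DOMAINS:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Relaying prohibited"

def naive_test_verdict(rcpt, reply):
    """Assumed model of a third-party test: it calls the server an open relay when
    a recipient it did not write as @<local domain> gets a 250."""
    _, domain = split_address(rcpt)
    external_in_testers_eyes = domain not in LOCAL_DOMAINS   # None counts as external
    return "open relay" if reply.startswith("250") and external_in_testers_eyes else "ok"

def run_relay_test(recipients):
    """Feed each constructed RCPT TO argument through the server rule and the test."""
    return [(r, rcpt_decision(r), naive_test_verdict(r, rcpt_decision(r))) for r in recipients]
```

The domain-less case is the one the article calls a false positive: the server treats `<alice>` as local and says 250, while the tester, seeing no local domain, reports relay.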

      • #2681161

        Reply To: Telnet to port 25

        by sgt_shultz ·

        In reply to Reply To: Telnet to port 25

        MORE INFORMATION
        If you must have the ability to perform directory lookups during the SMTP protocol conversation, you can write a Windows 2000 SMTP protocol event sink.

        For additional information, see the following MSDN Platform SDK SMTP Server Events Web site:
        http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/_smtpevt_protocol_event_interfaces.asp

        The recommended RFC-compliant response is a response that is similar to:

        550 5.1.1 user@northwindtraders.com… User unknown
        Microsoft chose not to perform the directory lookups during the SMTP protocol conversation for the following reasons:
        If you return a 5xx error to a fake user, a user who is sending bulk, unsolicited commercial e-mail messages (spam or UCE) to your server knows instantly which addresses are real and which are fake. If that user plays a dictionary of names through the SMTP protocol, that user can easily harvest a list of valid e-mail addresses. This may also be a security risk to your local users because user names are often the same as e-mail addresses.
        A malicious user can use the FROM address to gain unauthorized access into a system (spoof), and then use the victim’s server to send NDRs to the intended recipient. This attack only hits this server with as much data as the attacker sends to it. In other words, if the malicious user wants to send 1 megabyte (MB) of data to a third party, the malicious user must spend 1 MB of his or her own bandwidth to send 1 MB of data to the SMTP server. Typically, such a malicious user tries to send 1 MB of data, but still cause tens or hundreds of MBs of data to hit a victim or set of victims throughout the Internet. The best way to stop this behavior would be to validate FROM addresses across all of the Internet. However, there is no standard to validate FROM addresses across the Internet; therefore, the best way to deal with this behavior is to look at message headers.
        If a directory lookup is performed during th

      • #2681145

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        Thanks for your input. I had read this information and have already determined that the server is indeed being used as a relay. Once I’ve established why the IMC refuses local but not remote connections I can then stop the relaying and implement AV.

    • #2681117

      Reply To: Telnet to port 25

      by cg it ·

      In reply to Telnet to port 25

      ya know what, first the question was, “hey, I can’t telnet Exchange on the LAN. What could be the problem?”

      It’s now turned into “Hey, My Exchange 5.X is an open relay and I’m trying to use 3rd party proxy server [sophos mail monitor and antivirus programs] to prevent open relay and viruses. After installing the 3rd party proxy server I can’t telnet test locally. Whatever could be the problem?”

      Now looking up sophos mail monitor and the web site, there’s stuff for exchange 2000 and exchange 2003 but nothing on exchange 5.X. Since sophos is a proxy, Sophos is causing your problems on the LAN. Would have been nice of you to mention this in your initial question.

      Good luck. I would suggest you contact Sophos or check on their boards.

      • #2681110

        Reply To: Telnet to port 25

        by cg it ·

        In reply to Reply To: Telnet to port 25

        this is like playing 20 questions to narrow down the problem and pry out more information that originally should have been included. What a waste of time and effort.

      • #2681060

        Reply To: Telnet to port 25

        by choppit ·

        In reply to Reply To: Telnet to port 25

        I’m sorry you feel that way. Yes you’re correct, my goal is to get Sophos Mail Monitor to work but that was not the question I asked. Somewhere along the line you have assumed that I cannot receive mail via SMTP, despite my statements to the contrary. The problem is that MMSMTP is not communicating with the IMC for SMTP. I have verified that there is indeed a problem hence the telnet question. My thinking is that once I can connect via telnet there should be no problem for MMSMTP (which incidentally is NOT Exchange specific and is also NOT the cause of the problem). I posted a question specifically about MMSMTP some time ago to which there were no replies, Sophos tech support have been unable to resolve this hence I look to knowledgeable guys like yourselves for inspiration.

    • #3382003

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      Problem solved. I turned off reverse lookup for IMC in the registry and have implemented MMSMTP. (No more relaying). Seems there’s more to SMTP than I realised. Thanks all for your participation.

    • #3382002

      Reply To: Telnet to port 25

      by choppit ·

      In reply to Telnet to port 25

      This question was closed by the author
