Re: Exchange server behind firewall can't send outgoing
From: Erik (erik@geenspam.vanwesten.net) Date: 05/04/02
- Next message: Michael Scheidell: "Re: Intrusion Detection Paper"
- Previous message: RTH: "kerio log---HELP"
- In reply to: Antony Gelberg: "Exchange server behind firewall can't send outgoing"
- Next in thread: Antony Gelberg: "Re: Exchange server behind firewall can't send outgoing"
- Reply: Antony Gelberg: "Re: Exchange server behind firewall can't send outgoing"
From: Erik <erik@geenspam.vanwesten.net> Date: 04 May 2002 13:50:00 GMT
In comp.security.firewalls Antony Gelberg <ag@no_spam.antgel.co.uk> wrote:
> Hi all,
> Sorry for the cross-post, I think it is relevant.
> I am having some problems with a firewall, and specifically the Exchange
> server communicating with the outside world. Here is a description of the
> system.
> ADSL router -> Red Hat 7.0 PC, 32MB, configured with ipchains and
> sendmail -> hub -> rest of LAN, including Exchange server (10.*.*.*).
> Our ISP manages DNS for us - the MX record is set to the firewall. Sendmail
> (on the firewall) is configured to masquerade as the domain, and forward all
> non-local users email to the Exchange server. I do this with an entry in
> /etc/hosts, there is no need, as far as I can see, to run BIND on the
> firewall, our network is quite small.
Correct. However, did you think of putting the forward DNS records
in your /etc/resolv.conf:
nameserver 1.2.3.4
nameserver 5.6.7.8
Depending on the DNS servers of your ISP.
> So incoming email appears to work ok. It's outgoing, external email that
> causes problems.
Which could be explained if the sendmail cannot do lookups. You do not
need to run your own dns for this, rely on your ISP.
> At first, I had the Exchange server running DNS, and attempting to send mail
> via DNS. This appeared to cause some firewall-related problems - reverse
> DNS lookups on a machine behind the firewall, perhaps. It was actually
> pings getting caught, but I guess that could be part of some handshaking
> procedure?
Mail through DNS? That must be a new concept ;-).
> So I had the idea of setting Exchange to always forward outgoing mail to the
> firewall, rather than use DNS to send. Then sendmail would send it, I
> thought.
Which is a much better solution in your situation.
> However, when I try this configuration, I get sendmail problems which crash
> the whole Linux box! Unfortunately I don't have the exact message (from
> /var/log/messages) here now, it definitely included something like
> SMTP-MAIL: died on signal 11. I got this several times. The whole Linux
> box slowed to a crawl, with many running sendmail processes. In the end, I
> had to reboot it. This is consistent behaviour, and the Exchange outgoing
> queue is just getting larger. :-(
Signal 11 usually is hardware related. Bad RAM?
> So... Is this some kind of bug in sendmail on RH 7.0? My first thought is
> to upgrade to 7.2. Maybe the Linux box is running out of resources? 32MB
> isn't much, but it does have 128MB swap. I wouldn't expect such a grand
> failure if that was the case.
This is not typical Linux behaviour. 32 MB should be sufficient for
normal purposes. Check with 'free' how much of the RAM and the swap space
is used. It also depends on the amount and size of mail you are trying
to send. Calculate if your uplink is really able to transport the amount
of mail.
However, RH 7.0 is not particularly known for being very safe; you did
update the box, didn't you?
> Lastly, am I making this over-complicated?
Most definitely not! It is a good and solid setup and protects your
exchange mail server.
> Could I (more easily) achieve
> mail transfer to/from Exchange by ditching sendmail and using NAT, e.g.
> configuring the firewall so that anything coming in from outside on port 25
> just gets re-directed to the private Exchange box, and configuring Exchange
> to use DNS to send mail?
NOOOOOOOOOOOOO, please don't do this. You might as well remove the
firewall then.
> And if I can, and that is easier, how do I get
> around the original problem I had with the firewall when trying to send
> Exchange mail via DNS?
You would have to run a forwarding DNS server on your firewall, or pass
DNS requests directly to your ISP (natting the results).
> Hope this is fairly clear, if anyone can shed any light on this at all, I
> would be ever so grateful...
Without the configuration files of sendmail, and the firewall rules you
use it is very hard to see what is going on.
DO NOT POST THESE IN THE NG
My advice:
1. Check the RAM and other hardware.
2. Do the maths: can the uplink really carry the amount of mail?
3. Put additional RAM in the box.
HTH,
EJ
--
For OpenBSD pf and nat rule examples: http://www.vanwesten.net
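As an added illustration of the two checks the reply recommends (resolver entries in /etc/resolv.conf, and the sendmail "died on signal 11" storm in /var/log/messages), here is a small Python checker. It is not code from the thread or from either poster; the resolv.conf and syslog samples are constructed, and the 1.2.3.4 / 5.6.7.8 resolver addresses are the thread's own placeholders.

```python
import re

# Constructed /etc/resolv.conf; 1.2.3.4 and 5.6.7.8 are the thread's
# placeholder addresses, not real resolvers.
SAMPLE_RESOLV_CONF = """\
# resolvers supplied by the ISP
nameserver 1.2.3.4
nameserver 5.6.7.8
"""

# Constructed /var/log/messages excerpt reproducing the symptom in the
# thread (sendmail children dying on signal 11); not a real log.
SAMPLE_MESSAGES = """\
May  4 13:50:01 fw sendmail[1201]: NOQUEUE: connect from exchange [10.0.0.5]
May  4 13:50:02 fw sendmail[1201]: SMTP-MAIL: died on signal 11
May  4 13:50:04 fw sendmail[1202]: SMTP-MAIL: died on signal 11
May  4 13:50:05 fw sshd[900]: Accepted password for admin from 10.0.0.7
May  4 13:50:06 fw sendmail[1203]: SMTP-MAIL: died on signal 11
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")
SENDMAIL_RE = re.compile(r"\bsendmail\[(\d+)\]:\s*(.*)$")
SIGNAL_RE = re.compile(r"died on signal (\d+)")


def parse_resolv_conf(text):
    """Return nameserver addresses in order, skipping comment lines."""
    servers = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            servers.append(m.group(1))
    return servers


def sendmail_crash_summary(lines):
    """Count signal deaths of sendmail children (keyed by signal number)
    and distinct sendmail PIDs; many PIDs plus signal-11 deaths = crash storm."""
    pids, deaths = set(), {}
    for line in lines:
        m = SENDMAIL_RE.search(line)
        if not m:
            continue
        pids.add(int(m.group(1)))
        s = SIGNAL_RE.search(m.group(2))
        if s:
            deaths[int(s.group(1))] = deaths.get(int(s.group(1)), 0) + 1
    return {"sendmail_pids": len(pids), "deaths_by_signal": deaths}
```

An empty nameserver list explains sendmail being unable to do lookups; repeated signal-11 deaths across many PIDs points at the crashing-child problem rather than a plain DNS issue.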