Windows 2008 connect remote port 25 problem

Max

I'm hoping someone here has some suggestions on this problem.

Basically I have a Windows 2008 server with Exchange 2007 installed.
Emails to certain domains (but not all) get stuck in the queue and
are never delivered. After troubleshooting the issue, I determined
that from a command prompt on this Windows 2008 server, I could not
successfully connect to the email domains by doing 'telnet
mail.domain.com 25'. Telnet looks like it connects, but then just sits
there with a dash on the screen. Telnet eventually closes and goes
back to the command line. Again, this only happens with a few domains,
the others connect fine via telnet from the command line, and of
course Exchange delivers email to these domains just fine. I also
thought it might be a Cisco Pix issue, but from other servers in the
same network, but with a different public IP, I can connect to
problematic domains by telnetting on port 25. I've also checked with
tech support on these problematic domains, and they are not blocking
our IP or filtering us in any way.

So the issue to me seems to be somehow with Windows 2008.

Has anyone else seen this problem or have any idea of where to look to
resolve?

Thanks in advance.

Max
 
Ace Fekay [MCT]

"Max" wrote in message
news:674149be-8166-408a-8007-e70de407fe3f@r36g2000vbn.googlegroups.com...
> I'm hoping someone here has some suggestions on this problem.
>
> Basically I have a Windows 2008 server with Exchange 2007 installed.
> Emails to certain domains (but not all) get stuck in the queue and
> are never delivered. After troubleshooting the issue, I determined
> that from a command prompt on this Windows 2008 server, I could not
> successfully connect to the email domains by doing 'telnet
> mail.domain.com 25'. Telnet looks like it connects, but then just sits
> there with a dash on the screen. Telnet eventually closes and goes
> back to the command line. Again, this only happens with a few domains,
> the others connect fine via telnet from the command line, and of
> course Exchange delivers email to these domains just fine. I also
> thought it might be a Cisco Pix issue, but from other servers in the
> same network, but with a different public IP, I can connect to
> problematic domains by telnetting on port 25. I've also checked with
> tech support on these problematic domains, and they are not blocking
> our IP or filtering us in any way.
>
> So the issue to me seems to be somehow with Windows 2008.
>
> Has anyone else seen this problem or have any idea of where to look to
> resolve?
>
> Thanks in advance.
>
> Max



I have several Exchange 2007 installations on 2008 with no problems.

However, since you said you have a Pix, from what you are seeing sounds like
it is indicative of the way a Pix handles ESMTP. Therefore, if you have not
done so already, you would want to disable SMTP fixup, otherwise it will
block ESMTP, which is a Pix feature that is enabled by default as its
"Mailguard" feature, which it looks at ESMTP as a spoof or attack.

no fixup protocol smtp 25

Read the following for more info:

E-mail and Cisco PIX firewalls
http://www.debian-administration.org/articles/382

If you have an AV app on the Exchange server, make absolutely sure you've
excluded the Exchange folders, databases, translog folders, etc, otherwise
expect problems.

I cross-posted this to the microsoft.public.exchange.admin newsgroup for
better exposure. Follow-ups (responses) will return to both newsgroups.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
 
Max

Ace, thanks for the response.

My Pix already had 'no fixup protocol smtp 25'. I always thought that
was only relevant for inbound connections, but maybe I'm wrong.

I also have other Windows 2008/Exchange 2007 installations that have no
problem connecting with any mail servers, so this one is a bit puzzling.
However, as I said in the previous post, I don't think it has anything
to do with Exchange 2007 as I cannot simply telnet to port 25 to the
problematic email servers using Windows 2008's telnet, or even Putty.
It just hangs with a dash.

I am starting to lean more towards the Pix unit at this point, however
it must have something to do with Windows 2008 and the Pix combined.
As I also said, I have a linux server on the same internal network,
that can telnet on port 25 to any of the problematic email hosts that
Windows 2008 fails with. This linux server connects through the same
Pix, and is using the same type of Pix static inside/outside IP
configuration as Windows 2008. This is what removed the Pix for me as
a variable to begin with. What is making me think it's more Pix
related now, is that the Pix is using a very old PixOS version of 6.1.
Still doesn't make any sense as to why linux can do it and Windows
2008 can't, but that's all I can think of for now.

Any other suggestions?

Thanks,
Max


 
Ace Fekay [MCT]

"Max" wrote in message
news:3596d109-cdd5-41c1-8381-a2ff6555dd9d@d21g2000vbm.googlegroups.com...
>
> Ace, thanks for the response.
>
> My Pix already had 'no fixup protocol smtp 25'. I always thought that
> was only relevant for inbound connections, but maybe I'm wrong.
>
> I also have other Windows 2008/Exchange 2007 installations that have no
> problem connecting with any mail servers, so this one is a bit puzzling.
> However, as I said in the previous post, I don't think it has anything
> to do with Exchange 2007 as I cannot simply telnet to port 25 to the
> problematic email servers using Windows 2008's telnet, or even Putty.
> It just hangs with a dash.
>
> I am starting to lean more towards the Pix unit at this point, however
> it must have something to do with Windows 2008 and the Pix combined.
> As I also said, I have a linux server on the same internal network,
> that can telnet on port 25 to any of the problematic email hosts that
> Windows 2008 fails with. This linux server connects through the same
> Pix, and is using the same type of Pix static inside/outside IP
> configuration as Windows 2008. This is what removed the Pix for me as
> a variable to begin with. What is making me think it's more Pix
> related now, is that the Pix is using a very old PixOS version of 6.1.
> Still doesn't make any sense as to why linux can do it and Windows
> 2008 can't, but that's all I can think of for now.
>
> Any other suggestions?
>
> Thanks,
> Max
>




Hmm, interesting. Maybe it is the Pix. FWIW, the latest I have on two
installations (a 501 and a 506) is 6.3(5) with PDM 3.0(4).

Just in case you've overlooked something, take another peek at the Windows
installation. Is there an AV on it? Assuming you've excluded Exchange
folders, keep in mind some AVs will block SMTP. Any third party spam filter
installed on it? How about the Windows firewall? Disable all three instances
of it, as a test.

One difference between Linux (assuming you are using SendMail or similar),
is that Windows defaults to sending using ESMTP, however that shouldn't stop
telnetting to other systems. So then it may possibly point back to the
Pix...

Ace
 
lmckeega

Did you ever figure this out? We have the same problem with our Lotus Server
and have tried to telnet to comcast.net without success. We can telnet to
other email services though.

 
Grant Taylor

On 10/19/2009 11:11 PM, lmckeega wrote:
> Did you ever figure this out? We have the same problem with our Lotus
> Server and have tried to telnet to comcast.net without success. We
> can telnet to other email services though.


To both the OP and lmckeega:

Do your multiple systems at your respective sites share a common
(external) IP? Or do different systems have different IPs? Have you
verified that none of the systems are on any (common) black lists?

I don't know how to translate this to SMTP at this hour of the morning,
but I want to question if this is an SMTP problem similar to HTTP's
problems with TCP MTU / MSS sizes with some IIS servers years ago. I.e.
Windows 2008 is trying to initiate a connection with parameters that
will not work while other systems are using different parameters that
will work.

Try sniffing traffic and comparing traffic between systems that do and
do not work.



Grant. . . .
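
The comparison suggested in the post above, as an added example that is not part of the original thread: it parses the TCP header of one SYN from each host and reports which offered parameters differ. The two sample headers and the helper `build_syn` are constructed here for illustration and are not captures from either poster's network.

```python
import struct

# TCP option kinds that are negotiated in the SYN.
OPTION_NAMES = {2: "mss", 3: "window_scale", 4: "sack_permitted", 8: "timestamps"}

def parse_syn(tcp_header: bytes) -> dict:
    """Extract the connection parameters a client offers in its SYN."""
    if len(tcp_header) < 20:
        raise ValueError("shorter than a minimal TCP header")
    header_len = (tcp_header[12] >> 4) * 4   # data offset, in bytes
    flags = tcp_header[13]
    if not 20 <= header_len <= len(tcp_header):
        raise ValueError("bad data offset")
    if not flags & 0x02:
        raise ValueError("not a SYN segment")
    params = {
        "window": struct.unpack("!H", tcp_header[14:16])[0],
        # An ECN-setup SYN has both ECE (0x40) and CWR (0x80) set.
        "ecn_setup": (flags & 0xC0) == 0xC0,
    }
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        name = OPTION_NAMES.get(kind, f"kind_{kind}")
        if kind == 2 and length == 4:
            params[name] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            params[name] = body[0]
        elif kind in (4, 8):
            params[name] = True   # presence matters; timestamp values vary
        else:
            params[name] = body.hex()
        i += length
    return params

def diff_syns(a: bytes, b: bytes) -> dict:
    """Return {parameter: (value_in_a, value_in_b)} for every difference."""
    pa, pb = parse_syn(a), parse_syn(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)}

def build_syn(window: int, options: bytes, flags: int = 0x02) -> bytes:
    """Build a sample SYN header (constructed test data, not a capture)."""
    options += b"\x00" * (-len(options) % 4)
    offset = ((20 + len(options)) // 4) << 4
    return struct.pack("!HHIIBBHHH", 49152, 25, 1, 0, offset, flags,
                       window, 0, 0) + options

# Constructed samples: values are illustrative, not taken from the thread.
WORKING_HOST_SYN = build_syn(5840, bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030302"))
FAILING_HOST_SYN = build_syn(8192, bytes.fromhex("020405b4" "01" "030308" "0101" "0402"))

if __name__ == "__main__":
    for name, (ok, bad) in diff_syns(WORKING_HOST_SYN, FAILING_HOST_SYN).items():
        print(f"{name}: working={ok} failing={bad}")
```

Capture the SYN on both sides of the firewall as well: an option present on the inside and absent or altered on the outside points at the device in the path rather than at either end host.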
 
Ace Fekay [MCT]

"Grant Taylor" wrote in message
news:hbjltk$gf3$1@tncsrv01.tnetconsulting.net...
> On 10/19/2009 11:11 PM, lmckeega wrote:
>> Did you ever figure this out? We have the same problem with our Lotus
>> Server and have tried to telnet to comcast.net without success. We can
>> telnet to other email services though.

>
> To both the OP and lmckeega:
>
> Do your multiple systems at your respective sites share a common
> (external) IP? Or do different systems have different IPs? Have you
> verified that none of the systems are on any (common) black lists?
>
> I don't know how to translate this to SMTP at this hour of the morning,
> but I want to question if this is an SMTP problem similar to HTTP's
> problems with TCP MTU / MSS sizes with some IIS servers years ago. I.e.
> Windows 2008 is trying to initiate a connection with parameters that will
> not work while other systems are using different parameters that will
> work.
>
> Try sniffing traffic and comparing traffic between systems that do and do
> not work.
>
>
>
> Grant. . . .


Or it's simply that Comcast has them blocked.

Ace
 
Ace Fekay [MCT]

"lmckeega" wrote in message
news:E137CF9E-4952-4711-B83D-B522A3DE7B34@microsoft.com...
> Did you ever figure this out? We have the same problem with our Lotus
> Server
> and have tried to telnet to comcast.net without success. We can telnet to
> other email services though.


Do you get any responses from the telnet attempt to Comcast?
Are you having problems sending to Comcast customers?

I queried Comcast's mail records and got the following:

Non-authoritative answer:
comcast.net MX preference = 5, mail exchanger = mx2b.comcast.net
comcast.net MX preference = 5, mail exchanger = mx4.comcast.net
comcast.net MX preference = 5, mail exchanger = mx1.comcast.net
comcast.net MX preference = 5, mail exchanger = mx2.comcast.net
comcast.net MX preference = 5, mail exchanger = mx1a.comcast.net
comcast.net MX preference = 5, mail exchanger = mx1b.comcast.net
comcast.net MX preference = 5, mail exchanger = mx3.comcast.net
comcast.net MX preference = 5, mail exchanger = mx2a.comcast.net

I picked one of them: mx4.comcast.net
I resolved its IP: 76.96.26.14

Then telnetted easily to it and got a response.

So my feeling is that they may have you blocked. Check
http://mxtoolbox.com/blacklists.aspx to see if your IP is on a blocklist.
Also check http://www.sorbs.net/ to see if they have you on their list.

The best thing to do, as well, is simply contact Comcast.

How Do I Get My IP Block Removed at Comcast?
http://security.comcast.net/get-help/IP-Block-Removed.aspx

What Are the Top Requirements to Avoid Being Blocked When Sending to
Comcast?
http://security.comcast.net/get-help/comca...x#rejectedEmail

Can't send email to comcast.net customers?
http://getsatisfaction.com/comcast/topics/...t_net_customers

I hope that helps.


Ace
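
The telnet check described above, as an added example that is not part of the original post: it separates a refused or unanswered connection from the case reported in this thread, where the TCP connection opens and no greeting ever arrives. The `start_listener` helper and the host name in the sample banner are constructed so the demo runs offline.

```python
import socket
import threading


def probe_smtp(host, port=25, connect_timeout=5.0, banner_timeout=10.0):
    """Open a TCP connection and wait for the server's greeting line.

    Returns (state, detail) where state is one of:
      refused          - the connection attempt was actively rejected
      connect_timeout  - no answer to the connection attempt at all
      no_banner        - handshake completed, then silence (the "dash" hang)
      closed_no_banner - peer closed the connection before greeting
      banner           - a line was received; detail holds it
      error            - any other socket error; detail holds the message
    """
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("connect_timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    data, timed_out = b"", False
    with sock:
        sock.settimeout(banner_timeout)
        try:
            while not data.endswith(b"\n") and len(data) < 4096:
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            timed_out = True
        except OSError as exc:
            return ("error", str(exc))
    if data:
        return ("banner", data.decode("ascii", "replace").strip())
    return ("no_banner" if timed_out else "closed_no_banner", "")


def start_listener(banner, hold=1.0):
    """Constructed local stand-in for a mail server; returns its port.

    banner=None accepts the connection and stays silent, which is what
    the hanging telnet session looks like from the client side.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        threading.Event().wait(hold)   # keep the connection open briefly
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    good = start_listener(b"220 mx.example.test ESMTP\r\n")
    silent = start_listener(None)
    print(probe_smtp("127.0.0.1", good, banner_timeout=2))
    print(probe_smtp("127.0.0.1", silent, banner_timeout=0.5))
```

A `no_banner` result from one host and `banner` from another behind the same firewall means the handshake is completing and the data after it is being lost, which a blocklist check alone will not explain.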
 
lmckeega

Thank you for the suggestions. We actually figured it out last night.

We had recently upgraded to Windows 2008 server. Everything worked fine for
the first few days and then emails to Comcast and a few other places would
time out. The solution was detailed in this article:
http://support.microsoft.com/kb/951291


 
Ace Fekay [MCT]

"lmckeega" wrote in message
news:1E6FA313-64B5-4B4B-9B3C-66EE91807788@microsoft.com...

Glad to hear you figured it out and got it fixed.

Curious, what type of router or firewall are you using?

Ace



> Thank you for the suggestions. We actually figured it out last night.
>
> We had recently upgraded to Windows 2008 server. Everything worked fine
> for
> the first few days and then emails to Comcast and a few other places would
> time out. The solution was detailed in this article:
> http://support.microsoft.com/kb/951291
 