MattLog.net » cisco

Exchange 2007 500 Firewall Error

Matt Shadbolt — Wed, 31 Dec 2008 00:39:50 +0000

If your having intermittent DSN errors returning to your users with the message “mail.someremoteserver.com #500 Firewall Error##” I’ve found the the error is actually due to your local Cisco router/firewall.

It seems that some Cisco routers and IOS versions that use the ip inspect command on the outgoing interface have problems with the newer Exchange 07 message headers. Simply remove the ip inspect from the interface (no ip inspect) and the problem seems to disappear.

EDIT: I’ve since found that you don’t need to totally disable the ip inspect – you just need to remove the esmtp filtering from the list of ip inspect protocols. Matt.

Consideration when upgrading Cisco IOS Software

Matt Shadbolt — Thu, 16 Oct 2008 02:01:15 +0000

Upgrading your IOS is generally a pretty strait forward task. There is one consideration you should make before attempting to upgrade your router – the required “feature set”.

If you install an IOS image that doesn’t include some of the features included in your previous IOS version you may find that some functionality is lost.

You can quickly check the feature set by running the show version command on your router. You will find the feature set version either in the System Image file name (ie “flash:c1234aa-advsecurityk9-mz”) or you can find it on the very first line of the output (ie “(c1234aa-advsecurityk9-mz)” ).

Once you know your current feature set, just find the new IOS image that complies with the current feature set and you should be good to go.

Locking down outbound SMTP

Matt Shadbolt — Wed, 30 Jul 2008 09:22:35 +0000

I’ve recently had issues with my companies IP address being blacklisted by a bunch of RBL’s (Realtime Block Lists) blocking mail delivery from our server on the basis that we are sending SPAM. We of course didn’t realize there was a rouge client on our network sending bulk unsolicited emails.

After weeding out the client – and confirming their AV was installed and up-to-date, it was now time to stop this from happening again. And its actually relitively simple.

In this (and most) instances, the virus installs a light-weight SMTP server on the client and spews email on behalf of the SPAMmers. To stop this we need to block rouge emails being sent from within our network.

My company only has one mail server so the update to our outbound Cisco ACL was simple.

Sample:

ip access-list extended sample-inbound
allow ip any host 192.168.168.100 eq SMTP
deny ip any any eq SMTP
allow ip any any (yes I know, not good practice but a good example!)

OK, so fairly straight forward. As the traffic leaves our network the outbound ACL is run through. Firstly, if the SMTP traffic is from the server (192.168.168.100) the traffic is allowed. If the traffic doesn’t map the host IP address it drops to the second line. Obviously the next line deny’s any SMTP traffic – this is the condition that will stop any other client on the network from sending mail they shouldn’t be.

Simple as that.

NOTE: Be sure you apply the ACL to the correct interface! You should apply it to the interface that is connected to the server – in this example the default gateway of the 192.168.168.x network