October 18th, 2003, 05:57 PM
cisco router- smtp authentication timeout
I'm having a problem where when I use a mail client to try to send mail through my ISPs mail server, the authentication fails. It is a pop3 account.
I have two routers. I have a d-link that has the default config, with passwords changed and etc. That doesn't have a firewall on it. I can send/recieve mail just fine with that.
However, I have a Cisco 806 broadband router that I have been using and like better.
This is the router I have problems trying to get the smtp to authenticate to send mail. I can receive just fine.
I called my ISP and they advised me to change my MTU. They recommend 1492, which is what it was. They said that some people have better luck with 1500. I have tried that too... and it still won't work.
I will post my config. If anyone notices a config error, please let me know.
I'm thinking there might be a problem with the firewall rules? Though... I don't know why. I allow ALL out, block ALL in. I have personal firewalls on each client to block individual apps on each client. So, I didn't put it on the router.
Its driving me nuts...
EDIT: In the config, you'll notice that on interface Dialer1, there is no mtu specified. I have corrected this. It won't however take the value 1500 as recommended by my ISP.
October 18th, 2003, 09:42 PM
Does your ISP use SMTP or ESMTP?
Try the firewall with a
Q. Inspection of mail through the Cisco IOS firewall does not work properly when I use the ip inspect smtp command. What could be the problem?
A. CBAC can be configured to inspect Simple Mail Transport Protocol (SMTP) but not Extended SMTP (ESMTP). SMTP is described in RFC 821 . CBAC SMTP inspect does not inspect the ESMTP session or command sequence. Configuring SMTP inspection is not useful for ESMTP, and it can cause problems. To determine whether a mail server is doing SMTP or ESMTP, contact your mail server software vendor, or Telnet to mail server port 25 and observe the banner to see if it reports SMTP or ESMTP.
no ip inspect name myfw smtp
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
October 18th, 2003, 09:56 PM
It is kind of unrelated to what you are asking, but looking at that access list, why in god's name are you allowing bootp and netbios into your network? Those are horrendously insecure protocols...
Also, (and I am not a cisco expert by any means), it appears at least to me intially that you have setup your router to be http managed, but without an ACL (your vty does have an ACL, and also don't forget, that http server has made MANY vulnerabilities).
Is this router able to process connections statefully? Ie, if it sees your traffic going out does it automatically allow your return traffic back in with how you have your ACL setup (deny ip any any at the end)? (I honestly don't know which is why I am asking, I am used to the router ACL's not being stateful).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
October 18th, 2003, 09:58 PM
htregz: you got it! thanks man
nebulus200: I initially setup this with the web setup.
I have since (today) gone back and changed the ACLs, so those are not allowed now.
That was just a default setup, I just hadn't changed them yet. Its just easier to get the dialer interfaces and such configured automatically, then go back and configure everything else. I'll post the new config after I complete it. Just to make sure I haven't missed anything. Since I couldn't get my mail to work... I went back and decided to reconfigure it all over again.
As for them being stateful... I don't know. I'd have to check it out.
Thanks for looking out though!
I've had several people scan me since I applied the new ACLs and they're coming up with nothing.
October 18th, 2003, 10:52 PM
Ok, I've updated my config now.
Now that I have that problem out of the way, I just want to make sure that I have the router locked down good enough. I've had some people helping me out a bit, scanning, pinging, etc. Thank you those who helped from unerror and htregz!
Anyone who wants to look over the config and give some feedback... I'd appreciate it!