Re: Unable to reach POP server


From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/07/04


Date: Tue, 7 Sep 2004 22:21:36 +0200

Hi,

I am not familiar with SonicWall so you will have to check its
documentation for specifics.

What you need to do for POP3 to work is "redirect" any request that comes to
the public IP (the IP that mail.yourcompany.com resolves to) on TCP port 110 to
the internal IP of your e-mail (POP) server.

SMTP in your case is a bit more tricky. If you do this for SMTP you will
have an open relay and anyone will be able to relay spam over your mail
server. You could use another IP (not the IP that is used for delivery of e-mail
to your company) and redirect any TCP port 25 request to the internal SMTP
server (not your antivirus and antispam server) and make sure that only
authenticated users can use this SMTP server (it's e.g. an IIS or Exchange SMTP
setting).
With this you will have to configure your e-mail clients (Outlook, Outlook
Express or ...) to actually authenticate before they try to send the mail.
Note that this will send the username and password in clear text. Anyone with a
sniffer on the network will be able to read it.

I hope this helps. Feel free to post back with any questions.

Mike
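The clear-text credential risk Mike describes, as an added example that is not part of the thread: a small Python parser for an SMTP server's EHLO reply (the sample reply is constructed, not captured from any host in the thread) that reports whether the server demands authentication and whether that authentication would travel without TLS (STARTTLS, RFC 3207).

```python
"""Evaluate what an SMTP server's EHLO reply tells a client (and a sniffer).

Added illustration for the SMTP-authentication point above; not code from the
thread. The EHLO reply below is constructed, not captured from any real host.
"""

# Constructed EHLO reply in the style of RFC 5321 section 4.1.1.1: a server
# that offers AUTH LOGIN/PLAIN but not STARTTLS, i.e. credentials cross the
# wire in the clear, which is exactly the risk described in the reply above.
SAMPLE_EHLO = (
    "250-mail.example.test Hello [203.0.113.7]\r\n"
    "250-SIZE 10485760\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 OK\r\n"
)

# SASL mechanisms that carry the password itself (not a hash or challenge).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: [params]} for every 250- / 250<space> line after the greeting."""
    caps = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:  # first line is the greeting, not a capability
        if not line.startswith("250"):
            continue
        body = line[4:].split()  # strip "250-" or "250 "
        if body:
            caps[body[0].upper()] = [p.upper() for p in body[1:]]
    return caps


def assess(caps: dict) -> list:
    """List the findings a defender would want about how credentials travel."""
    findings = []
    mechs = set(caps.get("AUTH", []))
    if not mechs:
        findings.append("no AUTH offered: server cannot restrict relay to authenticated users")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: session is cleartext")
        if mechs & CLEARTEXT_MECHS:
            findings.append("AUTH %s sent without TLS: password recoverable by a sniffer"
                            % "/".join(sorted(mechs & CLEARTEXT_MECHS)))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ehlo(SAMPLE_EHLO)):
        print("-", finding)
```

A server that advertises STARTTLS and only accepts AUTH after the TLS handshake yields no findings; the sample above yields two.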

"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:Oocw$EQlEHA.3432@TK2MSFTNGP14.phx.gbl...
> I've found the problem, but I'm not sure of the best solution.
>
> I looked for a firewall problem previously, but could find no fault with the
> way port forwarding was set up. As it turns out, the problem isn't with
> port forwarding, but with 1:1 NAT.
>
> Currently, we have 3 public IPs. One class A address (x.x.x.32) is assigned
> to the firewall device itself, which is a SonicWall SOHO2. Two additional
> IPs have been assigned; x.x.x.33 was set up with 1:1 NAT to our fairly new
> SBS 2003, and x.x.x.34 to our mail server. I'm not certain why she (my
> predecessor) chose to have multiple public IPs; my understanding has been
> that they're unnecessary since traffic can be distinguished and routed
> based on the port used. The setup worked, however, since there was never a
> need to route traffic coming in on the mail server's IP to different
> machines based on the port. Now there is. Why? Because we added a spam
> appliance to our network a month ago.
>
> I changed the 1:1 NAT on the SonicWall a month ago to point to the IP of our
> new spam firewall appliance instead of the mail server, and then set up the
> spam firewall to forward acceptable mail to the IP of our mail server. All
> incoming mail flows thru that spam firewall first (running a hardened,
> locked-down linux distro) before being forwarded to the mail server.
> However, it will only forward SMTP mail received on port 25 (and
> technically, it's not simply forwarding...it's receiving, processing, and
> then initiating its own connection). My connection attempts are apparently
> all hitting the spam appliance and dying there, including my telnet
> connection attempt to port 25.
>
> At this point it seems clear that if a port-forwarding rule is set up that
> conflicts with a 1:1 NAT setting, the 1:1 NAT setting wins. I don't want to
> break our email by turning off 1:1 NAT until I'm clear of the consequences.
> Here's what needs to be accomplished:
>
> -- Incoming SMTP mail needs to be processed by our spam firewall, then
> passed along to our mail server. (This is working)
> -- Users need to be able to POP their mailboxes on the mail server from
> outside the company firewall. (This is not working)
> -- Users need to be able to send outgoing SMTP mail thru our mail server
> from outside the company firewall. (This is not working).
> -- Once we migrate to Exchange 2003 (very shortly), we'll need to accomplish
> the same goals, with the exception that they'll no longer be using POP3 to
> get mail.
>
> It should be noted that we also have a satellite office with an identical
> model SonicWall firewall. Some kind of VPN is set up between the two
> firewalls to secure all communications between them, although I'm not clear
> if that's actually doing anything, based on how the girl at that office
> currently does her work. When I asked my predecessor about the reason for
> multiple public IPs she said something about this VPN connection needing a
> dedicated IP. Does that seem reasonable?
>
> Sorry for the long post...any takers welcome. Thanks to Mike for his help
> thus far.
>
> Bryan
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:Ol%23LGZPlEHA.3156@TK2MSFTNGP12.phx.gbl...
> > Check your corporate firewall (firewall that protects your LAN and server)
> > and make sure that it allows connection to POP3 service from the Internet
> > (it looks like it doesn't). You should also check firewall log files.
> > If you use a NAT device, make sure that it forwards connection from public IP
> > address (NAT device) to internal POP server.
> >
> > Mike
>
>
