watchguard allows Exchange's outbound smtp, but not 3rd party outbound smtp

Posted on 2004-11-16
Medium Priority
Last Modified: 2013-11-16
We run w2k3SBS with Exchange, and we have a Firebox X500. We have an SMTP proxy because we use NAT to take incoming mail to our external IP and forward it to our internal server IP. Outgoing SMTP is from our internal server IP to Any.

Our outside sales guy lives by his usa.net email, so we just forward his company email to his usa.net account (smtp.postoffice.net). When he is in the building he can surf around and do most things, but he cannot send email via port 25.
He can log in and use webmail to send, but he cannot send via Outlook.

My guess is this: because the SMTP proxy wants to see SMTP traffic coming from the server's IP, and because Mr. Salesman's laptop has a different IP, the firewall blocks it. I have tried adding a host IP, host name, network IP, etc. The Firebox sees his computer, but still, he cannot send SMTP traffic out.

Last week we had a DNS issue where we ended up deleting the DNS proxy and recreating a DNS filter instead. It seems this would be the thing to do here for the SMTP issue; however, we use NAT, and I couldn't see that the SMTP filter would allow me to recreate a similar NAT. Any thoughts?

Question by:amcorjon

Expert Comment

ID: 12599474
Have you tried adding a packet filter rule on port 25 with Mr. Salesman's IP address?

Author Comment

ID: 12599524
Where exactly would I do that? Within the SMTP Proxy, or the SMTP Filter, or on another proxy? (Please excuse the newbie's ignorance; my learning curve these past few months has been hectic, but great nonetheless.)

Expert Comment

ID: 12599528
Hold on a sec here... You are saying that when he is in the US his email works fine. He plugs his laptop into your LAN and can't use a specific SMTP server from his US ISP to send email out?

- Unless I misunderstood, it sounds to me like your ISP does not allow any SMTP traffic that is not directed towards their relay servers, or the US guy's ISP does not allow use of the server if your address is not part of their network.

Author Comment

ID: 12599891
Let me try to clarify. When Mr. Salesman comes to the office, he connects via WiFi. He does not authenticate to our domain; he just grabs an IP to establish a connection. If he uses a browser he can log into his web-based email account to send/receive. If he uses Outlook, he can only receive, not send. Here is one log file entry; maybe this will help:

11/14/04 09:35  firewalld[118]:  deny out eth1 48 tcp 20 128 1269 25 syn (SMTP)

Any thoughts?
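As an added example (not part of the thread), here is a small parser for log lines in the shape of the firewalld entry quoted above, used to pick out outbound TCP/25 attempts from hosts other than the mail server. The field layout (action, direction, interface, packet length, protocol, header length, TTL, optional source/destination IP, source port, destination port, TCP flags, service in parentheses) is inferred from that one line, not taken from WatchGuard documentation, and the mail server address 192.168.1.10 and every log line except the first are constructed for the example.

```python
"""Parse WFS-style firewalld log lines and flag outbound SMTP from non-mail-server hosts.
Field layout is assumed from the single line quoted in the thread; numeric fields after
the interface are treated as packet length, IP header length and TTL but are not used.
MAIL_SERVER and all sample lines except the first are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAIL_SERVER = "192.168.1.10"  # assumed Exchange server address

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# date time firewalld[pid]: <body> [(service)]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+firewalld\[\d+\]:\s+(.*?)(?:\s*\(([^)]*)\))?\s*$")


@dataclass
class FwEvent:
    date: str
    time: str
    action: str        # allow / deny
    direction: str     # in / out
    iface: str
    proto: str
    src: Optional[str]  # None when the line carries no addresses, as in the thread
    dst: Optional[str]
    sport: int
    dport: int
    flags: str
    service: str


def parse_firewalld_line(line: str) -> Optional[FwEvent]:
    """Return an FwEvent, or None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, body, service = m.groups()
    tok = body.split()
    if len(tok) < 9:  # action dir iface len proto hlen ttl sport dport is the minimum
        return None
    action, direction, iface, _plen, proto, _hlen, _ttl = tok[:7]
    rest = tok[7:]
    src = dst = None
    if len(rest) >= 4 and IP_RE.match(rest[0]) and IP_RE.match(rest[1]):
        src, dst, rest = rest[0], rest[1], rest[2:]
    try:
        sport, dport = int(rest[0]), int(rest[1])
    except (ValueError, IndexError):
        return None
    flags = " ".join(rest[2:])  # e.g. "syn"; empty for UDP
    return FwEvent(date, time, action, direction, iface, proto, src, dst,
                   sport, dport, flags, service or "")


def unexpected_outbound_smtp(lines: List[str], mail_server: str = MAIL_SERVER) -> List[FwEvent]:
    """Outbound TCP/25 events, allowed or denied, whose source is not the mail server.
    A deny here is the egress policy doing its job (a workstation trying to talk SMTP
    directly); an allow would mean the "server to Any" rule is wider than intended."""
    hits = []
    for line in lines:
        ev = parse_firewalld_line(line)
        if ev is None or ev.direction != "out" or ev.proto != "tcp" or ev.dport != 25:
            continue
        if ev.src == mail_server:
            continue
        hits.append(ev)
    return hits


# First line is the one quoted in the thread; the rest are constructed (documentation IPs).
SAMPLE_LOG = """\
11/14/04 09:35  firewalld[118]:  deny out eth1 48 tcp 20 128 1269 25 syn (SMTP)
11/14/04 09:36  firewalld[118]:  allow out eth1 48 tcp 20 128 192.168.1.10 198.51.100.25 3301 25 syn (SMTP)
11/14/04 09:37  firewalld[118]:  deny out eth1 48 tcp 20 128 192.168.1.77 203.0.113.9 1270 25 syn (SMTP)
11/14/04 09:38  firewalld[118]:  allow out eth1 60 tcp 20 128 192.168.1.77 203.0.113.80 1271 80 syn (HTTP)
11/14/04 09:39  firewalld[118]:  allow out eth1 64 udp 20 128 192.168.1.77 192.168.1.10 1272 53 (DNS)
"""

if __name__ == "__main__":
    for ev in unexpected_outbound_smtp(SAMPLE_LOG.splitlines()):
        print(f"{ev.date} {ev.time} {ev.action} {ev.src or '<no src in log>'}:{ev.sport} -> "
              f"{ev.dst or '<no dst in log>'}:{ev.dport} {ev.flags} ({ev.service})")
```

Running it lists two events: the thread's own line (no addresses, so the source cannot be tied to the laptop from the log alone, which is why the reply below suggests a DHCP reservation) and the constructed deny from 192.168.1.77. The allowed connection from the mail server is the expected traffic and is not reported.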



Accepted Solution

Housenet earned 750 total points
ID: 12600414
On the firewall: "deny out to 25 smtp"
"Outgoing smtp is from our internal server IP to Any"
Am I missing something, or did you test it with "to Any"? Too much?

- Have DHCP assign him the same IP with a reservation, and allow from exchangeIP/32 and to Any.

Author Comment

ID: 12606635
OK, I'll try that as soon as he visits the office again. Thanks, Housenet. I'll follow up with the results.

Author Comment

ID: 12618329
Found the problem in the SMTP proxy.  Strangely enough it had to do with the INCOMING smtp proxy - ESMTP "Allow Auth" needed to be checked.  The firewall was stripping the authentication info and the server wouldn't recognize him.

I checked the option, saved/flashed the firebox.  Had the user resend, and success!

This was not very intuitive because the traffic in question is outbound SMTP, whereas the checkbox that affected this was in the incoming properties of the SMTP proxy.  Strange.  
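As an added illustration of the failure the author describes (not code from the thread, WatchGuard or usa.net), the following models an ESMTP relay behind a proxy that either passes AUTH through or strips it. The relay, proxy, host names and credentials are toys constructed for the example; the assumption, taken from the author's description, is that with "Allow Auth" unchecked the proxy removes the AUTH capability from the EHLO reply and refuses AUTH commands, so the relay never sees the client authenticate and refuses to relay to an outside domain.

```python
"""Toy ESMTP relay behind an SMTP proxy, showing why a client that can only send
after AUTH fails when the proxy strips authentication. Everything here is constructed
for the example: relay.example.net, the proxy behaviour and the credentials are
assumptions, not the Firebox's or smtp.postoffice.net's real implementation."""
import base64


class RelayServer:
    """Accepts mail for its own domain from anyone, relays elsewhere only after AUTH."""

    def __init__(self, users, local_domain="usa.net"):
        self.users, self.local_domain, self.authed = users, local_domain, False

    def ehlo(self, name):
        return [f"250-relay.example.net Hello {name}", "250-SIZE 10240000",
                "250-AUTH PLAIN LOGIN", "250 8BITMIME"]

    def auth_plain(self, blob):
        try:  # AUTH PLAIN payload is base64("authzid\0user\0password")
            _authz, user, pw = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Syntax error in AUTH data"
        if self.users.get(user) == pw:
            self.authed = True
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"

    def mail_from(self, addr):
        return "250 OK"

    def rcpt_to(self, addr):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == self.local_domain or self.authed:
            return "250 OK"
        return "550 Relaying denied: authenticate first"


class SmtpProxy:
    """Transparent proxy; with allow_auth=False it hides AUTH from EHLO and rejects
    AUTH commands (assumed model of "Allow Auth" unchecked)."""

    def __init__(self, server, allow_auth):
        self.server, self.allow_auth = server, allow_auth

    def ehlo(self, name):
        lines = self.server.ehlo(name)
        if self.allow_auth:
            return lines
        caps = [l[4:] for l in lines if not l[4:].upper().startswith("AUTH")]
        # Re-terminate the multi-line reply: "250-" continuations, "250 " on the last line.
        return ["250-" + c for c in caps[:-1]] + ["250 " + caps[-1]]

    def auth_plain(self, blob):
        return self.server.auth_plain(blob) if self.allow_auth else "502 Command not implemented"

    def mail_from(self, addr):
        return self.server.mail_from(addr)

    def rcpt_to(self, addr):
        return self.server.rcpt_to(addr)


def send_via(proxy, user, pw, mail_from, rcpt_to):
    """Outlook-like client: EHLO, AUTH PLAIN only if advertised, then MAIL FROM / RCPT TO.
    Returns (transcript of (side, line) pairs, whether RCPT TO was accepted)."""
    log = [("C", "EHLO laptop.example.internal")]
    ehlo = proxy.ehlo("laptop.example.internal")
    log += [("S", l) for l in ehlo]
    if any(l[4:].upper().startswith("AUTH ") and "PLAIN" in l.upper() for l in ehlo):
        blob = base64.b64encode(f"\0{user}\0{pw}".encode()).decode()
        log += [("C", f"AUTH PLAIN {blob}"), ("S", proxy.auth_plain(blob))]
    log += [("C", f"MAIL FROM:<{mail_from}>"), ("S", proxy.mail_from(mail_from))]
    reply = proxy.rcpt_to(rcpt_to)
    log += [("C", f"RCPT TO:<{rcpt_to}>"), ("S", reply)]
    return log, reply.startswith("250")


def demo(allow_auth):
    """Run the exchange for one proxy setting with constructed credentials."""
    proxy = SmtpProxy(RelayServer({"salesman": "s3cret"}), allow_auth)
    return send_via(proxy, "salesman", "s3cret", "salesman@usa.net", "customer@example.com")


if __name__ == "__main__":
    for allow in (False, True):
        transcript, ok = demo(allow)
        print(f"--- proxy Allow Auth = {allow}: send {'succeeded' if ok else 'FAILED'}")
        for side, line in transcript:
            print(f"{side}: {line}")
```

With Allow Auth off, the client never sees an AUTH line, skips authentication, and the RCPT TO for an outside domain comes back 550; with it on, the 235 is seen and the same RCPT TO is accepted. Two practical points follow from this: AUTH PLAIN and LOGIN carry the password base64-encoded rather than encrypted, so once AUTH is let through the proxy it should be paired with STARTTLS or the TLS submission port (587) if the relay offers it; and the egress exception should stay as narrow as the accepted answer suggests (the laptop's reserved IP to that one relay) rather than opening TCP/25 from the LAN to Any, since workstation-originated SMTP is exactly what the deny rule exists to catch.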


Expert Comment

ID: 12649868

Question has a verified solution.