watchguard allows Exchange's outbound smtp, but not 3rd party outbound smtp

Posted on 2004-11-16
Last Modified: 2013-11-16
We run w2k3SBS with exchange, and we have a firebox x500.  We have an SMTP proxy because we use NAT to take incoming mail to our external IP and fwd them to our internal server IP.  Outgoing smtp is from our internal server IP to Any.  

Our outside sales guy lives by his email and so we just fwd his company email to his account (  When he is in the building he can surf around and do most things, but he can not send email via port 25.  
He can log in and use webmail to send, but he can not send via Outlook.  

My guess is this:  because the smtp proxy wants to see SMTP traffic coming from the server's IP, and because Mr. Salesman's laptop has a different IP, the firewall blocks it.  I have tried adding a host IP, host name, network IP, etc.  The firebox sees his computer, but still, he can not send smtp traffic out.  

Last week we had a DNS issue where we ended up deleting the DNS proxy and recreated a DNS Filter instead.  It seems this would be the thing to do here for the SMTP issue, however we use NAT, and I couldn't see that the SMTP Filter would allow me to recreate a similar NAT.  Any thoughts?

Question by:amcorjon

    Expert Comment

    Have you tried to add a packet filter rule on port 25 with Mr. Salesman IP address?

    Author Comment

    Where exactly would I do that?  Within the SMTP Proxy, or the SMTP Filter, or on another proxy?  (please excuse the newbie for ignorance, my learning curve these past few months is hectic, but great, none-the-less)

    Expert Comment

    Hold on a sec here... You are saying that when he is in the US his email works fine. He plugs his laptop into your LAN and can't use a specific SMTP server from his USA ISP to send email out?

    -Unless I misunderstood, it sounds to me like your ISP does not allow any SMTP traffic that is not directed towards their relay servers, or the US guy's ISP does not allow use of the server if your address is not part of their network.

    Author Comment

    Let me try to clarify.   When Mr. Salesman comes to the office, he connects via WiFi.  He does not authenticate to our domain.  He just grabs an IP to establish a connection.  If he uses a browser he can log into his web-based email account to send/receive.  If he uses Outlook, he can only receive, and not send.  Here is one log file entry, maybe this will help:

    11/14/04 09:35  firewalld[118]:  deny out eth1 48 tcp 20 128 1269 25 syn (SMTP)

    Any thoughts?



    Accepted Solution

    On the firewall: "deny out to 25 smtp"
    "Outgoing smtp is from our internal server IP to Any"
    Am I missing something or did you test it with to any? too much?

    -Have dhcp assign him the same ip with a reservation and allow from exchangeip/32 and to any

    Author Comment

    OK, I'll try that as soon as he visits the office again.  Thanks housenet.  I'll follow up with the results.

    Author Comment

    Found the problem in the SMTP proxy.  Strangely enough it had to do with the INCOMING smtp proxy - ESMTP "Allow Auth" needed to be checked.  The firewall was stripping the authentication info and the server wouldn't recognize him.

    I checked the option, saved/flashed the firebox.  Had the user resend, and success!

    This was not very intuitive because the traffic in question is outbound SMTP, whereas the checkbox that affected this was in the incoming properties of the SMTP proxy.  Strange.  
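
Added example (not part of the original thread): the fix above depended on whether the ESMTP AUTH capability reaches the client, which can be checked by comparing the server's EHLO reply as seen directly and as seen through the proxy. The two replies and the host name `mail.example.test` are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample replies (not from the thread): the same server's EHLO
# response captured directly and through a filtering SMTP proxy.
DIRECT = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 8BITMIME\r\n"
)
VIA_PROXY = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)

# "250-KEYWORD params" or the final "250 KEYWORD params"; some servers also
# send the legacy "AUTH=LOGIN" form, so "=" is accepted as a separator.
_LINE = re.compile(r"^250[- ]([^\s=]+)(?:[ =](.*))?$")


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the extensions in an EHLO reply."""
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    extensions = {}
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        m = _LINE.match(line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        params = (m.group(2) or "").split()
        # A keyword may appear twice (AUTH and AUTH=), so merge the params.
        extensions.setdefault(m.group(1).upper(), []).extend(params)
    return extensions


def stripped_extensions(direct, via_proxy):
    """Keywords the server offers directly but the client never sees."""
    return sorted(set(parse_ehlo(direct)) - set(parse_ehlo(via_proxy)))


def can_authenticate(reply):
    """True if the reply advertises at least one AUTH mechanism."""
    return bool(parse_ehlo(reply).get("AUTH"))


if __name__ == "__main__":
    print("removed in transit:", stripped_extensions(DIRECT, VIA_PROXY))
    print("AUTH visible via proxy:", can_authenticate(VIA_PROXY))
```

A client that needs to authenticate to its own provider's relay will fail to send whenever `can_authenticate` is false for the reply it actually receives, even though the TCP connection on port 25 is allowed.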
