WatchGuard allows Exchange's outbound SMTP, but not 3rd party outbound SMTP

We run w2k3SBS with exchange, and we have a firebox x500.  We have an SMTP proxy because we use NAT to take incoming mail to our external IP and fwd them to our internal server IP.  Outgoing smtp is from our internal server IP to Any.  

Our outside sales guy lives by his email and so we just fwd his company email to his account (  When he is in the building he can surf around and do most things, but he can not send email via port 25.  
He can log in and use webmail to send, but he can not send via Outlook.  

My guess is this:  because the smtp proxy wants to see SMTP traffic coming from the server's IP, and because Mr. Salesman's laptop has a different IP, the firewall blocks it.  I have tried adding a host IP, host name, network IP, etc.  The firebox sees his computer, but still, he can not send smtp traffic out.  

Last week we had a DNS issue where we ended up deleting the DNS proxy and recreated a DNS Filter instead.  It seems this would be the thing to do here for the SMTP issue, however we use NAT, and I couldn't see that the SMTP Filter would allow me to recreate a similar NAT.  Any thoughts?


Have you tried to add a packet filter rule on port 25 with Mr. Salesman's IP address?

amcorjon (Author) Commented:
Where exactly would I do that?  Within the SMTP Proxy, or the SMTP Filter, or on another proxy?  (please excuse the newbie for ignorance, my learning curve these past few months is hectic, but great, none-the-less)

Hold on a sec here... You are saying that when he is in the US his email works fine. He plugs his laptop on your LAN and can't use a specific SMTP server from his USA ISP to send email out?

-Unless I misunderstood, it sounds to me like your ISP does not allow any SMTP traffic that is not directed towards their relay servers, or the US guy's ISP does not allow use of the server if your address is not part of their network.

amcorjon (Author) Commented:
Let me try to clarify.   When Mr. Salesman comes to the office, he connects via WiFi.  He does not authenticate to our domain.  He just grabs an IP to establish a connection.  If he uses a browser he can log into his web-based email account to send/receive.  If he uses Outlook, he can only receive, and not send.  Here is one log file entry, maybe this will help:

11/14/04 09:35  firewalld[118]:  deny out eth1 48 tcp 20 128 1269 25 syn (SMTP)

Any thoughts?


On the firewall: "deny out to 25 smtp"
"Outgoing smtp is from our internal server IP to Any"
Am I missing something or did you test it with to any? too much?

-Have DHCP assign him the same IP with a reservation and allow from exchangeip/32 and to any

amcorjon (Author) Commented:
OK, I'll try that as soon as he visits the office again.  Thanks housenet.  I'll follow up with the results.

amcorjon (Author) Commented:
Found the problem in the SMTP proxy.  Strangely enough it had to do with the INCOMING smtp proxy - ESMTP "Allow Auth" needed to be checked.  The firewall was stripping the authentication info and the server wouldn't recognize him.

I checked the option, saved/flashed the firebox.  Had the user resend, and success!

This was not very intuitive because the traffic in question is outbound SMTP, whereas the checkbox that affected this was in the incoming properties of the SMTP proxy.  Strange.  
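
One way to confirm this kind of fault, as an added example that is not part of the original thread: compare the server's EHLO reply captured directly with the reply seen from the client side of the firewall, and list the extensions that went missing. It assumes the stripping shows up as AUTH disappearing from the EHLO reply; both replies below are constructed samples, and the host name and addresses are placeholders.

```python
import re

# Constructed sample EHLO replies (placeholders, not captured from the thread).
DIRECT = """\
250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 8BITMIME
"""
VIA_PROXY = """\
250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250 8BITMIME
"""

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a raw multi-line EHLO reply."""
    extensions = {}
    lines = [line for line in reply.splitlines() if line.strip()]
    for index, raw in enumerate(lines):
        match = _REPLY_LINE.match(raw)
        if not match or match.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {raw!r}")
        if index == 0:
            continue  # first line is the greeting, not an extension
        # Split on the first space or "=" so the legacy "AUTH=LOGIN"
        # form is merged with the standard "AUTH LOGIN" form.
        keyword, *rest = re.split(r"[ =]", match.group(3), maxsplit=1)
        params = rest[0].upper().split() if rest else []
        extensions.setdefault(keyword.upper(), set()).update(params)
    return extensions


def auth_mechanisms(reply):
    """SASL mechanisms advertised in the reply; empty if AUTH is absent."""
    return sorted(parse_ehlo(reply).get("AUTH", set()))


def stripped_extensions(direct, via_proxy):
    """Extensions the server advertises that the client never sees."""
    seen = parse_ehlo(via_proxy)
    return sorted(k for k in parse_ehlo(direct) if k not in seen)
```

If `stripped_extensions` reports `AUTH`, the client never sees an offer to authenticate, which matches the symptom where receiving works but authenticated sending does not.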
