ubiquitas asked:

SBS 2003 SP1, port 25 closed so no incoming mail

Hello

Installed a SBS2003 SP1 server today with Exchange.

My router forwards port 25 traffic to the server but the server's port 25 is closed - I'm damned if I can get it open.

I "think" it's security policy, but am really a bit lost.

Maximum points for instructions on how to open the port (preferably in English!), my neck is on the line here

hope you can help
Zadkin

You tried to run the CEICW already?
Jeffrey Kane - TechSoEasy

Running the CEICW would be the first thing to do... see http://sbsurl.com/ceicw for the overview.

If you have a TWO NIC configuration, please see http://sbsurl.com/twonics to make sure you have configured things properly.  If you have a single NIC, you can review the options at http://sbsurl.com/msicw.

But I would wonder why you think the "SERVER" has port 25 blocked?  How are you testing this?

My guess is that the ISP has it blocked because that's a very common occurrence.  Usually if you have a static IP you either need to contact the ISP to unblock or they provide a way to manually unblock in their control panel.

Jeff
TechSoEasy
ubiquitas (ASKER)

I've run the CEICW, I can send mail / access internet just fine

port 25 is NOT blocked by the ISP

the router is configured to redirect 25 traffic to the server ip

port being blocked on the server was the only other thing I could imagine would stop me connecting.

I can telnet into the server from the LAN, but not from the internet

Does that help you or me at all?

"I can telnet into the server from the LAN, but not from the internet"

This leads me to think that the router is not forwarding port 25 correctly.
Are you using the basic firewall provided by "routing and remote access" in SBS?  If you are, you need to open the Routing and Remote Access snap-in.  Then expand your servername.  Expand IP Routing > Expand IP Routing > Click NAT/Basic Firewall > Right Click Server Local Area Connection > Properties.  Click on Services and Ports tab > Make sure Internet Mail Server (SMTP) is checked.  Make sure the Private address is pointed to the e-mail server.

You should NOT have to modify the RRAS settings AT ALL if the CEICW is run correctly.  The only thing that may cause a problem is if the binding order or the IP Address Configuration isn't correct.

The binding order only applies if you have two nics...

can you please post an IPCONFIG /ALL from your server?

Thanks.

Jeff
TechSoEasy

You're right he shouldn't, but it never hurts to double check, right?

Also, what is the make/model of your Router?  Some routers require TWO settings to open ports... one is a pointer and the other opens the port on the firewall.

Jeff
TechSoEasy

As for double checking... actually it CAN hurt if you correct the problem at that level.  The CEICW will put these things in the right place... and usually someone who isn't intimately familiar with RRAS settings would do more harm than good by changing ANY of them...  IMHO.

If there is something wrong with those settings, either someone has gone in and manually changed them, or there are far more issues than just the right IP Address pointing to SMTP.  This can usually be detected by reviewing the IPCONFIG /ALL and correcting any problems there.  Because if you correct it at the RRAS level, when the problem actually exists 3 or 4 levels up the chain, you will be missing a lot of things that are also wrong.

Jeff
TechSoEasy

OK, the router is definitely configured OK - I know this for a fact

IP config..

hostname - csiserv
primary dns suffix - csi.local
node type - hybrid
ip routing enabled - no
wins proxy enabled - no
dns suffix search - csi.local

LAN Connection

DHCP enabled - no
ip address - 10.0.0.9
subnet - 255.255.255.0
default gateway - 10.0.0.252 (that's the router!)
dns servers - 10.0.0.9
wins server - 10.0.0.9

Everything looks good IMHO, what do you think, Jeff?

ubiquitas -- how do you know that for a fact?  I'm assuming when you mean you can telnet from the LAN is that you've tried it from other PCs on the LAN, right?  I would triple check that the correct port is being forwarded to that server.  Also, when you try telnetting in from the outside, are you telnetting to your MX record IP address or domain?

Unfortunately this is not a complete IPCONFIG /ALL and therefore I am unable to assess whether there is a problem or not.  While there is nothing in an IPCONFIG that would compromise security, you may want to slightly edit it for privacy purposes.  If you choose to do that, please only replace the last two octets of a Public IP Address with ***.*** and the first part of the domain name can be replaced with *******.  Then to copy the text right click on the upper left corner of the CMD window for edit options.

I would still ask that you provide the make/model of the router along with its Firmware Version if you want a true 3rd party opinion of your situation.

Jeff
TechSoEasy
solution found - we have 2 routers and the wrong router had been entered in the CEICW - thanks all :)
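
The LAN-versus-internet telnet check used throughout this thread, as an added Python example (not part of the original posts): it separates a refused connection from a dropped one, reads the SMTP greeting, and maps the pair of results to a next step, including the default-gateway check that matches the resolution above. The function names, state strings and the local stand-in listener are assumptions made for illustration.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Classify one TCP connection attempt to an SMTP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return "open-silent", ""   # connected, but no greeting arrived
    except ConnectionRefusedError:
        return "refused", ""               # a host answered: nothing listening there
    except socket.timeout:
        return "timeout", ""               # SYN or its reply was dropped on the path
    except OSError as exc:
        return "error", str(exc)
    return ("smtp-ready" if banner.startswith("220") else "open-no-220"), banner

def diagnose(lan, wan):
    """Turn the (LAN, internet) pair of probe states into a next step."""
    if lan != "smtp-ready":
        return "fix the server first: SMTP does not answer even on the LAN"
    if wan == "smtp-ready":
        return "inbound SMTP works end to end"
    if wan == "refused":
        return "the public address rejects port 25: check which device holds the forward"
    return ("server is listening, the path is broken: check the port forward, any "
            "firewall, and that the server's default gateway is the forwarding router")

def fake_smtp(banner=b"220 csiserv.csi.local ESMTP (constructed)\r\n"):
    """Constructed one-shot listener standing in for the mail server; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    state, banner = probe_smtp("127.0.0.1", fake_smtp(), timeout=2)
    print("LAN-side probe:", state, banner)
    # "timeout" is a constructed stand-in for the result of the same probe run from outside.
    print("next step:", diagnose(state, "timeout"))
```

Run `probe_smtp` once from a PC on the LAN against the server's private address and once from a host outside against the public address or MX name, then pass both states to `diagnose`.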