How to Route Internet mail into the GroupWise server?

Posted on 2006-06-26
Medium Priority
Last Modified: 2012-05-05
I am preparing to modify a 30-user GroupWise system to accept the MX Record at the server.  For several years Internet email has been hosted by an external service and the GW Client for each user would obtain external email via the host's POP server and merge this with the internal GroupWise mail.

Working with a single server: Netware 6 / GW 6.5 / BdrMgr 3.7 plus DNS/DHCP

It appears that no changes are needed for GWIA and elsewhere within GroupWise as GWIA has been running all along and Internet addressing has been turned on.  But I am unclear about the changes needed to get the required packets from the Internet to the GW server once the MX Record has been redirected.  My understanding includes . . . with associated questions . . .

1. I will create a static NAT mapping in the DSL router to link (IP address of the A record to which the MX record is assigned) to (IP address bound to the Public NIC on the server) .  The system is currently running with a dynamic map of (another assigned IP) to as part of a range.

     Q: Is my thinking correct that I need the static mapping
         to direct the incoming packets to the server?

2. The routing table already includes a route from destination to next hop of

     Q: Is this route sufficient or do I need to add
          more to the table?

3. I will add a filter exception to BorderManager for inbound SMTP (port 25).  There are already filter exceptions for outbound SMTP and in & outbound DNS over UDP (port 53).

     Q: Are inbound & outbound for ports 25 and 53 all that are needed?

4. The DNS configuration on this server is already configured with an MX record.

     Q: Is it reasonable to assume no further changes are
         necessary to the DNS configuration?

5.  Q: Any good testing procedures prior to changing the address of the A record to which the MX record is assigned? (Note that this changeover is reasonably easy to do for this domain as the organization is using the CustomDNS service by DynDNS).

I am trying to find the holes in my thinking before I start making changes.  Please let me know if I need to supply additional information for any of these or related issues.

High points assigned due to urgency - need to make changes this week.
Question by:ttheimer
LVL 34

Expert Comment

ID: 16988998
As for 5, try telnetting to port 25 on the GWIA server and walking through an SMTP conversation with it.

Accepted Solution

dotENG earned 2000 total points
ID: 16989128
1. NAT is Network to Address Translation - a whole network is mapped to one outgoing address. What you need is PAT, Port to Address Translation, sometimes called Virtual Server. You will find an option in your router that has the following: Private IP, Private Port, Protocol, Public Port (maybe also Public IP). This is different from NAT, since NAT requires an outgoing packet to the destination to allow an incoming one.
You could also map an External IP Address to an Internal one, but make sure it's not NAT, you need external packets to reach your server.

2. If this route is configured at the NW server, then this route is obvious, to get to Network - go through Interface.
You need a route that explains how to get to the outside world, something like: Next Hop (Internal IP Address of DSL Router).
This will also check for DNS Resolving.

3. (25 TCP) is the only incoming port you need for SMTP data transfer.

4, 5. You can check your DNS configuration using www.checkdns.net.


Author Comment

ID: 16994550

Thanks for the response.  Your comment about PAT made perfect sense after some reading and investigation in my router.  I'll be making the changes and begin testing this evening . . . I'll find out if my new understanding agrees with reality.

BTW - Your description of NAT is true for dynamic NAT but it appears that static NAT mapping would work for this situation.  That said, however, I have to agree that PAT is truly the elegant solution designed for just this type of server scenario.

I'll return with results.

LVL 35

Expert Comment

ID: 16995872
I don't know that I'd be using the router that way - it bypasses the security of BorderManager.

If it were me, I'd not do NAT on the public router, and would assign the public addresses (except for the router's LAN-side address) to BorderManager's public NIC - the primary for the domain, and secondaries for stuff like MX and FTP, and use "static and dynamic" NAT on BorderManager to filter the connections to the servers (like GWIA, GWWA, FTPD, etc.) OR, use the SMTP proxy on BorderManager if you're not going to use GWIA for public POP/IMAP.  If you use the BorderManager SMTP proxy, you set it up to answer to the MX lookups, IIRC, and configure GWIA to use the BM proxy as its proxy address.

There are a ton (well, several) ways to configure GWIA on BM.  Depending on how you do it, there are TIDs for the right way to define your filter exceptions.  Search for "GWIA NAT filter exceptions" on the Novell knowledgebase and pick the one that matches the configuration you settle on.

Were you also planning to do GWWA?  (just curious.)

As far as having the MX record on your DNS server, that won't help squat unless your DNS server is authoritative for your zone, and is publicly addressable by your ISP's DNS servers (assuming you've gotten an agreement from your ISP to allow you to be authoritative for your zone...)  So, if it's sitting behind BM (even if you've got filter exceptions for port 53) it may not work, 'cause you have to have an NS record in public DNS pointing to something that can be accessed from the Internet, that would resolve to your DNS server.  I don't know if DNS proxy on BM works with public DNS behind BM - I think it's just a reverse-proxy - so you'd have to NAT that somehow, if that's possible.

Just setting it to be authoritative in DNS/DHCP console isn't adequate if your ISP, or whomever you've contracted with that has an official name server in the public DNS that you'd set up your server to send updates to, doesn't recognize it as authoritative for your zone.


Author Comment

ID: 17013217
A slight delay while we changed the IP address range assigned by the ISP but now back to the GWIA connection.

The Novell TID 'How to set up an internal GWIA server to use NAT.' seemed to fit my situation so I followed that as my model but I am not getting a response from my GWIA server.  I need to verify that I have the routing set up properly before I focus on GWIA.

For clarification, I am double NATting.  The router uses static maps for 12.99.98.XXX to 192.168.8.XXX and BdrMgr uses static maps for 192.16.8.xxx to 192.168.10.xxx.  The static maps have been used for several years to allow access to internal PCs running pcAnywhere.  The DSL router also dynamically maps all other IPs to one of the 12.99.98.xxx addresses.

And, to restate, BdrMgr and GroupWise and other functions are all on the same server.

So I have mapped the external address to coming out of the DSL router then, following the other static mapping in BdrMgr, I have added a secondary address of and mapped to which is the internal IP of the server.  Will this work to get the packets to GWIA?

And for my understanding, does GWIA then listen on port 25 of and the DNS server behind the firewall has no role in this process?

Getting closer? . . .

Author Comment

ID: 17013417
More information.

I hadn't yet verified that all of the proper ports were open yet so I unloaded ipflt for the test.

Using checkdns.net to test the mail server, the responses were . . .
With ipflt loaded: Timed out waiting for a connection
With ipflt unloaded: Connection refused

I know that I need to now open some filters but I included this information here in case it helps with the routing question.

Author Comment

ID: 17014696
Ugh, forgot to turn on the SMTP option in GWIA.  Mail service is now answering on port 25!
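
The port 25 check suggested for question 5, combined with the two results reported above (a timeout with ipflt loaded, a refusal with it unloaded), as an added example that is not part of the original thread. The names `probe_smtp` and `diagnose`, the default `helo_name` and the diagnosis wording are assumptions of this example.

```python
import socket

# Map a failed connection to the layer most likely at fault. The wording is
# this example's own, based on the two results reported in the thread.
def diagnose(exc):
    if isinstance(exc, socket.timeout):
        return "filtered: no reply (a packet filter, or a missing NAT map or route, is likely dropping it)"
    if isinstance(exc, ConnectionRefusedError):
        return "closed: host reached, but nothing is listening on the port"
    return "error: %s" % exc

def read_reply(fh):
    """Read one SMTP reply, following 'NNN-' continuation lines (RFC 5321)."""
    lines = []
    while True:
        line = fh.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def probe_smtp(host, port=25, helo_name="probe.example.invalid", timeout=10.0):
    """Connect, read the banner, send EHLO and QUIT. Returns (verdict, transcript)."""
    transcript = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            fh = sock.makefile("rwb")
            code, lines = read_reply(fh)
            transcript += lines
            if code != 220:
                return "unexpected banner code %d" % code, transcript
            for cmd in ("EHLO " + helo_name, "QUIT"):
                fh.write(cmd.encode("ascii") + b"\r\n")
                fh.flush()
                transcript.append("> " + cmd)
                code, lines = read_reply(fh)
                transcript += lines
            return "smtp: service answered with a 220 banner", transcript
    except (OSError, ValueError) as exc:
        return diagnose(exc), transcript

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, lines = probe_smtp(target)
    print(verdict, *lines, sep="\n")
```

Run it from a host outside the firewall against the public address so the NAT maps and filter exceptions are exercised, not just the listener.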
