Solved

How to Route Internet mail into the GroupWise server?

Posted on 2006-06-26
7
942 Views
Last Modified: 2012-05-05
I am preparing to modify a 30-user GroupWise system to accept the MX Record at the server.  For several years Internet email has been hosted by an external service and the GW Client for each user would obtain external email via the host's POP server and merge this with the internal GroupWise mail.

Working with a single server: Netware 6 / GW 6.5 / BdrMgr 3.7 plus DNS/DHCP

It appears that no changes are needed for GWIA and elsewhere within GroupWise as GWIA has been running all along and Internet addressing has been turned on.  But I am unclear about the changes needed to get the required packets from the Internet to the GW server once the MX Record has been redirected.  My understanding includes . . . with associated questions . . .

1. I will create a static NAT mapping in the DSL router to link 12.99.108.60 (IP address of the A record to which the MX record is assigned) to 192.168.8.90 (IP address bound to the Public NIC on the server) .  The system is currently running with a dynamic map of 12.99.108.57 (another assigned IP) to 192.168.8.90 as part of a range.

     Q: Is my thinking correct that I need the static mapping
         to direct the incoming packets to the server?

2. The routing table already includes a route from destination 192.168.8.0 to next hop of 192.168.8.90.

     Q: Is this route sufficient or do I need to add
          more to the table?

3. I will add a filter exception to BorderManager for inbound SMTP (port 25).  There are already filter exceptions for outbound SMTP and in & outbound DNS over UDP (port 53).

     Q: Are inbound & outbound for ports 25 and 53 all that are needed?

4. The DNS configuration on this server is already configured with an MX record.

     Q: Is it reasonable to assume no further changes are
         necessary to the DNS configuration?

5.  Q: Any good testing procedures prior to changing the address of the A record to which the MX record is assigned? (Note that this changeover is reasonably easy to do for this domain as the organization is using the CustomDNS service by DynDNS).

I am trying to find the holes in my thinking before I start making changes.  Please let me know if I need to supply additional information for any of these or related issues.

High points assigned due to urgency - need to make changes this week.
0
Comment
Question by:ttheimer
7 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 16988998
As for 5, try telnetting to port 25 on the GWIA server and walking through an SMTP conversation with it.
0
 
LVL 6

Accepted Solution

by:
dotENG earned 500 total points
ID: 16989128
1. NAT is Network to Address Translation - a Whole Network is mapped to one outgoing Address, what you need is PAT, Port to Address Translation, sometimes called Virtual Server, you will find an option in your router that has the following: Private IP, Private Port, Protocol, Public Port (maybe also Public IP), this is different from NAT since NAT requires an outgoing packet to destination to allow an incoming one.
You could also map an External IP Address to an Internal one, but make sure it's not NAT, you need external packets to reach your server.

2. If this route is configured at the NW server, then this route is obvious, to get to 192.168.8.0 Network - go through 192.168.8.90 Interface.
You need a route that explains how to get to the outside world, something like: 0.0.0.0 Next Hop 192.168.8.1 (Internal IP Address of DSL Router).
Check using: LOAD PING GOOGLE.COM
This will also check for DNS Resolving.

3. (25 TCP) Is the only incoming port you need for SMTP data transfer.

4,5. You can check your DNS configuration using www.checkdns.net,
http://www.checkdns.net/quickcheck.aspx?domain=wdc.com&detailed=1


0
 

Author Comment

by:ttheimer
ID: 16994550
dotENG,

Thanks for the response.  Your comment about PAT made perfect sense after some reading and investigation in my router.  I'll be making the changes and begin testing this evening . . . I'll find out if my new understanding agrees with reality.

BTW - Your description of NAT is true for dynamic NAT but it appears that static NAT mapping would work for this situation.  That said, however, I have to agree that PAT is truly the elegant solution designed for just this type of server scenario.

I'll return with results.

Tom
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16995872
I don't know that I'd be using the router that way - it bypasses the security of BorderManager.

If it were me, I'd not do NAT on the public router, and would assign the public addresses (except for the router's LAN-side address) to BorderManager's public NIC - the primary for the domain, and secondaries for stuff like MX and FTP, and use "static and dynamic" NAT on BorderManager to filter the connections to the servers (like GWIA, GWWA, FTPD, etc.) OR, use the SMTP proxy on BorderManager if you're not going to use GWIA for public POP/IMAP.  If you use the BorderManager SMTP proxy, you set it up to answer to the MX lookups, IIRC, and configure GWIA to use the BM proxy as its proxy address.

There are a ton (well, several) ways to configure GWIA on BM.  Depending on how you do it, there are TIDs for the right way to define your filter exceptions.  Search for "GWIA NAT filter exceptions" on the Novell knowledgebase and pick the one that matches the configuration you settle on.

Were you also planning to do GWWA?  (just curious.)

As far as having the MX record on your DNS server, that won't help squat unless your DNS server is authoritative for your zone, and is publicly addressable by your ISP's DNS servers (assuming you've gotten an agreement from your ISP to allow you to be authoritative for your zone...)  So, if it's sitting behind BM (even if you've got filter exceptions for port 53) it may not work, 'cause you have to have an NS record in public DNS pointing to something that can be accessed from the Internet, that would resolve to your DNS server.  I don't know if DNS proxy on BM works with public DNS behind BM - I think it's just a reverse-proxy - so you'd have to NAT that somehow, if that's possible.

Just setting it to be authoritative in DNS/DHCP console isn't adequate if your ISP, or whomever you've contracted with that has an official name server in the public DNS that you'd set up your server to send updates to, doesn't recognize it as authoritative for your zone.

0
 

Author Comment

by:ttheimer
ID: 17013217
A slight delay while we changed the IP address range assigned by the ISP but now back to the GWIA connection.

The Novell TID 'How to set up an internal GWIA server to use NAT.' seemed to fit my situation so I followed that as my model but I am not getting a response from my GWIA server.  I need to verify that I have the routing set up properly before I focus on GWIA.

For clarification, I am double NATting.  The router uses static maps for 12.99.98.XXX to 192.168.8.XXX and BdrMgr uses static maps for 192.16.8.xxx to 192.168.10.xxx.  The static maps have been used for several years to allow access to internal PCs running pcAnywhere.  The DSL router also dynamically maps all other IPs to one of the 12.99.98.xxx addresses.

And, to restate, BdrMgr and GroupWise and other functions are all on the same server.

So I have mapped the external address 12.99.98.162 to 192.168.8.92 coming out of the DSL router then, following the other static mapping in BdrMgr, I have added a secondary address of 192.168.8.92 and mapped 192.168.8.92 to 192.168.10.91 which is the internal IP of the server.  Will this work to get the packets to GWIA?

And for my understanding, does GWIA then listen on port 25 of 192.168.10.91 and the DNS server behind the firewall has no role in this process?

Getting closer? . . .
0
 

Author Comment

by:ttheimer
ID: 17013417
More information.

I hadn't yet verified that all of the proper ports were open yet so I unloaded ipflt for the test.

Using checkdns.net to test the mail server, the responses were . . .
With ipflt loaded: Timed out waiting for a connection
With ipflt unloaded: Connection refused

I know that I need to now open some filters but I included this information here in case it helps with the routing question.
0
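PsiCop's suggestion of walking through an SMTP conversation on port 25, and the "timed out" versus "connection refused" results reported just above, can be turned into a repeatable check. The script below is an added example, not code from this thread or from Novell; the mail listener it starts on 127.0.0.1 is a constructed stand-in so the check runs offline, and `probe.example` / `gwia.example` are made-up names.

```python
import socket
import threading

def probe_smtp(host, port, timeout=5.0):
    """Walk greeting -> EHLO -> QUIT. 'status' maps onto this thread's symptoms:
    timed_out = packets dropped (filter/NAT not passing TCP 25); refused = host
    reached but nothing listens on 25 (SMTP not enabled); answering = 220 banner."""
    result = {"status": None, "banner": None, "ehlo": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(1024).decode("ascii", "replace").strip()
            result["banner"] = banner
            if not banner.startswith("220"):
                result["status"] = "unexpected_banner"
                return result
            s.sendall(b"EHLO probe.example\r\n")  # constructed client name
            result["ehlo"] = s.recv(1024).decode("ascii", "replace").strip()
            s.sendall(b"QUIT\r\n")
            s.recv(1024)  # read the 221 so the server side closes cleanly
            result["status"] = "answering"
    except socket.timeout:
        result["status"] = "timed_out"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except OSError as exc:
        result["status"] = "error: %s" % exc
    return result

def start_fake_gwia(banner=b"220 gwia.example ready\r\n"):
    """Constructed stand-in for a mail listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            while True:
                line = conn.recv(1024).upper()
                if not line or line.startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n"); break
                conn.sendall(b"250 gwia.example hello\r\n" if line.startswith(b"EHLO") else b"500 unrecognized\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Reserve then release an ephemeral port so nothing listens on it (the 'refused' case)."""
    s = socket.socket(); s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]; s.close(); return port
```

Against the real system, call `probe_smtp` with the MX host's public address and port 25 from outside the DSL router, then from a host on 192.168.8.x, and compare the two statuses to see whether the drop is at the router, at the BorderManager filters, or at GWIA itself.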
 

Author Comment

by:ttheimer
ID: 17014696
Ugh, forgot to turn on the SMTP option in GWIA.  Mail service is now answering on port 25!
0
