Solved

How to Route Internet mail into the GroupWise server?

Posted on 2006-06-26
Last Modified: 2012-05-05
I am preparing to modify a 30-user GroupWise system to accept the MX Record at the server.  For several years Internet email has been hosted by an external service and the GW Client for each user would obtain external email via the host's POP server and merge this with the internal GroupWise mail.

Working with a single server: Netware 6 / GW 6.5 / BdrMgr 3.7 plus DNS/DHCP

It appears that no changes are needed for GWIA and elsewhere within GroupWise as GWIA has been running all along and Internet addressing has been turned on.  But I am unclear about the changes needed to get the required packets from the Internet to the GW server once the MX Record has been redirected.  My understanding includes . . . with associated questions . . .

1. I will create a static NAT mapping in the DSL router to link 12.99.108.60 (IP address of the A record to which the MX record is assigned) to 192.168.8.90 (IP address bound to the Public NIC on the server) .  The system is currently running with a dynamic map of 12.99.108.57 (another assigned IP) to 192.168.8.90 as part of a range.

     Q: Is my thinking correct that I need the static mapping
         to direct the incoming packets to the server?

2. The routing table already includes a route from destination 192.168.8.0 to next hop of 192.168.8.90.

     Q: Is this route sufficient or do I need to add
          more to the table?

3. I will add a filter exception to BorderManager for inbound SMTP (port 25).  There are already filter exceptions for outbound SMTP and in & outbound DNS over UDP (port 53).

     Q: Are inbound & outbound for ports 25 and 53 all that are needed?

4. The DNS configuration on this server is already configured with an MX record.

     Q: Is it reasonable to assume no further changes are
         necessary to the DNS configuration?

5.  Q: Any good testing procedures prior to changing the address of the A record to which the MX record is assigned? (Note that this changeover is reasonably easy to do for this domain as the organization is using the CustomDNS service by DynDNS).

I am trying to find the holes in my thinking before I start making changes.  Please let me know if I need to supply additional information for any of these or related issues.

High points assigned due to urgency - need to make changes this week.
Question by:ttheimer
7 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 16988998
As for 5, try telnetting to port 25 on the GWIA server and walking through an SMTP conversation with it.
0
 
LVL 6

Accepted Solution

by:
dotENG earned 2000 total points
ID: 16989128
1. NAT is Network to Address Translation - a Whole Network is mapped to one outgoing Address. What you need is PAT, Port to Address Translation, sometimes called Virtual Server. You will find an option in your router that has the following: Private IP, Private Port, Protocol, Public Port (maybe also Public IP). This is different from NAT since NAT requires an outgoing packet to destination to allow an incoming one.
You could also map an External IP Address to an Internal one, but make sure it's not NAT; you need external packets to reach your server.

2. If this route is configured at the NW server, then this route is obvious, to get to 192.168.8.0 Network - go through 192.168.8.90 Interface.
You need a route that explains how to get to the outside world, something like: 0.0.0.0 Next Hop 192.168.8.1 (Internal IP Address of DSL Router).
Check using: LOAD PING GOOGLE.COM
This will also check for DNS Resolving.

3. (25 TCP) is the only incoming port you need for SMTP data transfer.

4, 5. You can check your DNS configuration using www.checkdns.net,
http://www.checkdns.net/quickcheck.aspx?domain=wdc.com&detailed=1


0
 

Author Comment

by:ttheimer
ID: 16994550
dotENG,

Thanks for the response.  Your comment about PAT made perfect sense after some reading and investigation in my router.  I'll be making the changes and begin testing this evening . . . I'll find out if my new understanding agrees with reality.

BTW - Your description of NAT is true for dynamic NAT but it appears that static NAT mapping would work for this situation.  That said, however, I have to agree that PAT is truly the elegant solution designed for just this type of server scenario.

I'll return with results.

Tom
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16995872
I don't know that I'd be using the router that way - it bypasses the security of BorderManager.

If it were me, I'd not do NAT on the public router, and would assign the public addresses (except for the router's LAN-side address) to BorderManager's public NIC - the primary for the domain, and secondaries for stuff like MX and FTP, and use "static and dynamic" NAT on BorderManager to filter the connections to the servers (like GWIA, GWWA, FTPD, etc.) OR, use the SMTP proxy on BorderManager if you're not going to use GWIA for public POP/IMAP.  If you use the BorderManager SMTP proxy, you set it up to answer to the MX lookups, IIRC, and configure GWIA to use the BM proxy as its proxy address.

There are a ton (well, several) ways to configure GWIA on BM.  Depending on how you do it, there are TIDs for the right way to define your filter exceptions.  Search for "GWIA NAT filter exceptions" on the Novell knowledgebase and pick the one that matches the configuration you settle on.

Were you also planning to do GWWA?  (just curious.)

As far as having the MX record on your DNS server, that won't help squat unless your DNS server is authoritative for your zone, and is publicly addressable by your ISP's DNS servers (assuming you've gotten an agreement from your ISP to allow you to be authoritative for your zone...)  So, if it's sitting behind BM (even if you've got filter exceptions for port 53) it may not work, 'cause you have to have an NS record in public DNS pointing to something that can be accessed from the Internet, that would resolve to your DNS server.  I don't know if DNS proxy on BM works with public DNS behind BM - I think it's just a reverse-proxy - so you'd have to NAT that somehow, if that's possible.

Just setting it to be authoritative in DNS/DHCP console isn't adequate if your ISP, or whomever you've contracted with that has an official name server in the public DNS that you'd set up your server to send updates to, doesn't recognize it as authoritative for your zone.

0
 

Author Comment

by:ttheimer
ID: 17013217
A slight delay while we changed the IP address range assigned by the ISP but now back to the GWIA connection.

The Novell TID 'How to set up an internal GWIA server to use NAT.' seemed to fit my situation so I followed that as my model but I am not getting a response from my GWIA server.  I need to verify that I have the routing set up properly before I focus on GWIA.

For clarification, I am double NATting.  The router uses static maps for 12.99.98.XXX to 192.168.8.XXX and BdrMgr uses static maps for 192.16.8.xxx to 192.168.10.xxx.  The static maps have been used for several years to allow access to internal PCs running pcAnywhere.  The DSL router also dynamically maps all other IPs to one of the 12.99.98.xxx addresses.

And, to restate, BdrMgr and GroupWise and other functions are all on the same server.

So I have mapped the external address 12.99.98.162 to 192.168.8.92 coming out of the DSL router then, following the other static mapping in BdrMgr, I have added a secondary address of 192.168.8.92 and mapped 192.168.8.92 to 192.168.10.91 which is the internal IP of the server.  Will this work to get the packets to GWIA?

And for my understanding, does GWIA then listen on port 25 of 192.168.10.91 and the DNS server behind the firewall has no role in this process?

Getting closer? . . .
0
 

Author Comment

by:ttheimer
ID: 17013417
More information.

I hadn't yet verified that all of the proper ports were open so I unloaded ipflt for the test.

Using checkdns.net to test the mail server, the responses were . . .
With ipflt loaded: Timed out waiting for a connection
With ipflt unloaded: Connection refused

I know that I need to now open some filters but I included this information here in case it helps with the routing question.
0
 

Author Comment

by:ttheimer
ID: 17014696
Ugh, forgot to turn on the SMTP option in GWIA.  Mail service is now answering on port 25!
0
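
The two checkdns.net results reported above ("Timed out" with ipflt loaded, "Connection refused" with it unloaded) and PsiCop's suggestion to walk through an SMTP conversation on port 25 can be reproduced with one probe that separates a filtered path, a reachable host with no listener, and a live SMTP service. This is an added example, not part of the original thread; the function names and the HELO name `probe.example.test` are assumptions.

```python
import socket
import sys

def read_reply(stream):
    """Read one SMTP reply; continuation lines are 'NNN-', the last is 'NNN '."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line[3:4] != "-":
            return int(line[:3]), lines

def probe_smtp(host, port=25, timeout=5.0, helo="probe.example.test"):
    """Return (state, detail, ehlo_lines) for the path to an SMTP listener."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # No answer at all: a filter dropped the SYN or no NAT/port map exists.
        return "filtered", "timed out waiting for a connection", []
    except ConnectionRefusedError:
        # A reset came back: packets reach the host, nothing listens on the port.
        return "closed", "connection refused", []
    except OSError as exc:
        return "unreachable", str(exc), []
    with sock, sock.makefile("rb") as stream:
        try:
            code, banner = read_reply(stream)
            if code != 220:
                return "open-not-ready", banner[-1], []
            sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            code, ehlo = read_reply(stream)
            sock.sendall(b"QUIT\r\n")
        except (ValueError, OSError) as exc:
            return "open-not-smtp", str(exc), []
    state = "smtp" if code == 250 else "smtp-ehlo-rejected"
    return state, banner[-1], ehlo

if __name__ == "__main__":
    # Constructed default target: loopback. Pass the mail host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_smtp(target))
```

Run from outside the firewall, "filtered" points at the router map or the BorderManager filter exceptions, while "closed" means the path works and the SMTP service itself is not listening.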
