Solved

How to Route Internet mail into the GroupWise server?

Posted on 2006-06-26
932 Views
Last Modified: 2012-05-05
I am preparing to modify a 30-user GroupWise system to accept the MX Record at the server.  For several years Internet email has been hosted by an external service and the GW Client for each user would obtain external email via the host's POP server and merge this with the internal GroupWise mail.

Working with a single server: Netware 6 / GW 6.5 / BdrMgr 3.7 plus DNS/DHCP

It appears that no changes are needed for GWIA and elsewhere within GroupWise as GWIA has been running all along and Internet addressing has been turned on.  But I am unclear about the changes needed to get the required packets from the Internet to the GW server once the MX Record has been redirected.  My understanding includes . . . with associated questions . . .

1. I will create a static NAT mapping in the DSL router to link 12.99.108.60 (IP address of the A record to which the MX record is assigned) to 192.168.8.90 (IP address bound to the Public NIC on the server) .  The system is currently running with a dynamic map of 12.99.108.57 (another assigned IP) to 192.168.8.90 as part of a range.

     Q: Is my thinking correct that I need the static mapping
         to direct the incoming packets to the server?

2. The routing table already includes a route from destination 192.168.8.0 to next hop of 192.168.8.90.

     Q: Is this route sufficient or do I need to add
          more to the table?

3. I will add a filter exception to BorderManager for inbound SMTP (port 25).  There are already filter exceptions for outbound SMTP and inbound & outbound DNS over UDP (port 53).

     Q: Are inbound & outbound for ports 25 and 53 all that are needed?

4. The DNS configuration on this server is already configured with an MX record.

     Q: Is it reasonable to assume no further changes are
         necessary to the DNS configuration?

5.  Q: Any good testing procedures prior to changing the address of the A record to which the MX record is assigned? (Note that this changeover is reasonably easy to do for this domain as the organization is using the CustomDNS service by DynDNS).

I am trying to find the holes in my thinking before I start making changes.  Please let me know if I need to supply additional information for any of these or related issues.

High points assigned due to urgency - need to make changes this week.
Question by:ttheimer
7 Comments
 
LVL 34

Expert Comment

by:PsiCop
As for 5, try telnetting to port 25 on the GWIA server and walking through an SMTP conversation with it.
LVL 6

Accepted Solution

by: dotENG (earned 500 total points)
1. NAT is Network to Address Translation - a whole network is mapped to one outgoing address. What you need is PAT, Port to Address Translation, sometimes called Virtual Server; you will find an option in your router that has the following: Private IP, Private Port, Protocol, Public Port (maybe also Public IP). This is different from NAT since NAT requires an outgoing packet to a destination to allow an incoming one.
You could also map an External IP Address to an Internal one, but make sure it's not NAT, you need external packets to reach your server.

2. If this route is configured at the NW server, then this route is obvious, to get to 192.168.8.0 Network - go through 192.168.8.90 Interface.
You need a route that explains how to get to the outside world, something like: 0.0.0.0 Next Hop 192.168.8.1 (Internal IP Address of DSL Router).
Check using: LOAD PING GOOGLE.COM
This will also check for DNS Resolving.

3. (25 TCP) is the only incoming port you need for SMTP data transfer.

4,5. you can check your DNS configuration using www.checkdns.net,
http://www.checkdns.net/quickcheck.aspx?domain=wdc.com&detailed=1


Author Comment

by:ttheimer
dotENG,

Thanks for the response.  Your comment about PAT made perfect sense after some reading and investigation in my router.  I'll be making the changes and begin testing this evening . . . I'll find out if my new understanding agrees with reality.

BTW - Your description of NAT is true for dynamic NAT but it appears that static NAT mapping would work for this situation.  That said, however, I have to agree that PAT is truly the elegant solution designed for just this type of server scenario.

I'll return with results.

Tom
LVL 35

Expert Comment

by:ShineOn
I don't know that I'd be using the router that way - it bypasses the security of BorderManager.

If it were me, I'd not do NAT on the public router, and would assign the public addresses (except for the router's LAN-side address) to BorderManager's public NIC - the primary for the domain, and secondaries for stuff like MX and FTP, and use "static and dynamic" NAT on BorderManager to filter the connections to the servers (like GWIA, GWWA, FTPD, etc.) OR, use the SMTP proxy on BorderManager if you're not going to use GWIA for public POP/IMAP.  If you use the BorderManager SMTP proxy, you set it up to answer to the MX lookups, IIRC, and configure GWIA to use the BM proxy as its proxy address.

There are a ton (well, several) ways to configure GWIA on BM.  Depending on how you do it, there are TIDs for the right way to define your filter exceptions.  Search for "GWIA NAT filter exceptions" on the Novell knowledgebase and pick the one that matches the configuration you settle on.

Were you also planning to do GWWA?  (just curious.)

As far as having the MX record on your DNS server, that won't help squat unless your DNS server is authoritative for your zone, and is publicly addressable by your ISP's DNS servers (assuming you've gotten an agreement from your ISP to allow you to be authoritative for your zone...)  So, if it's sitting behind BM (even if you've got filter exceptions for port 53) it may not work, 'cause you have to have an NS record in public DNS pointing to something that can be accessed from the Internet, that would resolve to your DNS server.  I don't know if DNS proxy on BM works with public DNS behind BM - I think it's just a reverse-proxy - so you'd have to NAT that somehow, if that's possible.

Just setting it to be authoritative in DNS/DHCP console isn't adequate if your ISP, or whomever you've contracted with that has an official name server in the public DNS that you'd set up your server to send updates to, doesn't recognize it as authoritative for your zone.


Author Comment

by:ttheimer
A slight delay while we changed the IP address range assigned by the ISP but now back to the GWIA connection.

The Novell TID 'How to set up an internal GWIA server to use NAT.' seemed to fit my situation so I followed that as my model but I am not getting a response from my GWIA server.  I need to verify that I have the routing set up properly before I focus on GWIA.

For clarification, I am double NATting.  The router uses static maps for 12.99.98.XXX to 192.168.8.XXX and BdrMgr uses static maps for 192.16.8.xxx to 192.168.10.xxx.  The static maps have been used for several years to allow access to internal PCs running pcAnywhere.  The DSL router also dynamically maps all other IPs to one of the 12.99.98.xxx addresses.

And, to restate, BdrMgr and GroupWise and other functions are all on the same server.

So I have mapped the external address 12.99.98.162 to 192.168.8.92 coming out of the DSL router then, following the other static mapping in BdrMgr, I have added a secondary address of 192.168.8.92 and mapped 192.168.8.92 to 192.168.10.91 which is the internal IP of the server.  Will this work to get the packets to GWIA?

And for my understanding, does GWIA then listen on port 25 of 192.168.10.91 and the DNS server behind the firewall has no role in this process?

Getting closer? . . .

Author Comment

by:ttheimer
More information.

I hadn't yet verified that all of the proper ports were open, so I unloaded ipflt for the test.

Using checkdns.net to test the mail server, the responses were . . .
With ipflt loaded: Timed out waiting for a connection
With ipflt unloaded: Connection refused

I know that I need to now open some filters but I included this information here in case it helps with the routing question.
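PsiCop's suggestion for step 5 (talk SMTP to port 25 and see whether the server answers) and the two outcomes reported just above ("timed out" with ipflt loaded, "connection refused" with it unloaded) can be turned into a small reachability probe. This is an added example, not code from the thread; the host name gwia.example and the fake loopback listener are constructed for the test only. The probe classifies the result the way a firewall/NAT troubleshooter would read it: timeout means packets are dropped or not routed to the host, refused means packets arrive but nothing listens, open means the SMTP banner and EHLO reply came back.

```python
import smtplib
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Return (state, detail): state is 'open', 'refused', 'timeout' or 'error'."""
    try:
        # smtplib reads the 220 banner on connect and raises if it is missing.
        with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
            code, msg = smtp.ehlo("probe.example")
            first = msg.decode(errors="replace").splitlines()[0]
            return ("open", f"EHLO -> {code} {first}")
    except ConnectionRefusedError:          # TCP RST came back: routing/NAT works, no listener
        return ("refused", "packets reach the host but nothing listens on the port")
    except (socket.timeout, TimeoutError):  # no SYN/ACK: filter drops or NAT/route is wrong
        return ("timeout", "no reply at all; check packet filter, NAT/PAT mapping and routes")
    except (OSError, smtplib.SMTPException) as exc:
        return ("error", str(exc))

def start_fake_smtp(banner=b"220 gwia.example ESMTP ready\r\n"):
    """Constructed stand-in for the GWIA listener on loopback; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(banner)
            for line in lines:
                cmd = line.split()[0].upper() if line.split() else b""
                if cmd == b"EHLO":
                    conn.sendall(b"250-gwia.example\r\n250 SIZE 10485760\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Not implemented\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_loopback_port():
    """Pick a loopback port that nothing listens on (to show the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", start_fake_smtp()))     # ('open', 'EHLO -> 250 gwia.example')
    print(probe_smtp("127.0.0.1", closed_loopback_port())) # ('refused', ...)
```

Run it against the public MX address from outside the network to test the whole NAT/PAT and filter chain, and against the private address from inside to test only the GWIA listener.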

Author Comment

by:ttheimer
Ugh, forgot to turn on the SMTP option in GWIA.  Mail service is now answering on port 25!