How to Route Internet mail into the GroupWise server?

I am preparing to modify a 30-user GroupWise system to accept the MX Record at the server.  For several years Internet email has been hosted by an external service and the GW Client for each user would obtain external email via the host's POP server and merge this with the internal GroupWise mail.

Working with a single server: Netware 6 / GW 6.5 / BdrMgr 3.7 plus DNS/DHCP

It appears that no changes are needed for GWIA and elsewhere within GroupWise as GWIA has been running all along and Internet addressing has been turned on.  But I am unclear about the changes needed to get the required packets from the Internet to the GW server once the MX Record has been redirected.  My understanding includes . . . with associated questions . . .

1. I will create a static NAT mapping in the DSL router to link (IP address of the A record to which the MX record is assigned) to (IP address bound to the Public NIC on the server) .  The system is currently running with a dynamic map of (another assigned IP) to as part of a range.

     Q: Is my thinking correct that I need the static mapping
         to direct the incoming packets to the server?

2. The routing table already includes a route from destination to next hop of

     Q: Is this route sufficient or do I need to add
          more to the table?

3. I will add a filter exception to BorderManager for inbound SMTP (port 25).  There are already filter exceptions for outbound SMTP and in & outbound DNS over UDP (port 53).

     Q: Are inbound & outbound for ports 25 and 53 all that are needed?

4. The DNS configuration on this server is already configured with an MX record.

     Q: Is it reasonable to assume no further changes are
         necessary to the DNS configuration?

5.  Q: Any good testing procedures prior to changing the address of the A record to which the MX record is assigned? (Note that this changeover is reasonably easy to do for this domain as the organization is using the CustomDNS service by DynDNS).

I am trying to find the holes in my thinking before I start making changes.  Please let me know if I need to supply additional information for any of these or related issues.

High points assigned due to urgency - need to make changes this week.
dotENG Commented:
1. NAT is Network to Address Translation - a Whole Network is mapped to one outgoing Address, what you need is PAT, Port to Address Translation, sometimes called Virtual Server, you will find an option in your router that has the following: Private IP, Private Port, Protocol, Public Port (maybe also Public IP), this is different from NAT since NAT requires an outgoing packet to destination to allow an incoming one.
You could also map an External IP Address to an Internal one, but make sure it's not NAT, you need external packets to reach your server.

2. If this route is configured at the NW server, then this route is obvious, to get to Network - go through Interface.
You need a route that explains how to get to the outside world, something like: Next Hop (Internal IP Address of DSL Router).
This will also check for DNS Resolving.

3. (25 TCP) Is the only incoming port you need for SMTP data transfer.

4,5. you can check your DNS configuration using,

As for 5, try telnetting to port 25 on the GWIA server and walking through an SMTP conversation with it.
ttheimer (Author) Commented:

Thanks for the response.  Your comment about PAT made perfect sense after some reading and investigation in my router.  I'll be making the changes and begin testing this evening . . . I'll find out if my new understanding agrees with reality.

BTW - Your description of NAT is true for dynamic NAT but it appears that static NAT mapping would work for this situation.  That said, however, I have to agree that PAT is truly the elegant solution designed for just this type of server scenario.

I'll return with results.

I don't know that I'd be using the router that way - it bypasses the security of BorderManager.

If it were me, I'd not do NAT on the public router, and would assign the public addresses (except for the router's LAN-side address) to BorderManager's public NIC - the primary for the domain, and secondaries for stuff like MX and FTP, and use "static and dynamic" NAT on BorderManager to filter the connections to the servers (like GWIA, GWWA, FTPD, etc.) OR, use the SMTP proxy on BorderManager if you're not going to use GWIA for public POP/IMAP.  If you use the BorderManager SMTP proxy, you set it up to answer to the MX lookups, IIRC, and configure GWIA to use the BM proxy as its proxy address.

There are a ton (well, several) ways to configure GWIA on BM.  Depending on how you do it, there are TIDs for the right way to define your filter exceptions.  Search for "GWIA NAT filter exceptions" on the Novell knowledgebase and pick the one that matches the configuration you settle on.

Were you also planning to do GWWA?  (just curious.)

As far as having the MX record on your DNS server, that won't help squat unless your DNS server is authoritative for your zone, and is publicly addressable by your ISP's DNS servers (assuming you've gotten an agreement from your ISP to allow you to be authoritative for your zone...)  So, if it's sitting behind BM (even if you've got filter exceptions for port 53) it may not work, 'cause you have to have an NS record in public DNS pointing to something that can be accessed from the Internet, that would resolve to your DNS server.  I don't know if DNS proxy on BM works with public DNS behind BM - I think it's just a reverse-proxy - so you'd have to NAT that somehow, if that's possible.

Just setting it to be authoritative in DNS/DHCP console isn't adequate if your ISP, or whomever you've contracted with that has an official name server in the public DNS that you'd set up your server to send updates to, doesn't recognize it as authoritative for your zone.

ttheimer (Author) Commented:
A slight delay while we changed the IP address range assigned by the ISP but now back to the GWIA connection.

The Novell TID 'How to set up an internal GWIA server to use NAT.' seemed to fit my situation so I followed that as my model but I am not getting a response from my GWIA server.  I need to verify that I have the routing set up properly before I focus on GWIA.

For clarification, I am double NATting.  The router uses static maps for 12.99.98.XXX to 192.168.8.XXX and BdrMgr uses static maps for to  The static maps have been used for several years to allow access to internal PCs running pcAnywhere.  The DSL router also dynamically maps all other IPs to one of the addresses.

And, to restate, BdrMgr and GroupWise and other functions are all on the same server.

So I have mapped the external address to coming out of the DSL router then, following the other static mapping in BdrMgr, I have added a secondary address of and mapped to which is the internal IP of the server.  Will this work to get the packets to GWIA?

And for my understanding, does GWIA then listen on port 25 of and the DNS server behind the firewall has no role in this process?

Getting closer? . . .
ttheimer (Author) Commented:
More information.

I hadn't yet verified that all of the proper ports were open yet so I unloaded ipflt for the test.

Using to test the mail server, the responses were . . .
With ipflt loaded: Timed out waiting for a connection
With ipflt unloaded: Connection refused

I know that I need to now open some filters but I included this information here in case it helps with the routing question.
ttheimer (Author) Commented:
Ugh, forgot to turn on the SMTP option in GWIA.  Mail service is now answering on port 25!
Question has a verified solution.
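
The port-25 test suggested in the thread, as an added example that is not part of any participant's post: it separates the two results reported above ("Timed out waiting for a connection" with the filter loaded, "Connection refused" with it unloaded) from a working SMTP greeting. The function names and the `probe.example.test` EHLO name are assumptions made for this sketch.

```python
import socket
import sys

def read_reply(reader):
    """Read one SMTP reply: 'NNN-' marks a continuation line, 'NNN ' the last."""
    lines = []
    while True:
        line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines

def classify_smtp_probe(host, port=25, timeout=5.0):
    """Probe one SMTP listener and return (state, detail).

    filtered    - no answer before the timeout (packets dropped on the path)
    refused     - host reachable, but nothing is listening on the port
    unreachable - any other connect error (routing, name resolution)
    no-banner   - TCP connected, but no 220 greeting arrived
    smtp-ok     - greeting received; detail holds the banner and EHLO reply
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", "timed out waiting for a connection"
    except ConnectionRefusedError:
        return "refused", "connection refused"
    except OSError as exc:
        return "unreachable", str(exc)
    with sock:
        reader = sock.makefile("rb")
        try:
            banner = read_reply(reader)
            if not banner[0].startswith("220"):
                return "no-banner", banner
            # probe.example.test is a placeholder EHLO name (assumption)
            sock.sendall(b"EHLO probe.example.test\r\n")
            ehlo = read_reply(reader)
            sock.sendall(b"QUIT\r\n")
        except OSError as exc:
            return "no-banner", str(exc)
    return "smtp-ok", {"banner": banner, "ehlo": ehlo}

if __name__ == "__main__":
    # Usage: python smtp_probe.py <public MX address> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(classify_smtp_probe(sys.argv[1], target_port))
```

Run it from a host outside the firewall so the probe crosses the same NAT mappings and filter exceptions that inbound mail will.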