pagefigaro asked:
Sonicwall and Exchange 5.5

We are installing a SonicWALL TZ190 Enhanced firewall to replace a Cisco PIX 615. The domain has a Exchange 5.5 server that currently hosts the mail but also uses a spam filtering email service. We can send mail out using the Outlook client but cannot receive mail. Port 25, 143, 135, and 110 have all been opened and forwarded traffic to Exchange server. The outgoing mail goes directly through the Exchange server but the incoming mail goes to the spam service first then to the server. The instructions from the spam service was to open a range of IP's and that has been done but we still seem to not be able to receive. Any suggestions?
Vishal Breed:

If you try sending email from GMAIL, Yahoo - what NDR is originated??

What if you try executing a telnet command from the internet:
telnet Exchange_server 25
ASKER CERTIFIED SOLUTION
budchawla
pagefigaro (ASKER):

Sending mail is working. It's the receiving that is not working.
pagefigaro,
I know that your problem is with inbound email and that is what my suggestions are trying to troubleshoot. Did you check what I asked?
Sorry my last comment was more for vishal_breed.

As for the NAT policy, I created one for the mail server (included 25, 110, and 143) pointing to the internal mail server, and then specified the network range that the spam service said to unblock.

Creating the NAT policy automatically creates a firewall rule that allows traffic from the specified range to the exchange server using the mail services.
Did you specify an outbound interface on the NAT policy? If so, remove it and leave the Outbound interface on the (inbound) NAT policy to Any.
The interfaces are actually set to inbound: "any", outbound: "any"
OK, can you paste your NAT policy & your firewall access rules here...

Have you ever tried to telnet on port 25 into your exchange server from outside to see what happens? Have you run a packet trace on the sonicwall from your outside source IP?

Can you give me the public IP that you're trying to connect to?
Source: Original: Firewalled Subnets, Translated: (specified network range)
Destination: Original: WAN Primary IP, Translated: Exchange Private (internal address)
Service: Original: Exchange Services (25, 110, 143)

Our Public IP is: 208.111.214.219
The public IP range of the email service is: 208.74.56.0/255.255.248.0

I have tried to telnet from the outside, but I'm not sure that I'm doing it correctly. I went to a command prompt and typed in "telnet 208.111.214.219 25" and it failed. However SonicWALL tech support says that they can telnet.

I have not run a packet trace because I'm not sure how. Suggestions?

Email filtering tech support can just tell me that connection is refused on their end.
OK your NAT policy looks to be a bit skew-whiff. Did you use the public server wizard to create this or do it manually?

Create a new address object for your spam service IPs. Make sure its zone is set to WAN and its type is set to Network. If you'd already done this then make sure it is correctly set up. Let's say you call this object SingleFin.

Create 2 more address objects for your Exchange server:

Type host, zone LAN, set it to your Exchange private IP and call it ExchangePrivateIP.
Type host, zone WAN, set it to your Exchange public IP (208.111.214.219 I guess) and call it ExchangePublicIP.

Now delete your NAT policy and create a new one that should look like this:

Source                      Destination                            Service                  Interface
Original    Translated      Original           Translated          Original    Translated   Inbound   Outbound
-----------------------------------------------------------------------------------------------------------
SingleFin   Original        ExchangePublicIP   ExchangePrivateIP   SMTP        Original     WAN       Any

Check the box to create a reflexive NAT policy.

Create an inbound firewall rule to accompany the above NAT policy - I assume you know how to do that?

And see if that does the job.
BTW, smtp connections to your IP are being refused, probably by the SonicWALL.
If you want to, while troubleshooting use ANY in the source of your NAT policy and firewall rule instead of Singlefin, that way we can try and connect to see if it's working...
can you telnet now?
yes!
Are you now getting email from your spam service?
but alas Spam Service says Connection still refused.

SonicWALL tech opened the ports for me from basically any sender on ports 25, 110, 143, and 80 to the Exchange server, which is fine. I want to just get it working and then I will filter it only from a range.

So here's the weird thing: the Spam Service delivers mail to mail.rntap.com, which resolves to 74.212.31.141. Which is not the public IP of my firewall. Then I guess 74.212.31.141 delivers to our server. I don't understand how that part works.

Right now, I'm trying to get the current configuration on the Cisco PIX firewall printed out so that I can see what is going on in there. It has to be something on the SonicWALL that is blocking since the Cisco PIX firewall sends mail right through without a problem, I just don't know where it would be blocking.
So what is the server at mail.rntap.com and why are you doing it that way? I'm assuming that's your ISPs mail server, but unless you're using a POP connector in Exchange then mail should be delivered directly to Exchange from your spam service.

That is why I asked you to check what IP they were sending email to.

I recommend that unless there is a reason to use your ISPs servers you should either tell your antispam providers to send mail directly to your exchange server or change mail.rntap.com to point to your Exchange public IP. Either way achieves the same thing.
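Added example (not code from anyone in this thread): a small Python script covering the two checks that keep coming up above: the "telnet host 25" probe, classified so that a connection refused (an active reset) is told apart from a silent drop, and a comparison of the address the spam relay actually delivers to against the firewall's WAN IP and the NAT source range. It uses the IPs quoted in the thread; the loopback listener and the two relay addresses are constructed.

```python
import ipaddress
import socket
import threading

def smtp_probe(host, port=25, timeout=5.0):
    """'telnet host 25', classified: 'banner' = listener reached, 'refused' =
    TCP reset (nothing listening or a firewall rejecting), 'timeout' = dropped."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return ("banner", s.recv(512).decode("ascii", "replace").strip())
    except ConnectionRefusedError as e:
        return ("refused", str(e))
    except socket.timeout:
        return ("timeout", f"no SYN-ACK or no banner within {timeout}s")
    except OSError as e:
        return ("error", str(e))

def check_delivery_path(delivery_ip, wan_ip, nat_source_net, relay_ips):
    """Compare the IP the relay really delivers to with the firewall WAN IP
    and check which relay addresses the NAT source object (prefix or
    dotted-mask form) admits. Returns a list of findings; empty is good."""
    findings = []
    if ipaddress.ip_address(delivery_ip) != ipaddress.ip_address(wan_ip):
        findings.append(f"delivery target {delivery_ip} is not WAN IP {wan_ip}: "
                        "needs its own NAT policy or a static ARP entry + route")
    net = ipaddress.ip_network(nat_source_net, strict=False)
    for ip in relay_ips:
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"relay {ip} is outside NAT source {net}: dropped")
    return findings

def fake_smtp_listener(banner=b"220 exchange.example ESMTP\r\n"):
    """Constructed stand-in for Exchange: one connection on a loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(smtp_probe("127.0.0.1", fake_smtp_listener()))
    # IPs quoted in the thread; the two relay addresses are constructed samples.
    print(check_delivery_path("74.212.31.141", "208.111.214.219",
                              "208.74.56.0/255.255.248.0", ["208.74.56.10", "74.212.31.5"]))
```

A "refused" result from the relay's side while the WAN IP answers the probe is the pattern in this thread: the relay is talking to a different address than the one the NAT policy publishes.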
This is Exchange 5.5, is a POP connector available? I do not know why they are doing it this way. The only thing I do know is that the way the spam service has configured it is working now with the PIX connected. Do you think that the SonicWALL is inherently different in the way that it processes connections?

I will paste the Cisco PIX configuration in here to offer insight into what is currently configured:
rntap# show config
: Saved
: Written by enable_15 at 08:07:27.261 UTC Sat May 31 2008
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1oxeW0KnPBRCSAp2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname rntap
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.100.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 74.212.31.141 172.16.100.240 netmask 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host 74.212.31.141 eq www any
conduit permit tcp host 74.212.31.141 eq pop3 any
conduit permit tcp host 74.212.31.141 eq smtp any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe1 request dialout pppoe
vpdn group pppoe1 localname boone@epix.net
vpdn group pppoe1 ppp authentication pap
vpdn username boone@epix.net password ********
terminal width 80
Cryptochecksum:6a234dee3f6fbdafcd4b75d7ec836831
Aha Exchange 5.5...
but there's a different issue here... if your antispam provider is saying that they get a connection refused when connecting to mail.rntap.com then that's a separate issue, since that server is not behind the sonicwall. Is that still the case?

Who owns the server at mail.rntap.com? What method is used to deliver mail from there to your Exchange server?
Their ISP owns the server. I do not know what method is being used...I will have to investigate. So you're thinking possibly that if some method is being used, then it is configured in the PIX? The part that confuses me is why would they get a connection refused all of a sudden on the Spam service end when I put the SonicWALL in place? We are not behind that server to my knowledge...
Well, now I'm getting conflicting information from the internal company. They are saying that they own the IP and host the website. But I don't understand that. How can they host a 74. address when their public IP is a 208. address?
Technically, there's nothing impossible about that - you can have a different subnet routed by your ISP.

As it happens, both IPs are owned by the same company, who own 208.111.192.0/18 and 74.212.0.0/18

OrgName:    Frontier Communications of America, Inc.
OrgID:      FRTR
Address:    180 South Clinton AVE
City:       Rochester
StateProv:  NY
PostalCode: 14646
Country:    US

I think you need to figure out why you're getting conflicting information from the "internal company". Who is the "internal company"? Your company? Your clients?

The setup you need is really simple. MX record pointing to your antispam service, and that service delivering mail to your Exchange server. I recommend you also set up a backup MX service.

It looks like you're getting an SMTP feed from your ISP, which is also an accepted way of doing things. So the question is, where is traffic failing?

Where is the server at 74.212.31.141? Is it on your LAN? If so, then you need to create a NAT policy + access rule set for that IP address. You need to know where that server is...

I need to do some investigation it looks like. Thanks for all of your helpful suggestions today. The "internal company" is our client, yes. And apparently they are not very much aware of what they have going on and I assumed that they did. I should have some better clarification by the end of this week. Thanks again. Will keep you informed.
No problem, I'll be here...
Looks like the 208 address is the one assigned to the PPPoE account. The 74 address is just assigned to their domain name. I'm trying now to get it switched around, so that 74 is assigned to the PPPoE and also to the domain name.
Sorry for taking so long. I have some updated information. I believe what we need to do is use ARP and configure Static IP routing on the Sonicwall. I am not familiar with this, so if anyone has any suggestions, I would greatly appreciate hearing them. The sonicwall needs to be able to act like it can accept communication from 2 static IPs. The 74 address needs to be for the mail and the 208 is just the DSL provided IP.
Solution was to create a static ARP address for the 74 IP, then create static routing for the 74 network to route to our internal Exchange server.
Thanks for all your help