Solved

Sonicwall and Exchange 5.5

Posted on 2007-11-20
1,581 Views
Last Modified: 2010-05-18
We are installing a SonicWALL TZ190 Enhanced firewall to replace a Cisco PIX 615. The domain has an Exchange 5.5 server that currently hosts the mail but also uses a spam filtering email service. We can send mail out using the Outlook client but cannot receive mail. Ports 25, 143, 135, and 110 have all been opened and traffic forwarded to the Exchange server. The outgoing mail goes directly through the Exchange server, but the incoming mail goes to the spam service first and then to the server. The instructions from the spam service were to open a range of IPs, and that has been done, but we still cannot seem to receive. Any suggestions?
Question by:pagefigaro
27 Comments
 
LVL 13

Expert Comment

by:vishal_breed
ID: 20319607
If you try sending email from Gmail or Yahoo, what NDR is generated?

What if you try executing a telnet command from the internet:
telnet Exchange_server 25
0
 
LVL 10

Accepted Solution

by:
budchawla earned 500 total points
ID: 20324706
You need to create a port-forwarding rule to get inbound traffic.

On SonicOS enhanced you need to do 2 things...

1. create a NAT policy that reflects the route that the traffic will take
2. create a firewall rule that allows that specific traffic (SMTP, port 25 in your case unless your spam service says otherwise) along the route created earlier.

I assume your spam service is a hosted service on the internet? Double-check which IP they're sending email traffic to, and make sure your policies and rules are set up accordingly..
0
 

Author Comment

by:pagefigaro
ID: 20365244
Sending mail is working. It's the receiving that is not working.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20365302
pagefigaro,
I know that your problem is with inbound email and that is what my suggestions are trying to troubleshoot. Did you check what I asked?
0
 

Author Comment

by:pagefigaro
ID: 20365411
Sorry my last comment was more for vishal_breed.

As for the Nat policy, i created 1 for the mail server (included 25, 110, and 143) pointing to internal mail server, and then specified the network range that the spam service said to unblock

Creating the NAT policy automatically creates a firewall rule that allows traffic from the specified range to the exchange server using the mail services.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20365497
Did you specify an outbound interface on the NAT policy? If so, remove it and leave the outbound interface on the (inbound) NAT policy set to Any.
0
 

Author Comment

by:pagefigaro
ID: 20365559
The interfaces are actually set to inbound: "any", outbound: "any"
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20365600
OK, can you paste your NAT policy & your firewall access rules here...

Have you ever tried to telnet on port 25 into your exchange server from outside to see what happens? Have you run a packet trace on the sonicwall from your outside source IP?

Can you give me the public IP that you're trying to connect to?
0
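The test both experts ask for above ("telnet 208.111.214.219 25" from outside) is just a TCP connection followed by reading the server's greeting. The script below, added here as an illustration and not code from the thread, does that by hand and separates the three outcomes that matter for this troubleshooting: a 220 banner (the Exchange server is reachable), "refused" (something answered with a TCP reset, which is what the asker and the spam service saw), and "timeout" (packets silently dropped). So that it runs offline, it also starts a stand-in listener on 127.0.0.1 that only sends a constructed greeting; the hostname mail.example.test in that greeting is made up.

```python
import socket
import socketserver
import threading

CONNECT_TIMEOUT = 5.0  # seconds; a silent drop by a firewall shows up as "timeout"


def smtp_probe(host, port=25, timeout=CONNECT_TIMEOUT):
    """Do what 'telnet host 25' does: open the TCP connection and read the
    server's greeting. Three situations are told apart:
      banner  - a listener answered with a 220 greeting (mail can reach it)
      refused - a TCP reset came back (no listener on that port, or a
                firewall that rejects instead of dropping)
      timeout - no answer at all (dropped by a firewall, or never routed)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except socket.timeout:
        return {"status": "timeout", "banner": None}
    except OSError as exc:  # unroutable network, name resolution failure, etc.
        return {"status": "error", "banner": str(exc)}
    banner = data.decode("ascii", "replace").strip()
    status = "banner" if banner.startswith("220") else "unexpected"
    return {"status": status, "banner": banner}


class _Greeter(socketserver.BaseRequestHandler):
    """Stand-in for an SMTP listener (constructed for the offline demo):
    send a greeting, then wait for the client to hang up."""

    def handle(self):
        self.request.sendall(b"220 mail.example.test ESMTP ready\r\n")
        try:
            self.request.recv(64)
        except OSError:
            pass


def start_fake_smtp():
    """Start the stand-in on 127.0.0.1 and an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Greeter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """Find a local port nothing listens on, so 'refused' can be demonstrated."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    server, port = start_fake_smtp()
    print("listener :", smtp_probe("127.0.0.1", port))
    server.shutdown()
    server.server_close()
    print("closed   :", smtp_probe("127.0.0.1", closed_port()))
```

Run it from a host outside the firewall against the public IP, with port 25, to reproduce the experts' check; a "refused" result means a device answered and rejected the connection (the SonicWALL, if no NAT policy and access rule match), while "timeout" points at a drop or routing problem further out.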
 

Author Comment

by:pagefigaro
ID: 20365695
Source: Original: Firewalled Subnets Translated: (specified network range), Destination: Original: WAN Primary IP, Translated: Exchange Private (internal address), Service: Original: Exchange Services (25, 110, 143)

Our Public IP is: 208.111.214.219
The public IP range of the email service is: 208.74.56.0/255.255.248.0

I have tried to telnet from the outside, but I'm not sure that I'm doing it correctly. I went to a command prompt and typed in "telnet 208.111.214.219 25" and it failed. However, SonicWALL tech support says that they can telnet.

I have not run a packet trace because I'm not sure how. Suggestions?

Email filtering tech support can just tell me that connection is refused on their end.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366030
OK your NAT policy looks to be a bit skew-whiff. Did you use the public server wizard to create this or do it manually?

Create a new address object for your spam service IPs. Make sure its zone is set to WAN and its type is set to Network. If you'd already done this, then make sure it is correctly set up. Let's say you call this object SingleFin.

Create 2 more address objects for your Exchange server:

Type host, zone LAN, set it to your Exchange private IP and call it ExchangePrivateIP.
Type host, zone WAN, set it to your Exchange public IP (208.111.214.219 I guess) and call it ExchangePublicIP.

Now delete your NAT policy and create a new one that should look like this:

Source:       Original = SingleFin          Translated = Original
Destination:  Original = ExchangePublicIP   Translated = ExchangePrivateIP
Service:      Original = SMTP               Translated = Original
Interface:    Inbound  = WAN                Outbound   = Any

Check the box to create a reflexive NAT policy.

Create an inbound firewall rule to accompany the above NAT policy - I assume you know how to do that?

And see if that does the job.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366047
BTW, SMTP connections to your IP are being refused, probably by the SonicWALL.
If you want to, while troubleshooting, use ANY in the source of your NAT policy and firewall rule instead of SingleFin; that way we can try to connect to see if it's working...
0
 

Author Comment

by:pagefigaro
ID: 20366070
Can you telnet now?
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366129
Yes!
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366283
Are you now getting email from your spam service?
0
 

Author Comment

by:pagefigaro
ID: 20366456
But alas, the spam service says the connection is still refused.

SonicWALL tech opened the ports for me from basically any sender on ports 25, 110, 143, and 80 to the Exchange server, which is fine. I want to just get it working, and then I will filter it to only a range.

So here's the weird thing: the Spam Service delivers mail to mail.rntap.com, which resolves to 74.212.31.141. Which is not the public IP of my firewall. Then I guess 74.212.31.141 delivers to our server. I don't understand how that part works.

Right now, I'm trying to get the current configuration on the Cisco PIX firewall printed out so that I can see what is going on in there. It has to be something on the SonicWALL that is blocking since the Cisco PIX firewall sends mail right through without a problem, I just don't know where it would be blocking.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366666
So what is the server at mail.rntap.com and why are you doing it that way? I'm assuming that's your ISP's mail server, but unless you're using a POP connector in Exchange, mail should be delivered directly to Exchange from your spam service.

That is why I asked you to check what IP they were sending email to.

I recommend that unless there is a reason to use your ISP's servers, you should either tell your antispam providers to send mail directly to your Exchange server or change mail.rntap.com to point to your Exchange public IP. Either way achieves the same thing.
0
 

Author Comment

by:pagefigaro
ID: 20366727
This is Exchange 5.5; is a POP connector available? I do not know why they are doing it this way. The only thing I do know is that the way the spam service has configured it is working now with the PIX connected. Do you think that the SonicWALL is inherently different in the way that it processes connections?

I will paste the Cisco PIX configuration in here to offer insight into what is currently configured:
rntap# show config
: Saved
: Written by enable_15 at 08:07:27.261 UTC Sat May 31 2008
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1oxeW0KnPBRCSAp2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname rntap
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.100.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 74.212.31.141 172.16.100.240 netmask 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host 74.212.31.141 eq www any
conduit permit tcp host 74.212.31.141 eq pop3 any
conduit permit tcp host 74.212.31.141 eq smtp any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe1 request dialout pppoe
vpdn group pppoe1 localname boone@epix.net
vpdn group pppoe1 ppp authentication pap
vpdn username boone@epix.net password ********
terminal width 80
Cryptochecksum:6a234dee3f6fbdafcd4b75d7ec836831
0
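The PIX configuration just posted contains the same two pieces the accepted answer describes for the SonicWALL: a `static` line is the NAT policy (public 74.212.31.141 translated to private 172.16.100.240), and each `conduit permit` line is the matching access rule (the first address in a conduit is the inside host's public address, the trailing `any` is the outside source). The script below is an added illustration, not code from the thread or from either vendor: it parses those lines out of the posted config and lays each pair out in the Source / Destination / Service / Interface columns budchawla used, first as the wide-open "Any" source used while troubleshooting and then narrowed so that SMTP is accepted only from the spam service's range (208.74.56.0/255.255.248.0, as given earlier in the thread). The service-name-to-port table and the row layout are this example's own assumptions.

```python
import re

# Excerpt of the PIX 6.3 configuration posted above; only the lines this
# translation cares about. The addresses are the ones in the thread.
PIX_CONFIG = """\
static (inside,outside) 74.212.31.141 172.16.100.240 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 74.212.31.141 eq www any
conduit permit tcp host 74.212.31.141 eq pop3 any
conduit permit tcp host 74.212.31.141 eq smtp any
"""

# PIX service keywords -> TCP ports (assumed mapping, covers this config).
SERVICE_PORTS = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "imap4": 143}

STATIC_RE = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<public>\S+) (?P<private>\S+)"
    r" netmask (?P<mask>\S+)"
)
# conduit order: protocol, global (public) host, port, then the foreign (outside) source
CONDUIT_RE = re.compile(
    r"^conduit permit (?P<proto>\w+) host (?P<public>\S+) eq (?P<service>\S+)"
    r" (?P<source>any|\S+ \S+)$"
)


def parse_pix(text):
    """Return (statics, conduits) found in a PIX 6.x configuration."""
    statics, conduits = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = CONDUIT_RE.match(line)
        if m:
            conduits.append(m.groupdict())
    return statics, conduits


def to_sonicwall(statics, conduits, source_object="Any"):
    """Pair every conduit with the static it belongs to and emit the
    NAT policy + access rule the accepted answer asks for, one per service."""
    by_public = {s["public"]: s for s in statics}
    rows = []
    for c in conduits:
        s = by_public.get(c["public"])
        port = SERVICE_PORTS.get(c["service"])
        if s is None or port is None:
            continue  # no static to translate through, or a service we don't know
        service = f"{c['proto'].upper()}/{port}"
        rows.append({
            "nat_policy": {
                "source_original": source_object, "source_translated": "Original",
                "dest_original": s["public"], "dest_translated": s["private"],
                "service_original": service, "service_translated": "Original",
                "inbound_interface": "WAN", "outbound_interface": "Any",
            },
            "access_rule": {
                "from_zone": "WAN", "to_zone": "LAN", "source": source_object,
                "destination": s["public"], "service": service, "action": "Allow",
            },
        })
    return rows


def spam_service_only(rows, network="208.74.56.0/255.255.248.0"):
    """Narrow the SMTP rule to the spam service's range (the filtering the
    asker planned once mail flowed); other services are left as they were."""
    narrowed = []
    for r in rows:
        nat, acl = dict(r["nat_policy"]), dict(r["access_rule"])
        if acl["service"] == "TCP/25":
            nat["source_original"] = network
            acl["source"] = network
        narrowed.append({"nat_policy": nat, "access_rule": acl})
    return narrowed


if __name__ == "__main__":
    statics, conduits = parse_pix(PIX_CONFIG)
    for row in spam_service_only(to_sonicwall(statics, conduits)):
        print(row["nat_policy"])
        print(row["access_rule"])
```

The output makes one point of the thread visible: every inbound rule on the PIX is for 74.212.31.141, so a SonicWALL NAT policy whose destination is the 208.111.214.219 WAN address translates nothing the spam service actually connects to, which is consistent with the asker's eventual fix of making the firewall answer for the 74 address as well.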
 
LVL 10

Expert Comment

by:budchawla
ID: 20366769
Aha, Exchange 5.5...
But there's a different issue here: if your antispam provider is saying that they get a connection refused when connecting to mail.rntap.com, then that's a separate issue, since that server is not behind the SonicWALL. Is that still the case?

Who owns the server at mail.rntap.com? What method is used to deliver mail from there to your Exchange server?
0
 

Author Comment

by:pagefigaro
ID: 20366817
Their ISP owns the server. I do not know what method is being used... I will have to investigate. So you're thinking possibly that if some method is being used, then it is configured in the PIX? The part that confuses me is why they would get a connection refused all of a sudden on the spam service end when I put the SonicWALL in place. We are not behind that server, to my knowledge...
0
 

Author Comment

by:pagefigaro
ID: 20366937
Well, now I'm getting conflicting information from the internal company. They are saying that they own the IP and host the website, but I don't understand that. How can they host a 74. address when their public IP is a 208. address?
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20366997
Technically, there's nothing impossible about that; you can have a different subnet routed by your ISP.

As it happens, both IPs are owned by the same company, which owns 208.111.192.0/18 and 74.212.0.0/18:

OrgName:    Frontier Communications of America, Inc.
OrgID:      FRTR
Address:    180 South Clinton AVE
City:       Rochester
StateProv:  NY
PostalCode: 14646
Country:    US

I think you need to figure out why you're getting conflicting information from the "internal company". Who is the "internal company"? Your company? Your clients?

The setup you need is really simple. MX record pointing to your antispam service, and that service delivering mail to your Exchange server. I recommend you also set up a backup MX service.

It looks like you're getting an SMTP feed from your ISP, which is also an accepted way of doing things. So the question is, where is traffic failing?

Where is the server at 74.212.31.141? Is it on your LAN? If so, then you need to create a NAT policy + access rule set for that IP address. You need to know where that server is...

0
 

Author Comment

by:pagefigaro
ID: 20368777
I need to do some investigation it looks like. Thanks for all of your helpful suggestions today. The "internal company" is our client, yes. And apparently they are not very much aware of what they have going on and I assumed that they did. I should have some better clarification by the end of this week. Thanks again. Will keep you informed.
0
 
LVL 10

Expert Comment

by:budchawla
ID: 20370335
No problem, I'll be here...
0
 

Author Comment

by:pagefigaro
ID: 20375006
Looks like the 208 address is the one assigned to the PPPoE account. The 74 address is just assigned to their domain name. I'm trying now to get it switched around, so that 74 is assigned to the PPPoE and also to the domain name.
0
 

Author Comment

by:pagefigaro
ID: 20551904
Sorry for taking so long. I have some updated information. I believe what we need to do is use ARP and configure static IP routing on the SonicWALL. I am not familiar with this, so if anyone has any suggestions, I would greatly appreciate hearing them. The SonicWALL needs to be able to act like it can accept communication on 2 static IPs. The 74 address needs to be for the mail, and the 208 is just the DSL-provided IP.
0
 

Author Comment

by:pagefigaro
ID: 20705646
Solution was to create a static ARP address for the 74 IP, then create static routing for the 74 network to route to our internal Exchange server.
0
 

Author Closing Comment

by:pagefigaro
ID: 31423381
Thanks for all your help
0
