Solved

Cannot send email to Hotmail after placing server behind Netscreen 5GT firewall

Posted on 2007-11-30
Last Modified: 2012-06-27
Hello,
We recently placed our servers behind Netscreen 5GT firewall to increase the security.
All web and mail servers behind the firewall have real (public) IPs and they were sending email to Hotmail, Gmail, Yahoo etc. without any problem before getting behind the firewall.

However, after they started working behind the firewall, none of the servers can send email to Hotmail accounts, even though they can still send email to Gmail, Yahoo etc. and all other domains. Our firewall IP is seen as our external IP now and it has a correct PTR record. Its IP is not listed in any of the spam blacklists. Our domains have SPF records.

Please send your thoughts about what could be the source of this problem.

P.S. We also created a port forwarding on the firewall. If you telnet firewall's IP with port 25 it directs to one of the mail servers behind it.
0
Question by:ozgursar77
16 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20387236
Doesn't seem to be a problem with the firewall in this case. Verify whether your servers / IPs / hostnames have been blacklisted by them for some reason.
0
 

Author Comment

by:ozgursar77
ID: 20387310
Yes, I am sure the firewall is not the source of the problem. But after we placed it in front of the servers, the public IP address of the internal servers as seen by the internet has changed to the firewall's IP. For example, if I visit whatsmyipaddress.com it shows the firewall's IP.

I checked all spam databases; none of our IPs are listed.
I wrote an email to the Hotmail postmaster support system and am waiting for their reply. Will post here if I receive any reply.
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388039
Check the reverse DNS entries for your mail servers. Some mail servers will also not accept your mails if they don't find the reverse DNS entries.

Also, if possible, NAT your mail servers to the old IPs. You will need to confirm that with your f/w or n/w admin.
0
 

Author Comment

by:ozgursar77
ID: 20388050
Our mail servers have reverse DNS entries, as does the firewall's IP.
The firewall's port 25 is NATed to the mail server's port 25. So anybody who looks for an SMTP service on the firewall can access the mail server itself.
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388086
What I am mentioning is that earlier your mail server must have had a different IP. Can you NAT the same IP now as well?
0
 

Author Comment

by:ozgursar77
ID: 20388099
Yes, I NAT the firewall IP's port 25 to the existing mail server's IP and port 25. So if anyone checks whether there is a mail server on the firewall's IP, they will be automatically redirected to the earlier mail server.

Note: It is not possible to assign mail server's IP to the firewall.
0
 
LVL 8

Accepted Solution

by:
charan_jeetsingh earned 75 total points
ID: 20388120
Hi Oz,
You are taking my Q in the wrong way.

You mentioned:
"Yes, I am sure firewall is not the source of the problem. But after we placed it in front of the servers, public IP address of the internal servers seen by the internet has changed to firewall's IP." >> This shows that your mail server had another public IP earlier. What I am saying is: can you check with your f/w or n/w admin whether you can use the earlier IP that you had given to the mail server before moving it behind the firewall, by doing a "static NAT", without requiring a change to your firewall IPs at all?
0
 

Author Comment

by:ozgursar77
ID: 20388143
Well, I'm also the firewall admin. I didn't understand the "static NAT".
Do you mean that we can open access to the mail server without passing through the firewall, so that its public IP will be seen by Hotmail?
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388189
No, that means you can direct traffic coming for one public IP to a local IP.

What you are doing right now is port redirection.

In static 1-1 NAT the prerequisite is that the IP address must be from the subnet in which your firewall interface IP is...
0
 

Author Comment

by:ozgursar77
ID: 20388244
OK. Thanks. I will check the firewall menu if I can create that static nat
0
 

Author Comment

by:ozgursar77
ID: 20389018
I have tried several ways to configure our Netscreen 5GT to allow one of the internal servers access directly (without taking the firewall's external IP) but I couldn't manage to do that.

The mail server behind the firewall has a valid public IP and it was able to access the internet before we placed it behind the firewall. What I want to accomplish is to tell the firewall that when the mail server tries to access the internet using port 25, the servers it connects to should see its public IP, not the firewall's public IP. Here I need transparency from the firewall (for port 25 only, from Trust zone to Untrust zone). Netscreen experts, please help me with this problem.
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 50 total points
ID: 20390159
Okay, post your config here (sanitized: remove the 3rd octet from your public IP and remove the username/password information from the config).

Also mention, the details below;

1. What is your old mail server *private ip* ?
2. What is your old mail server *public ip* ?

Has this thing changed now?

Post the config and we'll be able to create a mip for you instead and then you'd be good to go. The reason why you are not able to send mails is the other servers expect you to send mails using the *old mail server ip* but as of now, it is going through the firewall's untrust interface ip (nat/route mode).

Cheers,
Rajesh
0
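The mismatch Rajesh describes, between the address receivers expect and the address they actually see, can be checked offline before touching the firewall. The following is an added example, not part of the original thread: it tests a connecting IP against the `ip4:`/`ip6:` mechanisms of an SPF record and against forward-confirmed reverse DNS. All addresses, hostnames and the SPF record are constructed, and the assumption that the SPF record lists only the mail server's own address is ours; the thread does not show the record or state why Hotmail rejected the mail.

```python
import ipaddress

def spf_ip_networks(record):
    """Networks authorized by ip4:/ip6: mechanisms of an SPF record.
    Simplified: a, mx, include and redirect need DNS lookups and are skipped."""
    nets = []
    for term in record.split()[1:]:              # skip the "v=spf1" version tag
        if term[0] in "-~?":                     # fail/softfail/neutral do not authorize
            continue
        term = term.lstrip("+").lower()
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets

def spf_authorizes(record, source_ip):
    """True if the connecting address falls inside an authorized network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in spf_ip_networks(record))

def fcrdns_ok(source_ip, ptr, a):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    name = ptr.get(source_ip)
    return name is not None and source_ip in a.get(name, [])

def assess(source_ip, spf_record, ptr, a):
    return {"spf": spf_authorizes(spf_record, source_ip),
            "fcrdns": fcrdns_ok(source_ip, ptr, a)}

# Constructed sample data (RFC 5737 documentation addresses, not from the thread).
MAIL_IP = "203.0.113.25"      # mail server's own public address
FW_IP = "203.0.113.1"         # firewall Untrust interface address
SPF = "v=spf1 ip4:203.0.113.25 -all"   # assumed: record lists only the server
PTR = {MAIL_IP: "mail.example.com", FW_IP: "fw.example.com"}
A = {"mail.example.com": [MAIL_IP], "fw.example.com": [FW_IP]}

if __name__ == "__main__":
    # Route mode: the receiver sees the server's own address.
    print("route mode:", assess(MAIL_IP, SPF, PTR, A))
    # NAT mode: the receiver sees the firewall's address.
    print("nat mode:  ", assess(FW_IP, SPF, PTR, A))
```

Under these assumptions the firewall address passes the reverse-DNS check but is not authorized by SPF, so a valid PTR and clean blacklist status alone do not make the NATed source acceptable. Either the source must again be the server's own address (route mode or a MIP, as in the thread) or the egress address must be added to the SPF record.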
 

Author Closing Comment

by:ozgursar77
ID: 31412049
charan, rsivanandan thank you so much for helping me on this problem. I was able to send email to hotmail after changing the Trust interface's mode from NAT to Route. That made the internal servers connect to internet with their public IPs. Hotmail for some reason accepted emails only sourcing from the server itself.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 20391070
Okay, problem solved in that respect. But did you check by doing that if you haven't broken the internal normal machines' internet access?

Cheers,
Rajesh
0
 

Author Comment

by:ozgursar77
ID: 20391100
No, they were able to access the internet already before the firewall placement. They all have public IPs.
Thank you again to everybody who helped me with this problem.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 20391116
Okay, since they had public ip you're saved, or else it would need some config changes.

Cheers,
Rajesh
0
