ozgursar77 asked:
Cannot send email to Hotmail after placing server behind Netscreen 5GT firewall

Hello,
We recently placed our servers behind a Netscreen 5GT firewall to increase security.
All web and mail servers behind the firewall have real (public) IPs, and they were sending email to Hotmail, Gmail, Yahoo etc. without any problem before being placed behind the firewall.

However, since they started working behind the firewall, none of the servers can send email to Hotmail accounts, even though they can still send email to Gmail, Yahoo and all other domains. Our firewall's IP is now seen as our external IP and it has a correct PTR record. Its IP is not listed in any of the spam blacklists. Our domains have SPF records.

Please send your thoughts about what could be the source of this problem.

P.S. We also created a port forwarding rule on the firewall. If you telnet to the firewall's IP on port 25, it directs you to one of the mail servers behind it.
charan_jeetsingh:

Doesn't seem to be a problem with the firewall in this case. Verify whether your servers/IPs/hostnames have been blacklisted by them for some reason.
ozgursar77 (asker):
Yes, I am sure the firewall is not the source of the problem. But after we placed it in front of the servers, the public IP address of the internal servers as seen by the internet changed to the firewall's IP. For example, if I visit whatsmyipaddress.com it shows the firewall's IP.

I checked all spam databases; none of our IPs are listed.
I wrote to the Hotmail postmaster support system and am waiting for their reply. I will post here if I receive any reply.
Check the reverse DNS entries for your mail servers. Some mail servers will also not accept your mails if they don't find the reverse DNS entries.

Also, if possible, NAT your mail servers to the old IPs. That you will need to confirm with your f/w or n/w admin.
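As an added illustration (not part of the thread, and not from Experts Exchange or Juniper), the following Python script performs the two checks the posts above turn on, reverse DNS and SPF, for the IP address that receiving servers actually see once traffic is NATed. All names, addresses and DNS records are constructed placeholders held in a dict so the script runs offline; a real check would replace that dict with live lookups for your own zone. The `spf_allows` evaluator is deliberately simplified (no `include`, `redirect`, `mx` or macros).

```python
import ipaddress

# Constructed zone data standing in for live DNS answers (names and
# addresses are documentation placeholders, not the asker's real records).
DNS = {
    "PTR": {
        "198.51.100.10": "mail.example.com",  # mail server's own public IP
        "198.51.100.1": "fw.example.com",     # firewall's outside IP after NAT
    },
    "A": {
        "mail.example.com": "198.51.100.10",
        "fw.example.com": "198.51.100.1",
    },
    "TXT": {
        # SPF written before the firewall: only the mail server is designated
        "example.com": ["v=spf1 ip4:198.51.100.10 -all"],
    },
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns(ip, resolver=DNS):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A record -> same ip.
    Returns (ok, detail)."""
    name = resolver["PTR"].get(ip)
    if name is None:
        return False, "no PTR record for %s" % ip
    forward = resolver["A"].get(name)
    if forward != ip:
        return False, "PTR %s resolves to %s, not %s" % (name, forward, ip)
    return True, name


def spf_allows(domain, ip, resolver=DNS):
    """Evaluate a v=spf1 record for the connecting IP.
    Simplified evaluator: ip4, ip6, a and all mechanisms only, which is
    enough to show whether a NAT address is designated as a sender."""
    records = [t for t in resolver["TXT"].get(domain, [])
               if t.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                      # no prefix means '+' (pass)
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            # a bare address is treated as a /32 or /128 network
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
        elif mech == "a":
            host = arg or domain             # bare 'a' means the domain itself
            if resolver["A"].get(host) == ip:
                return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no 'all' terminator


def check_sender(ip, domain, resolver=DNS):
    """Run both checks for the IP that remote MTAs see as the sender."""
    ok, detail = fcrdns(ip, resolver)
    return {"ip": ip, "fcrdns": ok, "fcrdns_detail": detail,
            "spf": spf_allows(domain, ip, resolver)}


if __name__ == "__main__":
    # Compare the server's own address with the firewall's outside address.
    for sender_ip in ("198.51.100.10", "198.51.100.1"):
        print(check_sender(sender_ip, "example.com"))
```

With the constructed records, the mail server's own IP passes both checks while the firewall's outside IP passes forward-confirmed reverse DNS but gets an SPF `fail`, because the record was written before NAT changed the source address. That is the kind of gap worth confirming for the real zone whenever the address a receiving MTA sees differs from the address the server was originally given.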
Our mail servers have reverse DNS entries, as does the firewall's IP.
The firewall's port 25 is NATed to the mail server's port 25. So anybody looking for an SMTP service on the firewall can reach the mail server itself.
What I am saying is that earlier your mail server must have had a different IP. Can you NAT the same IP now as well?
Yes, I NAT port 25 on the firewall's IP to the existing mail server's IP and port 25. So if anyone checks whether there is a mail server on the firewall's IP, they will be automatically redirected to the earlier mail server.

Note: It is not possible to assign mail server's IP to the firewall.
ASKER CERTIFIED SOLUTION (charan_jeetsingh)
Well, I'm also the firewall admin. I didn't understand the "static NAT".
Do you mean that we can open access to the mail server without passing through the firewall, so that its public IP will be seen by Hotmail?
No. That means you can direct traffic coming for one public IP to a local IP.

What you are doing right now is port redirection.

In static 1-1 NAT the prerequisite is that the IP address must be from the subnet in which your firewall interface IP is...
OK. Thanks. I will check the firewall menu to see if I can create that static NAT.
I have tried several ways to configure our Netscreen 5GT to allow one of the internal servers to access the internet directly (without taking the firewall's external IP), but I couldn't manage to do that.

The mail server behind the firewall has a valid public IP and it was able to access the internet before we placed it behind the firewall. What I want to accomplish is to tell the firewall that when the mail server tries to access the internet on port 25, the servers it connects to should see its public IP, not the firewall's public IP. Here I need transparency from the firewall (for port 25 only, from the Trust zone to the Untrust zone). Netscreen experts, please help me with this problem.
SOLUTION
charan, rsivanandan, thank you so much for helping me with this problem. I was able to send email to Hotmail after changing the Trust interface's mode from NAT to Route. That made the internal servers connect to the internet with their public IPs. Hotmail for some reason accepted emails only sourced from the server itself.
Okay, problem solved in that respect. But did you check, by doing that, that you haven't broken the internal machines' normal internet access?

Cheers,
Rajesh
No, they were already able to access the internet before the firewall placement. They all have public IPs.
Thank you again to everybody who helped me with this problem.
Okay, since they had public IPs you're saved, or else it would need some config changes.

Cheers,
Rajesh