Solved

Cannot send email to Hotmail after placing server behind Netscreen 5GT firewall

Posted on 2007-11-30
370 Views
Last Modified: 2012-06-27
Hello,
We recently placed our servers behind Netscreen 5GT firewall to increase the security.
All web and mail servers behind the firewall have real (public) IPs, and they were sending email to Hotmail, Gmail, Yahoo etc. without any problem before being placed behind the firewall.

However, since they started working behind the firewall none of the servers can send email to Hotmail accounts, even though they can still send email to Gmail, Yahoo etc. and all other domains. Our firewall's IP is now seen as our external IP and it has a correct PTR record. Its IP is not listed in any of the spam blacklists. Our domains have SPF records.

Please send your thoughts about what could be the source of this problem.

P.S. We also created a port forwarding on the firewall. If you telnet to the firewall's IP on port 25 it directs you to one of the mail servers behind it.
Question by:ozgursar77
16 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
Doesn't seem to be a problem with the firewall in this case. Verify whether your servers / IPs / hostname have been blacklisted by them for some reason.
 

Author Comment

by:ozgursar77
Yes, I am sure the firewall is not the source of the problem. But after we placed it in front of the servers, the public IP address of the internal servers as seen by the internet changed to the firewall's IP. For example, if I visit whatsmyipaddress.com it shows the firewall's IP.

I checked all spam databases, none of our IPs are listed.
I wrote an email to the Hotmail postmaster support system and am waiting for their reply. I will post here if I receive any reply.
 
LVL 8

Expert Comment

by:charan_jeetsingh
Check the reverse DNS entries for your mail servers. Some mail servers will also not accept your mails if they don't find the reverse DNS entries.

Also, if possible, NAT your mail servers to the old IPs. That you will need to confirm with your f/w or n/w admin.
 

Author Comment

by:ozgursar77
Our mail servers have reverse DNS entries, as does the firewall's IP.
The firewall's port 25 is NATed to the mail server's port 25. So anybody looking for an SMTP service on the firewall can access the mail server itself.
 
LVL 8

Expert Comment

by:charan_jeetsingh
What I am mentioning is that earlier your mail server must have had a different IP. Can you NAT the same IP now as well?
 

Author Comment

by:ozgursar77
Yes, I NAT the firewall's IP's port 25 to the existing mail server's IP and port 25. So if anyone checks whether there is a mail server on the firewall's IP they will be automatically redirected to the earlier mail server.

Note: It is not possible to assign mail server's IP to the firewall.
 
LVL 8

Accepted Solution

by:
charan_jeetsingh earned 75 total points
hi Oz,
you are taking my Q in a wrong way.

you mentioned :
"Yes, I am sure firewall is not the source of the problem. But after we placed it in front of the servers, public IP address of the internal servers seen by the internet has changed to firewall's IP." >> This shows that your mail server had another public IP earlier. What I am saying is: can you check with your f/w or n/w admin whether you can use the earlier IP that you had given to the mail server before moving it behind the firewall, by doing a "static NAT", without requiring a change to your firewall IPs at all?
 

Author Comment

by:ozgursar77
Well, I'm also the firewall admin. I didn't understand the "static NAT".
Do you mean that we can open access to the mail server without passing through the firewall? So that its public IP will be seen by Hotmail?
 
LVL 8

Expert Comment

by:charan_jeetsingh
No. That means you can direct traffic coming for one public IP to a local IP.

What you are doing right now is port redirection.

In static 1-to-1 NAT the prerequisite is that the IP address must be from the subnet in which your firewall interface IP is...
 

Author Comment

by:ozgursar77
OK. Thanks. I will check the firewall menu to see if I can create that static NAT.
 

Author Comment

by:ozgursar77
I have tried several ways to configure our Netscreen 5GT to allow one of the internal servers to access the internet directly (without taking the firewall's external IP), but I couldn't manage to do that.

The mail server behind the firewall has a valid public IP and it was able to access the internet before we placed it behind the firewall. What I want to accomplish is to tell the firewall that when the mail server tries to access the internet using port 25, the servers it connects to should see its public IP, not the firewall's public IP. Here I need transparency from the firewall (for port 25 only, from the Trust zone to the Untrust zone). Netscreen experts, please help me with this problem.
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 50 total points
Okay, post your config here (sanitized: remove the 3rd octet from your public IP and remove the username/password information from the config).

Also mention the details below:

1. What is your old mail server *private ip* ?
2. What is your old mail server *public ip* ?

Has this thing changed now?

Post the config and we'll be able to create a MIP for you instead, and then you'd be good to go. The reason you are not able to send mails is that the other servers expect you to send mails using the *old mail server IP*, but as of now it is going through the firewall's untrust interface IP (NAT/route mode).

Cheers,
Rajesh
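A small check, added here and not part of the thread, of what a receiving MTA sees from the two candidate egress addresses: whether the connecting address is authorized by the sending domain's SPF record and whether its PTR forward-confirms. It uses constructed DNS data (hypothetical example.com hosts on documentation addresses 203.0.113.x) in place of real lookups; the point is that a NAT device rewriting the source address to the firewall's IP changes both answers even though nothing on the mail server itself changed.

```python
import ipaddress
from typing import Dict, Optional

# Constructed DNS data standing in for real lookups (hypothetical names and
# documentation-range addresses, not the thread's real hosts).
SPF = {"example.com": "v=spf1 mx ip4:203.0.113.0/28 -all"}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["203.0.113.10"], "fw.example.com": ["203.0.113.50"]}
PTR = {"203.0.113.10": "mail.example.com", "203.0.113.50": "fw.example.com"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(ip: str, domain: str) -> str:
    """Evaluate the a, mx, ip4 and all mechanisms of the domain's SPF record
    against the connecting address (a subset of RFC 7208, enough here)."""
    addr = ipaddress.ip_address(ip)
    for term in SPF.get(domain, "v=spf1").split()[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            matched = any(ip in A.get(h, []) for h in MX.get(domain, []))
        elif term == "a":
            matched = ip in A.get(domain, [])
        elif term == "all":
            matched = True
        else:
            continue                         # include/exists etc. not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def fcrdns(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = PTR.get(ip)
    return name if name and ip in A.get(name, []) else None


def egress_check(ip: str, domain: str) -> Dict[str, Optional[str]]:
    """What a receiving MTA sees for mail from `domain` arriving from `ip`."""
    return {"spf": spf_result(ip, domain), "fcrdns": fcrdns(ip)}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.50"):   # server's own IP vs firewall's
        print(ip, egress_check(ip, "example.com"))
```

With the constructed data the server's own address passes SPF via `mx`, while the firewall's address is outside the `ip4` range and hits `-all`, even though both have forward-confirmed PTRs.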
 

Author Closing Comment

by:ozgursar77
charan, rsivanandan, thank you so much for helping me with this problem. I was able to send email to Hotmail after changing the Trust interface's mode from NAT to Route. That made the internal servers connect to the internet with their public IPs. Hotmail for some reason accepted emails only when sourced from the server itself.
 
LVL 32

Expert Comment

by:rsivanandan
Okay, problem solved in that respect. But did you check by doing that if you haven't broken the internal normal machines' internet access?

Cheers,
Rajesh
 

Author Comment

by:ozgursar77
No, they were able to access internet already before firewall placement. They all have public IPs.
Thank you again for everybody who helped me in this problem.
 
LVL 32

Expert Comment

by:rsivanandan
Okay, since they had public IPs you're saved; otherwise it would have needed some config changes.

Cheers,
Rajesh