Cannot send email to Hotmail after placing server behind Netscreen 5GT firewall

Hello,
We recently placed our servers behind a Netscreen 5GT firewall to increase security.
All web and mail servers behind the firewall have real (public) IPs and they were sending email to Hotmail, Gmail, Yahoo etc. without any problem before going behind the firewall.

However, after they started working behind the firewall none of the servers can send email to Hotmail accounts, even though they can still send email to Gmail, Yahoo etc. and all other domains. Our firewall IP is seen as our external IP now and it has a correct PTR record. Its IP is not listed in any of the spam blacklists. Our domains have SPF records.

Please send your thoughts about what could be the source of this problem.

P.S. We also created a port forwarding on the firewall. If you telnet to the firewall's IP on port 25 it directs to one of the mail servers behind it.
charan_jeetsingh commented:
Doesn't seem to be a problem with the firewall in this case. Verify whether your servers / IPs / hostname have been blacklisted by them for some reason.
 
ozgursar77 (author) commented:
Yes, I am sure the firewall is not the source of the problem. But after we placed it in front of the servers, the public IP address of the internal servers seen by the internet changed to the firewall's IP. For example, if I visit whatsmyipaddress.com it shows the firewall's IP.

I checked all spam databases; none of our IPs are listed.
I wrote an email to the Hotmail postmaster support system and am waiting for their reply. Will post here if I receive any reply.
 
charan_jeetsingh commented:
Check the reverse DNS entries for your mail servers. Some mail servers will also not accept your mails if they don't find the reverse DNS entries.

Also, if possible, NAT your mail servers to the old IPs. That is something you will need to confirm with your firewall or network admin.
 
ozgursar77 (author) commented:
Our mail servers have reverse DNS entries, as does the firewall's IP.
The firewall's port 25 is NATed to the mail server's port 25. So anybody looking for an SMTP service on the firewall can access the mail server itself.
 
charan_jeetsingh commented:
What I am mentioning is that earlier your mail server must have had a different IP. Can you NAT that same IP now as well?
 
ozgursar77 (author) commented:
Yes, I NAT the firewall IP's port 25 to the existing mail server's IP and port 25. So if anyone checks whether there is a mail server on the firewall's IP they will be automatically redirected to the earlier mail server.

Note: It is not possible to assign the mail server's IP to the firewall.
 
charan_jeetsingh commented:
Hi Oz,
You are taking my question the wrong way.

You mentioned:
"Yes, I am sure firewall is not the source of the problem. But after we placed it in front of the servers, public IP address of the internal servers seen by the internet has changed to firewall's IP." >> This shows that your mail server had another public IP earlier. What I am saying is: can you check with your firewall or network admin whether you can use the earlier IP that you had given to the mail server before moving it behind the firewall, by doing a "static NAT", without requiring a change to your firewall IPs at all?
 
ozgursar77 (author) commented:
Well, I'm also the firewall admin. I didn't understand the "static NAT".
Do you mean that we can open access to the mail server without passing through the firewall, so that its public IP will be seen by Hotmail?
 
charan_jeetsingh commented:
No. That means you can direct traffic coming for one public IP to a local IP.

What you are doing right now is port redirection.

In static 1-to-1 NAT the prerequisite is that the IP address must be from the subnet in which your firewall interface IP is.
 
ozgursar77 (author) commented:
OK. Thanks. I will check the firewall menu to see if I can create that static NAT.
 
ozgursar77 (author) commented:
I have tried several ways to configure our Netscreen 5GT to allow one of the internal servers to access the internet directly (without taking the firewall's external IP) but I couldn't manage to do that.

The mail server behind the firewall has a valid public IP and it was able to access the internet before we placed it behind the firewall. What I want to accomplish is to tell the firewall that when the mail server tries to access the internet using port 25, the servers it connects to should see its public IP, not the firewall's public IP. Here I need transparency from the firewall (for port 25 only, from the Trust zone to the Untrust zone). Netscreen experts, please help me with this problem.
 
rsivanandan commented:
Okay, post your config here (sanitized: remove the 3rd octet from your public IP and remove the username/password information from the config).

Also mention the details below:

1. What is your old mail server *private IP*?
2. What is your old mail server *public IP*?

Has this changed now?

Post the config and we'll be able to create a MIP for you instead, and then you'd be good to go. The reason why you are not able to send mails is that the other servers expect you to send mails using the *old mail server IP*, but as of now it is going through the firewall's untrust interface IP (NAT/route mode).

Cheers,
Rajesh
 
ozgursar77 (author) commented:
charan, rsivanandan, thank you so much for helping me with this problem. I was able to send email to Hotmail after changing the Trust interface's mode from NAT to Route. That made the internal servers connect to the internet with their public IPs. Hotmail for some reason accepted emails only sourced from the server itself.
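The fix reported above (switching the Trust interface from NAT to Route mode) changed which source address Hotmail saw, which is the same point rsivanandan makes about the "old mail server IP" versus the firewall's untrust interface IP. The following is an added example, not code from this thread or from Netscreen/Juniper: it simulates the two checks a strict receiving mail server commonly applies to the connecting IP (forward-confirmed reverse DNS and SPF) against a constructed, offline DNS table, to show how the same message can fail when it leaves from the firewall's address and pass when it leaves from the mail server's own address. The hostnames, addresses and SPF record are made up, and the idea that the domain's SPF record listed the mail server's IP but not the firewall's is an assumption about the poster's setup that the thread does not state.

```python
"""Simulate the source-IP checks a receiving MTA applies to an inbound SMTP
connection, using a constructed (offline) DNS table.

Added example, not the poster's configuration: the IPs, hostnames and SPF
record below are made up (documentation-range addresses) to illustrate why
routing outbound SMTP through a firewall's NAT address can change the verdict.
"""
import ipaddress

# Constructed DNS data: a mail server and the firewall's untrust interface.
DNS = {
    "A": {
        "mail.example.com": ["203.0.113.10"],
        "fw.example.com": ["203.0.113.1"],
    },
    "PTR": {
        "203.0.113.10": "mail.example.com",
        "203.0.113.1": "fw.example.com",
    },
    "MX": {"example.com": ["mail.example.com"]},
    # Assumption: the SPF record names the mail server, not the firewall.
    "TXT": {"example.com": ["v=spf1 mx ip4:203.0.113.10 -all"]},
}


def fcrdns_ok(dns, ip):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) contains ip."""
    name = dns["PTR"].get(ip)
    if name is None:
        return False, None
    return ip in dns["A"].get(name, []), name


def spf_verdict(dns, domain, ip):
    """Minimal SPF evaluator: ip4:, a, mx and the final 'all' term only."""
    records = [r for r in dns["TXT"].get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "a":
            matched = ip in dns["A"].get(domain, [])
        elif term == "mx":
            matched = any(ip in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(domain, []))
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism: skipped in this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def assess_sender(dns, connecting_ip, mail_from_domain):
    """Combine both checks into the kind of verdict a strict receiver returns."""
    confirmed, ptr_name = fcrdns_ok(dns, connecting_ip)
    spf = spf_verdict(dns, mail_from_domain, connecting_ip)
    return {
        "ptr": ptr_name,
        "fcrdns": confirmed,
        "spf": spf,
        "accept": confirmed and spf == "pass",
    }


if __name__ == "__main__":
    # NAT mode: the mail server's traffic leaves with the firewall's address.
    print("via firewall NAT:", assess_sender(DNS, "203.0.113.1", "example.com"))
    # Route mode: the mail server connects from its own public address.
    print("route mode:      ", assess_sender(DNS, "203.0.113.10", "example.com"))
```

Note that in this table the firewall's address has a perfectly good PTR record and passes the reverse-DNS check, as the poster reported; what flips the verdict is that the SPF record published for the sending domain does not cover the address the mail actually arrives from. When a NAT device is put in front of a mail server, either the SPF record has to be extended to the new source address or, as was done here, the server has to keep sending from its own address.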
 
rsivanandan commented:
Okay, problem solved in that respect. But did you check whether, by doing that, you haven't broken the internal normal machines' internet access?

Cheers,
Rajesh
 
ozgursar77 (author) commented:
No, they were able to access the internet already before the firewall placement. They all have public IPs.
Thank you again to everybody who helped me with this problem.
 
rsivanandan commented:
Okay, since they had public IPs you're saved; otherwise it would need some config changes.

Cheers,
Rajesh