Port forwarding on NS5GT

I have a Netscreen NS5GT and I am trying to allow for IMAP connection to my MS Exchange Server.  When I attempt to send mail I receive a "550 5.7.1 relaying denied from local server" error.  Any ideas how to accomplish this?
Who is Participating?
QlemoConnect With a Mentor Batchelor and DeveloperCommented:
When sending email to other mail servers, several steps will be taken. As example, I will describe sending email from   a@mydomain.com   to    b@targetdomain.com

- get MX DNS record for the target domain. You can test this manually:
      nslookup -type=mx targetdomain.com
   you should get a full name and an public ip address of the mail server in charge. Let's assume it is mx.targetdomain.com

- use SMTP to contact this email server, and spool the message. To test:
     telnet  mx.targetdomain.com smtp
     ehlo It's me
     mail from: <a@mydomain.com>
     rcpt to: <b@targetdomain.com>
(put here some normal email header and text, but that is not important)
  If that works, Exchange is doing something wrong.

My guesses are that it does not work. If so, you might be on the wrong mail server. And because only your own domain works, I think you are either on your Exchange server or on an internet relay for your Exchange server. Both will not allow for relaying (receiving email for non-local targets).
QlemoBatchelor and DeveloperCommented:
This is because of your pc having an non-local IP address, or non-local mail domain, which is rejected by Exchange Policy. You will have to change this in Exchange itself, e.g. allow for your external IP address (if static), or allow for send after prior authorization.
You should not allow for relying in general.
JSTechinLAAuthor Commented:
Since I am trying to allow for IMAP connections for my users on their laptops outside my network, I can't set a static IP for each laptop.  Is there another way of authorizing the traffic?
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

QlemoBatchelor and DeveloperCommented:
If Exchange allows for SMTPA (A= with authentification), as I think i tdoes, you can set an option to allow everything for authentificated user. But don't ask me, where that option is hidden :-)

This will require that clients enable SMTP-Authentication before sending in your eMail software, e.g.  in Outlook it is in email account setup, advanced.
JSTechinLAAuthor Commented:
I have been working with Microsoft Exchange support on this issue and they insist that the exhange server is properly configured that it is port 143 on the Netscreen device that needs to be opened.
QlemoBatchelor and DeveloperCommented:
This only can be true if Exchange uses IMAP to authenticate the sender, which uses SMTP (!). Never heard of that.
Or, Exchange requires you to open IMAP before SMTP, for authorization.

You cannot do more in NetScreen as to open both SMTP and IMAP (Untrust - Trust and vice versa), and to forward those two ports to Exchange.

On the other hand, you didn't state exactly if you want to send from Exchange and get that error (so the message comes from outside), or you want to send from Internet to Exchange. In any case, sending eMail means SMTP, not IMAP.

JSTechinLAAuthor Commented:
Okay.  I have opened up SMTP and IMAP on the netscreen for both untrust to trust and trust to untrust. Same result.  I understand that SMTP is the sending "Mail" part of the process.  I just don't undertand this on a deep enough level to make sense of everything.  Can you tell me what port 143 is ( is it SMTP?).  I see ports like /21 and /3389 on my netscreen but nowhere do I see any reference to port 143.  Also, I have tried to configure the addresses specific to the port and it always rejects it saying that it is an invalid IP address.  Again, I have tried multiple combinations of ip/netmask and ports to no good result.
QlemoBatchelor and DeveloperCommented:
25/tcp is SMTP
143/tcp is IMAP4
21/tcp is ftp (together with 20/tcp)
3389/tcp is Remote Desktop

You are confusing me. How could you open IMAP and SMTP if you cannot find port 143? In policies you use predefined or custom service entries like "IMAP", "SMTP" aso. Those services are defined either under Network > Services    or   Policy > Policy Elements > Services, and here you see all settings like source and target port.

Let's assume your policies are all right, you need to define VIP (if NAT is applied) on interface level. This means you tell your NetScreen that if an request on IMAP port comes on your single public address, it will be translated and forwarded to Exchange Server. Is this the problem? Or is your Exchange Server reachable under its own public ip address?

You didn't answer to my last question, yet.
JSTechinLAAuthor Commented:
I thought that 143 was IMAP4 but wasn't sure.  Depending on who I talk to they use either 143 or IMAP so now I know that they are one in the same.  Thanks.
The error occurs when I am trying to send an email from my exchange server (either locally attached or through the internet) to any address other than my domain.  The mail coming in works fine, it is the mail that I want to send out that is stopped with the "unable to relay" message.  It seems odd that my firewall would block something from going out.
Is this clearer?
JSTechinLAAuthor Commented:
The Get MX DNS worked fine.
The telnet to SMTP failed to connect.
I used:  
telnet mx,gmail.com smtp

Any further thoughts?
QlemoBatchelor and DeveloperCommented:
AFAIK google mail does not allow for SMTP. Try another one.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.