Port forwarding on NS5GT

Posted on 2008-06-23
Last Modified: 2013-11-30
I have a Netscreen NS5GT and I am trying to allow for IMAP connection to my MS Exchange Server.  When I attempt to send mail I receive a "550 5.7.1 relaying denied from local server" error.  Any ideas how to accomplish this?
Question by:JSTechinLA
11 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 21848911
This is because of your PC having a non-local IP address, or non-local mail domain, which is rejected by Exchange policy. You will have to change this in Exchange itself, e.g. allow for your external IP address (if static), or allow for send after prior authorization.
You should not allow for relaying in general.
0
 

Author Comment

by:JSTechinLA
ID: 21848944
Since I am trying to allow for IMAP connections for my users on their laptops outside my network, I can't set a static IP for each laptop.  Is there another way of authorizing the traffic?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21849104
If Exchange allows for SMTPA (A = with authentication), as I think it does, you can set an option to allow everything for authenticated users. But don't ask me where that option is hidden :-)

This will require that clients enable SMTP-Authentication before sending in your eMail software, e.g.  in Outlook it is in email account setup, advanced.
0
 

Author Comment

by:JSTechinLA
ID: 21857282
I have been working with Microsoft Exchange support on this issue and they insist that the Exchange server is properly configured and that it is port 143 on the Netscreen device that needs to be opened.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21858268
This only can be true if Exchange uses IMAP to authenticate the sender, which uses SMTP (!). Never heard of that.
Or, Exchange requires you to open IMAP before SMTP, for authorization.

You cannot do more in NetScreen than to open both SMTP and IMAP (Untrust - Trust and vice versa), and to forward those two ports to Exchange.

On the other hand, you didn't state exactly if you want to send from Exchange and get that error (so the message comes from outside), or you want to send from Internet to Exchange. In any case, sending eMail means SMTP, not IMAP.

0
 

Author Comment

by:JSTechinLA
ID: 21858538
Okay.  I have opened up SMTP and IMAP on the netscreen for both untrust to trust and trust to untrust. Same result.  I understand that SMTP is the sending "Mail" part of the process.  I just don't understand this on a deep enough level to make sense of everything.  Can you tell me what port 143 is (is it SMTP?).  I see ports like /21 and /3389 on my netscreen but nowhere do I see any reference to port 143.  Also, I have tried to configure the addresses specific to the port and it always rejects it saying that it is an invalid IP address.  Again, I have tried multiple combinations of ip/netmask and ports to no good result.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21864070
25/tcp is SMTP
143/tcp is IMAP4
21/tcp is ftp (together with 20/tcp)
3389/tcp is Remote Desktop

You are confusing me. How could you open IMAP and SMTP if you cannot find port 143? In policies you use predefined or custom service entries like "IMAP", "SMTP" and so on. Those services are defined either under Network > Services or Policy > Policy Elements > Services, and here you see all settings like source and target port.

Let's assume your policies are all right, you need to define VIP (if NAT is applied) on interface level. This means you tell your NetScreen that if a request on IMAP port comes on your single public address, it will be translated and forwarded to Exchange Server. Is this the problem? Or is your Exchange Server reachable under its own public IP address?

You didn't answer my last question yet.
0
 

Author Comment

by:JSTechinLA
ID: 21867142
I thought that 143 was IMAP4 but wasn't sure.  Depending on who I talk to they use either 143 or IMAP so now I know that they are one and the same.  Thanks.
The error occurs when I am trying to send an email from my exchange server (either locally attached or through the internet) to any address other than my domain.  The mail coming in works fine, it is the mail that I want to send out that is stopped with the "unable to relay" message.  It seems odd that my firewall would block something from going out.
Is this clearer?
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 1500 total points
ID: 21868636
When sending email to other mail servers, several steps will be taken. As an example, I will describe sending email from a@mydomain.com to b@targetdomain.com

- get the MX DNS record for the target domain. You can test this manually:
     nslookup -type=mx targetdomain.com
  You should get a full name and a public IP address of the mail server in charge. Let's assume it is mx.targetdomain.com

- use SMTP to contact this email server, and spool the message. To test:
     telnet mx.targetdomain.com smtp
     ehlo It's me
     mail from: <a@mydomain.com>
     rcpt to: <b@targetdomain.com>
     data
     (put here some normal email header and text, but that is not important)
     .
     quit
  If that works, Exchange is doing something wrong.

My guess is that it does not work. If so, you might be on the wrong mail server. And because only your own domain works, I think you are either on your Exchange server or on an internet relay for your Exchange server. Both will not allow for relaying (receiving email for non-local targets).
0
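
The relay decision this thread keeps returning to, as an added example (not part of the original posts and not Exchange's own logic): a toy SMTP responder that accepts mail for its local domain from anyone, relays to foreign domains only for authenticated or internal clients, and otherwise answers 550 5.7.1. The LAN range, the account and its password are constructed; TLS and the DATA phase are left out.

```python
import base64
import ipaddress

LOCAL_DOMAINS = {"mydomain.com"}                       # hosted domain, from the post
RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # constructed internal LAN
USERS = {"a@mydomain.com": "s3cret"}                   # constructed test account


def rcpt_reply(client_ip, authenticated, rcpt):
    """Reply a relay-restricted server gives to one RCPT TO address."""
    domain = rcpt.rsplit("@", 1)[-1].strip("<> ").lower()
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient OK"        # inbound mail for a local domain
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in RELAY_NETS):
        return "250 2.1.5 Recipient OK"        # relaying granted to known senders
    return "550 5.7.1 Unable to relay"         # anonymous outsider, foreign domain


def run_session(client_ip, commands):
    """Replay client commands; return the server reply to each one."""
    authenticated, replies = False, []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = "250 AUTH PLAIN"
        elif verb == "AUTH":
            # AUTH PLAIN carries base64("\0user\0password")
            try:
                _, user, pw = base64.b64decode(arg.split()[-1]).decode().split("\0")
            except (ValueError, IndexError):
                user = pw = None
            authenticated = user in USERS and USERS[user] == pw
            reply = ("235 2.7.0 Authentication successful" if authenticated
                     else "535 5.7.8 Authentication failed")
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            reply = rcpt_reply(client_ip, authenticated, arg.partition(":")[2])
        else:
            reply = "502 5.5.1 Command not implemented"
        replies.append(reply)
    return replies


def plain(user, password):
    """Build the AUTH PLAIN command a mail client would send."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()
```

A roaming laptop with no fixed address only gets past the relay check through the authenticated branch, which is why the client has to enable SMTP authentication for outgoing mail.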
 

Author Comment

by:JSTechinLA
ID: 21869370
The Get MX DNS worked fine.
The telnet to SMTP failed to connect.
I used:  
telnet mx,gmail.com smtp

Any further thoughts?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21873066
AFAIK google mail does not allow for SMTP. Try another one.
0


Question has a verified solution.
