Solved

Port forwarding on NS5GT

Posted on 2008-06-23
11
1,364 Views
Last Modified: 2013-11-30
I have a Netscreen NS5GT and I am trying to allow for IMAP connection to my MS Exchange Server.  When I attempt to send mail I receive a "550 5.7.1 relaying denied from local server" error.  Any ideas how to accomplish this?
0
Comment
Question by:JSTechinLA
  • 6
  • 5
11 Comments
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
This is because of your pc having an non-local IP address, or non-local mail domain, which is rejected by Exchange Policy. You will have to change this in Exchange itself, e.g. allow for your external IP address (if static), or allow for send after prior authorization.
You should not allow for relying in general.
0
 

Author Comment

by:JSTechinLA
Comment Utility
Since I am trying to allow for IMAP connections for my users on their laptops outside my network, I can't set a static IP for each laptop.  Is there another way of authorizing the traffic?
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
If Exchange allows for SMTPA (A= with authentification), as I think i tdoes, you can set an option to allow everything for authentificated user. But don't ask me, where that option is hidden :-)

This will require that clients enable SMTP-Authentication before sending in your eMail software, e.g.  in Outlook it is in email account setup, advanced.
0
 

Author Comment

by:JSTechinLA
Comment Utility
I have been working with Microsoft Exchange support on this issue and they insist that the exhange server is properly configured that it is port 143 on the Netscreen device that needs to be opened.
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
This only can be true if Exchange uses IMAP to authenticate the sender, which uses SMTP (!). Never heard of that.
Or, Exchange requires you to open IMAP before SMTP, for authorization.

You cannot do more in NetScreen as to open both SMTP and IMAP (Untrust - Trust and vice versa), and to forward those two ports to Exchange.

On the other hand, you didn't state exactly if you want to send from Exchange and get that error (so the message comes from outside), or you want to send from Internet to Exchange. In any case, sending eMail means SMTP, not IMAP.

0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:JSTechinLA
Comment Utility
Okay.  I have opened up SMTP and IMAP on the netscreen for both untrust to trust and trust to untrust. Same result.  I understand that SMTP is the sending "Mail" part of the process.  I just don't undertand this on a deep enough level to make sense of everything.  Can you tell me what port 143 is ( is it SMTP?).  I see ports like /21 and /3389 on my netscreen but nowhere do I see any reference to port 143.  Also, I have tried to configure the addresses specific to the port and it always rejects it saying that it is an invalid IP address.  Again, I have tried multiple combinations of ip/netmask and ports to no good result.
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
25/tcp is SMTP
143/tcp is IMAP4
21/tcp is ftp (together with 20/tcp)
3389/tcp is Remote Desktop

You are confusing me. How could you open IMAP and SMTP if you cannot find port 143? In policies you use predefined or custom service entries like "IMAP", "SMTP" aso. Those services are defined either under Network > Services    or   Policy > Policy Elements > Services, and here you see all settings like source and target port.

Let's assume your policies are all right, you need to define VIP (if NAT is applied) on interface level. This means you tell your NetScreen that if an request on IMAP port comes on your single public address, it will be translated and forwarded to Exchange Server. Is this the problem? Or is your Exchange Server reachable under its own public ip address?

You didn't answer to my last question, yet.
0
 

Author Comment

by:JSTechinLA
Comment Utility
I thought that 143 was IMAP4 but wasn't sure.  Depending on who I talk to they use either 143 or IMAP so now I know that they are one in the same.  Thanks.
The error occurs when I am trying to send an email from my exchange server (either locally attached or through the internet) to any address other than my domain.  The mail coming in works fine, it is the mail that I want to send out that is stopped with the "unable to relay" message.  It seems odd that my firewall would block something from going out.
Is this clearer?
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
Comment Utility
When sending email to other mail servers, several steps will be taken. As example, I will describe sending email from   a@mydomain.com   to    b@targetdomain.com

- get MX DNS record for the target domain. You can test this manually:
      nslookup -type=mx targetdomain.com
   you should get a full name and an public ip address of the mail server in charge. Let's assume it is mx.targetdomain.com

- use SMTP to contact this email server, and spool the message. To test:
     telnet  mx.targetdomain.com smtp
     ehlo It's me
     mail from: <a@mydomain.com>
     rcpt to: <b@targetdomain.com>
     data
(put here some normal email header and text, but that is not important)
     .
     quit
  If that works, Exchange is doing something wrong.

My guesses are that it does not work. If so, you might be on the wrong mail server. And because only your own domain works, I think you are either on your Exchange server or on an internet relay for your Exchange server. Both will not allow for relaying (receiving email for non-local targets).
0
 

Author Comment

by:JSTechinLA
Comment Utility
The Get MX DNS worked fine.
The telnet to SMTP failed to connect.
I used:  
telnet mx,gmail.com smtp

Any further thoughts?
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
AFAIK google mail does not allow for SMTP. Try another one.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Checkpoint books 3 67
SMTP Question 3 61
Sonicwall SOHO SSL-VPN no LAN Access 5 54
Spitting up an internet connection. 7 58
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now