Solved

Port forwarding on NS5GT

Posted on 2008-06-23
11
1,371 Views
Last Modified: 2013-11-30
I have a Netscreen NS5GT and I am trying to allow for IMAP connection to my MS Exchange Server.  When I attempt to send mail I receive a "550 5.7.1 relaying denied from local server" error.  Any ideas how to accomplish this?
0
Comment
Question by:JSTechinLA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 21848911
This is because of your pc having an non-local IP address, or non-local mail domain, which is rejected by Exchange Policy. You will have to change this in Exchange itself, e.g. allow for your external IP address (if static), or allow for send after prior authorization.
You should not allow for relying in general.
0
 

Author Comment

by:JSTechinLA
ID: 21848944
Since I am trying to allow for IMAP connections for my users on their laptops outside my network, I can't set a static IP for each laptop.  Is there another way of authorizing the traffic?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21849104
If Exchange allows for SMTPA (A= with authentification), as I think i tdoes, you can set an option to allow everything for authentificated user. But don't ask me, where that option is hidden :-)

This will require that clients enable SMTP-Authentication before sending in your eMail software, e.g.  in Outlook it is in email account setup, advanced.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:JSTechinLA
ID: 21857282
I have been working with Microsoft Exchange support on this issue and they insist that the exhange server is properly configured that it is port 143 on the Netscreen device that needs to be opened.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21858268
This only can be true if Exchange uses IMAP to authenticate the sender, which uses SMTP (!). Never heard of that.
Or, Exchange requires you to open IMAP before SMTP, for authorization.

You cannot do more in NetScreen as to open both SMTP and IMAP (Untrust - Trust and vice versa), and to forward those two ports to Exchange.

On the other hand, you didn't state exactly if you want to send from Exchange and get that error (so the message comes from outside), or you want to send from Internet to Exchange. In any case, sending eMail means SMTP, not IMAP.

0
 

Author Comment

by:JSTechinLA
ID: 21858538
Okay.  I have opened up SMTP and IMAP on the netscreen for both untrust to trust and trust to untrust. Same result.  I understand that SMTP is the sending "Mail" part of the process.  I just don't undertand this on a deep enough level to make sense of everything.  Can you tell me what port 143 is ( is it SMTP?).  I see ports like /21 and /3389 on my netscreen but nowhere do I see any reference to port 143.  Also, I have tried to configure the addresses specific to the port and it always rejects it saying that it is an invalid IP address.  Again, I have tried multiple combinations of ip/netmask and ports to no good result.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21864070
25/tcp is SMTP
143/tcp is IMAP4
21/tcp is ftp (together with 20/tcp)
3389/tcp is Remote Desktop

You are confusing me. How could you open IMAP and SMTP if you cannot find port 143? In policies you use predefined or custom service entries like "IMAP", "SMTP" aso. Those services are defined either under Network > Services    or   Policy > Policy Elements > Services, and here you see all settings like source and target port.

Let's assume your policies are all right, you need to define VIP (if NAT is applied) on interface level. This means you tell your NetScreen that if an request on IMAP port comes on your single public address, it will be translated and forwarded to Exchange Server. Is this the problem? Or is your Exchange Server reachable under its own public ip address?

You didn't answer to my last question, yet.
0
 

Author Comment

by:JSTechinLA
ID: 21867142
I thought that 143 was IMAP4 but wasn't sure.  Depending on who I talk to they use either 143 or IMAP so now I know that they are one in the same.  Thanks.
The error occurs when I am trying to send an email from my exchange server (either locally attached or through the internet) to any address other than my domain.  The mail coming in works fine, it is the mail that I want to send out that is stopped with the "unable to relay" message.  It seems odd that my firewall would block something from going out.
Is this clearer?
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 21868636
When sending email to other mail servers, several steps will be taken. As example, I will describe sending email from   a@mydomain.com   to    b@targetdomain.com

- get MX DNS record for the target domain. You can test this manually:
      nslookup -type=mx targetdomain.com
   you should get a full name and an public ip address of the mail server in charge. Let's assume it is mx.targetdomain.com

- use SMTP to contact this email server, and spool the message. To test:
     telnet  mx.targetdomain.com smtp
     ehlo It's me
     mail from: <a@mydomain.com>
     rcpt to: <b@targetdomain.com>
     data
(put here some normal email header and text, but that is not important)
     .
     quit
  If that works, Exchange is doing something wrong.

My guesses are that it does not work. If so, you might be on the wrong mail server. And because only your own domain works, I think you are either on your Exchange server or on an internet relay for your Exchange server. Both will not allow for relaying (receiving email for non-local targets).
0
 

Author Comment

by:JSTechinLA
ID: 21869370
The Get MX DNS worked fine.
The telnet to SMTP failed to connect.
I used:  
telnet mx,gmail.com smtp

Any further thoughts?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 21873066
AFAIK google mail does not allow for SMTP. Try another one.
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question