Solved

Port forwarding on NS5GT

Posted on 2008-06-23
11
1,365 Views
Last Modified: 2013-11-30
I have a Netscreen NS5GT and I am trying to allow for IMAP connection to my MS Exchange Server.  When I attempt to send mail I receive a "550 5.7.1 relaying denied from local server" error.  Any ideas how to accomplish this?
0
Comment
Question by:JSTechinLA
  • 6
  • 5
11 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 21848911
This is because of your pc having an non-local IP address, or non-local mail domain, which is rejected by Exchange Policy. You will have to change this in Exchange itself, e.g. allow for your external IP address (if static), or allow for send after prior authorization.
You should not allow for relying in general.
0
 

Author Comment

by:JSTechinLA
ID: 21848944
Since I am trying to allow for IMAP connections for my users on their laptops outside my network, I can't set a static IP for each laptop.  Is there another way of authorizing the traffic?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 21849104
If Exchange allows for SMTPA (A= with authentification), as I think i tdoes, you can set an option to allow everything for authentificated user. But don't ask me, where that option is hidden :-)

This will require that clients enable SMTP-Authentication before sending in your eMail software, e.g.  in Outlook it is in email account setup, advanced.
0
 

Author Comment

by:JSTechinLA
ID: 21857282
I have been working with Microsoft Exchange support on this issue and they insist that the exhange server is properly configured that it is port 143 on the Netscreen device that needs to be opened.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 21858268
This only can be true if Exchange uses IMAP to authenticate the sender, which uses SMTP (!). Never heard of that.
Or, Exchange requires you to open IMAP before SMTP, for authorization.

You cannot do more in NetScreen as to open both SMTP and IMAP (Untrust - Trust and vice versa), and to forward those two ports to Exchange.

On the other hand, you didn't state exactly if you want to send from Exchange and get that error (so the message comes from outside), or you want to send from Internet to Exchange. In any case, sending eMail means SMTP, not IMAP.

0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:JSTechinLA
ID: 21858538
Okay.  I have opened up SMTP and IMAP on the netscreen for both untrust to trust and trust to untrust. Same result.  I understand that SMTP is the sending "Mail" part of the process.  I just don't undertand this on a deep enough level to make sense of everything.  Can you tell me what port 143 is ( is it SMTP?).  I see ports like /21 and /3389 on my netscreen but nowhere do I see any reference to port 143.  Also, I have tried to configure the addresses specific to the port and it always rejects it saying that it is an invalid IP address.  Again, I have tried multiple combinations of ip/netmask and ports to no good result.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 21864070
25/tcp is SMTP
143/tcp is IMAP4
21/tcp is ftp (together with 20/tcp)
3389/tcp is Remote Desktop

You are confusing me. How could you open IMAP and SMTP if you cannot find port 143? In policies you use predefined or custom service entries like "IMAP", "SMTP" aso. Those services are defined either under Network > Services    or   Policy > Policy Elements > Services, and here you see all settings like source and target port.

Let's assume your policies are all right, you need to define VIP (if NAT is applied) on interface level. This means you tell your NetScreen that if an request on IMAP port comes on your single public address, it will be translated and forwarded to Exchange Server. Is this the problem? Or is your Exchange Server reachable under its own public ip address?

You didn't answer to my last question, yet.
0
 

Author Comment

by:JSTechinLA
ID: 21867142
I thought that 143 was IMAP4 but wasn't sure.  Depending on who I talk to they use either 143 or IMAP so now I know that they are one in the same.  Thanks.
The error occurs when I am trying to send an email from my exchange server (either locally attached or through the internet) to any address other than my domain.  The mail coming in works fine, it is the mail that I want to send out that is stopped with the "unable to relay" message.  It seems odd that my firewall would block something from going out.
Is this clearer?
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 21868636
When sending email to other mail servers, several steps will be taken. As example, I will describe sending email from   a@mydomain.com   to    b@targetdomain.com

- get MX DNS record for the target domain. You can test this manually:
      nslookup -type=mx targetdomain.com
   you should get a full name and an public ip address of the mail server in charge. Let's assume it is mx.targetdomain.com

- use SMTP to contact this email server, and spool the message. To test:
     telnet  mx.targetdomain.com smtp
     ehlo It's me
     mail from: <a@mydomain.com>
     rcpt to: <b@targetdomain.com>
     data
(put here some normal email header and text, but that is not important)
     .
     quit
  If that works, Exchange is doing something wrong.

My guesses are that it does not work. If so, you might be on the wrong mail server. And because only your own domain works, I think you are either on your Exchange server or on an internet relay for your Exchange server. Both will not allow for relaying (receiving email for non-local targets).
0
 

Author Comment

by:JSTechinLA
ID: 21869370
The Get MX DNS worked fine.
The telnet to SMTP failed to connect.
I used:  
telnet mx,gmail.com smtp

Any further thoughts?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 21873066
AFAIK google mail does not allow for SMTP. Try another one.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now