Solved

Incoming Mail through a firewall

Posted on 2009-07-14
6
409 Views
Last Modified: 2013-11-30
I'm a little stumped on this one.  I have a mail server that was multi-homed, and used the external interface for the virtual smtp server.

I have finally installed a new firewall, and have been able to get RPC over HTTP through the firewall, as well as OWA.  I created rules for SMTP and HTTPS, and forwarded the traffic to the internal interface, as well as change the Virtual SMTP server to use the internal interface.

As I mentioned, OWA and RPC over HTTPS both work; but I have NO incoming email.  I am also running GFI MailEssentials and MailSecurity; but in both cases they are directed at the Virtual SMTP Server.  I did verify that the incoming mail stopped as it was not even hitting the MailEssentials.

Any suggestions?

As soon as I renabled the external interface and disabled the virtual ip on the firewall as well as the rules; I started receiving incoming emails.

Sidenote: the firewall is pfSense.

Thanks,
0
Comment
Question by:cjmara
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24855612
do you have MX record pointing to both public IP's, or just to the external interface?
0
 

Author Comment

by:cjmara
ID: 24855635
The MX record is pointing to the external interface, but we set that up on the firewall (after it was disabled on the mail server) as a virtual ip and then added the rules for forwarding.

Thanks
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24855650
what rules have you for the virtual ip in the firewall?

Sounds like the rule for SMTP is not quite right..
Can you telnet to port 25 externally to test?

0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:cjmara
ID: 24855701
Sorry I should have added that.  We were able to telnet to port 25 on the appropriate address (once I remembered to change the Virtual SMTP server).

I am including a picture of the rules that we have since disabled.

Thanks,
pfSense-rules.png
0
 
LVL 23

Accepted Solution

by:
debuggerau earned 500 total points
ID: 24855768
you say "that we have since disabled."

and yes, they are disabled...

I'm assuming you've enabled them...

When you tested the SMTP, did you get an email sent to you?
I usually test the SMTP till I get an email in my inbox, to verify the handshaking all the way..

___________________________________________________
telnet mail.domain.ext 25
You should receive a reply like:
Trying ???.???.???.???...
Connected to mail.domain.ext.
Escape character is '^]'.
220 mail.domain.ext ESMTP Sendmail ?version-number?; ?date+time+gmtoffset?

You will then need to delcare where you are sending the email from:
HELO local.domain.name - dont worry too much about your local domain name although you really should use your exact fully qualified domain name as seen by the outside world the mail server has no choice but to take your word for it as of RFC822-RFC1123.
This should give you:
250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you

Now give your email address:
MAIL FROM: mail@domain.ext
Should yeild:
250 2.1.0 mail@domain.ext... Sender ok
If it doesn't please see possible problems.

Now give the recipients address:
RCPT TO: mail@otherdomain.ext
Should yeild:
250 2.1.0 mail@otherdomain.ext... Recipient ok
If it doesn't please see possible problems.

To start composing the message issue the command DATA

If you want a subject for your email type Subject:-type subject here- then press enter twice (these are needed to conform to RFC 882)

You may now proceed to type the body of your message (e.g. hello mail@otherdomain.ext from mail@domain.ext)

To tell the mail server that you have completed the message enter a single "." on a line on it's own.
The mail server should reply with: 250 2.0.0 ???????? Message accepted for delivery

You can close the connection by issuing the QUIT command.

0
 

Author Closing Comment

by:cjmara
ID: 31603556
Well,

I wasn't able to get things working properly from home last night so I left it until this morning.  I switched everything on the mail server, and then the firewall; and then connected to the mail server.  Yesterday we only went as far as connecting to the mail server, so this morning we completed the process by sending a mail as you had suggested.  It worked, and when I went and looked at my logs, mail did not stop coming in today.

Not sure what has changed as I followed the same steps that I did yesterday (and rechecked yesterday) but today it is working.  At the same point, doesn't really matter much as long as it is working.

Thanks for the suggestion, as going back to it made the difference.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question