How Do I Configure Sonicwall Ports & Rules for Anti-Spam Service

I may have a unique question for Experts Exchange as I did a search and could find nothing that addresses my problem.

I have a Sonicwall NSA 2400 running firmware 5.6.0.0 and I just purchased and activated the Sonicwall Anti-Spam license for it.  When I attempt to enable the service in the admin page, I get the following error...

"Mail Server Auto-Detect Failed
The system detects there are one or more NAT and/or Rule policies that use a service group or a service port range that includes SMTP and non-SMTP service ports.The system could not enable the Anti-Spam service using the current configuration.

Please check and modify your NAT and/or Access Rule policies to separate SMTP service from non-SMTP services at Firewall > Access Rules and Network > NAT Policies. "

I have existing rules in place for my Exchange Server and apparently one or several of the rules is conflicting with what the Anti-Spam service wants to do.  I have contacted Sonicwall Tech Support but have not received a response yet.  I have also scoured through their documentation but get conflicting resolutions to this error.  Some things say to delete all of your SMTP-related rules from the firewall and then enable the service, which will create the rules it needs on its own.  Other things say to separate your SMTP ports and services from non-SMTP ports and services and then enable but I am not finding any ports and services in my SMTP rules that are non-SMTP related.

Has anyone seen this error before and what is the best resolution to overcome it?
CruJonesAsked:

digitapCommented:
It certainly sounds as if deleting the firewall/nat rules and letting the anti-spam create them for you is the way to go.  Get a backup first, of course.  Remember, there will be three nat rules.  One ingress, one egress and one loopback.  Also, two firewall rules: ingress and egress.  You should delete the address objects as well.

Something else to think about, 5.6 is an early release and you may have stumbled upon a bug in the new firmware.  Did you post on the forums or did you contact support and create a support ticket?  You should call support with something like this.

What you could do is back rev to the release prior to 5.6 and see if the issue persists.  Get a backup and you should be able to restore to the prior version without having to reconfigure everything.
0
CruJonesAuthor Commented:
I opened an online service ticket but since I haven't gotten a response yet, I'll call them tomorrow.  The reason I'm running 5.6 is because a few weeks ago I was installing a SonicPoint-N and it wasn't initializing correctly.  Tech Support recommended upgrading the firmware to 5.6 and it fixed that problem so I'm afraid if I back rev I'll lose the SonicPoint.  I think you're right though, this sounds like a bug in 5.6 because everything I have read says that enabling the Anti-Spam service should delete the rules it needs to and create its own.

I'll leave this open until I talk to Tech Support and get it resolved so others can have the solution.  Thanks for your help digitap.
0
digitapCommented:
Sounds good.  Probably should wait on the back rev.  I loaded 5.6 on an NSA 2400 with SonicPoint-N devices and had trouble connecting to the wireless network.  I discovered that if I used a VAP profile in a virtual access point, the laptops wouldn't connect.  I ended up configuring the security directly within the VAP rather than use the profile and that fixed it...another bug.
0
CruJonesAuthor Commented:
Just finished up with Sonicwall Tech support.  What he ended up doing was the second of my questioned solutions, which was separate the SMTP Port 25 services from non-SMTP related ports and services.  My firewall had a mail group setup that included ports 25, 143 and 110 (because we have off-site users on IMAP and POP on various devices).  It appeared he went into Network > Services and edited the mail group to remove SMTP from the mail group mentioned above.  He then went into Network > NAT Policies and created a new policy for SMTP.  Lastly he went into Firewall > Access Rules and added a rule for SMTP.

We were then able to enable the Anti-Spam service without the error message.  When I asked if this might be a bug, he said the Anti-Spam service is not capable of isolating the SMTP service on its own to create the rules it needs to when enabling the service.  That would be nice if it could.  Thanks for the help digitap.
0
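The condition in the error message (a NAT policy or access rule whose service group or port range covers SMTP together with non-SMTP ports) can be checked before enabling the service. The following is an added example, not part of the original thread and not SonicWall's own detection logic; the `SERVICES` and `POLICIES` structures are a constructed, hypothetical model of the configuration, not a SonicOS export format.

```python
SMTP_PORT = 25

# Constructed sample data: a service is a list of (low, high) port ranges,
# a group is a list of member names. "Mail Group" mirrors the thread's case.
SERVICES = {
    "SMTP": [(25, 25)],
    "POP3": [(110, 110)],
    "IMAP": [(143, 143)],
    "Mail Group": ["SMTP", "POP3", "IMAP"],  # mixes SMTP with non-SMTP
    "Low Ports": [(20, 30)],                 # range that happens to include 25
    "Client Mail": ["POP3", "IMAP"],         # the group after SMTP is removed
}
POLICIES = [
    {"kind": "NAT", "name": "Exchange inbound", "service": "Mail Group"},
    {"kind": "Access Rule", "name": "WAN>LAN mail", "service": "Mail Group"},
    {"kind": "Access Rule", "name": "WAN>LAN legacy", "service": "Low Ports"},
    {"kind": "NAT", "name": "SMTP inbound", "service": "SMTP"},
    {"kind": "Access Rule", "name": "WAN>LAN client mail", "service": "Client Mail"},
]

def expand(name, services, seen=frozenset()):
    """Resolve a service or nested group to a flat list of (low, high) ranges."""
    if name in seen:  # guard against groups that reference each other
        return []
    ranges = []
    for member in services[name]:
        if isinstance(member, str):
            ranges += expand(member, services, seen | {name})
        else:
            ranges.append(member)
    return ranges

def mixes_smtp(name, services):
    """True if the service covers port 25 and at least one other port."""
    ranges = expand(name, services)
    has_smtp = any(lo <= SMTP_PORT <= hi for lo, hi in ranges)
    has_other = any((lo, hi) != (SMTP_PORT, SMTP_PORT) for lo, hi in ranges)
    return has_smtp and has_other

def conflicting_policies(policies, services):
    """Policies whose service must be split into SMTP-only and non-SMTP parts."""
    return [(p["kind"], p["name"], p["service"])
            for p in policies if mixes_smtp(p["service"], services)]

if __name__ == "__main__":
    for kind, name, svc in conflicting_policies(POLICIES, SERVICES):
        print(f"{kind} '{name}' uses '{svc}': separate SMTP from the other ports")
```
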
digitapCommented:
actually, i would have argued (as i'm apt to do).  if the smtp service can't do that then they should make his steps part of the setup instructions...i haven't read them yet, but i assume the steps weren't there.
either way...glad you got it working!

0
CruJonesAuthor Commented:
I must be too passive as I was just happy to get off the phone with him after being on hold for 20 minutes and then struggling through our conversation for another 20.  I went back and looked at both the Quick Start and detailed instructions and neither mention this potential hiccup.  Matter of fact I believe the detailed instructions say that if there are existing policies, the generated policies will use the existing policies as their original destination.  I'll have to double check that.
0
digitapCommented:
i think you got 'em...they'll fix it the next release
0

digitapCommented:
Glad I could assist and thanks for the points!
0