• Status: Solved

IMAP Sending issue from outside firewall. Think it is firewall...stumped?

I have been around MS servers and networking for a long time but am stumped on an IMAP SMTP sending issue.

It's been a few years since I set the original configurations and we never really used IMAP until we had some users with Macs at home, so I cannot remember when it last worked, but we don't change that much either.

Inside the firewall my IMAP connections can send fine.  Outside the firewall they cannot connect to send, but can receive just fine.

The other thing is we are receiving external mail just fine, but if I try and telnet to port 25, I cannot connect.  We have a Sonicwall FW and I have been up and down the configs and can't see anything misconfigured.

Thanks in advance.  I am stumped.

I am running a 2003 FE/BE
Authenticated users and certain subnets are trusted to relay.  This is why it works internally.  Externally it should accept the authentication, but I think this is where it is failing somehow.


Asked: TumacLumber

2 Solutions

Alan Hardisty (Co-Owner) commented:
How do you receive your mail?

Do you receive it from a 3rd party that filters your mail and then delivers it to you?

If you do - the firewall may only allow their IP Addresses to send on port 25.  Please check your firewall rules.
MegaNuk3 commented:
Check on http://www.canyouseeme.org/ to see if that says port 25 is open to your public IP

www.testexchangeconnectivity.com can also test SMTP to your domain/server
MegaNuk3 commented:
As Alan says, you might only be allowing port 25 externally to and from MessageLabs or some other 3rd party/ISP

Once you confirm port 25 is open to your server then ensure the Macs are set to authenticate with the Sending SMTP server before sending.
TumacLumber (Author) commented:
We do not use a 3rd party for SPAM.

We use Vamsoft ORFee and GFI MailSecurity/MailEssentials on our Exchange server.   To my knowledge they do not restrict connections on 25.  

Based on my knowledge, I am surprised that we are receiving external mail since I cannot telnet to port 25 unless for some odd reason my FIOS is not letting it connect, but all indication is that I am reaching my pub IP 173.11.xxx.xxx

I am less concerned about the telnet than the fact that I cannot relay authenticated users from outside the firewall.

Alan Hardisty (Co-Owner) commented:
I can telnet to your IP Address - mail2.domain.com : )
0
 
TumacLumberAuthor Commented:
Try mail.domain.com
Alan Hardisty (Co-Owner) commented:
Yep - not a problem either.
TumacLumber (Author) commented:
That is really odd.  I wonder if something in my Win7 is not allowing me, or my home ISP (Verizon) is not allowing me to telnet.

I was wondering how we could receive mail without 25 being open.   That also tells me my SPAM/Security solutions aren't doing anything tricky.

Still have the issue of 25 not letting authenticated users relay for IMAP...
Alan Hardisty (Co-Owner) commented:
It could be the ISP blocking port 25 wherever the IMAP users are.  Most ISPs do now as an anti-spam measure.  You could use a different port to send on.
TumacLumber (Author) commented:
I will try reconfiguring to 547 and try this weekend.

Thanks,
Alan Hardisty (Co-Owner) commented:
No probs - do you want me to hide your IP / domain names?
TumacLumber (Author) commented:
Yah - that would probably be good.
MegaNuk3 commented:
You could try telnetting to 587 as that is secure SMTP and see if that is open
digitap commented:
do you have any of the security services enabled on your sonicwall? i.e., content filter, IPS, GAV, anti-spam?
TumacLumber (Author) commented:
Yes, we have the CGS package.  As far as I remember (which I can check), we have Content Filter and Intrusion on.  We found the Anti-Spyware feature kills internet functionality.  Maybe IPS is not allowing it?
digitap commented:
it's quite possibly IPS. GAV does have an exclusion for IMAP, so confirm this hasn't been enabled. regarding IPS, by default, high, med, low risks are configured to detect and high risks are set to block. consider setting it to detect only and see if this changes anything.

also, go to Log > Categories and make sure your logging level is debug and check the top box of each category to select all the categories in each column. then, go back to your log and monitor. if the security services are blocking the IMAP traffic, then you'll see those in yellow.
digitap commented:
by the way, what kind of sonicwall do you have? enhanced or standard?
TumacLumber (Author) commented:
We have Enhanced OS.  NSA 2400.

I have perused the logs for an IMAP block but have not seen one.  I only see some SMTP Relay denied, but the source IP is not the IP that I was trying to connect from, so I do not believe that log event pertained to my problem.
digitap commented:
yes, i'd agree.

so, if i understand correctly, you are unable to get IMAP traffic in WAN > LAN, is that correct? how do you have the ports opened through your firewall to allow this traffic? is it a part of an address group for other Exchange services or an individual address object?
TumacLumber (Author) commented:
IMAP, POP, OWA are lumped into a service definition that has a NAT policy for our firewall.  IMAP is connecting to the server fine, but IMAP uses SMTP for sending.

I cannot test this while inside my network, but I wouldn't be surprised that port 25 traffic is blocked by my ISP, since I was unable to telnet to the port on my public IP from home but alanhardisty was able to, and I can telnet from my network here to the outside IP.

I am going to add 587 to my NAT policies and test it over the weekend.
digitap commented:
are exchange servers already configured to use port 587 instead of port 25?
digitap commented:
or, in addition to?
Alan Hardisty (Co-Owner) commented:
If your ISP is blocking anything - it will be blocking the port out, not in, so as I can telnet to your IP / server from the UK, that would suggest that it is not being blocked inwards at all.

When your IMAP users are connecting - where are they connecting from (or how)?

Perhaps their ISP is blocking outbound Port 25, which would explain a great deal, as well as your ISP from your home, because you cannot telnet on port 25 either.  To test - try to telnet to port 25 on mail.sohomail.co.uk (telnet mail.mydomain.co.uk 25 or telnet 188.220.xxx.xxx 25).  If you can't connect, then it isn't a DNS problem, your ISP is blocking your port 25 outbound.

This is standard practice for Home DSL connections - if you change the port to 587 for inbound (Secure SMTP) on your server and change your firewall to allow inbound connections using port 587 (as well as 25 so that the rest of the world can send you mail), then configure your IMAP clients to use port 587 for sending, that won't be getting blocked by ANY ISP, so you shouldn't have any problems.

The alternative is to use RPC over HTTPS then all you need open is port 443, which will be if you have OWA working and then anyone can send mail in and out with a correctly configured client (and SSL certificate).
0
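A small diagnostic that scripts the check Alan describes above (does port 25 connect from this path, does 587) together with MegaNuk3's point that the clients must authenticate before relaying. This is an added example, not code from the thread or from Exchange/Sonicwall; `probe_smtp`, `diagnose` and `local_port` are names I chose, and `local_port` is a constructed local stand-in for a mail server so the script runs offline.

```python
import smtplib
import socket
import threading

def probe_smtp(host, port, timeout=5.0):
    """Connect and EHLO; report whether the port answers and whether AUTH is offered."""
    res = {"port": port, "connected": False, "auth": False}
    try:
        with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
            res["connected"] = True
            smtp.ehlo()
            res["auth"] = smtp.has_extn("auth")  # server offers SMTP AUTH for relaying
    except (OSError, smtplib.SMTPException) as e:
        res["error"] = str(e)  # refused/timed out: what a blocked port looks like
    return res

def diagnose(p25, p587):
    """Map the two probes onto the situations discussed in the thread."""
    if not p25["connected"] and not p587["connected"]:
        return "no SMTP reachable: check firewall NAT/service rules or the server"
    if not p25["connected"]:
        return "port 25 blocked on this path (ISP): send via 587 with AUTH"
    live = p587 if p587["connected"] else p25
    if not live["auth"]:
        return "reachable but AUTH not advertised: clients cannot authenticate to relay"
    return "reachable and AUTH advertised: check client settings and relay rules"

def local_port(listening=True, auth=True):
    """Constructed stand-in for a mail server (not a real MTA) so this runs offline.
    listening=False binds then releases the port, so connect() is refused."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if not listening:
        srv.close()
        return port
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example ESMTP constructed\r\n")
        conn.recv(1024)  # EHLO
        conn.sendall(b"250-mail.example Hello\r\n"
                     + (b"250-AUTH LOGIN PLAIN\r\n" if auth else b"") + b"250 SIZE 10240000\r\n")
        conn.recv(1024)  # QUIT
        conn.sendall(b"221 Bye\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port
```

Against a real server you would call `diagnose(probe_smtp(host, 25), probe_smtp(host, 587))` from the client's network; a refused or timed-out 25 with a working 587 is the picture the thread ends up with.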
TumacLumber (Author) commented:
Yah - looks like an ISP outbound block, as I could not telnet to your server.  I am going to open 587 on my firewall and see what happens.  I use RPC over HTTP for my main configuration but I have a couple of users (salespeople, so I cater to them a little bit) who use Macs at home that would rather use them.  I originally had the Mac set up with the Exchange option, but it stopped working so I switched it to IMAP and started having this problem.

As far as I know, Entourage cannot do RPC over HTTP but have not validated that in a while.


Thanks for your help testing my connection from outside.
Alan Hardisty (Co-Owner) commented:
Office 2011 for Mac can do RPC over HTTPS to Exchange 2010 - I know that for a fact, so theoretically, it should cope with Exchange 2003 too, but need to check.

Sounds very much like your ISP is blocking port 25 - not unusual!!
TumacLumber (Author) commented:
I need a sys admin to help me keep up on all this stuff.  Thanks for the help.
Alan Hardisty (Co-Owner) commented:
It's an ever changing beast the IT world!  EE is always here for you when you need it : )

Thanks for the points.

Alan
digitap commented:
yes...i can say this was the first time i'd heard of the 587 port!