Solved

IMAP Sending issue from outside firewall.  Think it is firewall...stumped?

Posted on 2011-03-10
628 Views
Last Modified: 2012-05-11
I have been around MS servers and networking for a long time but am stumped on an IMAP SMTP sending issue.

It's been a few years since I set the original configurations and we never really used IMAP until we had some users with Macs at home, so I cannot remember when it last worked, but we don't change that much either.

Inside the firewall my IMAP connections can send fine.  Outside the firewall they cannot connect to send, but can receive just fine.

The other thing is we are receiving external mail just fine, but if I try to telnet to port 25, I cannot connect.  We have a Sonicwall FW and I have been up and down the configs and can't see anything misconfigured.

Thanks in advance.  I am stumped.

I am running a 2003 FE/BE.
Authenticated users and certain subnets are trusted to relay.  This is why it works internally.  Externally it should accept the authentication, but I think this is where it is failing somehow.


Question by:TumacLumber
29 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35106344
How do you receive your mail?

Do you receive it from a 3rd party that filters your mail and then delivers it to you?

If you do - the firewall may only allow their IP Addresses to send on port 25.  Please check your firewall rules.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35106372
Check on http://www.canyouseeme.org/ to see if that says port 25 is open to your public IP.

www.testexchangeconnectivity.com can also test SMTP to your domain/server.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35106395
As Alan says, you might only be allowing port 25 externally to and from MessageLabs or some other 3rd party/ISP.

Once you confirm port 25 is open to your server then ensure the Macs are set to authenticate with the Sending SMTP server before sending.
 

Author Comment

by:TumacLumber
ID: 35110207
We do not use a 3rd party for SPAM.

We use Vamsoft ORFee and GFI MailSecurity/MailEssentials on our Exchange server.   To my knowledge they do not restrict connections on 25.  

Based on my knowledge, I am surprised that we are receiving external mail since I cannot telnet to port 25 unless for some odd reason my FIOS is not letting it connect, but all indication is that I am reaching my pub IP 173.11.xxx.xxx

I am less concerned about the telnet than the fact that I cannot relay authenticated users from outside the firewall.

 
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35110222
I can telnet to your IP Address - mail2.domain.com : )
 

Author Comment

by:TumacLumber
ID: 35110236
Try mail.domain.com.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35110242
Yep - not a problem either.
 

Author Comment

by:TumacLumber
ID: 35110280
That is really odd.  I wonder if something in my Win7 is not allowing me or my home ISP (Verizon) is not allowing me to Telnet.  

I was wondering how we could receive mail without 25 being open.   That also tells me my SPAM/Security solutions aren't doing anything tricky.

Still have the issue of 25 not letting authenticated user relay for IMAP.....
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 35110298
It could be the ISP blocking port 25 wherever the IMAP users are.  Most ISPs do now as an anti-spam measure.  You could use a different port to send on.
 

Author Comment

by:TumacLumber
ID: 35110499
I will try reconfiguring to 547 and try this weekend.

Thanks,
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35110558
No probs - do you want me to hide your IP / domain names?
 

Author Comment

by:TumacLumber
ID: 35110617
Yah - that would probably be good.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35111096
You could try telnetting to 587 as that is secure SMTP and see if that is open.
 
LVL 33

Expert Comment

by:digitap
ID: 35112332
do you have any of the security services enabled on your sonicwall? i.e., content filter, IPS, GAV, anti-spam?

 

Author Comment

by:TumacLumber
ID: 35112513
Yes, we have the CGS package.  As far as I remember (which I can check) we have Content Filter and Intrusion on.  We found the Anti-Spyware feature kills internet functionality.  Maybe IP is not allowing?
 
LVL 33

Expert Comment

by:digitap
ID: 35112621
it's quite possibly IPS. GAV does have an exclusion for IMAP, so confirm this hasn't been enabled. regarding IPS, by default, high, med, low risks are configured to detect and high risks are set to block. consider setting it to detect only and see if this changes anything.

also, go to Log > Categories and make sure your logging level is debug and check the top box of each category to select all the categories in each column. then, go back to your log and monitor. if the security services are blocking the IMAP traffic, then you'll see those in yellow.
 
LVL 33

Expert Comment

by:digitap
ID: 35112624
by the way, what kind of sonicwall do you have? enhanced or standard?
 

Author Comment

by:TumacLumber
ID: 35112903
We have Enhanced OS.  NSA 2400.

I have perused the logs for an IMAP block but have not seen one.  I only see some SMTP Relay denied, but the source IP is not the IP that I was trying to connect from, so I do not believe that log event pertained to my problem.

 
LVL 33

Expert Comment

by:digitap
ID: 35112960
yes, i'd agree.

so, if i understand correctly, you are unable to get IMAP traffic in WAN > LAN, is that correct? how do you have the ports opened through your firewall to allow this traffic? is it a part of an address group for other Exchange services or an individual address object?
 

Author Comment

by:TumacLumber
ID: 35113002
IMAP, POP, OWA are lumped into a service definition that has a NAT policy for our firewall.  IMAP is connecting to the server fine, but IMAP uses SMTP for sending.

I cannot test this while inside my network, but I wouldn't be surprised if port 25 traffic is blocked by my ISP, since I was unable to telnet to the port on my public IP from home but alanhardisty was able to, and I can telnet from my network here to the outside IP.

I am going to add 587 to my NAT policies and test it over the weekend.
 
LVL 33

Expert Comment

by:digitap
ID: 35113024
Are the Exchange servers already configured to use port 587 instead of port 25?
 
LVL 33

Expert Comment

by:digitap
ID: 35113027
Or, in addition to?
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 35115604
If your ISP is blocking anything - it will be blocking the port out, not in, so as I can telnet to your IP / server from the UK, that would suggest that it is not being blocked inwards at all.

When your IMAP users are connecting - where are they connecting from (or how)?

Perhaps their ISP is blocking outbound Port 25, which would explain a great deal, as well as your ISP from your home, because you cannot telnet on port 25 either.  To test - try to telnet to port 25 on mail.sohomail.co.uk (telnet mail.mydomain.co.uk 25 or telnet 188.220.xxx.xxx 25).  If you can't connect, then it isn't a DNS problem; your ISP is blocking your port 25 outbound.

This is standard practise for Home DSL connections - if you change the port to 587 for inbound (Secure SMTP) on your server and change your firewall to allow inbound connections using port 587 (as well as 25 so that the rest of the world can send you mail), then configure your IMAP clients to use port 587 for sending, that won't be getting blocked by ANY ISP, so you shouldn't have any problems.

The alternative is to use RPC over HTTPS then all you need open is port 443, which will be if you have OWA working and then anyone can send mail in and out with a correctly configured client (and SSL certificate).
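The diagnostic reasoning in the accepted solution (an ISP block hits outbound port 25 to every destination, so failing against an unrelated known-good server too points at the client's ISP rather than the Exchange firewall) as a runnable check. This is an added example, not code from the thread; the hostnames are placeholders you replace with your own mail server and any unrelated server known to accept port 25.

```python
"""Outbound SMTP reachability check following the thread's reasoning (added example)."""
import socket
from typing import Dict, Tuple

OWN_SERVER = "mail.example.com"              # placeholder: your Exchange host
REFERENCE_SERVER = "mail.reference.example"  # placeholder: unrelated, known-good SMTP host

# Conclusions returned by diagnose()
ISP_BLOCKS_25 = "local ISP blocks outbound 25: use submission port 587 with authentication"
OPEN_587 = "local ISP blocks outbound 25 and 587 is closed: publish 587 through the firewall/NAT"
SERVER_SIDE = "port 25 reaches other hosts but not yours: check NAT/firewall/service on your side"
DNS_PROBLEM = "name resolution failed: fix DNS before testing ports"
NOT_NETWORK = "port 25 is reachable: look at authentication/relay settings, not the network"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """TCP-connect to host:port; return 'open', 'refused', 'timeout' or 'dns'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout, network/host unreachable: looks like a silent drop
        return "timeout"


def diagnose(results: Dict[Tuple[str, int], str]) -> str:
    """Map probe results (keyed by (host, port)) to the thread's conclusions."""
    own25 = results.get((OWN_SERVER, 25))
    ref25 = results.get((REFERENCE_SERVER, 25))
    own587 = results.get((OWN_SERVER, 587))
    if own25 == "dns":
        return DNS_PROBLEM
    if own25 == "open":
        return NOT_NETWORK
    if own25 == "refused" or ref25 == "open":
        # Packets reach the far end (or reach other hosts): the block is not upstream of us.
        return SERVER_SIDE
    # Port 25 times out against both targets: filtered before leaving this network.
    return ISP_BLOCKS_25 if own587 == "open" else OPEN_587


def run_checks() -> str:
    """Probe the three endpoints from this client and return the diagnosis."""
    targets = [(OWN_SERVER, 25), (REFERENCE_SERVER, 25), (OWN_SERVER, 587)]
    return diagnose({t: probe(*t) for t in targets})


if __name__ == "__main__":
    print(run_checks())
```

Run it from the home connection that cannot telnet to port 25; running it from inside the office network only tells you about the office's own egress.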
 

Author Comment

by:TumacLumber
ID: 35117470
Yah - looks like an ISP outbound block, as I could not telnet to your server.  I am going to open 587 on my firewall and see what happens.  I use RPC over HTTP for my main configuration, but I have a couple of users (salespeople, so I cater to them a little bit) who use Macs at home that would rather use them.  I originally had the Mac set up with the Exchange option, but it stopped working, so I switched it to IMAP and started having this problem.

As far as I know, Entourage cannot do RPC over HTTP but have not validated that in a while.


Thanks for your help testing my connection from outside.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35117517
Office 2011 for Mac can do RPC over HTTPS to Exchange 2010 - I know that for a fact, so theoretically it should cope with Exchange 2003 too, but need to check.

Sounds very much like your ISP is blocking port 25 - not unusual!!
 

Author Closing Comment

by:TumacLumber
ID: 35117662
I need a sys admin to help me keep up on all this stuff.  Thanks for the help.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35117715
It's an ever-changing beast, the IT world!  EE is always here for you when you need it : )

Thanks for the points.

Alan
 
LVL 33

Expert Comment

by:digitap
ID: 35118135
Yes... I can say this was the first time I'd heard of the 587 port!
