RE: incoming and outgoing

  • From: "Walkowiak, Matt" <Matt.Walkowiak@xxxxxxxxxxxx>
  • To: "Joe Szumowski" <joes1010@xxxxxxx>, <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Jun 2002 10:09:05 -0500

Firewalls SHOULD be very simple.  Usually, they have at least one
external IP address, and are doing NAT on the inside.  If you want an
inside computer to be accessible from the outside, tell the world to go
to the External IP address, and then the firewall decides what port the
request is coming in on.  Then it tries to find a rule that matches the
requesting packet.  If it does find a rule, it pushes your packet down
that rule.  Note, that rule could be to drop the packet, or forward it
to a web server or POP3 server...

So, you need a rule that says a TCP packet on port 80 from anywhere,
forward to 10.0.0.50, port 80 (OWA)
Same thing for POP3, but use port 110 instead (POP3).
You probably already have a rule for port 25 to allow incoming mail into
your exchange server - try copying that rule with the different ports
(???)

Now, if your firewall is doing proxy, that's different, and
unfortunately, I will be of little help there.  The way I understand
proxy, it grabs the packet and holds it for a bit.  Then it fires up an
equivalent request on the other side of the firewall that goes and gets
the data that the original packet asked for.  When it gets the response,
it fires off that response to the requester - this way the outside and
the inside never directly talk to one another, whereas with port
forwarding the outside and inside do talk directly to one another.

Matt Walkowiak
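
Added example, not part of the original message: a small Python check that connects the way an outside client would and reports whether the expected service answered on a forwarded port (220 for SMTP, +OK for POP3, an HTTP status line for OWA). The names classify and check_forward, the status strings and the sample banners are assumptions made for this illustration.

```python
import socket

# Service -> (bytes to send first, or None if the server speaks first;
#             prefix that a healthy first reply starts with).
SERVICES = {
    "smtp": (None, b"220"),                          # port 25
    "pop3": (None, b"+OK"),                          # port 110
    "http": (b"HEAD / HTTP/1.0\r\n\r\n", b"HTTP/"),  # port 80 (OWA)
}

def classify(service, data):
    """Map the first bytes received to (status, first line of the reply)."""
    if not data:
        return ("no-banner", "")
    line = data.split(b"\r\n", 1)[0].decode("latin-1")
    if data.startswith(SERVICES[service][1]):
        return ("ok", line)
    # Something answered, but not with the greeting this service gives.
    return ("unexpected", line)

def check_forward(host, port, service, timeout=5.0):
    """Connect to host:port and report what answered.

    Run it from outside the firewall against the external address,
    e.g. check_forward("mail.example.org", 110, "pop3") (placeholder name).
    """
    probe, _ = SERVICES[service]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            data = s.recv(512)
    except ConnectionRefusedError:
        return ("refused", "nothing listening, or a reject rule")
    except socket.timeout:
        return ("timeout", "no reply: no matching rule, or packet dropped")
    except OSError as exc:
        return ("error", str(exc))
    return classify(service, data)

if __name__ == "__main__":
    # Constructed banners, not captured from any real server.
    for svc, banner in [("smtp", b"220 mail.example.org ESMTP\r\n"),
                        ("pop3", b"220 mail.example.org ESMTP\r\n"),
                        ("http", b"")]:
        print(svc, classify(svc, banner))
```

An "unexpected" result on port 110 that shows an SMTP greeting, for instance, means the port reached a different service than the rule was meant to forward to.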


> Matt,
> I read your response and it was very useful.  I experienced many of those
> problems a few weeks ago and I wish I had your info then.  Our email is now
> working both inside and outside the domain with one exception.  We are now
> attempting to retrieve our email from outside the domain using either pop3
> or OWA.  We have a CyberGuard firewall and have set the smart proxies when
> it sees mail.xxxxxx.org to route it to the exchange server.  Seems easy enough
> but it doesn't work.  The mail.xxxxxx.org resolves to the outside IP address
> of the firewall.  This IP also resolves to hb.xxxxxx.org (another RISC6000
> server).  I am working with the firewall people regarding OWA but I would
> like to get pop3 working in the meantime.  Any thoughts?
> Thanks
> ----- Original Message -----
> From: "Walkowiak, Matt" <Matt.Walkowiak@xxxxxxxxxxxx>
> To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
> Sent: Tuesday, June 18, 2002 3:18 PM
> Subject: [exchangelist] RE: incoming and outgoing
>
>
> http://www.MSExchange.org/ - Re-Vamped!
>
>
> Ok, you Internet e-mail newbies - LISTEN UP!!!  Hehe...
>
> To RECEIVE e-mail, this is what needs to happen:
> Some guy from Hanover, Indiana wants to send you a message.  He has your
> e-mail address (user@xxxxxxxxxx).  After he finishes typing it, he sends
> it off to his designated SMTP server, and if he is local or allowed to
> relay, the SMTP server takes over from there.  Otherwise, he will get a
> "relay not allowed" error message - has nothing to do with you at all...
> The SMTP server does a lookup on the domain.com part of your e-mail
> address.  It asks the world "what IP address should I send stuff
> destined for domain.com to?"  The world queries the zone record for the
> domain domain.com and finds the lowest numbered MX record - that's the
> IP address the SMTP server is looking for!
> Now, the sending SMTP server tries to talk to that IP address it got
> from the MX record (gotta make sure that IP address is the same as your
> exchange server, or at least it needs to be able to get to your exchange
> server) using SMTP (port 25).  This is the first thing you need to
> check; have someone from a different ISP try and telnet to your exchange
> server on port 25:
> telnet ip.add.re.ss 25
> Then, make sure the name works, too:
> telnet mail.domain.com 25
> Both should return a 220 response from the Exchange server.
> If they do, then the sending SMTP server dumps the data from itself to
> your server.  THEN, your Exchange server sees if it is supposed to
> answer to @domain.com.  If no, then bad things happen.  If yes, then the
> Exchange server sees what account this particular e-mail belongs to
> (looks at the part before the @ sign) - if that user exists, it will try
> and dump the data into that mailbox.  If it doesn't exist, then your
> exchange server will spit back a response to the sender in Hanover,
> Indiana informing him that the e-mail account was not found.
>
> If you have gotten this far and you STILL cannot receive e-mails from
> the outside in, then you have proven the problem exists on your exchange
> server.
>
> If you cannot SEND mail to an outside user in, say, Hanover, Indiana,
> there are a few different steps you will want to try.
> First, make sure your server can ping its own IP address, then make
> sure it can ping its gateway.  Then see if it can ping a host out on the
> Internet - try random numbers till ya find one that responds.  Then, and
> here's the hard part, see if you can resolve names - ping www.asdf.com
> and see if you get an IP address back - don't worry if you don't get a
> ping response, we already determined you could ping an IP address - now
> we just care if you can resolve an addy.  Then see if you can surf the
> Internet.  (The first step I always try is to surf the Internet, then I
> work backwards to figure out what is wrong, which is why I wrote all
> that before I said to try and surf - a lot of things need to happen to
> be able to surf the Internet)
>
> If you can surf the Internet, that means you can talk on ports 80, maybe
> 443, 53 and if you could ping, port 0.  However, it tells you very
> little about being able to send packets out on port 25.  So, from your
> Exchange server that can surf the Internet, telnet to some mail server
> on port 25 and see if you get a 220 response.  No?  Try a few others
> (including your ISP's - that's actually a very good test).  Some ISPs
> will block port 25 from leaving their network, so clear that when you
> talk to them.
> If you did getta 220 response and still cannot send, make sure your
> server is not an open relay and listed in one of the spam relay
> databases.  Also, make sure that the domain you are sending FROM is
> resolvable - many mail servers will do a quick check to be sure they are
> talking to an actual mail server before they will allow a computer to
> send data on port 25.  And make sure the sender (you at your desk using
> Outlook) can talk to the Exchange server and that you are either local
> or have relay permissions.
>
> Oh, and one more step to do with problems in either direction - TURN ON
> SMTP LOGGING!  In Exchange 2000, it's in System Manager, Servers -->
> Server name --> Protocols --> SMTP --> Default SMTP.  Go into properties
> of that and Enable logging with ALL the extended features.  Logs will
> tell you SO much if you are actually recording them :)
>
> HTH!
>
> Matt Walkowiak
>
>
>
>
>
> -----Original Message-----
> From: Marvin Cummings [mailto:marvc@xxxxxxxxxxxxx]
> Sent: Tuesday, June 18, 2002 12:40 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: incoming and outgoing
>
> Can I ask a question on this reply?
>
> Doesn't exchange create a recipient policy on the initial install? I'm
> having the same problem where I'm able to send email internally and can also
> send it outside, I'm just not able to receive any. After being asked to
> create a recipient policy I noticed that there was one already created. Does
> this mean I need to create another one? If so should I use a different email
> address type or the same SMTP?
> EX newbie...
>
> -----Original Message-----
> From: Andrew J. Shipp [mailto:Andrew@xxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, June 18, 2002 1:26 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: incoming and outgoing
>
> Have you set yourself up with an external email address / created a
> recipient policy?
>
>
>
> -----Original Message-----
> From: Denise Dorrance [mailto:denisedorrance@xxxxxxxxxxx]
> Sent: 18 June 2002 16:29
> To: [ExchangeList]
> Subject: [exchangelist] incoming and outgoing
>
> Hi All -
>
> I am able to send email to anyone within the domain but cannot send or
> receive from or to anyone outside of the company.  Any help would be
> appreciated.
>
>
>