Mailing List Archive

Exchange and IPtables
Hello there,
I'm working at a small medical clinic. We had a PPP dialup connection to
a local ISP. We have upgraded to a DSL connection and a RH 7.1 firewall
running IPtables. Everything is working great. Web surfing, etc. The only
problem is that we have a Microshaft exchange server running behind the
firewall. I have forwarded port 25 to the exchange server. We can send and
receive mail within our domain and we can receive inbound email from
outside our domain, but if we send mail outside the domain (either as a
reply or as a new mail message) we get an undeliverable notification. Also,
we cannot even open the undeliverable notification; we get a message that
says we can't open the mail. Any thoughts would be appreciated. Thanx in
advance.
John
Re: Exchange and IPtables
On Wednesday 01 August 2001 21:18, you wrote:
> Hello there,
> I'm working at a small medical clinic. We had a PPP dialup connection
> to a local ISP. We have upgraded to a DSL connection and a RH 7.1 firewall
> running IPtables.

Since you are running Linux why not run a linux mail service like sendmail or
postfix?

> Everything is working great. Web surfing, etc. The only
> problem is that we have a Microshaft exchange server running behind the
> firewall. I have forwarded port 25 to the exchange server. We can send and
> receive mail within our domain and we can receive inbound email from
> outside our domain, but if we send mail outside the domain (either as a
> reply or as a new mail message) we get an undeliverable notification.

Well all your local mail (within your domain) should send since of course it
won't go through the firewall. And you are receiving mail because you have
the port forwarding. So I am guessing there is a problem with your outgoing
traffic being sent.

Can we see your firewall script?

--
Jordan Wilberding <diginux@diginux.net>
diginux.net Sys Admin

WoD <wod.sourceforge.net>
Aztec 3D <aztec.sourceforge.net>

"Fight war, not wars,
destroy power, not people"
-Crass
Re: Exchange and IPtables
John Maegli wrote:
> I have forwarded port 25 to the exchange server. We can send and
> receive mail within our domain and we can receive inbound email from
> outside our domain, but if we send mail outside the domain (either as a
> reply or as a new mail message) we get an undeliverable notification.

Did you write a rule in your FORWARD chain to handle the outgoing new
connections?

unpriv=1024:65535   # unprivileged (ephemeral) source port range

iptables -A FORWARD -p tcp -s <exchange-server> --sport $unpriv -d 0/0 \
    --dport 25 -j ACCEPT

Possibly a rule in the nat table if you are using private addresses?

bryan

--
Vegetarian: Indian word for lousy hunter
Re: Exchange and IPtables
http://support.microsoft.com/support/kb/articles/Q155/8/31.asp

hi,

You may want to take a look at the above link, which may help. MSX will
listen on port 135 for client connects to RPC. But then, and for whatever
reason, MSX will assign two random ports for the Directory & Information
stores. The above link will show you how to edit the registry to give the
DS & IS static ports. Then add those ports to your rules on your firewall.

Note that there are those who frown on allowing RPC connects through a
firewall; a VPN would enhance the security there.

Bill

William Burlew
Network Systems Administrator
Information Security Officer
Siemens Technology-To-Business Center, LLC
http://www.ttb.siemens.com



John Maegli wrote:

> Hello there,
> I'm working at a small medical clinic. We had a PPP dialup connection to
> a local ISP. We have upgraded to a DSL connection and a RH 7.1 firewall
> running IPtables. Everything is working great. Web surfing, etc. The only
> problem is that we have a Microshaft exchange server running behind the
> firewall. I have forwarded port 25 to the exchange server. We can send and
> receive mail within our domain and we can receive inbound email from
> outside our domain, but if we send mail outside the domain (either as a
> reply or as a new mail message) we get an undeliverable notification. Also,
> we cannot even open the undeliverable notification; we get a message that
> says we can't open the mail. Any thoughts would be appreciated. Thanx in
> advance.
> John
RE: Exchange and IPtables
You need to divide and conquer. Separate out the Exchange and the
communication and test.

At the SMTP (Exchange) server, try doing a telnet to an outside SMTP server
(port 25). This should be how you test it, to make sure that you can connect
and send a manual email from that system out to the Internet. Make sure you
get domain name resolution also, so try telnet <some smtp ip> 25 and telnet
<some smtp domain name> 25 to be sure. Once that works, then try your normal
process of sending a mail message out. Then if the former works and the
latter doesn't, you don't go messing up your firewall's rules when it's your
Exchange config. Vice versa also: you don't mess up your Exchange rules
when it's your firewall!

If the telnet doesn't work, check to make sure that the gateway on the
Exchange server is set to the system that port forwarded the traffic to it.

All in all, you could have two problems: Exchange config and TCP/IP config
(on the Exchange system and/or firewall).

William wrote:
------------

http://support.microsoft.com/support/kb/articles/Q155/8/31.asp

hi,

You may want to take a look at the above link, which may help. MSX will
listen on port 135 for client connects to RPC. But then, and for whatever
reason, MSX will assign two random ports for the Directory & Information
stores. The above link will show you how to edit the registry to give the
DS & IS static ports. Then add those ports to your rules on your firewall.

Note that there are those who frown on allowing RPC connects through a
firewall; a VPN would enhance the security there.

Bill

William Burlew
Network Systems Administrator
Information Security Officer
Siemens Technology-To-Business Center, LLC
http://www.ttb.siemens.com



John Maegli wrote:

> Hello there,
> I'm working at a small medical clinic. We had a PPP dialup connection to
> a local ISP. We have upgraded to a DSL connection and a RH 7.1 firewall
> running IPtables. Everything is working great. Web surfing, etc. The only
> problem is that we have a Microshaft exchange server running behind the
> firewall. I have forwarded port 25 to the exchange server. We can send and
> receive mail within our domain and we can receive inbound email from
> outside our domain, but if we send mail outside the domain (either as a
> reply or as a new mail message) we get an undeliverable notification. Also,
> we cannot even open the undeliverable notification; we get a message that
> says we can't open the mail. Any thoughts would be appreciated. Thanx in
> advance.
> John
RE: Exchange and IPtables
These rules have been working for me since I started using iptables.
About a year now, I would guess...
Fill in the IP of your host running exchange, modify the other variables
to match your needs, and run. Works great!
If you need more info, please let me know. I have had this going for a
while now, so I have a pretty good idea.

IPTABLES="/sbin/iptables"
EXTERNAL_IF="eth0"             # interface facing the DSL line
EXTERNAL_IP="yyy.yyy.yyy.yyy"  # public address on $EXTERNAL_IF
ALLADDR="0/0"
EXCHANGE_HOST="xxx.xxx.xxx.xxx"

# Part of the Exchange server stuff (25)
logger -s "Allow SMTP Server Connections on port 25"
# Inbound SMTP has already been DNATed to the Exchange host, so it crosses
# the FORWARD chain (not INPUT). Sending MTAs connect from an ephemeral
# source port, so there is no --sport 25 match here.
$IPTABLES -A FORWARD -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXCHANGE_HOST \
    --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# Outbound SMTP from the Exchange host to the rest of the world.
$IPTABLES -A FORWARD -o $EXTERNAL_IF -p tcp -s $EXCHANGE_HOST -d $ALLADDR \
    --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# Rewrite the public address to the Exchange host for incoming port 25.
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp -d $EXTERNAL_IP \
    --dport 25 -j DNAT --to-destination $EXCHANGE_HOST:25

Vern H. Gill
State Director
Director of Marketing
Conejo Valley Jaycees
vgill@technologist.com
http://www.conejovalleyjaycees.org
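Pulling together bryan's two points (a FORWARD rule for the outgoing connections and a nat-table rule for the private addresses) and the DNAT rule in the post above, here is a complete, reviewable rule set. It is an added example for this thread, not any poster's actual script. It assumes /sbin/iptables, the interfaces eth0 (DSL) and eth1 (LAN), and the placeholder addresses shown; the rules are printed by default and only installed with --apply. It goes one step beyond the thread: outbound port 25 is allowed only from the mail server, and any other LAN host trying to reach port 25 directly is logged (rate limited) and dropped, so a compromised workstation cannot send mail around the server.

```shell
#!/bin/sh
# Added example, not from the thread: an explicit iptables policy for a mail
# server (here Exchange) behind a Linux NAT firewall. Interface names and
# addresses are constructed placeholders; change them to match your site.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="eth0"                # interface facing the DSL line
INT_IF="eth1"                # interface facing the LAN
EXT_IP="203.0.113.10"        # public address (documentation range, placeholder)
LAN_NET="192.168.1.0/24"     # private LAN behind the firewall (placeholder)
EXCHANGE_HOST="192.168.1.5"  # the Exchange server (placeholder)

# Emit the rule set as text rather than running it, so it can be reviewed,
# diffed against the live firewall, or tested before it is applied.
smtp_rules() {
    cat <<EOF
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound mail: the public address is rewritten to the Exchange host in the
# nat table; the FORWARD chain must then accept the new connection as well.
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 25 -j DNAT --to-destination $EXCHANGE_HOST:25
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $EXCHANGE_HOST --dport 25 -m state --state NEW -j ACCEPT
# Outbound mail: only the Exchange host may open port 25 to the outside.
# Any other LAN host trying to do so is logged and dropped, so a compromised
# workstation cannot relay mail directly through the DSL line.
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $EXCHANGE_HOST --dport 25 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $LAN_NET --dport 25 -m limit --limit 5/min -j LOG --log-prefix "SMTP-DIRECT: "
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $LAN_NET --dport 25 -j DROP
# Everything else from the LAN (web surfing etc.) is allowed; this must come
# after the port 25 rules above, because the first matching rule wins.
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Private addresses are not routable, so replies would never come back
# without source NAT to the public address (the nat-table rule bryan meant).
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $EXT_IP
EOF
}

# Number of rule lines (comment lines excluded) that contain the given text.
rule_count() {
    smtp_rules | grep -v '^#' | grep -c -- "$1"
}

# Position of the first rule line containing the given text; used to check
# that the port 25 DROP really precedes the general LAN ACCEPT.
rule_line() {
    smtp_rules | grep -v '^#' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    --apply) smtp_rules | grep -v '^#' | sh -e ;;  # as root: install the rules
    *)       smtp_rules ;;                          # default: just print them
esac
```

Run it without arguments to read the rules, and with --apply (as root, on the firewall) to load them. After that, the telnet checks from the divide-and-conquer post above are the right way to confirm the two directions separately: telnet from the Exchange host to an outside port 25 exercises the outbound FORWARD and SNAT rules, and a connection from outside to the public address exercises DNAT plus the inbound FORWARD rule.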