Topic: Webmail and Website are down externally

[jrm657]

I'm having real trouble solving the following issue. I've tried searching the forums, calling my ISP tech support... no dice so far.

Since 2002 I've been running SME Server for a small office network. We're running it as the gateway, file server, email server and web server. We were connecting to the Internet via DSL with a dynamic IP address that would sync with dyndns.org. Everything was working just fine and dandy: webpage, webmail, etc.

In Feb 2004 I got tired of our email getting rejected by other ISPs because it appeared to be SPAM from a dynamic ip. So I switched with my ISP (SBC) to static IP. Well, now webmail and the webpage are down from outside the network. Internally I can access webmail and can view the website, but not outside. So port 80 seems to be delivering webpages inside the network but not outside.

Some suggested that my ISP is blocking port 80. I called up SBC and they said no. They said port 80 is wide open.

It's weird because even though port 80 seems to be down, port 25 seems to be working fine. I'm getting email in and out through the server just fine.

Any ideas?

Thanks! Justin


-------------
SME Configuration: 5.6 Developer
-------------

[boringgit]

Has this problem been there ever since Feb when you switched to static?

Obvious stuff perhaps, but are you using domain / dynamic dns from the outside? In which case are you able to ping / access using IP.

Have you got the box set to "private" mode?

[jrm657]

Has this problem been there ever since Feb when you switched to static?

Yes, I'm embarrassed to say, the problem has been there since we switched to static ips back in Feb. I've searched for answers since then, but nothing has popped up yet. Some of my users are going to start needing remote access to their email, so now I'm restarting my search for a solution.

Obvious stuff perhaps, but are you using domain / dynamic dns from the outside? In which case are you able to ping / access using IP.

I'm using dyndns.org to manage the DNS for my website domain name as I was doing before when I had dynamic ip. I have checked in with DynDns' tech support who said I've got my record configured to work with static ip. They said there was no issue on their end. All I did in my DynDns record was switch from dynamic ip to static ip and I typed in the external ip of the SME server.

I can ping the domain and the IP successfully. But I can't pull up the website in an http or https request.

Have you got the box set to "private" mode?

Nope, it's set to server and gateway.

[schirrms]

hi jrm657,

could you please tell us your static IP address and your domain name ?

It could be easier to try to help you

Regards,

[boringgit]

Also couldn't hurt to try the ShieldsUp! test on Steve Gibsons page www.grc.com

When I run the test (from behind an SME server where remote access works) I can see Ports 25, 80, 113 & 443 open.

You should see these open as well.

Also can never hurt to telnet to these ports just to see if something else intercepts...

[jrm657]

hi jrm657,

could you please tell us your static IP address and your domain name ?

It could be easier to try to help you

Regards,

------------------------------------
The domain is http://www.wespine.org and the ip is 67.67.108.122.
Thanks!

[schirrms]

Hi,

I just did some tests :
From my point of vue, your DNS is correct, and it's a real SME server at the end of the connection (at least, the header sent when doing a -successful- connection on your SMTP port is very sme friendly.
When I try to traceroute your system, a filter stop me somewhere at swbell.net (who seems to be the owner of 'your' IP address.
I can ping your system freely.

Doing a ligth nmap test, here is the result :

Code: [Select]

[root@gw1]config-# nmap -sS -p 20-113,443 wespine.org

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on adsl-67-67-108-122.dsl.stlsmo.swbell.net (67.67.108.122):
(The 93 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     open        smtp
113/tcp    open        auth
I just did the test, around 19:05 pm GMT time
You should find interresting informations in your /var/log/messages, just do a filter with my IP :
213.41.138.173

What I can see here is that I didn't receive any answer from your HTTP port (nor your HTTPS port)

So, if your SME server is filtering my connection, you should find in your log some information telling that my system try to connect to your port 80.

If yopu don't find that, it could be that a filter is set in front of your system.

Is your SME directly connected to the modem, or do you use some kind of router in between ?

Regards,
Pascal

[Anonymous]

Hey Pascal,
The results of your tests match my results using ShieldsUp (big thanks to boringgit-- ShieldsUp is a great service.. and it's free!). I appreciate your taking the time to run those tests.

Basically the only ports that are open to the outside are 25 and 113. Port 80 is shown as stealth, so it didn't respond as open or closed. The server just didn't respond to the request on that port.

However, inside the network as I am now, I can access webmail on the SME server without a problem. So port 80 must be open on the server but is blocked between the server and the internet.

Maybe SBC was mistaken and they REALLY ARE blocking port 80. That would seem to explain this situation. I should give them a call again.

Is there a way for me to check what ports are open on the SME server internally? Is there a configuration file that lists the port statuses or is there a program I can run internally on the network to test the server? The problem with ShieldsUp is that it's outside my network.

I looked in the various "messages" log files and couldn't find any record of your server (213.41.138.173). So probably SBC is blocking port 80. They must also be blocking 443.

To answer your last question, yes the server is connected directly to the DSL modem. The server is gateway/router/DHCP...

Thanks again!

[boringgit]

Two thoughts...

Is your DSL modem the type with one RJ45 port, or multiple?

If one, then no luck, if multiple (Here in the UK, when you subscribe to many of BTs' ADSL services you get a 4 port router), you could connect a PC to one of the other ports - that way you can see exactly what you are presenting the Internet before it even gets to your ISP.

(You may be able to try that using a hub on the external ethernet side as well I suppose...)

Do you have access to a dial up account from the same ISP. UK again, but over here Freeserve used to intercept SMTP traffic to servers outside their network. I beleive that they only did this for external servers, on the inside of the network you should have been fine....

[schirrms]

Hi,

To be sure of your SME server configuration :

1) Just set a linux or windows box in plce of your SME server, with a web server on it, but no firewall or other filters.
Set the IP address, netmask and default gateway statically (after all, you use a static address), and set also dns servers.
Check that this test box has a correct access to the net, and then, from the net, try to connect to the web server of your test box. If it don't work, see your provider.
2) on the other way (I did that when my old ISP start to block access to port 25 and 80), you can also put (with a cross-over ethernet cable) a computer in fron of your SME box, with the IP address of your default Gateway. then, from this test box, try to access to your web page (by IP, there would be no name resolution in this case).

If case 1 stuck and case 2 works, you should thinking of changing your ISP...

HTH,

[jrm657]

Thanks for the updates guys!

My dsl modem only has one RJ45 port.

On other fronts, I downloaded Advanced Port Scanner v1.1 from download.com. It's a free albeit simple utility that scans for open and closed ports. I ran it from an INTERNAL computer to scan the ports on the SME server. It showed many more ports open than ShieldsUp showed, including 25, 80 and 110. So internally the right ports are open. Externally port 25 seems to be open and 80 closed.

I spoke with SBC Tech support on Saturday and they said (again) that port 80 is open. They did a ping test to my static ip and determined that all is a-ok. I asked them to confirm port 80 by telnetting to the ip on port 80, but they claimed not to have access to telnet from the tech support side. So I have to trust them that port 80 is open?! I've read so many threads that talk about ISP's blocking that port. But I'll take their word until I can run the test that schirrms recommends.

I will try putting a windows box with a web server directly connected to the dsl modem and apply all the settings. I'm taking a trip this weekend and most likely won't be able to test that until the following weekend. I will update at that time.

Again, thanks to all who have responded so generously!

[anonymoua]

mate, have you set your static ip to point to your primary ibay and published it globally?

Just a small thought.

I had a similar problem and found that by giving my primary ibay the static ip and published it globally that it fixed the problem.

http://www.gtdesign.com.au     (sorry guys no *nix stuff here) ( yet )

[GoVeGeTa]

actually you have to do this by changing settings in Hostnames and addresses.

Choose a hostname you want to publish globally.

eg; www.yourdomain.com

next,

change location to remote and make sure publish globally
box is checked.

next,

in remote host ip box put the local ip of your sme server box, eg,
192.168.0.1
And in the next box put your static ip
eg,  200.0.0.3

next,

and save configuration.
i had the same problem 3 weeks ago and did the above
mentioned procedure and everything seems fine now.
(I have had 23 new users sign up so it must be working ok)

If youve already done this then plz disregard my message.

[jrm657]

Just a quick update here.

Someone recommended setting the server from "public server and gateway" to "private server and gateway" and then back again in order to reset the iptables in the firewall.

Well, that worked! Now I can access the server from outside like before.

Thanks for all your help!
Justin