Koozali.org: home of the SME Server

Separate Mail Server questions

Erik Tank

Separate Mail Server questions
« on: June 26, 2002, 01:06:15 AM »
I sure hope someone can help out with this problem:

SME version: 5.1.2

We have a G3 Mac running OS 9.04 as our current mail server.  We have just about 1000 accounts and do not want to enter them all into our new SME server, which we only want for filtering purposes with SquidGuard.  So far, that works fine, only the email is the problem child.

I have tried all the configurations I know and have dabbled a bit in the config files, but don't seem to be able to get it to work correctly.  Any email we send into our network domain, anyuser@ourdomain.org, is simply not picked up by our real mail server.  We have a PIX firewall which our SME server sits behind, connected into the same switch that our mail server is connected to.  As soon as we take our SME server out of the loop of things, our mail server starts collecting all the mail.  We can't find any settings in our mail server to change, and I've tried all I can think of for the SME Server, but it just seems to block all incoming mail.

Does anyone know how to set this up so that we can get our mail with our current mail server and preferably totally disable all mail capabilities on the SME server?

We are running on a 10.0.0.0 network here.  Our mail server is 10.10.0.11 and I have set up the hostname mail.ourdomain.org to be a local computer with that IP address.  Any more information, PLEASE WRITE even if you think it's pointless! :)  Thank you!

Tony P.

Re: Separate Mail Server questions
« Reply #1 on: June 26, 2002, 03:35:14 AM »
What rules are set up on the PIX for forwarding port 25? Does it send to the G3 or the SME? Do you forward all ports on the PIX to the SME? What is the DNS server, the SME or something else? Perhaps there is a DNS issue that is causing the mail to bounce round and round.

When both boxes are connected have you tried to telnet to port 25 on the external interface of the PIX? It should send you to the mail server. You may be able to tell by the response from the mail server which server is responding.

Just a few thoughts.

Good Luck.

Tony

Erik Tank

Re: Separate Mail Server questions
« Reply #2 on: June 26, 2002, 07:34:02 PM »
I wanted to clear up some of my own writing... I'm having a problem with outside email (from anywhere else but local) coming into my network.  We can send out mail just dandy.

Our T1 line comes into our network via a Cisco 2600 router, then to our PIX, then to our switch(es) to which we are all connected.  Our mail server is connected to this same switch, and the SME server is connected to the same switch, as well as many other routers and such things...

As far as the forwarding goes with the PIX, I think everything is forwarded to our SME server... we've never changed anything in the config files... the IP route is pointed to our SME server.  Our SME server IS our DNS server.  I'm not positive on this, but in my experience port 25 is SMTP and that's for outgoing mail... we're having problems with incoming mail - which I'm pretty sure is POP3 unless there is something I'm not aware of with the way SMTP works... but I think I understand their relationships pretty well and ... no luck.  Any other help is appreciated!

David Hardy

Re: Separate Mail Server questions
« Reply #3 on: June 26, 2002, 10:26:20 PM »
Incoming email is by SMTP.

When you send outgoing email you initiate an SMTP session with an external mail host. If your PIX is forwarding everything to the SME box, it's also forwarding port 25, so all of your incoming (via SMTP) mail is going to the SME box.

If your mail is collated by an ISP and collected by you from an external pop box then you must have configured the SME box to do that - it CANNOT 'just do it', it would need to know the remote pop mail host, user name and password. This is the MultiDrop email setting in the Server Manager.

You should be using an SMTP feed from your ISP - 1000 users on Multidrop is probably a little excessive ;-).

As Tony P. says, check the PIX settings and telnet against the PIX external IP and port 25.


David.
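
Tony's and David's check above (connect to port 25 on the PIX's outside address and see from the greeting which server answers) can be scripted so the answer is unambiguous. The following is an added Python example, not code from this thread or from SME Server; the sample greetings, the hostnames and the 203.0.113.5 address are constructed placeholders.

```python
import re
import socket

# Constructed sample greetings (not captured from the thread's servers):
# one from a generic qmail-style box, one from the expected mail host.
SAMPLE_GREETINGS = {
    "sme": "220 sme.example.org ESMTP\r\n",
    "mail": "220 mail.example.org Example Mail Server 1.0 ready\r\n",
}

def parse_greeting(reply):
    """Split the first line of an SMTP reply into (code, announced host, rest)."""
    first = reply.strip().splitlines()[0] if reply.strip() else ""
    m = re.match(r"^(\d{3})[ -](\S+)\s*(.*)$", first)
    return None if m is None else (int(m.group(1)), m.group(2), m.group(3))

def classify_responder(reply, expected_host):
    """Return 'expected', 'unexpected:<host>' or 'no-smtp' for a greeting."""
    parsed = parse_greeting(reply)
    if parsed is None or parsed[0] != 220:
        return "no-smtp"
    host = parsed[1]
    return "expected" if host.lower() == expected_host.lower() else "unexpected:" + host

def read_reply(sock):
    """Read one complete SMTP reply; continuation lines carry '-' after the code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = [l for l in data.decode("ascii", "replace").split("\r\n") if l]
        if data.endswith(b"\r\n") and lines and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            break
    return data.decode("ascii", "replace")

def smtp_banner_check(host, expected_host, port=25, timeout=5.0):
    """Connect, read the greeting, send EHLO and QUIT; report who answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = read_reply(s)
        s.sendall(b"EHLO check.invalid\r\n")   # hypothetical client name
        ehlo = read_reply(s)
        s.sendall(b"QUIT\r\n")
    return classify_responder(greeting, expected_host), greeting, ehlo

if __name__ == "__main__":
    # Placeholder address; substitute the PIX outside address and your real mail host.
    try:
        print(smtp_banner_check("203.0.113.5", "mail.example.org"))
    except OSError as e:
        print("connection failed:", e)
```

If the verdict is `unexpected:` with the SME box's hostname, port 25 is being answered by the SME server rather than the G3, which is exactly the symptom described in this thread.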

Erik Tank

Re: Separate Mail Server questions
« Reply #4 on: June 26, 2002, 11:34:03 PM »
OK, I see what you mean about the SMTP going out of our local network to fetch mail... or at least I think I see it :)  

I do NOT use multidrop.  We have our own dedicated mail server here, so that we can send and receive emails even if we are not connected to the Internet.  We have registered our domain name with register.com and have our PIX set to forward any POP3 or SMTP to our local mail server IP.

Since our E-smith server and mail server are connected to the same switch, the way we force filtering is by setting our other internal router (which has ISDN connections to our other four buildings) to use the gateway of our filter server, which has a gateway of the firewall.  All of our machines locally in this building and the four others, have the gateway of the internal router that I just specified.  

So a packet travels from say, this machine, to the 3620 (internal router), to the filter server, to the PIX, to the outside router, to the T1 box.  

The way our email works is, if you set the 3620's gateway to the PIX, hence bypassing the filter machine, then presto, it works fine.  I have just tried today a new route, by bypassing the PIX and only using the E-smith machine as the firewall, and that proved useless too... filtering worked great, but it still blocked the email, so I know it's NOT an issue with the firewall... or at least I feel confident in saying that it has to be something to do with our filter server.  It is filtering TOO WELL.

I've read some about the smtpd_check_rules file and have looked at it.  Is there any way to just ALLOW ALL and not block or deny anything?  That might fix the problem... right?  I know of the consequences, but still... let me try it, right? :)

Thanks for your help thus far!

Erik Tank

Re: Separate Mail Server questions
« Reply #5 on: June 28, 2002, 09:26:52 PM »
I'm still in a bind and would really like anyone's feedback, useful or not even.

I don't understand why this is so hard to do.  Does no one else here have their own domain with their own mail server that sits on the inside of the firewall with them?

I would think this is a normal setup for an organization... any help is welcome!

bob

Re: Separate Mail Server questions
« Reply #7 on: June 28, 2002, 11:19:56 PM »
For clarification, can you provide IP addresses and host names and/or a network map? It sounds to me like your email server is never getting the email. Did you port forward on the SME to send port 25 to your mail server? Also try to ping your email host name from the SME.

Erik Tank

Re: Separate Mail Server questions
« Reply #8 on: June 29, 2002, 12:20:48 AM »
Outside router: 209.7.177.1
Internal PIX: 10.10.0.1
External PIX: 209.7.177.5
3620 inside router: 10.10.0.3
Internal SME NIC: 10.10.0.15
External SME NIC: 10.10.0.16
mail server: 10.10.0.11

I just installed a new copy of 5.5 beta 9 and put port forwarding on and pushed 25 on TCP and UDP to the 10.10.0.11 address.  When I ping the hostname mail.emsd37.org from my SME box it now points to 10.10.0.11.... however my 3620 router points out to the IP of 209.7.177.9 because of our MX lookup record for our domain, which points mail.emsd37.org to the IP of 209.7.177.9.

Our MX record also points our www.emsd37.org to 209.7.177.7 and that works and our webpage can be seen from outside our local network (from the Internet successfully).  

Does this help anyone at all?  Thanks for the help thus far.

bob

Re: Separate Mail Server questions
« Reply #9 on: June 29, 2002, 10:39:39 AM »
Erik,

A couple of things here are confusing me.

1. 3620 inside router: 10.10.0.3

  What is the purpose of this router to the 10.10.0.x network (assuming the netmask is 255.255.255.0)?

2. You are using Squidguard for Web Caching? What does email have to do with this?

3. Instead of the 3620 Router couldn't you NAT the mail server directly from the PIX to email server? NAT 10.10.0.11 <--> 209.7.177.9

4. What is the hostname of the SME box? If it has the domain of emsd37.org on it, I believe it automatically aliases itself to mail.emsd37.org, so if it is the DNS server it will take over the mail if you use DNS.

5. Why are the external and internal interfaces of the SME on the same network (assuming a netmask of /24)? If you just want to use it as a Squid server, you can still use only one interface for that.


Take a look at some of my assumptions and see if they help.

Bob

Erik Tank

Re: Separate Mail Server questions
« Reply #10 on: June 29, 2002, 11:12:04 AM »
Our 3620 router routes all of our other buildings together via ISDN lines.  We have each building set up for a different 10.x number.  For example, DHCP assigns building 1 with 10.20.0.0 addresses and building 2 with 10.30.0.0 addresses and so forth.  This way we can tell which building is having problems by their IP addresses but still use the dandiness of DHCP.  

The SME machine is running 5.1.2 with squidguard.  That was its sole purpose for being built.  We have two network cards, because the class that we went to for instructions about the E-smith software instructed us to do so.  Plus I can only imagine it would make things faster to have two network cards, since we are keeping our network up to date with gigabit ethernet and fiber.  :)

Our server was initially on the same domain, and I simply changed the mail.emsd37.org (our domain if I hadn't mentioned this earlier) from a "self" address to a "local" address and put in the 10.10.0.11 address of our mail server.  This not only worked for pinging, but it worked for our web server which we did the same exact process for and it works flawlessly.  

YES, the most confusing thing about this entire situation is that our PIX has a static route to send all mail traffic directly to the 10.10.0.11 (mail server) address.  When we watch the software on the mail server, it never gets a connection from the sites, such as hotmail when we try to send an email.  Once in a while a connection will open with some foreign IP and then close, without sending or receiving any data...

To understand things further, I probably stated this earlier, but it plays an important role:

Our 3620 is our default gateway for all machines.  So a quick implementation of our filter server is done by simply changing the gateway of the 3620 from our firewall (10.10.0.1) to our filter server (10.10.0.15).  Our filter server is set up with the 10.10.0.1 (firewall's) IP so it just adds him to the loop and yes, the filtering works terrific... too good, because then, and only then, the mail stops coming in.

We cannot ping mail.emsd37.org from any of our Cisco devices, which at first made me think that DNS is not set up correctly, but we have a valid nameserver listed for Internet use, and it cannot even ping www.yahoo.com.  This confused us further.  The sad part is, a very long time ago, we had our Cisco devices installed for us, because at the time, no one that worked there knew how to do it.  There are a lot of parts that don't look correct to us, but we are not sure why they say what they say.

Anyway, I added our DNS server to the name-server list, since it can support up to 6 DNS servers, but that proved useless too, still could not ping.  However, on our filter server and all of our machines, I can successfully ping the address mail.emsd37.org and it brings up the correct IP of 10.10.0.11.  Since the PIX is set to forward all traffic on 209.7.177.9 to 10.10.0.11, and mail.emsd37.org is registered to the IP of 209.7.177.9, then I'm lost at why we cannot receive our mail.  

By the way, one more thing is, almost all of our networks are using the 255.255.0.0 netmask.  

The reason our SME server has both interfaces on the same network is simply because we spent a lot of money on the PIX and don't feel it wise to risk vulnerabilities with our SME server on the outside, let alone the rest of our network.  Plus, we tried it on the outside, too and it produced the same exact problems.  We decided to move it back inside the firewall, so that we can still use the filter servers console to allow or deny access by IP.  If it is outside our firewall, then only our PIX could let us assign specific IPs to everyone and that's just too silly to do for this purpose when it's so much easier on the inside, plus we have a nice little jukebox set up on it too.  :)

Thanks for the help so far.... keep the info flowing.

Erik Tank

Re: Separate Mail Server questions
« Reply #11 on: July 01, 2002, 07:26:54 PM »
*bump*  I still need help with this... anyone throw in a bone?