Topic: webmail external access

[ciso112]

guys,

I will start with the two-domain-question. Internet provider provides internet & also a domain zsbudm..edu.sk Simultaneously, a school uses an administration software by a company which also takes care of internet pages (also communication between a program and a page occurs) which run on zsbudm..edupage.sk domain. It looks to me the second domain is out of our concern in this question. Also, email addresses mentioned here are real ones & are being used.

"So in that case please get the services of a tech support person who does understand your network, you will save yourself & us a lot of time."
It's funny because I'm the tech support person

I'm not sure how to set up resolving of DNS, so I enclose screenshots of informative labels, starting with smoothwall.

First, DNS service, it was blank with no data just until now, I entered providers DNSs:
https://www.imageupload.co.uk/image/BVdJ

Second, incoming rules:
https://www.imageupload.co.uk/image/BVdQ
Been not empty only for several last days.

And an overview of smoothwalls network settings:
https://www.imageupload.co.uk/image/BVdM

SME server's config:
https://www.imageupload.co.uk/image/BVdq

And here is the main config file:
https://www.imageupload.co.uk/image/BVdg

I believe to have a reply about the records by tomorrow. When trying to run these fancy tests of yours I got the same results as you (network-tools, mainly). When port-scanning, only 443 was opened, even 80 was closed, isn't it strange?

Once again, your help is being hugely appreciated.

[janet]

Ciso112

I cannot help you with smoothwall configuration as I do not know smoothwall.

I am NOT talking about DNS settings in smoothwall or sme server or anywhere in your local network.

External DNS settings refers to external records about your domain name, which nameservers it uses, how those nameservers are configured (to point to in order to resolve your domain name). These DNS records are typically held at the registrar of your domain name (maybe that is telecom.sk) or your ISP (Internet Service Provider). Whichever person in your organisation that purchased & setup the domain name should be aware of where you host your domain name DNS records. There is usually a web panel you can login to, to setup & check.
Please do your homework & find out that info & then access the DNS records site to check what Public IP your domain is resolving to etc etc.

[ciso112]

janet

Situation is not as straightforward as it would be in an ideal world. I don't have access to DNS records as neither me nor school is the owner of the domain. It is owned by the ministry of education, telekom.sk is the domain keeper. But what telekom.sk can grant me is the right to ask for a change in  settings.
Luckily, the telekom employee I communicate with didn't mind the work and gave the thing a complete check. Here are the results:

"
  Takto je nakonfigurovany CISCO ASA5505 kde mate pripojeny server:

         BUDM-BUDM EDU1 DSL:172.16.5.160 ASA:192.168.30.78 IC:0687 Základná škola s MŠ, Kpt. J. Rašu 430, Budmerice wifi44/AP1 SW:10.31.55.254


DSL ok, ASA ok, SWITCH catalyst 2960 nepripojeny, NAT je nastaveny nasledovne:  //SWITCH catalyst 2960 - non functional


static (inside,outside) 87.197.51.74 10.14.252.5 netmask 255.255.255.255 dns
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq ssh
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 eq 22
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range www 84
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq https
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq 8080

global (outside) 1 87.197.51.73
global (outside) 2 87.197.51.78
nat (inside) 0 access-list V-RAMCI-EDU
nat (inside) 1 10.14.252.0 255.255.255.0
nat (wifi) 0 access-list V-RAMCI-EDU
nat (wifi) 2 10.31.55.0 255.255.255.0
"
I planned to translate the spoken parts, but after checking, it kind of seems useless as it seems understandable, sorry if mistaken.

server I see 10.14.252.5 c04a.0007.227e
Answers ping also from the internet.

HTTPS is also available with a text "This web site is under construction"   -- this is a correct page to appear; but when entering https://www.zsbudmerice.edu.sk in a browser, nothing is being loaded, yet when in terminal & pinging both the IP address and domain name, answer appears in both cases.

Anyway, not really sure since when, but it works! External access is possible through https://87.197.51.74/webmail !

Kind of a puzzling end, maybe some more answers will be given, surely would be nice.

Thx everyone & especially janet for the help!

[janet]

ciso112

The telekom employee seems to have done something to fix access.
I CAN put these URLs into a browser & resolve to your sites.

https://www.zsbudmerice.edu.sk
I get
This web site is under construction
(Probably a message from the sme server).

https://87.197.51.74/webmail
https://www.zsbudmerice.edu.sk/webmail
I get
Horde webmail login screen in both cases

You have to be aware when testing fault situations where changes are being made & retested, to flush the cache in your browser & sometimes even in sme server squid cache, as you can inadvertantly continue to read the cache (which shows an old no longer applicable result).

I have not done full tests but it looks fixed to me based on the above.

http access does not resolve so not sure what is happening there, better to only use https anyway to web sites.
ie I can access
https://www.zsbudmerice.edu.sk

but cannot access
http://www.zsbudmerice.edu.sk

This might be a setting related to sme server for the ibay which says to use https only ?

[TerryF]

As per janets response for me as well, from here: Oz

[janet]

ciso112

Another test result
http://www.dnsstuff.com/tools#dnsReport|type=domain&&value=zsbudmerice.edu.sk
It shows the http error, so maybe that is an external issue, perhaps disabled or blocked by higher powers as you have the "other domain" website for www access.

[ciso112]

janet

http access was not working due to a smoothwall's setting of sending traffic from the port 80 to a wrong address, not smeserver's.
So a bit more work on ssh from my site & everything should then be working like a charm which wouldn't be possible without your help, everyone and mainly janet, thx once more