Unable to reach POP server

Discussion in 'Server Networking' started by Bryan Linton, Sep 7, 2004.

  1. Bryan Linton Guest

    My boss has been having trouble checking email while out of the office.
    We're not yet running exchange (migration is about 1 month away), so our
    clients currently POP their mailbox using the Outlook 2000 client with the
    all the latest Office 2000 patches. Internally, it works fine. Externally,
    we have troubles. Here's some background:

    I inherited this network 3 months ago when I took over as IT manager. The
    previous admin had set up an Outlook profile for use when connected in the
    office that used the internal LAN IP of the mail server, and a totally
    separate Outlook profile for use when out of the office that used our
    registered MX record (mail.companyname.com). Until recently we weren't
    running DNS within our network. Now that we are, I decided not long ago to
    create internal DNS records for our mail server with the same name we use
    externally (mail.companyname.com). After some initial hiccups, it worked
    fine. I've been sending and receiving mail from my work desktop using our
    DNS name for 6 weeks now. I have also successfully set up Outlook Express
    at home to POP my mailbox on the mail server thru our SonicWall firewall
    (although I finally disabled that account a while back because I never used
    work email at home).

    So far, so good. I recently configured my boss to use the DNS name of our
    mail server instead of the internal IP. It works internally. But when my
    boss takes his laptop out of the office and tries to check via any available
    internet connection, Outlook says the mail server cannot be reached, and
    pops up the box to verify/change the POP server name/IP. I've been with
    him when it happens, and here's the wild part: if I ping our mail server's
    registered DNS name (mail.companyname.com), it promptly, correctly resolves
    the name to our external IP, and successfully pings it. But I still can't
    connect.

    I've done ipconfig /flushdns, and still had the problem. He's normally
    booting fresh, logging onto his domain account using cached credentials,
    connecting to the internet, and launching Outlook. Our firewall is (as far
    as I can determine) correctly set to forward all WAN traffic on port 110 to
    the internal IP of our mail server (TCP only).

    I'm running out of places to look, and my boss is running out of patience.
    I finally presumed that his installation of Windows 2000 and Outlook were
    just old and messed up (2-3 years old, as far as I can determine), so I did
    a fresh, clean install of XP Pro today. The only things that haven't
    changed are his domain user account, and his PST file. Still having the
    same problem.

    Sorry for the long post...any takers?

    Thanks in advance,

    Bryan

    p.s. -- Since my Outlook Express at home seemed to have no trouble, I will
    set up Outlook 2000 with my work POP account and do further testing, then
    post the results here.
     
    Bryan Linton, Sep 7, 2004
    #1

  2. Miha Pihler Guest

    Hi Bryan,

    While out on the internet do the following from command line:

    telnet mail.companyname.com 110

    What do you get? You should get something like "+OK InterMail POP3 server
    ready." -- it depends on POP3 server.

    For test you can also run

    telnet mail.companyname.com 25

    Were you able to connect? You should get something like "220 ESMTP
    server" -- again depending on SMTP server...

    Mike
     
    Miha Pihler, Sep 7, 2004
    #2
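The banner check Mike describes, written up as a small Python script (added here as an example; it is not code from the thread). It takes the host name on the command line and reads the first line each service sends; the distinction between a refused connection and a timeout is useful because a refusal usually means the packet reached a machine with nothing listening on that port, while a timeout usually means something dropped it.

```python
import socket
import sys

# Greeting each service is expected to send on connect, as described in the
# post: POP3 answers "+OK ...", SMTP answers "220 ...".
EXPECTED_GREETING = {110: "+OK", 25: "220"}


def classify_banner(port, banner):
    """'ok' if the greeting matches the service for that port, 'unexpected'
    if something else answered, 'empty' if the server sent nothing."""
    if not banner.strip():
        return "empty"
    prefix = EXPECTED_GREETING.get(port)
    if prefix and banner.startswith(prefix):
        return "ok"
    return "unexpected"


def read_banner(host, port, timeout=5.0):
    """Connect to host:port and read the first line the server sends.

    Returns (status, banner). status is one of: 'ok', 'unexpected', 'empty',
    'unresolved' (DNS failed), 'refused' (TCP RST: host reached, nothing
    listening) or 'timeout' (no answer at all, typically a firewall drop).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512).decode("ascii", "replace")
    except socket.gaierror:
        return "unresolved", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError:  # includes socket.timeout
        return "timeout", ""
    return classify_banner(port, data), data.strip()


if __name__ == "__main__":
    # Host name is a placeholder in the style of the post unless one is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.companyname.com"
    for service_port in (110, 25):
        status, banner = read_banner(target, service_port)
        print(f"{target}:{service_port} -> {status} {banner!r}")
```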

  3. Bryan Linton Guest

    Thanks Mike. To test, I disconnected from our LAN and established a dial-up
    to the internet (which is also how I tested on his machine yesterday). I
    was able to successfully telnet in thru both ports and got your messages
    almost verbatim. It should be noted that I did this from my computer...not
    his (he's actually in the office and using it now...yesterday was a holiday
    so I took advantage. :) ) The only significant difference I can think of
    between our machines is that mine still uses a static IP on our LAN, while I
    have his assigned dynamically. Shouldn't make a difference as far as I can
    tell, but I'll mention it just in case.

    As an interim solution, I've set up a VPN connection on his laptop and
    instructed him always to connect to the internet *and* establish the VPN
    connection before he launches Outlook. As far as I can tell, that'll work
    okay; it went fine in testing yesterday. Also, to take DNS completely out
    of the picture, I again set up Outlook with the internal IP of our mail
    server.

    So...what now?

    Bryan
     
    Bryan Linton, Sep 7, 2004
    #3
  4. Miha Pihler Guest

    Try to telnet to those from his computer while computer is connected to the
    internet.

    Mike
     
    Miha Pihler, Sep 7, 2004
    #4
  5. Miha Pihler Guest

    Is there any personal firewall software installed on this computer that is
    having problems with POP3 connections?

    Mike
     
    Miha Pihler, Sep 7, 2004
    #5
  6. Bryan Linton Guest

    No firewall software; XP's built-in firewall was not even activated, as far
    as I know. I'll double-check it when I test again. I have to wait 'till
    he's out of his office for a few minutes. Hopefully will be able to within
    the next couple of hours.

    B
     
    Bryan Linton, Sep 7, 2004
    #6
  7. Bryan Linton Guest

    Ok, update. I screwed up the previous test. I thought I'd disabled my LAN
    connection when I established the dial-up, but apparently I did not, so my
    connection was established internally. I tested his and re-tested mine over
    dial-up, and both failed to telnet in on those ports. Windows firewall was
    disabled on both.
     
    Bryan Linton, Sep 7, 2004
    #7
  8. Miha Pihler Guest

    Check your corporate firewall (firewall that protects your LAN and server)
    and make sure that it allows connection to POP3 service from the Internet
    (it looks like it doesn't). You should also check firewall log files.
    If you use a NAT device, make sure that it forwards connection from public IP
    address (NAT device) to internal POP server.

    Mike
     
    Miha Pihler, Sep 7, 2004
    #8
  9. Bryan Linton Guest

    I've found the problem, but I'm not sure of the best solution.

    I looked for a firewall problem previously, but could find no fault with the
    way port forwarding was set up. As it turns out, the problem isn't with
    port forwarding, but with 1:1 NAT.

    Currently, we have 3 public IPs. One class A address (x.x.x.32) is assigned
    to the firewall device itself, which is a SonicWall SOHO2. Two additional
    IPs have been assigned; x.x.x.33 was set up with 1:1 NAT to our fairly new
    SBS 2003, and x.x.x.34 to our mail server. I'm not certain why she (my
    predecessor) chose to have multiple public IPs; my understanding has been
    that they're unnecessary since traffic can be distinguished and routed
    based on the port used. The setup worked, however, since there was never a
    need to route traffic coming in on the mail server's IP to different
    machines based on the port. Now there is. Why? Because we added a spam
    appliance to our network a month ago.

    I changed the 1:1 NAT on the SonicWall a month ago to point to the IP of our
    new spam firewall appliance instead of the mail server, and then set up the
    spam firewall to forward acceptable mail to the IP of our mail server. All
    incoming mail flows thru that spam firewall first (running a hardened,
    locked-down linux distro) before being forwarded to the mail server.
    However, it will only forward SMTP mail received on port 25 (and
    technically, it's not simply forwarding...it's receiving, processing, and
    then initiating its own connection). My connection attempts are apparently
    all hitting the spam appliance and dying there, including my telnet
    connection attempt to port 25.

    At this point it seems clear that if a port-forwarding rule is set up that
    conflicts with a 1:1 NAT setting, the 1:1 NAT setting wins. I don't want to
    break our email by turning off 1:1 NAT until I'm clear of the consequences.
    Here's what needs to be accomplished:

    -- Incoming SMTP mail needs to be processed by our spam firewall, then
    passed along to our mail server. (This is working)
    -- Users need to be able to POP their mailboxes on the mail server from
    outside the company firewall. (This is not working)
    -- Users need to be able to send outgoing SMTP mail thru our mail server
    from outside the company firewall. (This is not working).
    -- Once we migrate to Exchange 2003 (very shortly), we'll need to accomplish
    the same goals, with the exception that they'll no longer be using POP3 to
    get mail.

    It should be noted that we also have a satellite office with an identical
    model SonicWall firewall. Some kind of VPN is set up between the two
    firewalls to secure all communications between them, although I'm not clear
    if that's actually doing anything, based on how the girl at that office
    currently does her work. When I asked my predecessor about the reason for
    multiple public IPs she said something about this VPN connection needing a
    dedicated IP. Does that seem reasonable?

    Sorry for the long post...any takers welcome. Thanks to Mike for his help
    thus far.

    Bryan
     
    Bryan Linton, Sep 7, 2004
    #9
  10. That is actually a good way to do that. I would not criticize her.
    Separating "jobs" out to different public IP#s is more flexible and
    scalable than trying to do everything with one public IP#.
     
    Phillip Windell, Sep 7, 2004
    #10
  11. Miha Pihler Guest

    Hi,

    I am not familiar with SonicWall so you will have to check its
    documentation for specifics.

    What you need to do for POP3 to work is "redirect" any request that comes to
    public IP (IP that is resolved by mail.yourcompany.com) on TCP port 110 to
    internal IP of your e-mail (POP) server.

    SMTP in your case is a bit more tricky. If you do this for SMTP you will
    have an open relay and anyone will be able to relay spam over your mail
    server. You could use another IP (not IP that is used for delivery of e-mail
    to your company) and redirect any TCP port 25 request to internal SMTP
    server (not your antivirus and antispam server) and make sure that only
    authenticated users can use this SMTP server (it's e.g. IIS or Exchange SMTP
    setting).
    With this you will have to configure your e-mail clients (Outlook, Outlook
    Express or ...) to actually authenticate before it tries to send the mail.
    Note that this will send username and password in clear text. Anyone with a
    sniffer on the network will be able to read it.

    I hope this helps. Feel free to post back with any questions.

    Mike
     
    Miha Pihler, Sep 7, 2004
    #11
  12. All that needs done there is make sure that all SMTP goes to the Spam
    Filter. The Spam Filter itself will either have the means to avoid relaying
    spam or it would simply be configured to forward everything (that isn't
    thrown out as spam) to the mail server,..then the mail server will prevent
    spam relay by its own means.

    Our Spam Filter runs on IIS's SMTP which is set to insist that anyone
    attempting to relay must authenticate with AD,...the mail Server itself
    (Exchange) does the same thing. It works perfectly and we have never had an
    open relay.

    This method however does require the user's Mail Client Software be able to
    authenticate with the SMTP Server (just like it already does with POP3).
    But I don't consider that a problem.
     
    Phillip Windell, Sep 7, 2004
    #12
  13. Miha Pihler Guest

    > All that needs done there is make sure that all SMTP goes to the Spam

    Agreed. The reason I suggested connecting to Exchange is easier
    configuration. The majority of 3rd party antivirus and antispam solutions that I
    have seen have pretty poor authentication capabilities for allowing
    relaying... This server will need to relay messages from company users while
    out of the office.
    I like this feature, but I have seen a few Exchange servers abused by this.
    Somehow someone somewhere got a hold of a valid Exchange account and started
    relaying spam... :-\ Now I usually disable "allow relay for authenticated
    users". I enable it if the customer actually needs this feature.

    Mike
     
    Miha Pihler, Sep 7, 2004
    #13
  14. Yea, I have heard of that happening. I guess regular password changes would
    stop that but not all places want to put up with changing passwords.
     
    Phillip Windell, Sep 7, 2004
    #14
  15. Bryan Linton Guest

    <snip>

    Thanks for the reply. I actually wasn't criticizing, I honestly was not
    sure why she did it that way. In my case, the 1:1 NAT is interfering with
    my port-forwarding requirements, but I can see how multiple IP addresses
    could give additional flexibility, now that you mention it.

    The dilemma I have is how to let our external users relay mail off our
    server. All incoming traffic on port 25 is relayed to our spam firewall, so
    any attempt to connect to our mail server on port 25 would also be directed
    to the spam firewall. Do I need to set my mail server's SMTP port to an
    unassigned, non-standard port number? Like, say, port 60? I would then
    need to set all my outlook clients to send mail on that port, instead of
    port 25, and also set my spam firewall to receive mail on port 25 and
    forward good mail to the mail server on port 60. Am I forgetting anything?

    Bryan
     
    Bryan Linton, Sep 8, 2004
    #15
  16. Bryan Linton Guest

    <snip>

    Thanks Mike. I have actually already set up a rule to redirect all WAN
    traffic on TCP port 110 to the internal IP of our mail server.
    Unfortunately, the 1:1 NAT will not let it work, since the NAT automatically
    forwards ALL traffic received at IP x.x.x.34 (which is what
    "mail.mycompany.com" resolves to) to the IP of our spam firewall, regardless
    of the port. Since my connection request on port 110 is coming in on the
    x.x.x.34 IP, the NAT grabs it, and my port-forwarding rule never gets used.
    We've actually had an open relay all along, but not really...we have always
    required all our clients to be authenticated before sending mail, and they
    are all set up this way, so we've never had a problem with it.

    I thought of using a different IP for POP mail outside of the office, so the
    1:1 NAT on the IP for mail.ourcompany.com won't interfere. But that'd
    defeat the purpose of using the DNS name to facilitate internal and external
    access to our mail server.

    Once we're on exchange, this won't be nearly as big of an issue, since
    outlook clients don't send or receive mail on port 25, iirc. But we're not
    there yet, and it'd be nice to get this working in the meantime.

    Bryan
     
    Bryan Linton, Sep 8, 2004
    #16
  17. No. The users would simply use the Spam filter's SMTP service just as if it
    was the regular mail server's SMTP. They would not know the difference. It
    is up to the Spam Filter to be able to determine if they should be allowed
    to relay or not. The real mail server would never even see or touch the
    user's outbound mail. The message would simply go from the user mail
    client's "outbox" (Outlook Express?) to the Spam Filter's SMTP Service where
    it is tested to see if it is spam, then tested to see if the user is allowed
    to relay, and then it would be "relayed" directly to wherever it is
    supposed to be destined,...it would never get to nor touch the regular mail
    server.

    POP3 on the other hand is a separate service altogether. The user connects
    directly to the POP3 Service on your real Mail Server to be able to pick up
    their mail. They would do this via the way your Firewall is rigged to pass
    the POP3 traffic on to the real mail server. The spam filter machine is in
    no way involved in this.
     
    Phillip Windell, Sep 8, 2004
    #17
    Get rid of the 1:1 NAT. It's that simple. You can't use it. You need a
    *different* IP# being used on the internal side for POP3 than what you use
    for SMTP. You can't use 1:1 NAT for this. You need the Firewall to send
    SMTP traffic to one internal IP# while sending the POP3 traffic to a
    different internal IP#.

    This is exactly what we do here using GFI's MailEssentials on one machine
    running IIS/SMTP while our Exchange2000 runs on a different machine.
    Incoming SMTP is sent to the GFI's MailEssentials while incoming POP3 is
    sent directly to Exchange. We do this with only one IP# on the external
    side of the Firewall. We actually have 32 addresses, but we don't bind them
    to the Firewall,...the Firewall is not our only externally exposed device.
    That won't save you. It is an even Bigger issue because communicating as an
    Exchange Client is a lot more complicated than the simple way the POP3/SMTP
    operates. When users are outside the system they should use SMTP/POP3.
    Running Outlook as a regular Exchange client is great when inside on the LAN
    when there is "gobs" of bandwidth,...but it is not designed for a slow WAN
    link. Our Laptops all run Outlook as a regular Exchange Client and they can
    *not* use it when outside the building. When they are outside the building
    they use Outlook Web Access instead via their web browser which is
    specifically designed to use over the Internet with a slow WAN (or dialup)
    link. I'm not saying there aren't ways to run MAPI over the Internet, I'm
    just recommending that you don't.
     
    Phillip Windell, Sep 8, 2004
    #18
  19. Bryan Linton Guest

    I don't think that'll work in our case, because our spam filter does not
    relay mail back out to the internet, but only to explicitly configured
    internal domain names mapped to internal IPs; in other words it only relays
    to internal mail servers. Outgoing mail sent by our mail server is not
    screened thru the spam firewall; our mail server sends it directly out. In
    that case, since I have two types of incoming SMTP traffic (inbound mail
    from internet mail servers, and users needing to relay their outgoing mail)
    that need to be handled by two different devices, I think I need that SMTP
    traffic to come in on two different ports. I obviously can't change the
    port that other internet mail servers send us mail on, but I *can* change
    the port WE use to communicate with OUR mail server. It simply means that
    all devices that wish to establish a direct connection with our mail server
    must do so on a specified nonstandard port. I have control over those
    devices, which are my Outlook clients, and my spam firewall. If I configure
    my mail server, spam firewall, and outlook clients with a common,
    nonstandard port, I think that will allow me to set up port forwarding rules
    to meet my needs.

    I wrote that all out partly to clarify it in my own mind, and partly to have
    someone besides myself check my logic. :) Am I barking up the wrong tree,
    or will that solve my problem?

    If so, then there's just one more problem to solve...that of changing the
    ports on all my clients. Hello, GPO.

    Bryan

    B
     
    Bryan Linton, Sep 10, 2004
    #19
  20. Actually now that you mention that, I have changed ours to do that as well.
    But that is really not relevant to this issue.
    Same as ours.
    Yes you have two types, but your conclusion about it is wrong. These are the
    two types:

    1. Internal users - They go directly to the Mail server for both SMTP and
    POP3 while the Spam Filter machine is not involved at all.

    2. External users - They go (should go) directly to the mail server for POP3
    (via the Firewall), but go to the Spam Filter for SMTP (via the Firewall).
    Whether the Spam Filter sends outbound mail directly to the Internet or
    passes it to the mail server and lets it handle it is not relevant.
    No, you don't do that...
    There isn't any fooling with ports here at all. You're making it harder
    than it has to be. The Firewall simply passes all POP3 to the mail server
    while passing all SMTP to the mail server itself. Whether your Spam Filter
    relays their outbound mail itself or passes it to the mail server and lets
    it do it is irrelevant and has no effect on the firewall setup.

    The internal users are irrelevant because they go directly to the mail server
    and don't use the firewall for that at all.

    As a sample of how this can work,...sometimes my Spam filter gives me
    trouble, so I remove it with one simple change,..I just change the IP# that
    the firewall sends incoming SMTP so that it goes directly to the mail
    server. The mail keeps right on flowing although I lose the Spam Filtering.
    When I get the Spam Filter fixed I simply set the firewall to pass the SMTP
    to the Spam Filter's IP# like it originally was. Now the mail goes through
    the filter again,...all back to normal. The POP3 never changes, it always
    goes direct to the mail server from the firewall.
     
    Phillip Windell, Sep 10, 2004
    #20
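A small Python model of the rule precedence Bryan found in post #9 (a 1:1 NAT entry claims every port on its public IP before any port-forwarding rule is consulted) and of the layout Phillip recommends (SMTP to the spam filter, POP3 straight to the mail server). Added here as an example, not part of the thread; x.x.x.34 is the placeholder the post uses and the internal addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Minimal model of the behaviour described in the thread: a 1:1 NAT
    entry claims every port on its public IP, and port-forwarding rules are
    only consulted when no 1:1 NAT entry matches."""
    one_to_one: dict = field(default_factory=dict)  # public_ip -> internal_ip
    forwards: dict = field(default_factory=dict)    # (public_ip, port) -> internal_ip

    def destination(self, public_ip, port):
        """Where an inbound TCP connection to public_ip:port ends up."""
        if public_ip in self.one_to_one:
            return self.one_to_one[public_ip], "1:1 NAT"
        internal = self.forwards.get((public_ip, port))
        if internal is None:
            return None, "dropped"
        return internal, "port forward"


# Public IP is the placeholder from the post; internal addresses are constructed.
MAIL_PUBLIC = "x.x.x.34"
MAIL_SERVER = "192.168.1.10"
SPAM_FILTER = "192.168.1.20"

# Intended destination per mail port: SMTP to the spam filter, POP3 to the
# mail server, as Phillip lays it out.
EXPECTED = {25: SPAM_FILTER, 110: MAIL_SERVER}


def before_fix():
    """The configuration Bryan found: 1:1 NAT to the spam appliance plus a
    port-110 forward that the NAT entry shadows."""
    fw = Firewall()
    fw.one_to_one[MAIL_PUBLIC] = SPAM_FILTER
    fw.forwards[(MAIL_PUBLIC, 110)] = MAIL_SERVER
    return fw


def after_fix():
    """1:1 NAT removed; each service forwarded by port."""
    fw = Firewall()
    fw.forwards[(MAIL_PUBLIC, 25)] = SPAM_FILTER
    fw.forwards[(MAIL_PUBLIC, 110)] = MAIL_SERVER
    return fw


def audit(fw):
    """Map each mail port to (internal_ip, matched_rule)."""
    return {port: fw.destination(MAIL_PUBLIC, port) for port in EXPECTED}


def misrouted_ports(fw):
    """Ports whose actual destination differs from EXPECTED."""
    return sorted(p for p, (ip, _) in audit(fw).items() if ip != EXPECTED[p])


if __name__ == "__main__":
    for label, fw in (("before", before_fix()), ("after", after_fix())):
        print(label, audit(fw), "misrouted:", misrouted_ports(fw))
```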