Networking Forums

Port Forwarding and 1:1 NAT dilemma with email

 
 
Bryan Linton
      09-07-2004, 05:44 PM
Mike Pihler has been great helping me with this so far, but I'm at a new
juncture and the thread's getting deep, so I'll briefly restate the problem
here:

Users cannot POP their mailboxes on our mail server from outside the company
firewall, and they used to be able to. The public DNS name of our mail
server properly resolves, and pinging the address it resolves to also works.

I looked for a firewall problem previously, but could find no fault with the
way port forwarding was set up. I think I've finally found the problem, and
as it turns out, the problem isn't with port forwarding per se, but with 1:1
NAT.

Currently, we have 3 public IPs. One class A address (x.x.x.32) is assigned
to the firewall device itself, which is a SonicWall SOHO2. Two additional
IPs have been assigned; x.x.x.33 was set up with 1:1 NAT to our fairly new
SBS 2003, and x.x.x.34 to our mail server. I'm not certain why she (my
predecessor) chose to have multiple public IPs; my understanding has been
that they're unnecessary since traffic can be distinguished and routed based
on the port used. The setup worked, however, since there was never a need
to route traffic coming in on the mail server's IP to different machines
based on the port. Now there is. Why? Because we added a spam appliance
to our network a month ago.

I changed the 1:1 NAT on the SonicWall a month ago to point to the IP of our
new spam firewall appliance instead of the mail server, and then set up the
spam firewall to forward acceptable mail to the IP of our mail server. All
incoming mail flows through that spam firewall first (running a hardened,
locked-down Linux distro) before being forwarded to the mail server.
However, it will only forward SMTP mail received on port 25 (and
technically, it's not simply forwarding...it's receiving, processing, and
then initiating its own connection). My connection attempts are apparently
all hitting the spam appliance and dying there, including my telnet
connection attempt to port 25.

At this point it seems clear that if a port-forwarding rule is set up that
conflicts with a 1:1 NAT setting, the 1:1 NAT setting wins. The current
rule -- the one that says traffic received on port 110 from any WAN source
should be forwarded to the LAN IP of our mail server -- isn't being followed
because the 1:1 NAT setting forwards ALL traffic to *that specific* WAN IP
to our spam firewall. I don't want to disrupt our email by turning off 1:1
NAT and setting up individual port-forwarding rules until I have a clearly
defined plan and I'm clear about the consequences. Here's what needs to be
accomplished:

-- Incoming SMTP mail needs to be processed by our spam firewall, then
passed along to our mail server. (This is working)
-- Users need to be able to POP their mailboxes on the mail server from
outside the company firewall. (This is not working)
-- Users need to be able to send outgoing SMTP mail through our mail server
from outside the company firewall. (This is not working)
-- Once we migrate to Exchange 2003 (very shortly), we'll need to accomplish
the same goals, with the exception that they'll no longer be using POP3 to
get mail.

It should be noted that we also have a satellite office with an identical
model SonicWall firewall. Some kind of VPN is set up between the two
firewalls to secure all communications between them, although I'm not clear
if that's actually doing anything, based on how the girl at that office
currently does her work. When I asked my predecessor about the reason for
multiple public IPs she said something about this VPN connection needing a
dedicated IP. Does that seem reasonable?

Sorry for the long post...any takers welcome. Thanks to Mike for his help
thus far.

Bryan

"Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
news:Ol%(E-Mail Removed)...
> Check your corporate firewall (firewall that protects your LAN and server)
> and make sure that it allows connection to POP3 service from the Internet
> (it looks like it doesn't). You should also check firewall log files.
> If you use NAT device, make sure that it forwards connection from public
> IP address (NAT device) to internal POP server.
>
> Mike



 
Phillip Windell
      09-07-2004, 07:54 PM
"Bryan Linton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> to the firewall device itself, which is a SonicWall SOHO2. Two additional
> IPs have been assigned; x.x.x.33 was set up with 1:1 NAT to our fairly new
> SBS 2003, and x.x.x.34 to our mail server. I'm not certain why she (my
> predecessor) chose to have multiple public IPs; my understanding has been
> that they're unnecessary since traffic can be distinguished and routed
> based on the port used. The setup worked, however, since there was never a need

That is actually a good way to do that. I would not criticize her.
Separating "jobs" out to different public IP#s is more flexible and
scalable than trying to do everything on one public IP#.

> on the port used. The setup worked, however, since there was never a need
> to route traffic coming in on the mail server's IP to different machines
> based on the port. Now there is. Why? Because we added a spam appliance
> to our network a month ago.
>
> I changed the 1:1 NAT on the SonicWall a month ago to point to the IP of
> our new spam firewall appliance instead of the mail server, and then set up the
> spam firewall to forward acceptable mail to the IP of our mail server.
> All incoming mail flows through that spam firewall first (running a hardened,
> locked-down Linux distro) before being forwarded to the mail server.
> However, it will only forward SMTP mail received on port 25 (and
> technically, it's not simply forwarding...it's receiving, processing, and
> then initiating its own connection). My connection attempts are
> apparently

Ours is similar to yours. It wasn't difficult...incoming SMTP goes from the
Firewall to the Spam Filter first then to the Mail Server. However inbound
POP3 goes from the Firewall directly to the Mail Server. Outbound POP3 and
SMTP both go from the Mail Server directly to the Firewall and do not
involve the Spam Filter.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Bryan Linton
      09-08-2004, 07:56 PM

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...

> That is actually a good way to do that. I would not criticize her.
> Separating "jobs" out to different public IP#s is more flexible and
> scalable than trying to do everything on one public IP#.

<snip>

Thanks for the reply. I actually wasn't criticizing, I honestly was not
sure why she did it that way. In my case, the 1:1 NAT is interfering with
my port-forwarding requirements, but I can see how multiple IP addresses
could give additional flexibility, now that you mention it.

> Ours is similar to yours. It wasn't difficult...incoming SMTP goes from
> the Firewall to the Spam Filter first then to the Mail Server. However inbound
> POP3 goes from the Firewall directly to the Mail Server. Outbound POP3
> and SMTP both go from the Mail Server directly to the Firewall and do not
> involve the Spam Filter.


The dilemma I have is how to let our external users relay mail off our
server. All incoming traffic on port 25 is relayed to our spam firewall, so
any attempt to connect to our mail server on port 25 would also be directed
to the spam firewall. Do I need to set my mail server's SMTP port to an
unassigned, non-standard port number? Like, say, port 60? I would then
need to set all my outlook clients to send mail on that port, instead of
port 25, and also set my spam firewall to receive mail on port 25 and
forward good mail to the mail server on port 60. Am I forgetting anything?

Bryan

> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com



 
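Added example, written for this edit and not posted by anyone in the thread, and not SonicWall configuration syntax: a small Python model of the precedence Bryan describes in his first post (a 1:1 NAT entry on a public IP captures every port, so the port-110 forwarding rule on that IP never fires) alongside the replacement rule set his second post is planning (drop the 1:1 NAT on the mail server's public IP and forward per port). The public and LAN addresses are placeholders, and the choice of port 587 for client submission is my assumption: the post proposes an unassigned port such as 60, whereas 587 is the registered mail-submission port, which Outlook can be pointed at just as easily and which keeps the spam appliance out of the outbound path entirely. The model only evaluates the inbound translation; the appliance's own re-origination of accepted mail to the mail server on the LAN side is not affected by these rules.

```python
"""Inbound translation model: 1:1 NAT beats port forwarding.

Added example; addresses are placeholders (the thread only shows x.x.x.32-.34
publicly and never gives LAN addresses).
"""
from dataclasses import dataclass, field

PUBLIC_MAIL = "198.51.100.34"      # stands in for x.x.x.34 in the post
SPAM_APPLIANCE = "192.168.1.20"    # assumed LAN address of the spam firewall
MAIL_SERVER = "192.168.1.10"       # assumed LAN address of the mail server


@dataclass
class Firewall:
    # public IP -> internal IP; a 1:1 entry translates every port
    one_to_one: dict = field(default_factory=dict)
    # (public IP, public port) -> (internal IP, internal port)
    port_forwards: dict = field(default_factory=dict)

    def resolve(self, dst_ip, dst_port):
        """Where an inbound packet to dst_ip:dst_port ends up, or None if dropped."""
        if dst_ip in self.one_to_one:
            # 1:1 NAT wins: every port on this public IP goes to one host,
            # so any port-forward rule for the same public IP is shadowed.
            return (self.one_to_one[dst_ip], dst_port)
        return self.port_forwards.get((dst_ip, dst_port))


def current_firewall():
    """The configuration the thread describes today."""
    fw = Firewall()
    fw.one_to_one[PUBLIC_MAIL] = SPAM_APPLIANCE
    fw.port_forwards[(PUBLIC_MAIL, 110)] = (MAIL_SERVER, 110)  # never consulted
    return fw


def planned_firewall():
    """The replacement: no 1:1 NAT on the mail IP, one forward per service."""
    fw = Firewall()
    fw.port_forwards[(PUBLIC_MAIL, 25)] = (SPAM_APPLIANCE, 25)   # inbound SMTP
    fw.port_forwards[(PUBLIC_MAIL, 110)] = (MAIL_SERVER, 110)    # POP3
    fw.port_forwards[(PUBLIC_MAIL, 587)] = (MAIL_SERVER, 587)    # submission (assumed)
    return fw


# Which internal host each public port on the mail IP must reach.
REQUIREMENTS = {25: SPAM_APPLIANCE, 110: MAIL_SERVER, 587: MAIL_SERVER}


def check(fw, requirements=REQUIREMENTS):
    """Map each unmet requirement's port to a short description of the problem."""
    problems = {}
    for port, want_host in requirements.items():
        got = fw.resolve(PUBLIC_MAIL, port)
        if got is None:
            problems[port] = "dropped"
        elif got[0] != want_host:
            problems[port] = f"lands on {got[0]}, wanted {want_host}"
    return problems


if __name__ == "__main__":
    for name, fw in (("current", current_firewall()), ("planned", planned_firewall())):
        print(name, check(fw) or "all requirements met")
```

Run check() against the planned set before touching the SonicWall; any port reported as "dropped" or landing on the wrong host is a rule still missing. When Exchange 2003 replaces POP3 the REQUIREMENTS table is the only thing that changes.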