No incoming email? Exchange 2007 SP2



  • I did a search but nothing comes up. I guess that means that it's not a common problem or I'm an idiot. Anyway I just put in place a pfSense box on an enterprise network, I can send email but not receive email. I also cannot access OWA from the https connection and I guess all my blackberry users are sol right now. I have just the default settings.



  • Ok I needed to set up port forwarding. I'm still not able to get to OWA?



  • What are your port forwarding rules?



  • For OWA you'll need at least 443/TCP (HTTPS) - did you remember that too?



  • Ok looks like outside world has been getting OWA just fine. I have been testing from the network and can't get to OWA?



  • The "Source" fields aren't doing what you think.  Those rules you list apply to packets arriving on the WAN interface.



  • So what you're saying is that I need to put them under the LAN tab?



  • @ptex:

    So what you're saying is that I need to put them under the LAN tab?

    arriving

    • A rule allowing inbound 25/TCP traffic from any IP to the IP of your mail server

    • A NAT rule forwarding 25/TCP to your mail server (creating this will create the above)



  • @Cry:

    arriving

    • A rule allowing inbound 25/TCP traffic from any IP to the IP of your mail server

    • A NAT rule forwarding 25/TCP to your mail server (creating this will create the above)



  • @ptex:

    Is that what I did with the 2nd one up from the bottom "NAT smtp"?

    Probably, though you haven't posted your NAT rules.

    Try the diagnostics at MX Toolbox.

    @ptex:

    I did notice on the old firewall rules that there is some kind of "Key Exchange IKE" rule?

    That's probably for an IPsec VPN.



  • Inbound SMTP still isn't working?  You've verified that from a location outside the network?  (You can't reliably test it from inside, as you found out with the OWA.)

    If it's not working, do this.  Delete all the port 25 rules you have now and go into Firewall->NAT.  Create a new NAT rule.  Interface will be WAN (or whatever you call the external interface).  External address will be Interface Address (let's not get into virtual addresses just now).  Protocol will be TCP.  For External port range select SMTP.  For NAT IP enter the IP address of the Exchange server.  Enter a description like 'Inbound SMTP' and click Save.  Verify that the relevant rule was created in Firewall->Rules.  Inbound SMTP connections should now be directed to your Exchange server.  Verify this.

    (I would, before creating any rules, go to Firewall->Aliases and assign names to the IP addresses I intend to use, but that's optional.)

    Now, assuming that's working, please take a couple minutes to create a couple of outbound SMTP rules.  (I am assuming here that the Exchange server is the only allowed mail transfer source allowed on your network.  If that's not the case, modify the following accordingly.)

    In Firewall->Rules click on the LAN tab.  This is where you will create rules that manage outbound traffic (from your LAN to the Internet).  Create a new rule at the top of the list.  Action will be Block, Interface LAN, Protocol TCP, Source ANY, Destination ANY, Destination Port Range SMTP.  Enter a description such as "Block Unauthorized Outbound SMTP" and click Save.  Now create another rule ABOVE (very important) that one.  The action on this one will be PASS and the Source will be the address (or alias) of your Exchange server.  (Internal address, of course; not the public address.)  Everything else will be the same as the previous rule.  Call this one "Allow Outbound SMTP" or some such.

    Now if someone gets a virus on their desktop and starts spraying spam at the Internet, it will be stopped at the firewall and your company won't end up with all of its email being blocked by an amazing variety of blocklists across the Internet.
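    The rule set described in this post, modelled as an added example (not code from the thread or from pfSense): a first-match evaluator showing why "Allow Outbound SMTP" has to sit above "Block Unauthorized Outbound SMTP", and why a rule bound to WAN never sees LAN-originated traffic. The addresses are constructed placeholders.

```python
# Added example, not from the thread: a first-match evaluator that models the
# pfSense rule set described above. All addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"
EXCHANGE = "192.168.1.10"      # constructed: internal Exchange address
WORKSTATION = "192.168.1.57"   # constructed: a desktop on the LAN
OUTSIDE = "203.0.113.5"        # constructed: a remote MTA on the Internet

@dataclass(frozen=True)
class Rule:
    interface: str               # interface the packet ARRIVES on
    action: str                  # "pass" or "block"
    src: str                     # source address or ANY
    dst_port: Union[int, str]    # destination port or ANY
    description: str

def first_match(rules, interface, src, dst_port) -> Optional[Rule]:
    """pfSense user rules are evaluated top-down; the first match wins."""
    for r in rules:
        if r.interface != interface:
            continue                 # rule is bound to a different interface
        if r.src != ANY and r.src != src:
            continue
        if r.dst_port != ANY and r.dst_port != dst_port:
            continue
        return r
    return None

def decide(rules, interface, src, dst_port) -> str:
    """Traffic with no matching rule is dropped (implicit default deny)."""
    hit = first_match(rules, interface, src, dst_port)
    return hit.action if hit else "block"

# Rule set from the post. The WAN NAT entry auto-creates the inbound pass
# rule; the LAN list keeps the stock "LAN to any" rule at the bottom.
RECOMMENDED = [
    Rule("WAN", "pass", ANY, 25, "NAT Inbound SMTP (auto-created)"),
    Rule("LAN", "pass", EXCHANGE, 25, "Allow Outbound SMTP"),
    Rule("LAN", "block", ANY, 25, "Block Unauthorized Outbound SMTP"),
    Rule("LAN", "pass", ANY, ANY, "Default allow LAN to any"),
]
# Same rules with Allow placed below Block: the Allow rule can never match.
WRONG_ORDER = [RECOMMENDED[0], RECOMMENDED[2], RECOMMENDED[1], RECOMMENDED[3]]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("wrong", WRONG_ORDER)):
        print(name, "exchange->25:", decide(rules, "LAN", EXCHANGE, 25),
              "desktop->25:", decide(rules, "LAN", WORKSTATION, 25))
```

    With the recommended order only the Exchange server can send outbound SMTP; with the Allow rule below the Block rule, the Exchange server is blocked too, and the "Source" field on a WAN rule never applies to traffic leaving the LAN.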



  • Oh I'm sorry, yeah SMTP is working fine. It's just OWA from the inside, using its web address. OWA works from the inside using the mail server's IP address but gives a certificate warning. I have pointed all my inside users' desktop shortcuts to the IP address and have them ignore the warning. Which works fine but I hate it when things don't work right.

    Now onto OpenVPN. Thanks all.



  • Oh, different problem.  If you want to be able to access OWA from the inside using the external DNS name, you're going to have to make an A record on your internal DNS server pointing to the internal IP address.  (And if you're going to do that, making a zone for the public domain name on your internal DNS server, you'll have to replicate all the other public records or your users won't be able to get to, for example, 'www.companyname.com'.)

    Or just create an internal A record like 'mail' and get a multi-name cert that will work with both the internal and external domain names.

