Blackberry devices no longer email



  • Hello All,

    After getting a new install of pfSense 1.2.3 up and going for a few days, I am now getting all kinds of emails from Blackberry users. This is a school environment and all other email clients work OK. I am very familiar with sendmail, Dovecot and have done quite a bit of testing before I finally released the pfSense box into the wilds! Anyway, internally and externally we can send/receive email from the school email server, other than after the pfSense box was put into place all the BB users received in their inbox "Unable to connect to email server" and also have an email about "Activation"?
    Is it possible the BB Internet Service thingy thinks that the new MAC address of the pfSense that the email passes through is a bogus device?
    I am guessing I'll end up blowing a day (or more) of Wiresharking the email server to decipher where things are failing.
    I have read quite a few similar close scenarios on the BB forums but no really 1.2.3.4.,,, this fixes the email receiving bomb out. I did not change one thing on the actual running sendmail/Dovecot email server post pfSense install.
    What makes this tough is I'm not at all into the smart phone thing (I do have somewhat of a life),,, and I do not have a Blackberry to beat on to try and troubleshoot this thing.

    Edit: Wanted to add. I have the default of NAT reflection disabled. Would it do any good to uncheck this to enable NAT reflection, possibly? I thought I should try and leave as many defaults as possible to start out with.

    Thanks,
    BC



  • Did you remember to ensure that you forwarded ports 143/TCP and 110/TCP from the Internet to your IMAP/POP3 server?



  • Thanks for the feedback Cry Havock.

    Yes I did port forward TCP 25, 110, 143, as anyone can use the webmail at home as well as at school, no probs.
    I have read all kinds of posts on BB forums of this thing happening and it has something to do with refreshing routing tables on the BB device & also "reactivating the BB device"? Doesn't really make sense, but as I said I am not at all savvy on navigating a BB and most all of the users can only do a reconcile email on their BB as well :(.
    Does unchecking the NAT reflection to enable it do any good in this case, maybe?
    My guess is it is something to do with a routing change as seen by the BB device even though it can touch the server, as each device does get some sort of 'activation email' in the inbox,,, Possibly the BB sees the new firewall as a no good MAC address?…

    Take Care,
    Barry



  • I know BES server is using tcp ports 3101 and 3500 but I suppose you do not have BES server within your infrastructure.
    The best way to start I think is

    tcpdump -ni <LAN int name> net 206.51.26.0/24
    

    and see who is trying to connect to what.



  • @brcisna:

    Thanks for the feedback Cry Havock.

    Yes I did port forward TCP 25, 110, 143, as anyone can use the webmail at home as well as at school, no probs.

    Webmail uses HTTP or HTTPS - 80 or 443.  Webmail does not require access to SMTP, POP3 or IMAP across the Internet.

    Use a tool that checks that ports are open, like this one and check that your ports can be reached from the Internet.
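The check suggested in the reply above, as an added example that is not part of the original thread: SMTP, POP3 and IMAP servers send a greeting as soon as a client connects, so a probe run from outside the network can tell a working forward from a closed, dropped or wrong-service port. The script name and the hostname argument are assumptions.

```python
import socket
import sys

# Greeting each mail service sends first on connect (SMTP, POP3, IMAP).
EXPECTED = {25: "220", 110: "+OK", 143: "* OK"}

def probe(host, port, expect, timeout=5.0):
    """Connect and read the greeting; return (state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # connected, but nothing was sent
    except ConnectionRefusedError:
        return ("closed", "")        # RST: reachable, nothing listening
    except OSError:
        return ("unreachable", "")   # timeout: dropped, e.g. no forward/rule
    if not banner:
        return ("silent", "")        # e.g. a web server waiting for a request
    state = "open" if banner.startswith(expect) else "wrong-service"
    return (state, banner.splitlines()[0])

def check_mail_ports(host, timeout=5.0):
    """Probe 25, 110 and 143 on host; return {port: (state, banner)}."""
    return {p: probe(host, p, exp, timeout) for p, exp in EXPECTED.items()}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: mailports.py <public-hostname-or-ip>")
    else:
        for port, (state, banner) in check_mail_ports(sys.argv[1]).items():
            print(f"{port}/tcp {state:13} {banner}")
```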



  • Thanks for the feedback everyone.
    I do have port 80 forwarded as well to the email server.
    Webmail does work fine remotely.
    It appears it is a Blackberry-specific problem. Not sure what is hanging them though? I'll have to do a Wireshark marathon from the email server itself, and see where the connection quits back and forth. If there happen to be any Blackberry experts on board,, maybe they have seen the fix for this?
    Also I have tested with Outlook, OE, Evolution remotely and they all work fine as well.
    hhmmm,,,,?

    Thanks,
    Barry



  • @brcisna:

    Thanks for the feedback everyone.
    I do have port 80 forwarded as well to the email server.
    Webmail does work fine remotely.
    It appears it is a Blackberry-specific problem. Not sure what is hanging them though? I'll have to do a Wireshark marathon from the email server itself, and see where the connection quits back and forth. If there happen to be any Blackberry experts on board,, maybe they have seen the fix for this?
    Also I have tested with Outlook, OE, Evolution remotely and they all work fine as well.
    hhmmm,,,,?

    Thanks,
    Barry

    No need to Wireshark, do this

    tcpdump -ni <LAN int name> net 206.51.26.0/24

    it will show communication with Blackberry servers.


  • Eugene,

    Thanks for the tip. Hopefully using the command you provided it will not be a tcpdump marathon,,,:-).
    OK, so if the internal email server's IP address is 172.28.8.55, I would run in a shell on the pfSense machine:

    tcpdump -ni  172.28.8.55 net 206.51.26.0/24

    This seems idiot proof, even for me!

    One thing I noticed: I do not have port 443 forwarded and wonder if this may be required for Blackberry devices to try and at least negotiate a secure login first?

    Does pfSense come with tcpdump installed?

    Thanks,
    Barry



    No, the mail server is out of the picture here if you do not have a Blackberry Enterprise Server running within your organization.
    I suppose Blackberries use your network via WiFi to connect to RIM's servers to synchronize e-mails.
    So the command would be
    tcpdump -ni em0 net 206.51.26.0/24

    substitute em0 with real interface name of your LAN (bge0? rl0?).
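To read the output of the capture above and "see who is trying to connect to what", this added example (not part of the original thread) counts TCP handshakes opened from 206.51.26.0/24 per local port and lists the ports that never answered. The capture lines are constructed, and the parser assumes the `Flags [...]` output of tcpdump 4.x; older releases print the flags differently.

```python
import ipaddress
import re
from collections import defaultdict

RIM_NET = ipaddress.ip_network("206.51.26.0/24")  # network named in the thread

# Constructed sample of `tcpdump -n` output (not taken from the thread).
# The last line is an unrelated host, included to show it is ignored.
SAMPLE = """\
10:15:01.100001 IP 206.51.26.33.41234 > 172.28.8.55.110: Flags [S], seq 1001, win 65535, length 0
10:15:01.100950 IP 172.28.8.55.110 > 206.51.26.33.41234: Flags [S.], seq 2001, ack 1002, win 65535, length 0
10:15:01.180400 IP 206.51.26.33.41234 > 172.28.8.55.110: Flags [.], ack 1, win 65535, length 0
10:15:07.500000 IP 206.51.26.40.52011 > 172.28.8.55.143: Flags [S], seq 3001, win 65535, length 0
10:15:10.500000 IP 206.51.26.40.52011 > 172.28.8.55.143: Flags [S], seq 3001, win 65535, length 0
10:15:12.000000 IP 192.0.2.7.40000 > 172.28.8.55.25: Flags [S], seq 4001, win 65535, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def summarize(capture, net=RIM_NET):
    """Map (local_ip, local_port) -> SYN / SYN-ACK counts for handshakes from net."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and ipaddress.ip_address(src) in net:
            stats[(dst, int(dport))]["syn"] += 1        # remote opens a connection
        elif flags == "S." and ipaddress.ip_address(dst) in net:
            stats[(src, int(sport))]["synack"] += 1     # local service answered
    return dict(stats)

def unanswered(stats):
    """Local (ip, port) pairs that received SYNs but never sent a SYN-ACK."""
    return sorted(k for k, v in stats.items() if v["syn"] and not v["synack"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (ip, port), c in sorted(result.items()):
        print(f"{ip}:{port}  SYN={c['syn']}  SYN-ACK={c['synack']}")
    print("no answer on:", unanswered(result))
```

A port that shows repeated SYNs and no SYN-ACK is where the forward, firewall rule or service should be checked first.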



  • Eugene,

    Thanks again!
    With our old firewall setup,,, somehow,, all of the Blackberry users could use it for our email server. I honestly don't even know how they set it up… :-). I'm not even sure how all of the BB Enterprise Server thing even comes into play. It sounds like yet another maintenance nightmare right off of the bat. We do have lots of people now that have Blackberrys,, even in our little hillbilly community school, so I have to get this resolved asap!,,, :-).
    Are you saying it should not even be able to use this with a non-Blackberry type email server?
    I'll give the command you provided a spin!

    Thanks!
    Barry



  • You're still confusing webmail (80 or 443) which involves using a web server to access your email, and SMTP, POP3 and IMAP (25, 110 and 143).  Don't mix them up.

    Please post a screenshot of your WAN interface rules.



    Blackberry does not connect to your e-mail server even when connected to your LAN. Even if you see e-mails from your server on your BB. It actually does not have an e-mail client in the sense we use this word. It does not work this way. BB connects to a server at RIM (Research In Motion) over a secure protocol developed by RIM, and this server pulls e-mails from your e-mail server, showing them on your BB. The same (but opposite direction) is true for sending e-mails.
    Again, when you go to the web from your BB trying to see some web page, your BB sends a request to some server at RIM and RIM then delivers the contents of this page to your BB.
    Actually it is a very interesting topic, "how Blackberry works". I might be mistaken in what I've said above but this is what I've traced setting up an IPsec tunnel Blackberry - pfSense.



  • Thanks again to all for info provided.

    Havok, when I get back to the salt mines Monday I'll put up some screen shots of the WAN firewall rules.
    Eugene, sounds like you been nerding on the BB architecture,,, :)
    Only thing different I can see is the former firewall/commercial setup,,, did have both an SMTP and a POP3 relay built into it.
    But,,, as I stated earlier I can make Outlook, Outlook Express, Evolution work without a hitch remotely – telnet 25--sendmail & 110--dovecot,,, blah,, blah, works,, as well as inside the LAN. Webmail works fine both remotely and LAN side too, FYI.
    Seems like there must be a port missing for BB servers to pull/push from the internal email server.
    Do any of you's think enabling the NAT reflection would do any good? Guess I'll just have to do the tcpdump routine Monday and see where the chatter quits at.
    Asking again as I have not had to use it,,, is tcpdump installed on pfSense 1.2.3 by default?
    pfSense is working pretty sweet so far,, other than the BB snafu. :)

    Take Care,
    Barry



  • Hello All,

    Attaching two screen shots of the pfSense WAN rules. I added the last two entries in Wan_02 just to see if BB devices would work, which they did not. I see I do not have port 143 forwarded, but we can in fact log into Webmail remotely as I have a dedicated VIP for this. Could this be why the BB devices are not touching the internal email server correctly?
    FYI: The internal email server IP is 172.28.8.55
    Someone can look at the screen shots and tell me what I have wrong?… :-)
    I would guess there are some redundancies as I was desperate trying to get the BB's to work.

    Thanks,
    Barry






  • Obviously you do not understand what you are doing and what is even more sad you are not listening to us. I think commercial support http://www.pfsense.org/index.php?option=com_content&task=view&id=62&Itemid=73 is the way to go.



  • Barry,

    As it says in my signature - don't PM me for assistance or to direct my attention to a post.

    I've said everything I need to say.  As Eugene says you're not listening to us so there's no point in us wasting our time with you.



  • Thanks to all who provided ideas on a resolve for the BB email problem.
    I wound up deleting all port forwards, and recreated TCP 25, 110, 143 along with 80/VIP for IMAP and BB works fine now.
    Also used the tcpdump command provided by Eugene to see interaction between pfSense box and BB servers as well.
    Hope some day I become important as well.

    Thanks,
    Barry

