Adam Thorpe
2003-Jul-15 10:29 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
Please excuse my ignorance as I'm a Linux newbie. Basically I have a setup of an ADSL ethernet modem (NATed and then everything forwarded to the external IP of my Mandrake MNF firewall) connected to the MNF firewall, which then connects to the LAN:

    internet <--> adsl modem <--> mnf firewall <--> lan

There's only 2 NICs in the MNF firewall so it's a straight-through connection between the modem and the MNF firewall. I managed to get the major services running fine (web browsing, FTP) but I'm having problems getting external email to enter the LAN where the Exchange server lives. Outgoing SMTP mail is fine and I've left the original SMTP rules intact (i.e. wan --> lan port 25 tcp allowed) but I'm still having trouble. Unfortunately the Mandrake MNF distro doesn't do the traditional configuration files as on the Shorewall website, and as a newbie I've looked at the files in question but can't work out where they're pointing to (my knowledge of shell/perl/python/whatever scripting in Linux is nil).

I've looked at the "shorewall show nat" output and it displays:

    0 0 DNAT TCP -- * * 0.0.0.0/0 0.0.0.0/0 TCP DPT:25 TO:10.0.0.2

(10.0.0.2 is my mail server address.) The rejected email shows:

    smtp;554 <email_address@domain.com>: Recipient address rejected: Relay access denied

Is this a problem with having two NATed subnets (ADSL router to MNF wan & MNF wan to MNF lan) or am I missing something obvious? Thanks for any help.
Tom Eastep
2003-Jul-15 10:38 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
On Tue, 2003-07-15 at 10:29, Adam Thorpe wrote:

> The rejected email shows:
> smtp;554 <email_address@domain.com>: Recipient address rejected: Relay access denied
>
> Is this a problem with having two NATed subnets (adsl router to mnf wan & mnf wan to mnf lan) or am I missing something obvious?

That looks like a problem with your email server configuration. It doesn't realize that it should accept email for the named recipient. Unfortunately (thankfully) I know nothing about Exchange so I can't help you there (I run Postfix).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Adam Thorpe
2003-Jul-15 11:31 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
Thanks for your reply Tom, it's really appreciated when the programmer of the software takes such an active interest in their forums, and incredibly promptly too (I've just noticed). Unfortunately I know for a fact that Exchange is up and running properly, as it was working fine this morning until I stuck the MNF in the middle of the configuration (don't ask)! I've had to take the MNF down so we can still receive email, and I did test it before I left work after I had taken it out again. I suppose I'm going to have to use a packet sniffer (better start brushing up on those skills too) to solve this unless anyone has any other suggestions? Thanks again.

> From: Tom Eastep <teastep@shorewall.net>
> That looks like a problem with your email server configuration. It doesn't realize that it should accept email for the named recipient.
Tom Eastep
2003-Jul-15 11:34 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
On Tue, 15 Jul 2003 18:30:45 +0000, Adam Thorpe <adam_thorpe@hotmail.com> wrote:

> I suppose I'm going to have to use a packet sniffer (better start brushing up on those skills too) to solve this unless anyone has any other suggestions?

Only that I assumed that your Exchange server is generating the 554 rejection -- is that the case?

-Tom
Adam Thorpe
2003-Jul-15 11:53 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
I did a check of the Exchange logs when I was trying to troubleshoot the problem but I didn't see any relaying denied messages in there. In fact, all I did see was outbound logged connections. I'm 99% sure that I should see them in there, but I will do a check when I get back into work tomorrow and turn up the logging level if necessary. What makes me think that it's not Exchange is another post I've seen in the forums with a similar problem but in reverse (i.e. email not being routed outbound). I did the "shorewall show nat" command (I think) and it showed no connections through tcp port 25 logged (it's buried in my original post somewhere), or that's how it looks to my untrained eye anyway. It's likely I'm completely wrong on this so any other pointers would be appreciated.

> From: Tom Eastep <teastep@shorewall.net>
> Only that I assumed that your Exchange server is generating the 554 rejection -- is that the case?
Adam Thorpe
2003-Jul-15 11:56 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
Sorry, I'd better clarify my error message, I think. The error message I received was obtained from the non-delivery report that I received from my Hotmail account when the test message failed to get through to my work domain where the problem resides. Hope this clears it up a bit.

> From: Tom Eastep <teastep@shorewall.net>
> Only that I assumed that your Exchange server is generating the 554 rejection -- is that the case?
Tom Eastep
2003-Jul-15 11:58 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
On Tue, 15 Jul 2003 18:55:59 +0000, Adam Thorpe <adam_thorpe@hotmail.com> wrote:

> Sorry, better clarify my error message better I think.
> The error message I received was obtained from the non-delivery report that I received from my hotmail account when the test message failed to get through to my work domain where the problem resides.
>
> Hope this clears it up a bit.

But what host generated the 554? The DSN should tell you...

-Tom
Adam Thorpe
2003-Jul-15 12:04 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
This is the email header I got back. It doesn't tell you much, but it looks like it's the Hotmail server that can't connect:

    --9B095B5ADSN=_01C34A66355CC45C000006A0hotmail.com
    Content-Type: message/delivery-status

    Reporting-MTA: dns;hotmail.com
    Received-From-MTA: dns;mail.hotmail.com
    Arrival-Date: Tue, 15 Jul 2003 10:24:14 -0700

    Final-Recipient: rfc822;email_address@domain.com
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: smtp;554 <email_address@domain.com>: Recipient address rejected: Relay access denied

    --9B095B5ADSN=_01C34A66355CC45C000006A0hotmail.com
    Content-Type: message/rfc822

    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 15 Jul 2003 10:24:14 -0700
    Received: from 195.74.100.68 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 15 Jul 2003 17:24:14 GMT
    X-Originating-IP: [195.74.100.68]
    X-Originating-Email: [adam_thorpe@hotmail.com]
    From: "Adam Thorpe" <adam_thorpe@hotmail.com>
    To: email_address@domain.com
    Bcc:
    Subject: 18:20
    Date: Tue, 15 Jul 2003 17:24:14 +0000
    Mime-Version: 1.0
    Content-Type: text/plain; format=flowed
    Message-ID: <LAW11-F76hNzW3l1GM300002f84@hotmail.com>
    X-OriginalArrivalTime: 15 Jul 2003 17:24:14.0952 (UTC) FILETIME=[E9FB7680:01C34AF5]

    [END OF EMAIL HEADER]

> From: Tom Eastep <teastep@shorewall.net>
> But what host generated the 554? The DSN should tell you...
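Tom's question ("what host generated the 554?") is answered from the per-recipient fields of the delivery-status part: RFC 3464 puts the host that issued the SMTP reply in Remote-MTA when the failure happened at a remote server, and when that field is missing the report only tells you which MTA wrote it (Reporting-MTA). The following parser is an added example, not code from the thread or from Shorewall; the first sample is the delivery-status part quoted above with the MIME boundaries removed, and the second sample (mx.example.net, mail.example.org) is constructed to show the Remote-MTA branch.

```python
"""Parse an RFC 3464 message/delivery-status body and say which host
issued the SMTP reply recorded in Diagnostic-Code.  Added example."""
import re

# Sample 1: the delivery-status part quoted in the thread, boundaries removed.
SAMPLE_DSN = """\
Reporting-MTA: dns;hotmail.com
Received-From-MTA: dns;mail.hotmail.com
Arrival-Date: Tue, 15 Jul 2003 10:24:14 -0700

Final-Recipient: rfc822;email_address@domain.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp;554 <email_address@domain.com>: Recipient address rejected: Relay access denied
"""

# Sample 2: constructed DSN where the reporting MTA names the remote host
# that rejected the recipient (hostnames are placeholders).
SAMPLE_DSN_REMOTE = """\
Reporting-MTA: dns;mx.example.net
Arrival-Date: Tue, 15 Jul 2003 10:24:14 -0700

Final-Recipient: rfc822;someone@example.org
Action: failed
Status: 5.7.1
Remote-MTA: dns;mail.example.org
Diagnostic-Code: smtp;550 5.7.1 Relaying denied
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_fields(block):
    """'Name: value' lines of one field group -> dict keyed by lower-case name."""
    fields = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def parse_dsn(text):
    """Split on blank lines: first group is per-message, the rest per-recipient."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    if not blocks:
        return {}, []
    return parse_fields(blocks[0]), [parse_fields(b) for b in blocks[1:]]


def split_typed(value):
    """'dns;hotmail.com' -> ('dns', 'hotmail.com'); 'smtp;554 ...' -> ('smtp', '554 ...')."""
    typ, sep, rest = value.partition(";")
    return (typ.strip().lower(), rest.strip()) if sep else ("", value.strip())


def smtp_reply_code(diagnostic_code):
    """Leading three-digit SMTP reply code from a Diagnostic-Code value, or None."""
    _, text = split_typed(diagnostic_code)
    m = re.match(r"(\d{3})", text)
    return int(m.group(1)) if m else None


def is_permanent(status):
    """Enhanced status codes of class 5 are permanent failures (RFC 3463)."""
    return status.strip().startswith("5.")


def who_rejected(per_message, recipient):
    """Return (host, source_field).  Remote-MTA, when present, names the server the
    reporting MTA was talking to when it got the reply; otherwise the DSN does not
    identify the remote end and only the reporting MTA itself is known."""
    remote = recipient.get("remote-mta")
    if remote:
        return split_typed(remote)[1], "remote-mta"
    return split_typed(per_message.get("reporting-mta", ""))[1], "reporting-mta"


if __name__ == "__main__":
    for sample in (SAMPLE_DSN, SAMPLE_DSN_REMOTE):
        per_message, recipients = parse_dsn(sample)
        for r in recipients:
            host, source = who_rejected(per_message, r)
            print(r.get("final-recipient"), r.get("action"),
                  smtp_reply_code(r.get("diagnostic-code", "")),
                  "permanent" if is_permanent(r.get("status", "")) else "transient",
                  f"reply issued by {host} (from {source})")
```

Run against the first sample, the parser reports a 554 for email_address@domain.com with no Remote-MTA field, so the DSN itself does not say which host answered the connection. The wording "Recipient address rejected: Relay access denied" is Postfix's reject_unauth_destination response, which is what one would expect from an MTA in the path that does not consider domain.com a destination it relays for.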
Graeme Boyle
2003-Jul-15 12:08 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
> Sorry, better clarify my error message better I think.
> The error message I received was obtained from the non-delivery report that I received from my hotmail account when the test message failed to get through to my work domain where the problem resides.
>
> Hope this clears it up a bit.

Could your firewall be answering requests on port 25 and then trying to relay those to your internal Exchange server? Just a thought.

Graeme
Tom Eastep
2003-Jul-15 12:15 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
On Tue, 15 Jul 2003 15:08:14 -0400, Graeme Boyle <g.boyle3@verizon.net> wrote:

> Could your firewall be answering requests on port 25 and then trying to relay those to your internal Exchange server?

I thought of that too -- I've been looking at the MNF info on the Mandrake web site and I can't find any reference to SMTP proxying.

-Tom
Francesca C. Smith
2003-Jul-15 12:22 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
Hello,

Unfortunately I have some extensive experience with Exchange and firewalls. The solution is kinda off topic and rather complex. It involves doing something intelligent like putting Postfix as a relay between Exchange and the firewall, hopefully in a DMZ. And the next part is the brain-dead way that Exchange handles split DNS zones, as in the overly complex crap you have to do to get it to handle masqueraded e-mail. I'm not sure what you have there, but if it sounds anything like the above, e-mail me at fsmith@ladylinux.com and I will try and help you out and post a synopsis here on the list.

Regards,
--
Francesca C Smith
Lady Linux Internet Services
1801 Bolton Street # 1
Baltimore, MD 21217
Adam Thorpe
2003-Jul-15 13:12 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
I didn't see any mention on the Mandrake site either, but I've seen references to email addresses when setting up. Not sure if these are just placeholders for error message generation (I saw one when Squid locked me out of internet access after hours this evening) or if there is a mail server/relay installed somewhere, but it's a good suggestion and I'll investigate more tomorrow.

Thanks
Adam

> From: Tom Eastep <teastep@shorewall.net>
> I thought of that too -- I've been looking at the MNF info on the Mandrake web site and I can't find any reference to SMTP proxying.
Tom Eastep
2003-Jul-15 13:18 UTC
[Shorewall-users] Port Forwarding Trouble with Mandrake MNF
On Tue, 2003-07-15 at 13:12, Adam Thorpe wrote:

> I didn't see any mention on the mandrake site either but I've seen reference to email addresses when setting up. Not sure if these are just placeholders for error message generation (I saw one when squid locked me out of internet access after hours this evening) or if there is a mail server/relay installed somewhere, but it's a good suggestion and I'll investigate more tomorrow.

It would certainly explain what we are seeing if MNF is redirecting incoming port 25 to its local MTA. If that MTA hasn't been configured to relay for your domain we would see the 554 AND we would see no packets hitting your DNAT rule. You will be able to see the entire set of nat rules by entering "shorewall show nat" at a shell prompt on your MNF box.

-Tom
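Tom's diagnostic combines two observations: the sender sees a 554, and the packet counter on the port 25 DNAT rule stays at zero, which together mean something earlier in the nat PREROUTING chain answered the connection. The script below is an added example, not part of the thread or of Shorewall; it reads the counter columns that "shorewall show nat" prints (assumed here to be the layout of "iptables -t nat -L -v -n") and reports which rule is the first to match a given inbound port. The sample table is constructed around the single DNAT line quoted earlier in the thread; the REDIRECT line in it is hypothetical and stands in for the "MNF redirects port 25 to its local MTA" scenario, and the port 80 rule and interface names are placeholders.

```python
"""Read iptables nat-table counters (as printed by 'shorewall show nat' /
'iptables -t nat -L -v -n') and report which rule answers inbound connections
to a given TCP port before the expected DNAT rule does.  Added example."""
import re

# Constructed sample output.  The port 25 DNAT line mirrors the one quoted in
# the thread; the REDIRECT line is a hypothetical stand-in for a firewall
# that diverts inbound SMTP to a local MTA before the DNAT rule is reached.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 1203 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 24720 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 redir ports 25
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.0.0.2
   57  3420 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.0.3

Chain POSTROUTING (policy ACCEPT 900 packets, 70K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2210  150K MASQUERADE all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
DPORT_RE = re.compile(r"\bdpt:(\d+)\b", re.IGNORECASE)


def parse_nat_table(text):
    """Return {chain_name: [rule dict, ...]} in the order the kernel evaluates them."""
    chains, chain = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            chains[chain] = []
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue  # header line, blank line, or text outside any chain
        pkts, byts, target, proto, _opt, inif, outif, src, dst, extra = m.groups()
        dm = DPORT_RE.search(extra)
        chains[chain].append({
            "pkts": int(pkts), "bytes": byts, "target": target.upper(),
            "proto": proto.lower(), "in": inif, "out": outif, "src": src, "dst": dst,
            "dport": int(dm.group(1)) if dm else None, "extra": extra.strip(),
        })
    return chains


def rules_for_port(chains, port, chain="PREROUTING", proto="tcp"):
    """Rules, in chain order, that can match inbound proto/port
    (rules with no port restriction match every port)."""
    return [r for r in chains.get(chain, [])
            if r["proto"] in (proto, "all") and r["dport"] in (port, None)]


def diagnose(chains, port, expect_to, chain="PREROUTING"):
    """Describe what happens to inbound connections on `port`: which rule fires
    first, and whether the DNAT to `expect_to` ever sees a packet."""
    matching = rules_for_port(chains, port, chain)
    expected = [r for r in matching
                if r["target"] == "DNAT" and ("to:" + expect_to) in r["extra"].lower().split()]
    first = matching[0] if matching else None
    result = {
        "first_rule": first["target"] if first else None,
        "first_rule_pkts": first["pkts"] if first else 0,
        "dnat_present": bool(expected),
        "dnat_pkts": sum(r["pkts"] for r in expected),
    }
    if not expected:
        result["verdict"] = f"no DNAT rule for port {port} to {expect_to} in {chain}"
    elif first["target"] != "DNAT" and first["pkts"] > 0 and result["dnat_pkts"] == 0:
        result["verdict"] = (f"port {port} is consumed by an earlier {first['target']} rule "
                             f"({first['pkts']} packets); the DNAT to {expect_to} never sees traffic")
    elif result["dnat_pkts"] == 0:
        result["verdict"] = f"DNAT rule present but zero packets: port {port} traffic is not reaching this box"
    else:
        result["verdict"] = f"DNAT to {expect_to} is forwarding traffic ({result['dnat_pkts']} packets)"
    return result


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_NAT)
    for port, target in ((25, "10.0.0.2"), (80, "10.0.0.3"), (443, "10.0.0.4")):
        print(diagnose(table, port, target)["verdict"])
```

On a live box the counters would be captured with "shorewall show nat" (or "iptables -t nat -L -v -n") once before and once after a test delivery; a DNAT counter that does not move while the sender receives a 5xx is the signature Tom describes, and the first matching rule above the DNAT is where to look.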