Shorewall users - Jul 2003 - Port Forwarding Trouble with Mandrake MNF

Please excuse my ignorance as I''m a linux newbie.

Basically I have a setup of an adsl ethernet modem (nated and then 
everything forwarded to the external ip of my Mandrake mnf firewall) 
connected to the mnf firewall which then connects to the lan.

internet <--> adsl modem <--> mnf firewall <--> lan

There''s only 2 nics in the mnf firewall so it''s a straight
through
connection between the modem and the mnf firewall.

I managed to get the major services running fine (web browsing, ftp) but
I''m
having problems getting external email to enter into the lan where the 
exchange server lives.  Outgoing smtp mail is fine and I''ve left the 
original smtp rules intact (ie wan --> lan port 25 tcp allowed) but
I''m
still having trouble.

Unfortunately the Mandrake MNF distro doesn''t do the traditional 
configuration files as are on the shorewall website and as a newbie
I''ve
looked at the files in question but can''t work out where
they''re pointing to
(my knowledge of shell/perl/python/whatever scripting in linux is nil).

I''ve looked at the shorewall show nat output and it displays:

0  0  DNAT  TCP  --  *  *  0.0.0.0/0  0.0.0.0/0  TCP  DPT:25 TO:10.0.0.2

(10.0.0.2 is my mail server address)

The rejected email shows:
smtp;554 <email_address@domain.com>: Recipient address rejected: Relay 
access denied

Is this a problem with having to nated subnets (adsl router to mnf wan & mnf
wan to mnf lan) or am I missing something obvious?

Thanks for any help.

_________________________________________________________________
It''s fast, it''s easy and it''s free. Get MSN Messenger
today!
http://www.msn.co.uk/messenger

On Tue, 2003-07-15 at 10:29, Adam Thorpe wrote:
> 
> The rejected email shows:
> smtp;554 <email_address@domain.com>: Recipient address rejected:
Relay
> access denied
> 
> Is this a problem with having to nated subnets (adsl router to mnf wan
& mnf
> wan to mnf lan) or am I missing something obvious?
> 
That looks like a problem with your email server configuration. It
doesn''t realize that it should accept email for the named recipient.
Unfortunately (thankfully) I know nothing about Exchange so I can''t
help
you there (I run Postfix).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks for your reply Tom, it''s really appreciated when the programmer
of
the software takes such an active interest in their forums and incredibly 
promptly too (I''ve just noticed).

Unfortunately I know for a fact that exchange is up and running properly as 
it was working fine this morning until I stuck the mnf in the middle of the 
configuration (don''t ask)!  I''ve had to take the mnf down so
we can still
receive email and I did test it before I left work after I had taken it out 
again.

I suppose I''m going to have to use a packet sniffer (better start
brushing
up on those skills too) to solve this unless anyone has any other 
suggestions?

Thanks again.
>From: Tom Eastep <teastep@shorewall.net>
>To: Adam Thorpe <adam_thorpe@hotmail.com>
>CC: shorewall-users@lists.shorewall.net
>Subject: Re: [Shorewall-users] Port Forwarding Trouble with Mandrake MNF
>Date: 15 Jul 2003 10:38:02 -0700
>MIME-Version: 1.0
>Received: from gateway.shorewall.net ([206.124.146.176]) by 
>mc7-f33.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 15 Jul 
>2003 10:38:03 -0700
>Received: from wookie.shorewall.net (wookie.shorewall.net 
>[192.168.1.3])(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
>bits))(No client certificate requested)by gateway.shorewall.net (Postfix) 
>with ESMTPid E093C1093C; Tue, 15 Jul 2003 10:38:02 -0700 (PDT)
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>In-Reply-To: <Law11-F68LX2wEGBssy00011784@hotmail.com>
>References: <Law11-F68LX2wEGBssy00011784@hotmail.com>
>Organization: Message-Id:
<1058290682.22130.180.camel@wookie.shorewall.net>
>X-Mailer: Ximian Evolution 1.2.2 (1.2.2-5) Return-Path: 
>teastep@shorewall.net
>X-OriginalArrivalTime: 15 Jul 2003 17:38:04.0053 (UTC) 
>FILETIME=[D82A3C50:01C34AF7]
>
>On Tue, 2003-07-15 at 10:29, Adam Thorpe wrote:
>
> >
> > The rejected email shows:
> > smtp;554 <email_address@domain.com>: Recipient address rejected:
Relay
> > access denied
> >
> > Is this a problem with having to nated subnets (adsl router to mnf wan
&
>mnf
> > wan to mnf lan) or am I missing something obvious?
> >
>
>That looks like a problem with your email server configuration. It
>doesn''t realize that it should accept email for the named
recipient.
>Unfortunately (thankfully) I know nothing about Exchange so I can''t
help
>you there (I run Postfix).
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
>
_________________________________________________________________
Sign-up for a FREE BT Broadband connection today! 
http://www.msn.co.uk/specials/btbroadband

On Tue, 15 Jul 2003 18:30:45 +0000, Adam Thorpe <adam_thorpe@hotmail.com> 
wrote:

>
> I suppose I''m going to have to use a packet sniffer (better start 
> brushing up on those skills too) to solve this unless anyone has any 
> other suggestions?
>
Only that I assumed that you Exchange server is generating the 554 
rejection -- is that the case?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

I did a check of the exchange logs when I was trying to troubleshoot the 
problem but I didn''t see any relaying denied messages in there.  In
fact,
all I did see was outbound logged connections.  I''m 99% sure that I
should
see them there in there but I will do a check when I get back into work 
tomorrow and turn up the logging level if necessary.

What makes me think that it''s not exchange is another post
I''ve seen in the
forums with a similar problem but in reverse (ie email not been routed 
outbound).  I did the shorewall show nat command (I think) and it showed 
that no connections through tcp port 25 logged (it''s buried in my
original
post somewhere) or thats how it looks to my untrained eye anyway.  It''s
likely I''m completely wrong on this so any other pointers would be 
appreciated.


>From: Tom Eastep <teastep@shorewall.net>
>To: Adam Thorpe <adam_thorpe@hotmail.com>
>CC: shorewall-users@lists.shorewall.net
>Subject: Re: [Shorewall-users] Port Forwarding Trouble with Mandrake MNF
>Date: Tue, 15 Jul 2003 11:34:18 -0700
>MIME-Version: 1.0
>Received: from gateway.shorewall.net ([206.124.146.176]) by 
>mc6-f15.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 15 Jul 
>2003 11:35:17 -0700
>Received: from tipper.shorewall.net (tipper.shorewall.net 
>[192.168.3.8])(using TLSv1 with cipher RC4-SHA (128/128 bits))(No client 
>certificate requested)by gateway.shorewall.net (Postfix) with ESMTPid 
>8CCD011382; Tue, 15 Jul 2003 11:34:21 -0700 (PDT)
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>References: <Law11-F51o79oOwE8cI000119a9@hotmail.com>
>Message-ID: <oprsc67gh1ww1ebe@mail.shorewall.net>
>In-Reply-To: <Law11-F51o79oOwE8cI000119a9@hotmail.com>
>User-Agent: Opera7.11/Win32 M2 build 2880
>Return-Path: teastep@shorewall.net
>X-OriginalArrivalTime: 15 Jul 2003 18:35:17.0313 (UTC) 
>FILETIME=[D68C2310:01C34AFF]
>
>On Tue, 15 Jul 2003 18:30:45 +0000, Adam Thorpe
<adam_thorpe@hotmail.com>
>wrote:
>
>
>>
>>I suppose I''m going to have to use a packet sniffer (better
start brushing
>>up on those skills too) to solve this unless anyone has any other 
>>suggestions?
>>
>
>Only that I assumed that you Exchange server is generating the 554 
>rejection -- is that the case?
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
_________________________________________________________________
Sign-up for a FREE BT Broadband connection today! 
http://www.msn.co.uk/specials/btbroadband

Sorry, better clarify my error message better I think.
The error message I received was obtained from the non-delivery report that 
I received from my hotmail account when the test message failed to get 
through to my work domain where the problem resides.

Hope this clears it up a bit.

>From: Tom Eastep <teastep@shorewall.net>
>To: Adam Thorpe <adam_thorpe@hotmail.com>
>CC: shorewall-users@lists.shorewall.net
>Subject: Re: [Shorewall-users] Port Forwarding Trouble with Mandrake MNF
>Date: Tue, 15 Jul 2003 11:34:18 -0700
>MIME-Version: 1.0
>Received: from gateway.shorewall.net ([206.124.146.176]) by 
>mc6-f15.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 15 Jul 
>2003 11:35:17 -0700
>Received: from tipper.shorewall.net (tipper.shorewall.net 
>[192.168.3.8])(using TLSv1 with cipher RC4-SHA (128/128 bits))(No client 
>certificate requested)by gateway.shorewall.net (Postfix) with ESMTPid 
>8CCD011382; Tue, 15 Jul 2003 11:34:21 -0700 (PDT)
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>References: <Law11-F51o79oOwE8cI000119a9@hotmail.com>
>Message-ID: <oprsc67gh1ww1ebe@mail.shorewall.net>
>In-Reply-To: <Law11-F51o79oOwE8cI000119a9@hotmail.com>
>User-Agent: Opera7.11/Win32 M2 build 2880
>Return-Path: teastep@shorewall.net
>X-OriginalArrivalTime: 15 Jul 2003 18:35:17.0313 (UTC) 
>FILETIME=[D68C2310:01C34AFF]
>
>On Tue, 15 Jul 2003 18:30:45 +0000, Adam Thorpe
<adam_thorpe@hotmail.com>
>wrote:
>
>
>>
>>I suppose I''m going to have to use a packet sniffer (better
start brushing
>>up on those skills too) to solve this unless anyone has any other 
>>suggestions?
>>
>
>Only that I assumed that you Exchange server is generating the 554 
>rejection -- is that the case?
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
_________________________________________________________________
Use MSN Messenger to send music and pics to your friends 
http://www.msn.co.uk/messenger

On Tue, 15 Jul 2003 18:55:59 +0000, Adam Thorpe <adam_thorpe@hotmail.com> 
wrote:
> Sorry, better clarify my error message better I think.
> The error message I received was obtained from the non-delivery report 
> that I received from my hotmail account when the test message failed to 
> get through to my work domain where the problem resides.
>
> Hope this clears it up a bit.
But what host generated the 554? The DSN should tell you...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

This is the email header I got back.  It doesn''t tell you much, but it
looks
like it''s the hotmail server can''t connect:

--9B095B5ADSN=_01C34A66355CC45C000006A0hotmail.com
Content-Type: message/delivery-status

Reporting-MTA: dns;hotmail.com
Received-From-MTA: dns;mail.hotmail.com
Arrival-Date: Tue, 15 Jul 2003 10:24:14 -0700

Final-Recipient: rfc822;email_address@domain.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp;554 <email_address@domain.com>: Recipient address 
rejected: Relay access denied


--9B095B5ADSN=_01C34A66355CC45C000006A0hotmail.com
Content-Type: message/rfc822

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Tue, 15 Jul 2003 10:24:14 -0700
Received: from 195.74.100.68 by lw11fd.law11.hotmail.msn.com with HTTP;
	Tue, 15 Jul 2003 17:24:14 GMT
X-Originating-IP: [195.74.100.68]
X-Originating-Email: [adam_thorpe@hotmail.com]
From: "Adam Thorpe" <adam_thorpe@hotmail.com>
To: email_address@domain.com
Bcc:
Subject: 18:20
Date: Tue, 15 Jul 2003 17:24:14 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <LAW11-F76hNzW3l1GM300002f84@hotmail.com>
X-OriginalArrivalTime: 15 Jul 2003 17:24:14.0952 (UTC) 
FILETIME=[E9FB7680:01C34AF5]


[END OF EMAIL HEADER]
---------------------------------------------
>From: Tom Eastep <teastep@shorewall.net>
>To: Adam Thorpe
<adam_thorpe@hotmail.com>,smerrill@finelinegraphics.com
>CC: shorewall-users@lists.shorewall.net
>Subject: Re: [Shorewall-users] Port Forwarding Trouble with Mandrake MNF
>Date: Tue, 15 Jul 2003 11:58:18 -0700
>MIME-Version: 1.0
>Received: from gateway.shorewall.net ([206.124.146.176]) by 
>mc8-f13.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 15 Jul 
>2003 11:59:01 -0700
>Received: from tipper.shorewall.net (tipper.shorewall.net 
>[192.168.3.8])(using TLSv1 with cipher RC4-SHA (128/128 bits))(No client 
>certificate requested)by gateway.shorewall.net (Postfix) with ESMTPid 
>DC6D811391; Tue, 15 Jul 2003 11:58:20 -0700 (PDT)
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>References: <Law11-F50FrYILoygXL00011d0e@hotmail.com>
>Message-ID: <oprsc8bgujww1ebe@mail.shorewall.net>
>In-Reply-To: <Law11-F50FrYILoygXL00011d0e@hotmail.com>
>User-Agent: Opera7.11/Win32 M2 build 2880
>Return-Path: teastep@shorewall.net
>X-OriginalArrivalTime: 15 Jul 2003 18:59:02.0267 (UTC) 
>FILETIME=[27E2DCB0:01C34B03]
>
>On Tue, 15 Jul 2003 18:55:59 +0000, Adam Thorpe
<adam_thorpe@hotmail.com>
>wrote:
>
>>Sorry, better clarify my error message better I think.
>>The error message I received was obtained from the non-delivery report 
>>that I received from my hotmail account when the test message failed to 
>>get through to my work domain where the problem resides.
>>
>>Hope this clears it up a bit.
>
>But what host generated the 554? The DSN should tell you...
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection 
http://www.msn.co.uk/specials/btbroadband

> Sorry, better clarify my error message better I think.
> The error message I received was obtained from the 
> non-delivery report that 
> I received from my hotmail account when the test message 
> failed to get 
> through to my work domain where the problem resides.
> 
> Hope this clears it up a bit.
>
Could your firewall be answering requests on port 25 and then trying to
relay those to your internal Exchange server?

Just a thought.

Graeme

On Tue, 15 Jul 2003 15:08:14 -0400, Graeme Boyle <g.boyle3@verizon.net> 
wrote:

>
> Could your firewall be answering requests on port 25 and then trying to
> relay those to your internal Exchange server?
I thought of that too -- I''ve been looking at the MNF info on the
Mandrake
web site and I can''t find any reference to SMTP proxying.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hello,

Unfortunetly I have some extensive experience with Exchange and
Firewalls. The solution is kinda off topic and rather complex. It
involves doing something intelligent like putting Postfix as a relay
between Exchange and the firewall. Hopefulling in a DMZ. and the next
part is the brain dead way that Exchange handles split DNS zones. As in
the overly complex crap you have to do to get it to handle masqueraded
E-mail. Im not sure what you have there but if it sounds anything like
the above e-mail me at fsmith@ladylinux.com and I will try and help you
out and post a synopsis here on the list.

Regards,

-- 
Francesca C Smith
Lady Linux Internet Services
1801 Bolton Street # 1
Baltimore, MD 21217

I didn''t see any mention on the mandrake site either but I''ve
seen reference
to email addresses when setting up.  Not sure if these are just placeholders 
for error message generation (I saw one when squid locked me out of internet 
access after hours this evening) or if there is a mail server/relay 
installed somewhere, but it''s a good suggestion and I''ll
investigate more
tomorrow.

Thanks
Adam
>From: Tom Eastep <teastep@shorewall.net>
>To: g.boyle3@verizon.net, ''Adam Thorpe''
<adam_thorpe@hotmail.com>
>CC: shorewall-users@lists.shorewall.net
>Subject: Re: [Shorewall-users] Port Forwarding Trouble with Mandrake MNF
>Date: Tue, 15 Jul 2003 12:14:59 -0700
>MIME-Version: 1.0
>Received: from gateway.shorewall.net ([206.124.146.176]) by 
>mc1-f27.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 15 
>Jul 2003 12:47:05 -0700
>Received: from tipper.shorewall.net (tipper.shorewall.net 
>[192.168.3.8])(using TLSv1 with cipher RC4-SHA (128/128 bits))(No client 
>certificate requested)by gateway.shorewall.net (Postfix) with ESMTPid 
>2D12611523; Tue, 15 Jul 2003 12:15:03 -0700 (PDT)
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>References: <005101c34b04$71ccb7a0$20020a0a@VIISAGE.NET>
>Message-ID: <oprsc829k3ww1ebe@mail.shorewall.net>
>In-Reply-To: <005101c34b04$71ccb7a0$20020a0a@VIISAGE.NET>
>User-Agent: Opera7.11/Win32 M2 build 2880
>Return-Path: teastep@shorewall.net
>X-OriginalArrivalTime: 15 Jul 2003 19:47:05.0292 (UTC) 
>FILETIME=[DE4D90C0:01C34B09]
>
>On Tue, 15 Jul 2003 15:08:14 -0400, Graeme Boyle
<g.boyle3@verizon.net>
>wrote:
>
>
>>
>>Could your firewall be answering requests on port 25 and then trying to
>>relay those to your internal Exchange server?
>
>I thought of that too -- I''ve been looking at the MNF info on the
Mandrake
>web site and I can''t find any reference to SMTP proxying.
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile

On Tue, 2003-07-15 at 13:12, Adam Thorpe wrote:
> I didn''t see any mention on the mandrake site either but
I''ve seen reference
> to email addresses when setting up.  Not sure if these are just
placeholders
> for error message generation (I saw one when squid locked me out of
internet
> access after hours this evening) or if there is a mail server/relay 
> installed somewhere, but it''s a good suggestion and I''ll
investigate more
> tomorrow.
It would certainly explain what we are seeing if MNF is redirecting
incoming port 25 to its local MTA. If that MTA hasn''t been configured
to
relay for your domain we would see the 554 AND we would see no packets
hitting your DNAT rule.

You will be able to see the entire set of nat rules by entering
"shorewall show nat" at a shell prompt on your MNF box.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net