Email Server - Configure to receive on non-standard port


Postby Bob Tucker » Nov 21 04 10:40 pm

Hi,

We have purchased an email service which filters out spam and then forwards email to our server on one of a number of non-standard ports. We will not be able to use port 25 to receive SMTP mail from this service. We use the Email Server in Wingate to reject email that is not addressed to domain recipients and relay properly addressed email to our internal Exchange Server. Therefore, I need to configure the Wingate Email Server to receive external email only at a non-standard port (probably port 925). I would like to continue to use port 25 internally, and I need to send Internet mail externally on port 25. I can see how to do this with a mapping proxy, but I am confused as to how one might do this with the Email Server. It appears that you might do this with the bindings. But one might also do this in ENS. How do I do this? Once I can receive email on port 925 from the Internet, I would like to restrict reception to two IPs, which are the IPs of the clustered servers at the email antispam/antivirus service that we are using. Please let me know how to attack this.

Regards,

Bob Tucker
Last edited by Bob Tucker on Nov 22 04 6:30 pm, edited 1 time in total.
Bob Tucker
 
Posts: 94
Joined: Oct 02 03 11:47 pm

Postby Pascal » Nov 22 04 8:18 am

Hi Bob,

You are correct - there are two ways to do this.

Method 1
One would be to set up an ENS-level redirect for the external port (from the trusted IPs on the Internet): set up a Port Security Action that redirects Internet TCP connections on port 925 to 127.0.0.1 on port 25 without translating the source IP (the checkbox becomes available once you have the action set to "Redirect").

What that gives you is any external traffic on port 925 gets pushed up to the local host on port 25. The original source address (For SMTP Server rule validation) is not translated.

Method 2
Bind your SMTP Server to your external adapter - overriding the service port to 925. Ensure that the bindings to your internal adapters remain as they were.

General
For both methods, you'd then go into the SMTP Server and add a policy that will allow (a) all your local machines access (User Everyone, using the Locations tab) and (b) the two IP addresses you want to restrict access to.

That will then block anybody else from using port 925 -> 25.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
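The policy Pascal describes has two parts worth seeing together: the port redirect must preserve the original source address, and the SMTP server's location policy must then admit only local machines plus the two filtering-service hosts, while refusing to relay for anyone else. The following is an added example, written for this page and not WinGate's code or configuration; it models that logic in plain Python so the consequence of translating the source IP on the redirect is visible. The addresses, domains and port numbers are constructed assumptions (RFC 5737 test ranges), as is the treatment of 127.0.0.0/8 as a "local" location.

```python
import ipaddress

# --- Constructed policy (assumptions for this example, not a real WinGate config) ---
EXTERNAL_PORT = 925      # non-standard port the filtering service delivers to
INTERNAL_PORT = 25       # port Exchange and internal clients keep using
FIREWALL_HOLES = {EXTERNAL_PORT}   # external holes after the port-25 hole was removed
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),   # internal LAN (assumed)
                  ipaddress.ip_network("127.0.0.0/8")]      # loopback counts as local
FILTER_SERVICE_IPS = {ipaddress.ip_address("203.0.113.10"),  # the two clustered
                      ipaddress.ip_address("203.0.113.11")}  # antispam hosts (assumed)
LOCAL_DOMAINS = {"example.com"}                              # domains we accept mail for


def ens_redirect(source_ip, dest_port, translate_source):
    """Model the ENS Port Security Action: Internet TCP on EXTERNAL_PORT is
    redirected to 127.0.0.1:INTERNAL_PORT.  Returns the (source, port) the SMTP
    server sees.  With translate_source=True the server sees 127.0.0.1 and the
    original client address is lost, which is what the thread warns against."""
    if dest_port != EXTERNAL_PORT:
        return source_ip, dest_port            # other ports are not redirected
    seen_src = "127.0.0.1" if translate_source else source_ip
    return seen_src, INTERNAL_PORT


def is_local(ip):
    return any(ip in net for net in LOCAL_NETWORKS)


def source_allowed(source_ip):
    """Location policy: Everyone from internal locations, plus the two filter IPs."""
    ip = ipaddress.ip_address(source_ip)
    return ip in FILTER_SERVICE_IPS or is_local(ip)


def rcpt_response(source_ip, rcpt):
    """Reply to RCPT TO.  Internal senders may relay outbound to any domain;
    external senders only reach local-domain recipients (no open relay)."""
    local_part, sep, domain = rcpt.rpartition("@")
    if not sep or not local_part or not domain:
        return "501 5.1.3 Bad recipient address syntax"
    if is_local(ipaddress.ip_address(source_ip)):
        return "250 2.1.5 OK"
    if domain.lower() in LOCAL_DOMAINS:
        return "250 2.1.5 OK"
    return "554 5.7.1 Relay access denied"


def handle_internet_connection(source_ip, dest_port, rcpts, translate_source=False):
    """Run one connection arriving on the external adapter through the
    firewall hole check, the redirect and the SMTP policy."""
    if dest_port not in FIREWALL_HOLES:
        return {"accepted": False, "seen_source": None,
                "banner": None, "reason": "dropped by firewall", "rcpt": []}
    seen_src, _seen_port = ens_redirect(source_ip, dest_port, translate_source)
    if not source_allowed(seen_src):
        return {"accepted": False, "seen_source": seen_src,
                "banner": "554 5.7.1 Access denied", "reason": "location policy",
                "rcpt": []}
    return {"accepted": True, "seen_source": seen_src,
            "banner": "220 mail.example.com ESMTP", "reason": None,
            "rcpt": [(r, rcpt_response(seen_src, r)) for r in rcpts]}


if __name__ == "__main__":
    # Filtering service on 925: accepted; local recipient OK, relay attempt refused.
    print(handle_internet_connection("203.0.113.10", 925,
                                     ["bob@example.com", "x@other.net"]))
    # Unknown host on 925: refused by the location policy.
    print(handle_internet_connection("198.51.100.7", 925, ["bob@example.com"]))
    # Same host, but the redirect translated the source: it now looks like loopback.
    print(handle_internet_connection("198.51.100.7", 925, ["bob@example.com"],
                                     translate_source=True))
    # Anyone on external port 25: no hole, dropped before SMTP is reached.
    print(handle_internet_connection("198.51.100.7", 25, ["bob@example.com"]))
```

The third call is the point of the "without translating the source IP" remark: once the redirect rewrites the source to 127.0.0.1, every Internet client matches the local-machines location and the two-IP restriction is silently bypassed.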

Postby Bob Tucker » Nov 22 04 1:05 pm

Dear Pascal,

Thank you very much for your post. It is very clear and most helpful. I tried both methods. Although I could manually send email via telnet to the Wingate SMTP server on port 925 using both methods, the email daemon at the antispam/antivirus service appears to much prefer the added binding at port 925 to the SMTP server, so that is where I left it. I restricted SMTP locations in the manner you suggested. I removed the external firewall hole at port 25. It took spammers less than an hour to find the new port. So I moved the new port to a port that has no obvious relationship to port 25. I am sure some spammers will find it within a few hours. Thank you again for your assistance. I appreciate it very much.

Kindest Regards,

Bob Tucker

Postby Bob Tucker » Nov 22 04 11:51 pm

Dear Pascal,

There is one part to this I do not know how to deal with. I have left the default port on the SMTP service 25 as the SMTP server receives email from the Exchange server and sends email to the Internet on port 25. Whenever I stop and start Wingate, ENS adds a hole at port 25 and deletes the hole on the non-standard port. I think I have managed to get Wingate to keep the hole on the non-standard port. How do I get Wingate to stop automatically creating the hole on port 25 each time it starts?

Kindest Regards,

Bob Tucker

Postby Pascal » Nov 23 04 7:06 am

WinGate will create holes for all the bindings it has. You'll need to check your binding policies and ensure that they specify the correct subset of adapters and ports.

Postby Bob Tucker » Nov 23 04 11:36 am

Dear Pascal,

Thank you. You are right. I thought I needed a binding to the external NIC at port 25 to use that gateway. I was wrong. Eliminating that binding fixes the problem.

Regards,

Bob Tucker

Postby Pascal » Nov 23 04 11:40 am

Bindings are "listening" and might result in a firewall hole.
Gateways are "sending" and won't result in a firewall hole.

That's a rough definition, though.

Postby Bob Tucker » Nov 23 04 12:58 pm

Dear Pascal,

What confused me was how automatic holes are created and maintained. After I determined that the mailer daemon on the box at the antispam service liked the additional binding as opposed to an ENS mapping, I added a binding policy to the SMTP server for any external adapter with an override on the service port. I changed the existing binding policy so that the binding at port 25 was made to any internal adapter, rather than any adapter. I have two gateways. When I applied the revised policies, bindings were created at the override port on both external adapters, a binding at port 25 remained on the internal adapter, and there were no longer bindings on port 25 on the external adapters, just as I wanted. But I found that when I applied the policy changes, no hole was created in the firewall. I manually created the hole. But, as I recall, it was not recreated when I restarted Wingate.

I then went back and revised the policy to create the external binding at the non-standard port on only a single adapter. A hole was created at the override port, and that hole was created each time Wingate was restarted. I then added a policy to create a binding on the non-standard port on the second external adapter. When I applied that, all was good. But when I restarted Wingate, the hole on the override port was again not recreated. Meanwhile, I recalled that I had deleted the binding on port 25. I revised the policy to recreate that binding. And I found that the hole in the firewall at the non-standard port was no longer deleted when I restarted Wingate. As a result, I thought the binding at port 25 on the external adapter was required. I was wrong.

I needed to create policies in a manner that Wingate could deal with more clearly. After your post, I went back and changed the policies so that each policy deals with a single binding and adapter. I manually created the holes in the firewall. Everything works.

Kindest Regards,

Bob Tucker