
Exchange Server 2003 and firewall

Discussion in 'Networking (Hardware & Software)' started by NickR, 2004/10/04.

Thread Status:
Not open for further replies.
  1. 2004/10/04
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    I have had Exchange Server 2003 working fine over a dial-up connection with DDNS.

    I have now obtained a broadband connection and a static IP address, and am using a DSL Ethernet modem (DLINK DSL-300T) with a broadband router/firewall (DLINK DI-624).

    The POP3 connector in Exchange 2003 (this is actually Small Business Server 2003) still works, as does sending email from Exchange - at least now that I have opened the router's firewall ports 25 and 110.

    However, the Exchange 2003 mail domain does not seem to be receiving mail addressed to it. So I can receive mail from my old POP3 accounts but not to mail accounts hosted on the Exchange server itself.

    I'm guessing this is another firewall issue. Unfortunately the firewall doesn't seem to log all its events, so I'm unable to see whether there's something being blocked.

    What are the ports/protocols I need to open and/or the port forwarding I need to specify, to enable the Exchange server to be found and accept incoming email addressed to it?
     
  2. 2004/10/04
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Those are the correct ports. I assume you have them forwarded to the LAN IP of the Server?
    Did you remember to check enable on the entry?

    I know these are simple things but easy to miss.

    Try pinging those ports from the wan side.

    Look at the error logs. May be a DNS issue.
     


  4. 2004/10/04
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    Hi

    Yes I have the rules enabled, and I have installed a "Virtual Server" in the router - DLINK's term for port forwarding.

    I have opened the ports for all IP addresses on the LAN and WAN sides for the purposes of testing this, whilst forwarding 25 and 110 incoming requests to the same ports on the Exchange server.

    The Event Log shows no errors in the DNS.

    I can't ping a port as ICMP doesn't understand port numbers.
    However I can telnet to port 110.
    I CANNOT telnet to port 25, as I think I should be able to. That's part of the reason I think the firewall is the problem. But having opened the firewall for all addresses on port 25, and set up a port forward, I'm not sure what else to do.
     
  5. 2004/10/04
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    When Exchange uses POP3 to grab e-mail from an ISP's mailbox/mailserver, Exchange is acting as the client - NOT THE SERVER. You should close/block port 110 on your Exchange server unless external users are connecting to it to retrieve e-mails. Even if external users need a link into your Exchange server I would still suggest that you close port 110 and use Webmail instead.

    By opening port 110 you are allowing remote access to your local mailboxes. If you don't need to do this close 110 off.
     
  6. 2004/10/04
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I will start by summarising what I think you are saying.
    • Outgoing e-mail is working fine
    • You are able to pull e-mails from individual POP3 mail boxes (old addresses outside your main e-mail domain) into your Exchange server.
    • You are not receiving mail sent to your domain via SMTP
    If this is the case the fact that you are unable to telnet into port 25 is highly significant.

    When receiving an SMTP mail feed, the Exchange server is acting as the server in this communication. Whoever is sending the mail will be sending it to port 25 at your address. If the server isn't listening on that port or the port is being blocked then SMTP mail won't get to you.

    I suggest the following strategy.
    1. Try opening a telnet session to your server's port 25 from the server. You may be able to use "TELNET 127.0.0.1 25" if Exchange is bound to all addresses. Otherwise use the correct local address. If this test fails the problem is that Exchange is not listening on port 25. Check your configuration and restart the Exchange services.
    2. If you can telnet in from the server, next try from another PC inside your network. If that fails, I expect that you have a problem with the ISA set up.
    3. If you get to this point and are still unable to telnet to the Exchange server from the internet then I would try two things. First double check the port forwarding on the router - external port 25 to Exchange server port 25. Second, ring up your ISP and ask them if they can connect to port 25. That is always a good thing to do as, first, it is a good check, and second, it forces your ISP to check their set up.

    Finally, if all this works, fine and good. If not this may be a good time to review how you have your server and internet connection set up. To work at its best the system should be set up as follows:
    • Server has TWO network cards. One is connected to the router and provides the connection to the internet. The other is connected to a switch/hub and provides a connection to the internal network.
    • The only computer connected to the router is the server. All other computers connect to the internet through the server and are therefore protected and controlled by ISA on the server.
    For this system to work you have to have two local networks. One between your router and the server, and the other between server and the local computers. A key point is that the port forwarding on the router needs to point at the EXTERNAL network card on the server and not the internal one.
     
  7. 2004/10/04
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Another factor that will prevent the system working is if the static address assigned to you is not actually being assigned to your connection by the ISP. Get your ISP to check that your static IP is actually pointing at your ADSL connection. You could also use something like Shields Up to see what the external world is seeing your address as, but this may not give you a definitive answer as you may have more than one IP address bound to your connection. So check with your ISP.
     
  8. 2004/10/04
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    Well, lots to read Reggie!

    Your summary of what I am saying is correct.
    At the moment I am using POP3 to access the Exchange domain mailbox when I'm out on site, hence having 110 open. Understand your comments re security and will consider webmail - but then that still requires a web port to be open! And they're notoriously insecure.

    I can telnet from any machine inside the network, but not from outside.

    My setup uses one NIC. The router is also a WAP and a wired switch. I could get another NIC and a second router, but for the moment, until it's all working, I don't intend to. As far as I can see that's all about security, but not about getting this to work??

    If you feel this could be a fundamental problem in making it work, I may reconsider. But when I had the dial up, this all worked just fine using the SBS simple firewall.

    ShieldsUp tells me port 25 is in stealth, despite having port forwarding set up and the SMTP connector running, and the SMTP service running too. I have stopped both the Windows SMTP service and the Exchange SMTP virtual server, but this didn't cure the problem.

    It isn't clear to me why the port appears to be in stealth. Running the SMTP service and connector, and ensuring port forwarding is on and port 25 open to external IPs should make the port show as open, surely?

    Maybe the router is ignoring my instruction to open port 25?
     
  9. 2004/10/04
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
  10. 2004/10/05
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    It does indeed.
     
  11. 2004/10/05
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Yes, I was obviously switched to transmit yesterday. Over eager after a week away in Greece :D

    Interesting. My first reaction is that the problem is the port forwarding on the router. However, my experience (which I admit is with older Dlink routers) is that routers don't mask ports in that way. All the ADSL routers I've used either close or open a port. Therefore, I think this points to the problem being ISA on the server. ISA is more likely to cloak/stealth a port.

    Is port 25 the only stealth port (or one of a small number)?

    Thinking over this again, I think there is merit in your argument. However, there are good tools available to lock down IIS (which Exchange uses to host the webmail interface), while there is less assistance with securing the POP service. It isn't as easy a decision as I suggested in my earlier posting. Of course the secure option is to remotely connect to the server over VPN, and perhaps that is the option I should have advocated.
     
  12. 2004/10/05
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    :) Well, I do have a VPN connection and that works. It may be the best bet, but there's the separate problem of the VPN not recognising Netbios names even though LMHOSTS is present and WINS is running. I gave up on that one!

    Actually, ShieldsUp says that all my ports are stealth except 110 and 21, which is what I expect except I expected 25 to be available.

    I am running SBS Standard which doesn't include ISA, so I have discounted ISA. The firewall available in SBS Standard is "Basic Firewall ". This is not apparently available on a connection via a router.
    When I had the dial-up, it definitely gave me a Basic Firewall setup and I could get to the properties via the Connections properties of the Remote Access and Routing console.

    When I replaced this with DSL, no new "connection" was created in the RAR console. I assume, therefore, that no firewall is running.
    Now, it's just possible this is wrong, but if so I have no way of accessing the connection and turning off Basic Firewall.

    When running the Internet Connection Wizard to create the router connection, the wizard detected my router, and asked if I wanted to configure it automatically. I said yes, but it then came up with an error saying it couldn't configure the router firewall.
    I then had to re-run the wizard, and this time say no. The wizard then ran through the configuration, including apparently successfully configuring the firewall I had told it not to. It's just possible that the firewall it was configuring was the Basic Firewall software in SBS I suppose. But if so, as I say, I can't find a connection listed that I can see the firewall properties for.

    Nick
     
  13. 2004/10/05
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    Just checked out the LAN connection properties in the RAR Console. The Basic Firewall and NAT configuration is set to "private connection to a private network" - i.e. no firewall enabled.
     
  14. 2004/10/05
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    If the majority of ports are in Stealth mode, it must be the router doing it. Obviously the newer DLink routers are cleverer than the ones I have on my networks. Sorry - I've sent you on a wild goose chase.

    So I am sure the problem is the port redirection on the router.

    Also 21 is a strange port to have open on its own. Don't you need 20 as well for FTP?
     
  15. 2004/10/05
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    I didn't think I needed 21 for FTP - and it seems to serve me FTP though I haven't tried uploading from a remote machine.

    I'm convinced it's the router/firewall now.
    DLINK support has told me I don't need to do anything from default, despite the fact that there's a default rule to deny access to any port from the WAN.

    Then they told me to enable the virtual server, which of course I have already done.

    Then they told me to put in an application rule, though as far as I know Exchange only needs port 25, not a range of ports triggered by 25, which is what the Applications tab is for.

    Then they told me that my computer or firewall software must be blocking the port, even though I had explained that I can telnet the port from any machine inside the firewall, and get a response from the SMTP server; but I can't even see it from outside. And that the port appeared to be in stealth mode from the WAN side.
    I also had explained I don't have any other firewall running.

    Finally they have told me to do a hardware reset using the reset button on the back - something that will lose all my custom settings, such as Terminal Services and Gnutella :(

    I'm at a loss what to do next, unless I buy a Netgear on the way home and install that.
     
  16. 2004/10/05
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I am confident you only need port 25 for incoming SMTP as you have said.

    There is an alternative. Get your ISP to deliver your domain e-mail into one of their POP mailboxes and grab it from there using SBS's POP mail connector. This may or may not work - depends how the ISP sets up the forwarding into the pop mailbox and how Exchange parses the e-mail headers. This solution is not as good a solution as using an SMTP feed but may be worth considering as a temporary fix.
     
  17. 2004/10/05
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    I'm sure I can get my ISP to host the domain - they provide that service. I would then need to go to my backup mail service provider and change my MX records too.

    However, as you say, this is a workaround rather than a fix. Once I get a problem like this, it bugs me until I find a solution, so implementing a workaround won't stop me thinking about it!

    :D
     
  18. 2004/10/05
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    I can't help but think it's a firewall issue.

    I would call DLink but make sure you get past the level one idiots. The level one is off shore and all they do is direct you to a FAQ.
     
  19. 2004/10/07
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    I have now replaced the router/firewall with another model.
    I can now telnet the server. I can also connect using Outlook or OE, but I can't send mail.
    I also cannot receive mail sent to the domain, still.

    But now, I am at least getting through to the Exchange server. SMTP is trying to deliver mail to my Exchange server but is getting the error

    454 5.7.3 Client does not have permission to submit mail to this server

    All I can find about this says the client is not authenticated to send mail to this server - but the server must surely accept incoming mail from anywhere!?!?

    Do I need to change some settings somewhere?
     
  20. 2004/10/07
    NickR

    NickR Inactive Thread Starter

    Joined:
    2004/08/21
    Messages:
    33
    Likes Received:
    0
    Just found the answer on Experts-Exchange!

    Somehow the "Allow anonymous access" box got unticked in the SMTP Virtual Server properties!

    So I had two problems - a faulty router/firewall and a changed property in the virtual server.

    Thanks to all for your help.
    Now I only have to get the B****** who crunched a lorry into the side of my brand new loan car this morning so I'll have an excess to pay on the garage's insurance.
    No day can be all good results can it? :(
     
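The thread works through two separate failure modes: a port 25 that the outside world cannot reach at all (ReggieB's "telnet to port 25 from the server, then from the LAN, then from the internet" sequence in post 6) and, once the router was swapped, a listening SMTP server that answered every unauthenticated sender with 454 5.7.3 because "Allow anonymous access" had been unticked (posts 19 and 20). The script below is an added example written for this page, not code from the thread or from Microsoft; it automates that telnet test and goes one step further by issuing EHLO / MAIL FROM / RCPT TO and classifying the reply, so an administrator can tell "filtered", "nothing listening", "listening but refusing anonymous inbound mail" and "accepts inbound mail" apart. It never sends DATA, so no message is delivered. The host names and mailbox names (`example.invalid`) are constructed, and the small fake Exchange-like server is included only so the probe can be exercised offline; point `probe_smtp_inbound()` at your own server's address to use it for real.

```python
import socket
import socketserver
import threading

# --- probe (the automated "telnet 25" test) ------------------------------

def _read_reply(rfile):
    """Read one SMTP reply, including the multi-line '250-...' form; return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # a '-' after the code means more lines follow
            break
    return int(lines[-1][:3]), "\n".join(lines)

def probe_smtp_inbound(host, port=25, sender="probe@example.invalid",
                       recipient="postmaster@example.invalid", timeout=5.0):
    """Classify how host:port treats an unauthenticated inbound delivery attempt.

    status is 'filtered' (no answer at all, what ShieldsUp reports as stealth),
    'closed' (TCP reset: reachable but nothing listening), 'unreachable',
    'no_banner' (connected but no 220 greeting), 'rejects' (refused before
    RCPT TO was accepted, e.g. Exchange's 454 5.7.3) or 'accepts'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except TimeoutError:
        return {"status": "filtered", "code": None, "detail": "connect timed out"}
    except ConnectionRefusedError:
        return {"status": "closed", "code": None, "detail": "connection refused"}
    except OSError as exc:
        return {"status": "unreachable", "code": None, "detail": str(exc)}
    with sock, sock.makefile("rb") as rfile:
        def cmd(line):
            sock.sendall((line + "\r\n").encode("ascii"))
            return _read_reply(rfile)
        try:
            code, text = _read_reply(rfile)
            if code != 220:
                return {"status": "no_banner", "code": code, "detail": text}
            for step in ("EHLO probe.example.invalid", f"MAIL FROM:<{sender}>"):
                code, text = cmd(step)
                if code != 250:
                    return {"status": "rejects", "code": code, "detail": text}
            code, text = cmd(f"RCPT TO:<{recipient}>")
        except OSError as exc:
            return {"status": "no_banner", "code": None, "detail": str(exc)}
        result = {"status": "accepts" if code == 250 else "rejects", "code": code, "detail": text}
        try:
            cmd("RSET")          # abandon the envelope: nothing is ever delivered
            cmd("QUIT")
        except OSError:
            pass
        return result

# --- constructed stand-in for the Exchange SMTP virtual server -----------

class FakeExchangeHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to reproduce the thread's two outcomes (constructed)."""
    def handle(self):
        self.wfile.write(b"220 mail.example.invalid Fake SMTP ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode("ascii", "replace").strip().upper()
            if verb.startswith(("EHLO", "HELO")):
                self.wfile.write(b"250-mail.example.invalid Hello\r\n250 AUTH LOGIN\r\n")
            elif verb.startswith("MAIL FROM"):
                if self.server.anonymous_allowed:
                    self.wfile.write(b"250 2.1.0 Sender OK\r\n")
                else:   # the reply Nick saw with "Allow anonymous access" unticked
                    self.wfile.write(b"454 5.7.3 Client does not have permission to submit mail to this server\r\n")
            elif verb.startswith("RCPT TO"):
                self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
            elif verb.startswith("RSET"):
                self.wfile.write(b"250 2.0.0 Resetting\r\n")
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 2.0.0 Service closing\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Unrecognized command\r\n")

class FakeExchangeServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self, anonymous_allowed):
        super().__init__(("127.0.0.1", 0), FakeExchangeHandler)   # port 0: OS picks a free port
        self.anonymous_allowed = anonymous_allowed
        threading.Thread(target=self.serve_forever, daemon=True).start()

def run_demo():
    """Probe the fake server in both configurations plus a port with no listener."""
    results = {}
    for label, anon in (("anonymous_on", True), ("anonymous_off", False)):
        srv = FakeExchangeServer(anon)
        try:
            results[label] = probe_smtp_inbound(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    tmp = socket.socket()                 # reserve a port, release it, then probe it
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]
    tmp.close()
    results["closed"] = probe_smtp_inbound("127.0.0.1", free_port)
    return results

if __name__ == "__main__":
    for label, res in run_demo().items():
        print(f"{label:14s} {res['status']:10s} {res['code']}  {res['detail'].splitlines()[-1]}")
```

Run from inside the LAN and again from an outside host, as post 6 suggests: a 'filtered' result only from outside points at the router's port forwarding, while 'rejects' with 454 5.7.3 from both sides means the packets arrive and the fix is in the SMTP virtual server's access settings, not the firewall. Because the envelope is reset before DATA, the probe also serves as a harmless periodic check that the server still accepts mail from unauthenticated senders after configuration changes.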