Koozali.org: home of the SME Server

Mail Server Issue in my DMZ HELP!

Offline cyberwatcher

  • **
  • 66
  • +0/-0
    • The Network Security Company
Mail Server Issue in my DMZ HELP!
« on: September 05, 2008, 03:08:18 AM »
 
My LAN has 2 different subnets, 10.1.1.0 and 172.16.10.0, which is my DMZ. When I place the SME mail server in the DMZ, I have verified that the mail server is able to reach outside and can send and receive mail. I cannot use Outlook, however, as I get a 550 error: relaying denied. I have gone into the network and manually added 172.16.10.0 with the gateway having to be 10.1.1.1, which makes sense as the instructions say "'Router' should be the IP address of the router on your local network via which the additional network is reached." I cannot add 172.16.10.1. I can ping it from the mail server; it is open. Not sure if that is my issue or not.

If I try to add 172.16.10.1 I get the error message "router address is not accessible from local network."

DNS is resolved locally; the router I use, a Juniper SSG, allows me to add my policies so that I have access between the segments just fine. Any help would be great.

I guess my problem is unique? No one seems to want to reply.... :sad:

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: Mail Server Issue in my DMZ HELP!
« Reply #1 on: September 05, 2008, 01:32:14 PM »
You can either set up your Outlook users to use authenticated SMTPS to relay, or else you have to tell your SME server that 10.1.1.0 is a "local network" (server-manager::Security::Local networks) so that it will adjust its firewall rules to allow access to SMTP from that network.


Offline cyberwatcher

Re: Mail Server Issue in my DMZ HELP!
« Reply #2 on: September 05, 2008, 11:26:58 PM »
Okay, I tried adding 10.1.1.0 to the local networks; however, it did not work. I successfully added it, but I still get the error mentioned.

How or where are the settings in Outlook for SMTPS? Or is that actually in the SME admin console?

I will take a look in the console and/or Google it. Thanks.

Offline mmccarn

Re: Mail Server Issue in my DMZ HELP!
« Reply #3 on: September 06, 2008, 04:51:01 PM »
To change Outlook you need to modify each user's Outlook as described here: http://wiki.contribs.org/Email#Outlook.2FOutlook_Express_give_error_10060.2F0x800CCC90

(Yes, this post looks like it's talking about Outlook Express, but the steps look pretty close to what I remember for Outlook.)

==========

My comments about adding 10.1.1.0 as a "local network" on your SME assumed that your network looks like this:

Internet
   |
Juniper_SSG----SME (172.16.10.x)
   |
LAN_(10.1.1.x)

With network settings similar to the following:

SME LAN:
* IP 172.16.10.x
* Netmask 255.255.255.0
* Gateway: 172.16.10.1

SME Additional "Local Network":
* Network: 10.1.1.0
* Netmask: 255.255.255.0
* Router: 172.16.10.1

LAN Wkstn:
* IP: 10.1.1.x
* Netmask: 255.255.255.0
* Gateway: 10.1.1.1

Juniper_SSG:
WAN: (unspecified)
DMZ: 172.16.10.1 / 255.255.255.0
LAN: 10.1.1.1 / 255.255.255.0

If any of this is not how your network is configured then my earlier instructions would not solve your problem.
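
A simplified model of the two options discussed in this thread (trusting 10.1.1.0 as a local network, or authenticating the sender), added here as an illustration; it is not SME Server code. The host addresses 172.16.10.5 and 10.1.1.50, the function names and the "250" reply text are assumptions.

```python
import ipaddress

SERVER_IF = "172.16.10.5/255.255.255.0"  # constructed host address in the DMZ

def add_local_network(server_if, network, netmask, router):
    """Validate an additional local network as the quoted error implies:
    the router must sit on the server's directly connected subnet."""
    connected = ipaddress.ip_interface(server_if).network
    if ipaddress.ip_address(router) not in connected:
        raise ValueError("router address is not accessible from local network")
    # strict parsing: rejects a "network" value that has host bits set
    return ipaddress.ip_network(f"{network}/{netmask}")

def relay_allowed(client_ip, server_if, local_nets, authenticated=False):
    """Authenticated senders may relay from anywhere; unauthenticated ones
    only from the server's own subnet or an added local network."""
    if authenticated:
        return True
    client = ipaddress.ip_address(client_ip)
    trusted = [ipaddress.ip_interface(server_if).network, *local_nets]
    return any(client in net for net in trusted)

def smtp_verdict(client_ip, server_if, local_nets, authenticated=False):
    """Map the relay decision to the reply class the client would see."""
    ok = relay_allowed(client_ip, server_if, local_nets, authenticated)
    return "250 accepted for relay" if ok else "550 relaying denied"

if __name__ == "__main__":
    ws = "10.1.1.50"  # constructed LAN workstation address
    print(smtp_verdict(ws, SERVER_IF, []))                      # LAN not trusted
    lan = add_local_network(SERVER_IF, "10.1.1.0", "255.255.255.0", "172.16.10.1")
    print(smtp_verdict(ws, SERVER_IF, [lan]))                   # LAN trusted
    print(smtp_verdict(ws, SERVER_IF, [], authenticated=True))  # SMTP AUTH
```

Trusting a whole network lets every host on it relay without credentials, while authenticated submission limits relay to accounts that can log in.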

Offline mmccarn

Re: Mail Server Issue in my DMZ HELP!
« Reply #4 on: September 06, 2008, 04:58:09 PM »
It occurs to me that you could also solve your problem by putting your SME into Server/Gateway mode, with the WAN address on 172.16.10.x and the LAN addressed on the 10.1.1.x network, like this:

Internet
   |
Juniper_SSG----(SME WAN 172.16.10.x) - SME
   |                                  /
   |                                / (SME LAN 10.1.1.x)
    \                             /
     Core_Switch----------------/
       |
  LAN_(10.1.1.x)

Offline cyberwatcher

Re: Mail Server Issue in my DMZ HELP!
« Reply #5 on: September 06, 2008, 09:00:57 PM »
Looks like that did the trick. I set it up in Outlook: outgoing SMTP server requires authentication. I also added port 465 for SMTP as well as 995 for POP3 using SSL.

Also had to add a policy from my firewall allowing SMTP and HTTPS from untrust to DMZ and TCP-ANY from my workstation to the mail server in the DMZ. Thanks for the help.
« Last Edit: September 06, 2008, 09:10:39 PM by cyberwatcher »