Koozali.org: home of the SME Server

webmail external access

ciso112
webmail external access
« on: November 20, 2016, 06:06:57 PM »
Hi guys

and thank you for such a great piece of software as you are developing!

As an enthusiastic newbie, I'd like to increase the comfort of mail users by allowing them to access their accounts also from an external network.

My first step was going through the settings in server-manager where in Configuration/Email/Change e-mail access settings I got to the "Webmail access" which I set to "Allow HTTPS (secure)". Now, https://domainname.sk/webmail is accessible through the internal network, but not the external one (the other two options of "Webmail access" work as I would expect).

Afterwards, I was browsing through google, wiki.contribs.org and this forum but without any luck.

I use 9.1 version.

Thank you for your help,
Lukas

jameswilson
Re: webmail external access
« Reply #1 on: November 20, 2016, 06:13:44 PM »
Can you get to anything on your server externally?

ciso112
Re: webmail external access
« Reply #2 on: November 20, 2016, 06:30:27 PM »
Hm,
the only other service I can think of to test is the webserver www.domainname.sk which, from outside, is inaccessible; from inside, it loads the page.
Is it still a topic for smeserver or should I check my firewall settings?

guest22

Re: webmail external access
« Reply #3 on: November 20, 2016, 08:28:33 PM »
Is it still a topic for smeserver or should I check my firewall settings?


Yep.

janet
Re: webmail external access
« Reply #4 on: November 20, 2016, 10:04:29 PM »
Ciso

You need to tell us your network & gateway arrangement.
If you want to access services on sme server eg webmail, then you will need to open appropriate ports in your firewall eg port 443 & perhaps others, & also forward those ports to your sme server.
....assuming you have a separate external firewall/gateway rather than just your sme server.
Is your sme server in gateway server mode, or server only mode ?

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Stefano
Re: webmail external access
« Reply #5 on: November 20, 2016, 10:39:57 PM »
And you'd tell US more about your external DNS...

ciso112
Re: webmail external access
« Reply #6 on: January 21, 2017, 05:22:49 PM »
Hi guys!

It has really been a nice surprise to come here after some time - yet it's also the first time since I posted the question to deal with it - and find more answers, I considered the topic to be solved. :)
Janet, the general process is clear to me by now and it matches the one proposed by you. The question in my mind was what actual numbers of ports to open? Also, portS? Don't I only need one and therefore 443 it is?
About the network arrangement, there is one PC serving as a firewall - smoothwall is installed - and the "main" PC where a virtualization solution is installed and a few servers are running, one of them being smeserver which is configured into server-gateway mode.
Thank you for the help, stay tuned.

janet
Re: webmail external access
« Reply #7 on: January 21, 2017, 08:32:11 PM »
ciso112

You can easily google search for a list of port usage. There are also many tips about configuring your sme server & network that are available in the official Manual, Howtos & FAQ, all linked at top of this forum.

With a separate smoothwall firewall acting as your network gateway, you would more typically configure the sme server in "server only" mode.
Configure smoothwall to forward port 443 to the sme server.
Note that doing so will prevent access to other servers via port 443 (as it can only be forwarded once).
If you have multiple external IPs then that changes your possibilities.

If you also want the sme server to act as a mail server (that talks directly to other mail servers) then also forward port 25 to sme server. If you want to allow external authenticated imap & smtp access to your sme mail server, then also open & forward ports 465 & 993 (& use those ports with SSL configured in external email clients).

Note that not having your sme server as the main gateway & firewall for your site, does impair or negate some of the very good mail protection features of sme server.

If you can, I would replace your smoothwall firewall with sme server. Behind the scenes using custom templates etc, the sme server firewall is very customisable.
It really depends on why you feel you need the smoothwall firewall, it is no "safer" than using sme server as firewall, but the feature sets are different.

ciso112
Re: webmail external access
« Reply #8 on: January 21, 2017, 09:34:59 PM »
janet,
thx.
Actually I have two networks - initial 10.14.2xx.xx is changed to 192.168.0.x which then changes to 10.100.100.x, where some services run, sme server is one of them, accessible through the address.. The setting has historic reasons :D
Re-setting is a possibility.

To start with, I also have good news - I managed to install an email management system & set an automatic response to incoming message's sender and it really works.
Now, what still doesn't work is external access to webmail - from the internal network, the link in servername.domain.sk/webmail format opens a login form; from the external network, it can't be loaded. In the firewall settings, I opened 443, 993, 25, 465, both TCP and UDP. Of course, these ports are forwarded to sme server's address.
Could I ask for any more ideas?

PS: When having two firewalls mounted serially (one after the other) with different sets of attributes & settings, don't I have a more likely position when trying to accomplish different tasks?

janet
Re: webmail external access
« Reply #9 on: January 21, 2017, 11:31:55 PM »
ciso112

Double firewalls gives you more complexity & out of my skill set so others will need to answer you about that. To me you are unnecessarily complicating things. I would put the sme server into server only mode.

You said earlier that webserver www.domainname.sk from outside is inaccessible.
So this is probably the reason you cannot access webmail externally.
I assume you are using the URL
https://www.domainname.sk/webmail
 & that domain is hosted (& configured) on the sme server.
You were asked earlier about external DNS records, so are external DNS records configured correctly to resolve that domain to your smoothwall gateway IP, & is port 80 forwarded to your sme server ?
Generally speaking you would need to configure that domain in your smoothwall gateway so it will respond to external requests, which are then forwarded to sme server. I cannot advise you about smoothwall config but others here probably can, or ask a smoothwall support forum.

If you tell us the real domain name & your external public IP then we can test to see whether it is configured to resolve correctly.
You can run those tests also if you know what to do.

Can you access webmail externally by using your public IP eg
https://10.14.2xx.xx/webmail

You could also run a port scan to see what is really open, from a Windows browser behind your gateway, go to www.grc.com & run a port scan.

« Last Edit: January 22, 2017, 12:14:35 AM by janet »

ciso112
Re: webmail external access
« Reply #10 on: January 22, 2017, 03:29:26 PM »
janet

www.zsbudmerice.edu.sk is the domain name. But I'm not sure about an IP address as I'm quite sure the one used by me - 192.168.0.x - is different from the one used by "outsiders". :)
In the same breath would I like to mention that in the past, a request was put upon internet provider by us to set NATting from 87.197.51.74 to 10.14.252.5. 
What is new in a setting is I added port 80 directing to sme server - more precisely, its 192.168.0.x address as it also has 10.100.100.x address on the second network card leading to the inner network.
About access testing, here are the results:
From everywhere - 10.31.55.x(when connected into a hardware firewall by cisco), 192.168.0.x and 10.100.100.x, I could load and use https://10.14.252.5/webmail/  whilst only on 10.100.100.x could I load http://www.zsbudmerice.edu.sk.
https://smeserver.zsbudmerice.edu.sk/webmail/ wasn't accessible
This was my attempt to answer your IP address question. What I can't answer is "external DNS records" part, don't know where to look for them or even what they are, not even google helped, although only a brief research was performed.
Thx for your time and energy.

Well, an update: now I'm totally outside the network and I can't connect to 10.14.252.5./webmail..



janet
Re: webmail external access
« Reply #11 on: January 22, 2017, 11:40:51 PM »
ciso112

It looks like telecom.sk is hosting your external domain name records, & maybe the nameserver settings are not correct, so perhaps you should contact them. Otherwise ask whoever you registered your domain name with as they should be able to tell you where (web site) your external DNS records are.

If I put www.zsbudmerice.edu.sk or http://87.197.51.74 in a browser, they do not resolve.
All the other IPs (& ranges) you mention are private IPs only used on your local network & will not resolve from the Internet (as they are not public IPs)

It appears the domain name is configured in external DNS records (see below) but does not resolve correctly for some reason.

Here are the nameservers & I suspect they are not configured correctly to point at your server.
ns.telecom.sk
ns2.telecom.sk

It may (also) be that your gateway (smoothwall) is not configured correctly to resolve the IP 87.197.51.74

You really need to tell us much more about your local setup with all the firewalls & NATing going on etc, & show or tell us how you have configured smoothwall to resolve your public IP (87.197.51.74) & domain name www.zsbudmerice.edu.sk

Drawing a picture is often the best way to keep it simple, but I suspect you do not have enough knowledge to understand all of this.
So in that case please get the services of a tech support person who does understand your network, you will save yourself & us a lot of time.

You would also need to configure the domain name in sme server as well so it will accept traffic for that domain name if not already done (separate issue to those above), so please show us your sme server configuration, available from the server manager Review Configuration panel.
It looks like it is configured as you say the domain name can resolve from a local network (which is a little puzzling actually), but maybe you configured the domain name to resolve using the local DNS server in sme (resolve locally) rather than Internet DNS servers.

The way you are using the sme server with 2 NICs in server gateway mode is not how it is typically done, AFAIK you cannot use the public facing NIC in that sort of situation (typically). It should connect directly to a modem/router in bridged mode which connects directly to your Internet ADSL connection/phone line etc. Which NIC are you using ?

Maybe you have the sme server external connection configured for a Static IP in the "Configure this server" screens which points to a gateway, that is a specialist type of configuration & you should know what you are doing if using that.


Here is the complete tests from http://network-tools.com

87.197.51.74 is from Slovak Republic (SK) in region Eastern Europe
Input: www.zsbudmerice.edu.sk
canonical name: www.zsbudmerice.edu.sk
Registered Domain: zsbudmerice.edu.sk

TraceRoute from Network-Tools.com to 87.197.51.74 [www.zsbudmerice.edu.sk]
Hop   (ms)   (ms)   (ms)           IP Address   Host name
1      0      0      0         206.123.64.233     - 
2      1      1      1         129.250.202.253    xe-0-4-0-12.r01.dllstx04.us.bb.gin.ntt.net 
3      1      1      1         129.250.2.208    ae-9.r07.dllstx09.us.bb.gin.ntt.net 
4      1      1      1         213.248.81.249    dls-bb1-link.telia.net 
5      44      44      44         213.155.133.176    nyk-bb1-link.telia.net 
6      126      126      126         213.155.131.146    ffm-bb4-link.telia.net 
7      138      138      139         62.115.113.109    win-bb2-link.telia.net 
8      149      148      146         62.115.113.109    win-bb2-link.telia.net 
9      149      149      149         62.115.148.231    slovaktelekom-ic-318662-brat-b1.c.telia.net 
10      152      151      158         62.115.148.231    slovaktelekom-ic-318662-brat-b1.c.telia.net 
11      149      161      149         87.197.255.245    st-static-srk245.87-197-255.telecom.sk 
12      149      150      149         87.197.255.246    st-static-srk246.87-197-255.telecom.sk 
13      Timed out      157      Timed out         87.197.255.246    st-static-srk246.87-197-255.telecom.sk 
14      Timed out      Timed out      Timed out              - 
15      Timed out      Timed out      Timed out              - 
16      Timed out      Timed out      Timed out              - 
17      174      173      173         87.197.51.74    edunet-static-74.87-197-51.telecom.sk 

Trace complete

Retrieving DNS records for www.zsbudmerice.edu.sk...
DNS servers
ns.telecom.sk
ns2.telecom.sk

Answer records
www.zsbudmerice.edu.sk      A   87.197.51.74   86400s

Authority records

Additional records
Whois query for zsbudmerice.edu.sk...
Results returned from whois.sk-nic.sk:

%
% whois.sk-nic.sk - whois server for TLD .sk
%
Not found.


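Added example, not part of any poster's reply: the two checks requested in this thread (does the name resolve to a public rather than a private address, and do the forwarded TCP ports 443, 25, 465 and 993 answer) as a small Python script. All function and constant names are assumptions of this example; run it from a host outside the network, since a probe from inside only exercises the LAN path and may see locally resolved DNS answers.

```python
import ipaddress
import socket
import sys

# Ports named in the thread: HTTPS webmail, SMTP, SMTP over SSL, IMAP over SSL.
MAIL_PORTS = {443: "https/webmail", 25: "smtp", 465: "smtps", 993: "imaps"}
NOT_ROUTABLE = "not Internet-routable: unreachable from outside the LAN"


def internet_routable(addr):
    """True only for addresses that hosts on the Internet can route to."""
    return ipaddress.ip_address(addr).is_global


def resolve(name):
    """Return the sorted IPv4 addresses a name resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe(host, ports, timeout=3.0):
    """TCP-connect to each port; map port -> 'open', 'closed' or 'filtered'."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = "open"
        except ConnectionRefusedError:
            result[port] = "closed"    # host answered, nothing is listening
        except OSError:
            result[port] = "filtered"  # timeout/unreachable: firewall or missing forward
    return result


def diagnose(name, ports=MAIL_PORTS, timeout=3.0):
    """Per resolved address: NOT_ROUTABLE, or the port states seen from this host."""
    report = {}
    for addr in resolve(name):
        routable = internet_routable(addr)
        report[addr] = probe(addr, ports, timeout) if routable else NOT_ROUTABLE
    return report


if __name__ == "__main__":
    print(diagnose(sys.argv[1]))
```

A "filtered" result on every port for a public address points at the gateway or ISP path rather than at the SME Server itself, while "closed" means the packet reached a host that has no service on that port.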

janet
Re: webmail external access
« Reply #12 on: January 23, 2017, 12:14:03 AM »
ciso112

As well as the above posting can you run the port scan from a workstation behind your smoothwall gateway as previously requested & tell us the result. It is possible your ISP is blocking ports or your gateway does not have the ports open.
ie go to & read up what to do, Shields Up I think is what you want
http://www.grc.com/

TerryF
Re: webmail external access
« Reply #13 on: January 23, 2017, 03:38:38 AM »
Something is very screwed up, I believe this is the correct web address: http://zsbudmerice.edupage.sk

http://zsbudmerice.edupage.sk/contact/?
--
qui scribit bis legit

janet
Re: webmail external access
« Reply #14 on: January 23, 2017, 06:55:39 AM »
TerryF

Good find.

ciso112

The contact page uses a different domain for the email addresses, so can you tell us what is going on with the 2 domains?
School email:    kubovicova@zsbudmerice.edu.sk
Deputy head email:    drgonova@zsbudmerice.edu.sk
Webmaster email:    admin@zsbudmerice.edu.sk