Koozali.org: home of the SME Server

webmail external access

Offline ciso112

webmail external access
« on: November 20, 2016, 06:06:57 PM »
Hi guys

and thank you for such a great piece of software as you are developing!

As an enthusiastic newbie, I'd like to increase the comfort of mail users by allowing them to access their accounts from the external network as well.

My first step was going through the settings in server-manager where in Configuration/Email/Change e-mail access settings I got to the "Webmail access" which I set to "Allow HTTPS (secure)". Now, https://domainname.sk/webmail is accessible through internal network, but not external (other two options of "Webmail access" work as I would expect).

Afterwards, I was browsing through google, wiki.contribs.org and this forum but without any luck.

I use 9.1 version.

Thank you for your help,
Lukas

Offline jameswilson

Re: webmail external access
« Reply #1 on: November 20, 2016, 06:13:44 PM »
can you get to anything on your server externally?

Offline ciso112

Re: webmail external access
« Reply #2 on: November 20, 2016, 06:30:27 PM »
hm,
only other service I can think of is to test webserver www.domainname.sk which, from outside is inaccessible, from inside loads the page.
Is it still a topic for smeserver or I should check my firewall settings?

guest22

Re: webmail external access
« Reply #3 on: November 20, 2016, 08:28:33 PM »
"Is it still a topic for smeserver or I should check my firewall settings?"


Yep.

Offline janet

Re: webmail external access
« Reply #4 on: November 20, 2016, 10:04:29 PM »
Ciso

You need to tell us your network & gateway arrangement.
If you want to access services on sme server eg webmail, then you will need to open appropriate ports in your firewall eg port 443 & perhaps others, & also forward those ports to your sme server.
....assuming you have a separate external firewall/gateway than just your sme server.
Is your sme server in gateway server mode, or server only mode ?

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Stefano

Re: webmail external access
« Reply #5 on: November 20, 2016, 10:39:57 PM »
And you'd tell US more about your external DNS...

Offline ciso112

Re: webmail external access
« Reply #6 on: January 21, 2017, 05:22:49 PM »
Hi guys!

it has really been a nice surprise to come here after some time - yet it's also a first time since I posted the question to deal with it - and find more answers, I considered the topic to be solved. :)
Janet, the general process is clear to me by now and it matches the one proposed by you. The question in my mind was what actual numbers of ports to open? Also, portS? Don't I only need one and therefore 443 it is?
About the network arrangement, there is one PC serving as a firewall - smoothwall is installed - and the "main" PC where a virtualization solution is installed and few servers are running, one of them being smeserver which is configured into server-gateway mode.
Thank you for the help, stay tuned.

Offline janet

Re: webmail external access
« Reply #7 on: January 21, 2017, 08:32:11 PM »
ciso112

You can easily google search for a list of port usage. There are also many tips about configuring your sme server & network that are available in the official Manual, Howtos & FAQ, all linked at top of this forum.

With a separate smoothwall firewall acting as your network gateway, you would more typically configure the sme server in "server only" mode.
Configure smoothwall to forward port 443 to the sme server.
Note that doing so will prevent access to other servers via port 443 (as it can only be forwarded once).
If you have multiple external IPs then that changes your possibilities.

If you also want the sme server to act as a mail server (that talks directly to other mail servers) then also forward port 25 to sme server. If you want to allow external authenticated imap & smtp access to your sme mail server, then also open & forward ports 465 & 993 (& use these ports with SSL configured in external email clients).

Note that not having your sme server as the main gateway & firewall for your site, does impair or negate some of the very good mail protection features of sme server.

If you can, I would replace your smoothwall firewall with sme server. Behind the scenes using custom templates etc, the sme server firewall is very customisable.
It really depends on why you feel you need the smoothwall firewall, it is no "safer" than using sme server as firewall, but the feature sets are different.

Offline ciso112

Re: webmail external access
« Reply #8 on: January 21, 2017, 09:34:59 PM »
janet,
thx.
Actually I have two networks - initial 10.14.2xx.xx is changed to 192.168.0.x which then changes to 10.100.100.x, where some services run, sme server is one of them, accessible through the address.. The setting has historic reasons :D
Re-setting is a possibility.

To start with, I also have good news - I managed to install an email management system & set an automatic response to incoming message's sender and it really works.
Now, what still doesn't work is external access to webmail - from the internal network, the link in servername.domain.sk/webmail format opens a login form; from the external network, it can't be loaded. In the firewall settings, I opened 443, 993, 25, 465, both TCP and UDP. Of course, these ports are forwarded to sme server's address.
Could I ask for any more ideas?

PS: When having two firewalls mounted serially (one after each other) with different sets of attributes & settings, don't I have a more likely position when trying to accomplish different tasks?

Offline janet

Re: webmail external access
« Reply #9 on: January 21, 2017, 11:31:55 PM »
ciso112

Double firewalls gives you more complexity & out of my skill set so others will need to answer you about that. To me you are unnecessarily complicating things. I would put the sme server into server only mode.

You said earlier that webserver www.domainname.sk from outside is inaccessible.
So this is probably the reason you cannot access webmail externally.
I assume you are using the URL
https://www.domainname.sk/webmail
 & that domain is hosted (& configured) on the sme server.
You were asked earlier about external DNS records, so are external DNS records configured correctly to resolve that domain to your smoothwall gateway IP, & is port 80 forwarded to your sme server ?
Generally speaking you would need to configure that domain in your smoothwall gateway so it will respond to external requests, which are then forwarded to sme server. I cannot advise you about smoothwall config but others here probably can, or ask a smoothwall support forum.

If you tell us the real domain name & your external public IP then we can test to see whether it is configured to resolve correctly.
You can run those tests also if you know what to do.

Can you access webmail externally by using your public IP eg
https://10.14.2xx.xx/webmail

You could also run a port scan to see what is really open, from a Windows browser behind your gateway, go to www.grc.com & run a port scan.

« Last Edit: January 22, 2017, 12:14:35 AM by janet »

Offline ciso112

Re: webmail external access
« Reply #10 on: January 22, 2017, 03:29:26 PM »
janet

www.zsbudmerice.edu.sk is the domain name. But I'm not sure about an IP address as I'm quite sure the one used by me - 192.168.0.x - is different from the one used by "outsiders". :)
In the same breath would I like to mention that in the past, a request was put upon internet provider by us to set NATting from 87.197.51.74 to 10.14.252.5. 
What is new in a setting is I added port 80 directing to sme server - more precisely, its 192.168.0.x address as it also has 10.100.100.x address on the second network card leading to the inner network.
About access testing, here are the results:
From everywhere - 10.31.55.x(when connected into a hardware firewall by cisco), 192.168.0.x and 10.100.100.x, I could load and use https://10.14.252.5/webmail/  whilst only on 10.100.100.x could I load http://www.zsbudmerice.edu.sk.
https://smeserver.zsbudmerice.edu.sk/webmail/ wasn't accessible
This was my attempt to answer your IP address question. What I can't answer is "external DNS records" part, don't know where to look for them or even what they are, not even google helped, although only a brief research was performed.
Thx for your time and energy.

Well, an update, Now I'm totally outside the network and I can't connect to 10.14.252.5./webmail..



Offline janet

Re: webmail external access
« Reply #11 on: January 22, 2017, 11:40:51 PM »
ciso112

It looks like telecom.sk is hosting your external domain name records, & maybe the nameserver settings are not correct, so perhaps you should contact them. Otherwise ask whoever you registered your domain name with as they should be able to tell you where (web site) your external DNS records are.

If I put www.zsbudmerice.edu.sk or http://87.197.51.74 in a browser, they do not resolve.
All the other IPs (& ranges) you mention are private IPs only used on your local network & will not resolve from the Internet (as they are not public IPs)

It appears the domain name is configured in external DNS records (see below) but does not resolve correctly for some reason.

Here are the nameservers & I suspect they are not configured correctly to point at your server.
ns.telecom.sk
ns2.telecom.sk

It may (also) be that your gateway (smoothwall) is not configured correctly to resolve the IP 87.197.51.74

You really need to tell us much more about your local setup with all the firewalls & NATing going on etc, & show or tell us how you have configured smoothwall to resolve your public IP (87.197.51.74) & domain name www.zsbudmerice.edu.sk

Drawing a picture is often the best way to keep it simple, but I suspect you do not have enough knowledge to understand all of this.
So in that case please get the services of a tech support person who does understand your network, you will save yourself & us a lot of time.

You would also need to configure the domain name in sme server as well so it will accept traffic for that domain name if not already done (separate issue to those above), so please show us your sme server configuration, available from the server manager Review Configuration panel.
It looks like it is configured as you say the domain name can resolve from a local network (which is a little puzzling actually), but maybe you configured the domain name to resolve using the local DNS server in sme (resolve locally) rather than Internet DNS servers.

The way you are using the sme server with 2 NICs in server gateway mode is not how it is typically done, AFAIK you cannot use the public facing NIC in that sort of situation (typically). It should connect directly to a modem/router in bridged mode which connects directly to your Internet ADSL connection/phone line etc. Which NIC are you using ?

Maybe you have the sme server external connection configured for a Static IP in the "Configure this server" screens which points to a gateway, that is a specialist type of configuration & you should know what you are doing if using that.


Here is the complete tests from http://network-tools.com

87.197.51.74 is from Slovak Republic (SK) in region Eastern Europe
Input: www.zsbudmerice.edu.sk
canonical name: www.zsbudmerice.edu.sk
Registered Domain: zsbudmerice.edu.sk

TraceRoute from Network-Tools.com to 87.197.51.74 [www.zsbudmerice.edu.sk]
Hop   (ms)   (ms)   (ms)           IP Address   Host name
1      0      0      0         206.123.64.233     - 
2      1      1      1         129.250.202.253    xe-0-4-0-12.r01.dllstx04.us.bb.gin.ntt.net 
3      1      1      1         129.250.2.208    ae-9.r07.dllstx09.us.bb.gin.ntt.net 
4      1      1      1         213.248.81.249    dls-bb1-link.telia.net 
5      44      44      44         213.155.133.176    nyk-bb1-link.telia.net 
6      126      126      126         213.155.131.146    ffm-bb4-link.telia.net 
7      138      138      139         62.115.113.109    win-bb2-link.telia.net 
8      149      148      146         62.115.113.109    win-bb2-link.telia.net 
9      149      149      149         62.115.148.231    slovaktelekom-ic-318662-brat-b1.c.telia.net 
10      152      151      158         62.115.148.231    slovaktelekom-ic-318662-brat-b1.c.telia.net 
11      149      161      149         87.197.255.245    st-static-srk245.87-197-255.telecom.sk 
12      149      150      149         87.197.255.246    st-static-srk246.87-197-255.telecom.sk 
13      Timed out      157      Timed out         87.197.255.246    st-static-srk246.87-197-255.telecom.sk 
14      Timed out      Timed out      Timed out              - 
15      Timed out      Timed out      Timed out              - 
16      Timed out      Timed out      Timed out              - 
17      174      173      173         87.197.51.74    edunet-static-74.87-197-51.telecom.sk 

Trace complete

Retrieving DNS records for www.zsbudmerice.edu.sk...
DNS servers
ns.telecom.sk
ns2.telecom.sk

Answer records
www.zsbudmerice.edu.sk      A   87.197.51.74   86400s

Authority records

Additional records
Whois query for zsbudmerice.edu.sk...
Results returned from whois.sk-nic.sk:

%
% whois.sk-nic.sk - whois server for TLD .sk
%
Not found.



Offline janet

Re: webmail external access
« Reply #12 on: January 23, 2017, 12:14:03 AM »
ciso112

As well as the above posting can you run the port scan from a workstation behind your smoothwall gateway as previously requested & tell us the result. It is possible your ISP is blocking ports or your gateway does not have the ports open.
ie go to & read up what to do, Shields Up I think is what you want
http://www.grc.com/

Offline TerryF

Re: webmail external access
« Reply #13 on: January 23, 2017, 03:38:38 AM »
Something is very screwed up, I believe this is the correct web address: http://zsbudmerice.edupage.sk

http://zsbudmerice.edupage.sk/contact/?
--
qui scribit bis legit

Offline janet

Re: webmail external access
« Reply #14 on: January 23, 2017, 06:55:39 AM »
TerryF

Good find.

ciso112

The contact page uses a different domain for the email addresses, so can you tell us what is going on with the 2 domains
School email:    kubovicova@zsbudmerice.edu.sk
Deputy head email:    drgonova@zsbudmerice.edu.sk
Webmaster email:    admin@zsbudmerice.edu.sk

Offline ciso112

Re: webmail external access
« Reply #15 on: January 23, 2017, 08:42:34 PM »
guys,

I will start with the two-domain-question. Internet provider provides internet & also a domain zsbudm..edu.sk Simultaneously, a school uses an administration software by a company which also takes care of internet pages (also communication between a program and a page occurs) which run on zsbudm..edupage.sk domain. It looks to me the second domain is out of our concern in this question. Also, email addresses mentioned here are real ones & are being used.

"So in that case please get the services of a tech support person who does understand your network, you will save yourself & us a lot of time."
It's funny because I'm the tech support person :D

I'm not sure how to set up resolving of DNS, so I enclose screenshots of informative labels, starting with smoothwall.

First, DNS service, it was blank with no data just until now, I entered provider's DNSs:
https://www.imageupload.co.uk/image/BVdJ

Second, incoming rules:
https://www.imageupload.co.uk/image/BVdQ
Been not empty only for several last days.

And an overview of smoothwall's network settings:
https://www.imageupload.co.uk/image/BVdM

SME server's config:
https://www.imageupload.co.uk/image/BVdq

And here is the main config file:
https://www.imageupload.co.uk/image/BVdg

I believe to have a reply about the records by tomorrow. When trying to run these fancy tests of yours I got the same results as you (network-tools, mainly). When port-scanning, only 443 was opened, even 80 was closed, isn't it strange?

Once again, your help is being hugely appreciated.

« Last Edit: January 23, 2017, 09:53:29 PM by ciso112 »

Offline janet

Re: webmail external access
« Reply #16 on: January 23, 2017, 10:11:14 PM »
Ciso112

I cannot help you with smoothwall configuration as I do not know smoothwall.

I am NOT talking about DNS settings in smoothwall or sme server or anywhere in your local network.

External DNS settings refers to external records about your domain name, which nameservers it uses, how those nameservers are configured (to point to in order to resolve your domain name). These DNS records are typically held at the registrar of your domain name (maybe that is telecom.sk) or your ISP (Internet Service Provider). Whichever person in your organisation that purchased & setup the domain name should be aware of where you host your domain name DNS records. There is usually a web panel you can login to, to setup & check.
Please do your homework & find out that info & then access the DNS records site to check what Public IP your domain is resolving to etc etc.

Offline ciso112

Re: webmail external access
« Reply #17 on: January 25, 2017, 07:31:15 PM »
janet

Situation is not as straightforward as it would be in an ideal world. I don't have access to DNS records as neither me nor school is the owner of the domain. It is owned by the ministry of education, telekom.sk is the domain keeper. But what telekom.sk can grant me is the right to ask for a change in  settings.
Luckily, the telekom employee I communicate with didn't mind the work and gave the thing a complete check. Here are the results:

"
  This is how the CISCO ASA5505 to which your server is connected is configured:

         BUDM-BUDM EDU1 DSL:172.16.5.160 ASA:192.168.30.78 IC:0687 Základná škola s MŠ, Kpt. J. Rašu 430, Budmerice wifi44/AP1 SW:10.31.55.254


DSL ok, ASA ok, SWITCH catalyst 2960 not connected, NAT is set up as follows:  //SWITCH catalyst 2960 - non functional


static (inside,outside) 87.197.51.74 10.14.252.5 netmask 255.255.255.255 dns
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq ssh
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 eq 22
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range www 84
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq https
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq 8080

global (outside) 1 87.197.51.73
global (outside) 2 87.197.51.78
nat (inside) 0 access-list V-RAMCI-EDU
nat (inside) 1 10.14.252.0 255.255.255.0
nat (wifi) 0 access-list V-RAMCI-EDU
nat (wifi) 2 10.31.55.0 255.255.255.0
"
I planned to translate the spoken parts, but after checking, it kind of seems useless as it seems understandable, sorry if mistaken.

server I see 10.14.252.5 c04a.0007.227e
Answers ping also from the internet.

HTTPS is also available with a text "This web site is under construction"   -- this is a correct page to appear; but when entering https://www.zsbudmerice.edu.sk in a browser, nothing is being loaded, yet when in terminal & pinging both the IP address and domain name, answer appears in both cases.

Anyway, not really sure since when, but it works! External access is possible through https://87.197.51.74/webmail !

Kind of a puzzling end, maybe some more answers will be given, surely would be nice.

Thx everyone & especially janet for the help!

« Last Edit: January 25, 2017, 07:40:39 PM by ciso112 »
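
The ACL lines quoted in the post above can be checked against the ports discussed earlier in the thread (25, 80, 443, 465, 993). This is an added example, not part of the original post and not ISP or SME Server code; it assumes the quoted lines are the complete ACL-OUTSIDE list and that it filters inbound traffic, and the function names are made up for illustration.

```python
import re

# Cisco ASA port keywords that appear in the posted ACL.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}

# ACL lines as quoted in the post above.
POSTED_ACL = """
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq ssh
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 eq 22
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range www 84
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq https
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5800 5808
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit udp any host 87.197.51.74 range 5900 5908
access-list ACL-OUTSIDE extended permit tcp any host 87.197.51.74 eq 8080
"""

# Handles only the entry shape used in the post:
# "<permit|deny> <tcp|udp> any host <ip> eq <port>" or "... range <lo> <hi>".
ACE = re.compile(
    r"access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+any\s+host\s+(?P<dst>\S+)\s+"
    r"(?:eq\s+(?P<eq>\S+)|range\s+(?P<lo>\S+)\s+(?P<hi>\S+))$"
)

# Ports named earlier in the thread for webmail and mail access.
THREAD_PORTS = {25: "SMTP", 80: "HTTP", 443: "HTTPS/webmail",
                465: "SMTPS", 993: "IMAPS"}


def to_port(token):
    """Translate an ASA port keyword or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text):
    """Return (action, proto, dst, low_port, high_port) per recognised line."""
    rules = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # blank line or an entry shape this sketch does not cover
        if m["eq"]:
            lo = hi = to_port(m["eq"])
        else:
            lo, hi = to_port(m["lo"]), to_port(m["hi"])
        rules.append((m["action"], m["proto"], m["dst"], lo, hi))
    return rules


def allowed(rules, proto, dst, dport):
    """First matching entry decides; no match means the implicit deny."""
    for action, r_proto, r_dst, lo, hi in rules:
        if r_proto == proto and r_dst == dst and lo <= dport <= hi:
            return action == "permit"
    return False


def audit(rules, dst="87.197.51.74"):
    """Map each port discussed in the thread to permitted / not permitted."""
    return {p: allowed(rules, "tcp", dst, p) for p in THREAD_PORTS}


if __name__ == "__main__":
    for p, ok in audit(parse_acl(POSTED_ACL)).items():
        print(f"tcp/{p:<4} {THREAD_PORTS[p]:<14} {'permit' if ok else 'no match'}")
```

Against the quoted lines, 80 and 443 are permitted while 25, 465 and 993 match no entry, so under the stated assumption the mail ports would not pass the ISP's ASA regardless of the forwards set on smoothwall.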

Offline janet

Re: webmail external access
« Reply #18 on: January 25, 2017, 10:06:34 PM »
ciso112

The telekom employee seems to have done something to fix access.
I CAN put these URLs into a browser & resolve to your sites.

https://www.zsbudmerice.edu.sk
I get
This web site is under construction
(Probably a message from the sme server).

https://87.197.51.74/webmail
https://www.zsbudmerice.edu.sk/webmail
I get
Horde webmail login screen in both cases

You have to be aware when testing fault situations where changes are being made & retested, to flush the cache in your browser & sometimes even in sme server squid cache, as you can inadvertently continue to read the cache (which shows an old no longer applicable result).

I have not done full tests but it looks fixed to me based on the above.

http access does not resolve so not sure what is happening there, better to only use https anyway to web sites.
ie I can access
https://www.zsbudmerice.edu.sk

but cannot access
http://www.zsbudmerice.edu.sk

This might be a setting related to sme server for the ibay which says to use https only ?

Offline TerryF

Re: webmail external access
« Reply #19 on: January 25, 2017, 10:19:13 PM »
As per janet's response for me as well, from here: Oz

Offline janet

Re: webmail external access
« Reply #20 on: January 26, 2017, 04:44:24 AM »
ciso112

Another test result
http://www.dnsstuff.com/tools#dnsReport|type=domain&&value=zsbudmerice.edu.sk
It shows the http error, so maybe that is an external issue, perhaps disabled or blocked by higher powers as you have the "other domain" website for www access.
« Last Edit: January 26, 2017, 04:47:48 AM by janet »

Offline ciso112

Re: webmail external access
« Reply #21 on: February 14, 2017, 08:58:11 PM »
janet

http access was not working due to a smoothwall's setting of sending traffic from the port 80 to a wrong address, not smeserver's.
So a bit more work on ssh from my site & everything should then be working like a charm which wouldn't be possible without your help, everyone and mainly janet, thx once more