Exposing an email server through Smoothwall for external access

[Dickens]

Hi,

I'm hoping one of the smoothwall experts out there can help with a small problem we have. We just upgraded our internet access and previously had our email server straddling both the internal and external networks - two NICs one internal and one external. Our cisco router was then directly connected to our Smoothwall box and the external NIC of our email server, allowing email webclient access both internally and externally.

I want to move our email server behind our Smoothwall box and just open up the necessary firewall ports on Smoothwall to allow external access to email.

I've configured an external alias on Smoothwall, using a 2nd static ip from the range allocated, then set up port forwarding to forward http and https traffic onto our mail server's internal ip. Now when I try to access the mail server using the alias ip from outside of the network I get a 404 Not found.

Looking at the access logs on the mail server, the external traffic is not getting through, and looking at the realtime firewall logs on the Smoothwall box I can see why - entries from my external ip (with strange port numbers - e.g. 31225) are being blocked, however the destination ip is the internal ip of our mail server and the port is correct (443).

My question, finally, is why would an http request be hitting smoothwall with a strange port number, rather than 443 as one would expect, and why would the logs show the destination as the internal ip of our mail server, since the firewall rule is not being matched - hence the block.

I'm sure I'm missing something obvious here - any help gratefully received.

[rob_f]

Hi,

I've configured an external alias on Smoothwall, using a 2nd static ip from the range allocated, then set up port forwarding to forward http and https traffic onto our mail server's internal ip. Now when I try to access the mail server using the alias ip from outside of the network I get a 404 Not found.

Looking at the access logs on the mail server, the external traffic is not getting through, and looking at the realtime firewall logs on the Smoothwall box I can see why - entries from my external ip (with strange port numbers - e.g. 31225) are being blocked, however the destination ip is the internal ip of our mail server and the port is correct (443).

My question, finally, is why would an http request be hitting smoothwall with a strange port number, rather than 443 as one would expect, and why would the logs show the destination as the internal ip of our mail server, since the firewall rule is not being matched - hence the block.

When you connect to a server you open up a local high numbered port to connect to the remote port 443 on the server, like..

mypc:31225 -> mailserver:443

So that's not a problem. Is it actually a 404 you get, as that would indicate that the webserver on the mailserver is returning content (404 is a message that the server itself sends, not that the browser generates to say it can't find something).

First place that I would check is the mailserver - if you've previously had two NICs and now are using one, make sure that you have the correct default gateway set. The internal NIC needs to have its default gateway set to the SmoothWall so that the packets can get back from the mailserver, to the SmoothWall, then back on to the remote client.

Also you might want to set up source mapping so that when the mailserver goes outbound it uses the same alias IP - otherwise you get a situation where mail comes in on one IP but the server sends out on another; some external spam systems will flag this as dubious and you might get blocked.

Hope this helps,


Rob.

[Dickens]

Rob - you're a star !

I'd removed the details of the second nic from /etc/network/interfaces, but forgot to add the gateway onto the internal nic to allow it access outside of the network. Once the gateway was added, everything fell into place and I can now access the mail server from outside of the network. I've also added the source mapping - thanks for the tip, much appreciated !