Changing publishing method for a mail server
Changing publishing method for a mail server - 26.Jan.2004 12:36:00 PM
GuillaumeP
Posts: 22
Joined: 25.Sep.2002
From: France
Hi All,
I currently have an ISA server on a Win2K Adv. Server box.
This box has 2 NICs: one external with 5 public IPs and one internal with 2 private IPs.
I have an MDaemon mail server installed on the ISA box itself with 2 email domains, first.com and second.com.
I have already published these 2 servers with Server Publishing rules. It works fine, but I always have the 127.0.0.1 IP for all Internet users' connections. I have already posted a message on this matter and Thomas Shinder told me to use packet filtering instead of Server Publishing rules.
I looked in the ISA Server 2000 (Building Firewalls for Windows 2000) book, in the learning zone and on this message board, but I can't find a simple tutorial to publish my email server with packet filtering.
Here is what I need to have finally:
MDaemon email server accessible from the Internet for anyone who wants to send email to *@first.com and *@second.com, and users from the email domains first.com and second.com can send and receive email through this email server whether they are inside or outside the network (from the Internet or from the internal network).
I also need to "map" one external IP to the first.com email domain and another external IP to the second.com email domain.
ExternalIP1 -> first.com, bound to InternalIP1
ExternalIP2 -> second.com, bound to InternalIP2
What are the different IP packet filtering rules I need to set up to do what I need?
Please help me.
Thanks.
Guillaume.
RE: Changing publishing method for a mail server - 26.Jan.2004 8:49:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Guillaume,
if I understand your configuration correctly, you have two instances of the MDaemon mail server running on ISA, each one bound to a specific internal IP address. Right?
Now, to convert from a server publishing scenario to an IP packet filter publishing scenario, you will have to do the following for each instance of the MDaemon mail server:
- disable the server publishing rule
- bind the instance of MDaemon also to a specific external IP address
- create an inbound IP packet filter for the SMTP protocol (TCP port 25 inbound).
HTH, Stefaan
RE: Changing publishing method for a mail server - 27.Jan.2004 2:37:00 PM
GuillaumeP
Posts: 22
Joined: 25.Sep.2002
From: France
Hi spouseele,
First, thanks for your reply.
quote: if I understand your configuration correctly, you have two instances of the MDaemon mail server running on ISA, each one bound to a specific internal IP address. Right?
I have only one instance of the MDaemon mail server, but this instance provides service for 2 domains. But I think it looks like the same.
quote: - bind the instance of MDaemon also to a specific external IP address
With this method, is there more risk of being attacked or not?
quote: - create an inbound IP packet filter for the SMTP protocol (TCP port 25 inbound).
Should I also create inbound and/or outbound filters for the POP and IMAP protocols?
Regards,
Guillaume.
RE: Changing publishing method for a mail server - 27.Jan.2004 9:00:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Guillaume,
personally I prefer server publishing instead of IP packet filtering for services running on ISA itself. In my opinion the server publishing method is more secure.
What do you have currently in place for the POP and IMAP protocols?
HTH, Stefaan
RE: Changing publishing method for a mail server - 28.Jan.2004 9:18:00 AM
GuillaumeP
Posts: 22
Joined: 25.Sep.2002
From: France
Hi Stefaan,
quote: personally I prefer server publishing instead of IP packet filtering for services running on ISA itself. In my opinion the server publishing method is more secure.
The fact is, on my MDaemon server I'm not able to see the real IP address of the mail senders, and I'm not able to perform verification on their IP (this is to try to better combat spam).
quote: What do you have currently in place for the POP and IMAP protocols?
Currently I have the following "Server Publishing Rules":
For the first.com domain (PublicIP1):
[Publish SMTP first.com] Protocol: SMTP server; ExternalIP: PublicIP1; InternalIP: PrivateIP1; Apply to: All requests
[Publish SMTP first.com on 366] (this is because some ISPs like MSN block the SMTP (port 25) traffic and MDaemon accepts SMTP commands on port 366) Protocol: SMTP server on 366 (I created this new protocol definition); ExternalIP: PublicIP1; InternalIP: PrivateIP1; Apply to: All requests
[Publish POP3 first.com] Protocol: POP3 server; ExternalIP: PublicIP1; InternalIP: PrivateIP1; Apply to: All requests
[Publish IMAP first.com] Protocol: IMAP4 server; ExternalIP: PublicIP1; InternalIP: PrivateIP1; Apply to: All requests
For the second.com domain (PublicIP2):
[Publish SMTP second.com] Protocol: SMTP server; ExternalIP: PublicIP2; InternalIP: PrivateIP2; Apply to: All requests
[Publish SMTP second.com on 366] Protocol: SMTP server on 366; ExternalIP: PublicIP2; InternalIP: PrivateIP2; Apply to: All requests
[Publish POP3 second.com] Protocol: POP3 server; ExternalIP: PublicIP2; InternalIP: PrivateIP2; Apply to: All requests
[Publish IMAP second.com] Protocol: IMAP4 server; ExternalIP: PublicIP2; InternalIP: PrivateIP2; Apply to: All requests
Regards,
Guillaume.
RE: Changing publishing method for a mail server - 28.Jan.2004 9:47:00 AM
GuillaumeP
Posts: 22
Joined: 25.Sep.2002
From: France
Hi Stefaan,
I also have the following IP Packet Filters:
[SMTP Out] Mode: Allow; Type: Custom; Direction: Outbound; Protocol: TCP; Local Port: All; Remote Port: 25; Local Computer: Default external IP address; Remote Computer: All
[POP3 Out] Mode: Allow; Type: Custom; Protocol: TCP; Direction: Outbound; Local Port: All; Remote Port: 110; Local Computer: Default external IP address; Remote Computer: All
I notice that if these rules are not here, my MDaemon server can send email to the outside world.
Please tell me if there is something wrong and what I have to set up.
TIA, Guillaume.
PS: for my personal knowledge, what does HTH mean? I know I did not write very good English, but I'm French and learn English at work.
RE: Changing publishing method for a mail server - 28.Jan.2004 11:04:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Guillaume,
OK, so the POP and IMAP are also services delivered by the MDaemon server on ISA. Right?
If you want the real source IPs you can't use server publishing for services running on ISA itself. You have to use the IP packet filtering method. The problem is now that you have to convert *all* MDaemon server publishing rules to the IP packet filtering method. The reason for it is that once the MDaemon server is bound to the ISA external IP address, you can't server publish anymore to the same external IP address.
Now, to give applications running on ISA itself outbound access, you always have to use IP packet filtering, at least for non-HTTP traffic. You can't use protocol and site & content rules here. That explains the need for the SMTP Out and POP3 Out IP packet filters.
PS: HTH means 'hope this helps'
HTH, Stefaan
RE: Changing publishing method for a mail server - 29.Jan.2004 9:41:00 AM
GuillaumeP
Posts: 22
Joined: 25.Sep.2002
From: France
Hi Stefaan,
quote: OK, so the POP and IMAP are also services delivered by the MDaemon server on ISA. Right?
Yes.
To sum up all this discussion, if I do the following, will everything work like before?
- disable the server publishing rule
- bind the first.com domain in MDaemon to the external IP address 1 (ExternalIP1)
- bind the second.com domain in MDaemon to the external IP address 2 (ExternalIP2)
- create the following IP packet filtering rules:
For the first domain (first.com bound to ExternalIP1):
- [SMTP first.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 25; Remote Port: 25; Local Computer: ExternalIP1; Remote Computer: All
- [SMTP first.com on 366 In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 366; Remote Port: 366; Local Computer: ExternalIP1; Remote Computer: All
- [POP3 first.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 110; Remote Port: 110; Local Computer: ExternalIP1; Remote Computer: All
- [IMAP4 first.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 143; Remote Port: 143; Local Computer: ExternalIP1; Remote Computer: All
For the second domain (second.com bound to ExternalIP2):
- [SMTP second.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 25; Remote Port: 25; Local Computer: ExternalIP2; Remote Computer: All
- [SMTP second.com on 366 In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 366; Remote Port: 366; Local Computer: ExternalIP2; Remote Computer: All
- [POP3 first.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 110; Remote Port: 110; Local Computer: ExternalIP2; Remote Computer: All
- [IMAP4 first.com In/Out] Mode: Allow; Type: Custom; Direction: Inbound and Outbound; Protocol: TCP; Local Port: 143; Remote Port: 143; Local Computer: ExternalIP2; Remote Computer: All
Regards,
Guillaume. [ January 29, 2004, 09:47 AM: Message edited by: Guillaume Patry ]
RE: Changing publishing method for a mail server - 29.Jan.2004 9:21:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Guillaume,
I can't comment on what you have to do in the configuration of the MDaemon server because I don't know the product. However, after you have disabled the server publishing rules and bound MDaemon also to the external IP addresses, check first if MDaemon is listening on the configured IP addresses. Use the following command for that: netstat -an | find ":XYZ", where XYZ is the TCP port number you want to check (25, 110, 143, etc.).
Regarding the IP packet filters, you can NOT combine the inbound and outbound IP packet filters into one IP packet filter. So, for the inbound IP packet filters the local port should be fixed and the remote port should be all or dynamic. For the outbound direction the local port should be all or dynamic and the remote port should be fixed.
HTH, Stefaan
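An added example, not from the thread or from ISA Server itself, that applies the rule Stefaan gives above (one direction per filter; inbound = fixed local port with remote port All/Dynamic; outbound = local port All/Dynamic with fixed remote port) to the combined "In/Out" filters proposed in the previous post, and rewrites one of them into the inbound and outbound pair that the conversion procedure actually needs. The dictionary layout and field names are an assumption of this example; the ports and address labels are the ones used in the thread.

```python
from typing import Any, Dict, List, Tuple

Filter = Dict[str, Any]   # one ISA packet filter; int port = fixed, "All"/"Dynamic" = not fixed


def is_fixed(port: Any) -> bool:
    """True when the port is a concrete number rather than All/Dynamic."""
    return isinstance(port, int)


def check_filter(f: Filter) -> List[str]:
    """Return the problems with one IP packet filter (empty list means it is OK)."""
    direction = f["direction"]
    if direction not in ("Inbound", "Outbound"):
        return ["a packet filter is one direction only, not '%s'" % direction]
    local, remote = f["local_port"], f["remote_port"]
    problems = []
    if direction == "Inbound":        # service port is local, the client port is anything
        if not is_fixed(local):
            problems.append("inbound: local port must be fixed")
        if is_fixed(remote):
            problems.append("inbound: remote port must be All or Dynamic")
    else:                             # we connect out from an ephemeral local port
        if is_fixed(local):
            problems.append("outbound: local port must be All or Dynamic")
        if not is_fixed(remote):
            problems.append("outbound: remote port must be fixed")
    return problems


def split_in_out(f: Filter) -> Tuple[Filter, Filter]:
    """Rewrite a combined 'Inbound and Outbound' filter as the two single-direction filters."""
    port = f["local_port"]            # the service port stays on the server side of each filter
    common = {k: f[k] for k in ("mode", "type", "protocol", "local_computer", "remote_computer")}
    inbound = dict(common, name=f["name"] + " In", direction="Inbound",
                   local_port=port, remote_port="All")
    outbound = dict(common, name=f["name"] + " Out", direction="Outbound",
                    local_port="All", remote_port=port)
    return inbound, outbound


# Constructed sample: the combined SMTP filter proposed for first.com in the thread.
PROPOSED_SMTP: Filter = {
    "name": "SMTP first.com", "mode": "Allow", "type": "Custom",
    "direction": "Inbound and Outbound", "protocol": "TCP",
    "local_port": 25, "remote_port": 25,
    "local_computer": "ExternalIP1", "remote_computer": "All",
}
if __name__ == "__main__":
    print(check_filter(PROPOSED_SMTP))            # explains why the combined filter is wrong
    for corrected in split_in_out(PROPOSED_SMTP):
        print(corrected["name"], check_filter(corrected), corrected)
```

Running the same two functions over the port 366, 110 and 143 filters for both ExternalIP1 and ExternalIP2 gives the full replacement set for the proposal above.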