I'm sure many are knowledgeable enough to avoid these situations. It was a learning experience for us.
We had recently changed the configuration on our firewall from Transparent mode to NAT mode. Transparent mode simply passes all packets through, based on the rules, but doesn't hide inside IPs...doesn't have to be at the gateway of a subnet... We were switching over to a new ISP with many fewer IP addresses than we'd had before (Class C down to 8 total IPs).

Anyway, one of the trusted network mappings we allowed relay for was our new IP range, although it was actually the IPs used by our router, the WAN-side IP of the firewall and the mapped IP address for the mail server. Evidently, through NAT...all outside addresses must have been translated...though the logs didn't seem to show that. In fact, everything that happened externally seemed to be mapped to the inside gateway address of the DMZ connection, where the email server is attached. We had already removed that range of addresses from the Permit Relay ranges, to no avail. Regardless, as soon as we removed the outside addresses, the relay closed. I'm still testing it further. I've already had our new ISP retest it and it passed their tests.

FYI, the so-called DMZ of the Netscreen doesn't mean that it's wide open. You can set rules and NAT addressing on that port as well, and we have. Only email-related traffic is allowed through this port.

In the midst of all of this, we had also run into a problem which turned out to be caused by the fact that we apparently forgot to disable Microsoft's SMTP services. When this happened, IMail refused any and all SMTP traffic...except via the web interface, which struck me as strange. The server would allow POP3, but never received any email. The external sender would get back a message stating that our SMTP server didn't have a record of the destination email account. That was Microsoft's SMTP service interfering. The strange thing about this is that this server has been running for several months without issue.

I half wonder if one of Microsoft's patches didn't re-enable the service. Why wouldn't it have caused a problem before if it was never disabled?! We've installed all but Windows 2000 SP3...as we have been leery about this service. I've had mixed results in updating...problems with services not starting due to incorrect passwords for the service start. Any problems from others with SP3?

Dennis T. Kemp II (Tom)
Program Manager
MCSE/CNA/A+
Control Concepts, Inc.
703-876-6418
Fax#: 703-876-6416
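An added example, not part of the original post: a small audit of permit-relay ranges against the addresses that translated outside traffic can appear to come from, which is the condition the post describes. All addresses, range lists and function names are constructed for illustration, and the set of NAT-presented addresses is an assumption that has to be filled in from the actual firewall policy.

```python
import ipaddress

# Constructed sample data (documentation/private ranges, not the poster's real addresses).
PERMIT_RELAY = ["192.168.10.0/24", "203.0.113.0/29", "10.0.5.0/30"]
# Hosts that legitimately submit outbound mail through the server.
MAIL_CLIENTS = ["192.168.10.21", "192.168.10.57"]
# Assumption: addresses an Internet-originated SMTP session may appear to
# come from once the firewall has translated it (router, firewall WAN side,
# mapped mail-server IP, DMZ-side gateway).
NAT_PRESENTED = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "10.0.5.1"]


def audit_relay_ranges(permit_ranges, mail_clients, nat_presented):
    """Return (cidr, status, exposed_addresses) for every permit-relay range.

    OPEN_RELAY_RISK: the range covers an address that translated outside
                     traffic can arrive from, so any Internet sender relays.
    UNUSED:          no known mail client lives in the range; remove it.
    OK:              only internal clients match.
    """
    clients = [ipaddress.ip_address(a) for a in mail_clients]
    translated = [ipaddress.ip_address(a) for a in nat_presented]
    findings = []
    for cidr in permit_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        exposed = [str(a) for a in translated if a in net]
        if exposed:
            status = "OPEN_RELAY_RISK"
        elif not any(a in net for a in clients):
            status = "UNUSED"
        else:
            status = "OK"
        findings.append((cidr, status, exposed))
    return findings


def safe_ranges(findings):
    """Permit-relay ranges worth keeping: used by clients, not NAT-exposed."""
    return [cidr for cidr, status, _ in findings if status == "OK"]


if __name__ == "__main__":
    results = audit_relay_ranges(PERMIT_RELAY, MAIL_CLIENTS, NAT_PRESENTED)
    for cidr, status, exposed in results:
        print(f"{cidr:18} {status:16} {', '.join(exposed)}")
```
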
