  1. #1
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224

    PFsense, no incoming email from outside world?

    So I finally have a PFsense box up and running. Anyway, I can send email but not receive email from outside our network. I also cannot access OWA from the https connection, and I guess all my BlackBerry users are SOL right now. I have just the default settings.
    People should learn endurance; they should learn to endure the discomforts of heat and cold, hunger and thirst; they should learn to be patient when receiving abuse and scorn; for it is the practice of endurance that quenches the fire of worldly passions which is burning up their bodies.
    --Buddha

    www.skiclinics.com

  2. #2
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    You understand that it is a firewall (which locks out access from the outside) that needs to have ports opened and forwarding rules to the server(s) internal ip address(es) involved?

    http://doc.pfsense.org/index.php/How...ith_pfSense%3F

    and troubleshooting:

    http://doc.pfsense.org/index.php/Por...roubleshooting

    From the outside, use a port scanning utility to see what if anything you have open. THEN START OPENING JUST THE SPECIFIC PORTS NEEDED.

  3. #3
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    That was it. I needed some port forwarding instead of just rules. Now it appears that I'm only missing OWA?

  4. #4
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    Port 443 is the SSL port (80 is not needed unless you also serve up a web site or want to use non-SSL access, which is not recommended for OWA due to password issues).

    So follow this article (if it is your same version of Exchange- it is for older servers) along with the steps you just did to the Exchange Server:

    http://support.microsoft.com/kb/259240

    For newer servers this article may help:

    http://www.msexchange.org/tutorials/...rver-2006.html

  5. #5
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    OK, the outside world is good now, but no inside world with OWA?
    Last edited by Tuckerman; 03-11-2010 at 01:30 PM.

  6. #6
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    If you are on the LAN (10.0.0.x) then pfSense should have nothing to do with it (unless you are doing something like discussed below). Do you have any server firewall software enabled, and if so, do you have a rule to open 443, which is needed inside the local LAN?

    You should be able to get to it inside the network if you are reaching it now from outside the network. How many network interfaces did you set up on the pfSense box: just the 2, LAN and WAN (Green and Red), or do you also have, say, a wireless network that is set up on a 3rd network card in the pfSense configuration?

  7. #7
    Join Date
    Dec 2005
    Location
    South Lake Tahoe
    Posts
    257
    What HTTP error are you getting when trying to connect, and are you trying to connect to the same address that you would connect to externally (an externally facing website, http://youremailserver.com), or are you connecting to OWA via an address only available internally (http://yourmailserver/)? It sounds like you may be reaching out of the network and then back into it, and creating problems that way.

  8. #8
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    You can try just the IP address (and remember that you may want to try https: also, if all you have open for viewing is the SSL version, locking down the http port 80), or also just the server name or IP address of the server.

    Telnet into the server on both ports from inside the network if you think it is a firewall issue; if not, then it also could be a simple DNS entry problem too. If you use the server name or the IP and it works, then it could be that the DNS is not right.

    This discussion will give you some other ideas. Could be the address to test is serveripaddress/exchange on the local side and move from there to servername/exchange etc. also.

    http://www.smallbizserver.net/Forums...c/Default.aspx

  9. #9
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Well, I can use the IP address but it gives me an error. Before I get this error it looks like I can't connect unless I select continue anyway or something.

  10. #10
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    The first thing is the fact that you can connect internally with the IP address, which leads me to think DNS address issues are probably the reason the internal is not working, or else, as mentioned, you are attempting to use the external .com or .gov address for the server instead of the local address for your domain. Try https://servername/owa next to see what happens.

    As for the certificate error - that is an easy one. First question is, have you installed the certificate? Is the certificate being used a self-signed one created by the server or one that was purchased from a public company? If you understand certificates and the server set-up then there are ways to make it work, even with a self-signed certificate. But anyways, none of the issues are pfSense or firewall based problems. Go read up on DNS settings, certificate issues etc. to troubleshoot and resolve the rest of your issues.

    http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

    I usually tell the users to bookmark an internal address and an external (for laptops as an example) and not try to get the external address working inside the network through DNS. This is the best discussion on the issue I could find:

    http://serverfault.com/questions/877...nternal-access
    Last edited by RShea; 03-12-2010 at 07:14 AM.

  11. #11
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Quote Originally Posted by ColinB View Post
    It sounds like you may be reaching out of the network and then back into it, and creating problems that way.
    That's exactly what I'm doing.

  12. #12
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Quote Originally Posted by RShea View Post

    As for the certificate error - that is an easy one. First question is, have you installed the certificate? Is the certificate being used a self-signed one created by the server or one that was purchased from a public company? If you understand certificates and the server set-up then there are ways to make it work, even with a self-signed certificate. But anyways, none of the issues are pfSense or firewall based problems. Go read up on DNS settings, certificate issues etc. to troubleshoot and resolve the rest of your issues.
    This all worked fine for the last 2 years until I put pfSense in place a few days ago. Which leads me to think it's a firewall issue, no?

  13. #13
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    No, not necessarily- but I still do not know the web address you used to use and the one you are trying to use now inside the network. What are your DNS server(s)? Internally, of course, they should point to your Microsoft server, unless you have separate DNS servers running for the network? As you have proved, pfSense is not blocking the port, and there is no forwarding required behind the pfSense box on the internal network.

    DNS is not one of my strongest areas, but the nslookup should supply some info. The certificate error can be resolved- it just may not match up any more locally if you are using a purchased certificate that is tied to your domain name used outside.

    Read my edited post above too on the DNS discussion. Also are you running ISA server on the network?
    Last edited by RShea; 03-12-2010 at 07:33 AM.

  14. #14
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    The OWA link was https://server/owa. It is a 3rd party certificate, so I'm guessing that when I use an internal PC the request is not coming from the externally facing address from our ISP, which is where the certificate is issued for. Why can't I use the address above to leave the network and come back in through the WAN?
    Last edited by Tuckerman; 03-12-2010 at 07:42 AM.

  15. #15
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Quote Originally Posted by RShea View Post

    I usually tell the users to bookmark an internal address and an external (for laptops as an example) and not try to get the external address working inside the network through DNS. This is the best discussion on the issue I could find:

    http://serverfault.com/questions/877...nternal-access
    This may end up being my solution, but reluctantly, because it worked with the cheap firewall that was in place for years. I did notice on the old firewall rules that there is some kind of "Key Exchange IKE" rule? Also I hate not being able to figure stuff out; I'll lose sleep over this workaround.

  16. #16
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    First I'd recommend you edit the post and place something generic in the .org address (just to be safe from a hacker's point of view on the public forum). You can do what you are asking about- but there are risks that you have to understand, since DNS can and may get cached, and if users, say, take a laptop in and out of the network regularly they could continue to be confused or have issues due to looping.

  17. #17
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Quote Originally Posted by RShea View Post
    First I'd recommend you edit the post and place something generic in the .org address (just to be safe from a hacker's point of view on the public forum). You can do what you are asking about- but there are risks that you have to understand, since DNS can and may get cached, and if users, say, take a laptop in and out of the network regularly they could continue to be confused or have issues due to looping.
    Well, that's something else, I guess. My laptop users use Outlook, and when they come in they plug in and their email works fine; also, when they are at home they open Outlook and everything runs fine.

  18. #18
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    You have a few options depending on what you want to do. First, as mentioned, have 2 different bookmarked connections and train the users for inside and outside the network. One could be http: for inside (no certificate required) and https: for outside, just like you have been doing all along.
    Also, I don't know if it is best practice, or if you could use the 3rd party certificate for outside and also load a second self-signed, server-created certificate for inside to match the local address.

    Another option is to investigate the Internet Key issues between the old router and pfSense.
    I have not played with pfSense enough to know if it supports the key exchange options. There are tons of pfSense support forums and of course Google as options.
    Here is a good discussion on the IKE:
    http://www.ciscopress.com/articles/article.asp?p=25474

  19. #19
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    Quote Originally Posted by Tuckerman View Post
    Well, that's something else, I guess. My laptop users use Outlook, and when they come in they plug in and their email works fine; also, when they are at home they open Outlook and everything runs fine.
    Then who needs to use OWA inside the network? If they do not go outside the network, then there are a bunch of suggestions, such as simple changes or just DNS setup for the occasional need.

  20. #20
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Quote Originally Posted by RShea View Post
    Then who needs to use OWA inside the network? If they do not go outside the network, then there are a bunch of suggestions, such as simple changes or just DNS setup for the occasional need.
    I'm with you, but people in some areas share PCs and are required to check their email. They are given a few minutes a day to do so and they don't want to log out and then back in again to use Outlook. So they use OWA. I said let's have them use Outlook and have them pick a profile when it loads, but apparently that's too hard for some people.

  21. #21
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    Then train them for http://servername/owa while inside the network locally on said workstation, using port 80 (which has no certificate since it is not SSL), and then add the https for https://domainname.org/owa when outside the building....

    Alternatives- hire someone to set it up, or study up on DNS if you have control of the DNS servers (DNS and BIND from O'Reilly Press is a good book), or else try the 2 different types of certificates and install the server-created one on all the local machines that are not laptops.

    pfSense may be handling the forwarding differently than your old router- which could be a good thing from a protection standpoint- it is following routing rules better.

  22. #22
    Join Date
    Jan 2003
    Location
    nh
    Posts
    8,224
    Had to rebuild the PF box and again no outside access to owa. Fauck!!!!!!

  23. #23
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,628
    Did you back up the original configuration after you got it solved the last time? Step through the articles again and figure out the issue. Then document the fix, and do an image or backup of the server.

  24. #24
    jgb@etree Guest
    It probably brought you back to a default configuration that doesn't include the port forwards (80/443) that you set up last time.

    Your internal certificate issue with OWA is pretty straightforward once you understand how a SSL cert works.

    Prior to your firewall, you were accessing OWA from inside the office as if you were actually inside.

    Let's say the DNS name and IP scheme goes like this:

    Internal: 172.16.3.100 exchange01.company.com (or perhaps exchange01.company.local)
    External: 64.65.66.67 mail.company.com

    Pre-firewall, they were hitting mail.company.com/owa, but it was actually getting routed out to your ISP and then back in as if the connection were from an external source, so you didn't have cert issues inside or outside of the office. Enter your firewall. Not familiar with pfSense, but most firewalls (my experience is with Cisco PIX & ASAs) will not allow a connection from the inside to come back in the same interface - just won't work. So hitting mail.company.com (or its external IP address) becomes unpossible from behind the firewall. Your workaround is to hit exchange01.company.com/owa, but you'll now get an SSL error, as the certificate loaded onto the server says that the hostname is supposed to be mail.company.com, but you are accessing it with exchange01.company.com. Just hit continue & move on.

    Hope that makes sense. Tried to keep it as basic as possible. There is a way around this, but it's a little more complex. LMK if you'd like details.

    To fix:

    For starters, make sure you can still access internally to confirm that the server is working properly. If so, just pop in some new port forwarding rules and then test from outside.

    http://doc.pfsense.org/index.php/How...ith_pfSense%3F

    1. Go to the Firewall menu, select NAT, then click on the Port Forward tab.
    2. Click on the + icon at the top or bottom of the screen.
    3. Choose the Interface for the port forward (likely WAN) and, if needed, pick a virtual IP address from the External Address drop-down.
    4. Enter your forwarded port in the External Port range box(es).
    5. Enter the internal IP address you'd like to send that port to in the NAT IP box.
    6. Fill in a local port if it differs from the external port.
    7. Check the Auto-add a firewall rule checkbox.
    8. Click Save, which will return you to the Port Forward NAT screen, showing you all the NAT entries.
    9. Finally, click Apply Changes - wait a few seconds and test.
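
    To make the address plan in the post above concrete, here is an added Python model (not jgb@etree's code, nor anything from pfSense or Exchange) of what a LAN client ends up connecting to with and without split-horizon DNS, and whether the purchased certificate's name then matches the URL. The names and addresses are the constructed ones from that post; the 172.16.0.0/16 LAN range and the certificate covering only mail.company.com are assumptions.

```python
import ipaddress

# Constructed address plan, as laid out in the post above (assumed LAN range).
LAN = ipaddress.ip_network("172.16.0.0/16")
# One answer for everyone, as the thread's pre-firewall setup behaved.
PUBLIC_ZONE = {"mail.company.com": "64.65.66.67",
               "exchange01.company.com": "172.16.3.100"}
# Split horizon: LAN clients get the internal address for the public name.
INTERNAL_ZONE = {"mail.company.com": "172.16.3.100",
                 "exchange01.company.com": "172.16.3.100"}
# Names on the purchased certificate (assumption: only the public name).
CERT_NAMES = ["mail.company.com"]


def resolve(name, client_ip, split_dns):
    """Answer a query the way a split-horizon resolver would."""
    if split_dns and ipaddress.ip_address(client_ip) in LAN:
        return INTERNAL_ZONE.get(name)
    return PUBLIC_ZONE.get(name)


def cert_matches(hostname, cert_names):
    """Hostname check as a browser does it: exact match, or a single-label
    wildcard in the leftmost position only (no '*.x' matching 'a.b.x')."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".company.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def owa_connection(url_host, client_ip, split_dns):
    """Return (target_ip, cert_ok, verdict) for an https://url_host/owa request."""
    target = resolve(url_host, client_ip, split_dns)
    if target is None:
        return (None, False, "dns-failure")
    client_inside = ipaddress.ip_address(client_ip) in LAN
    # A LAN client handed the WAN address tries to leave and re-enter the
    # firewall on the same interface; the post reports this simply fails.
    if client_inside and ipaddress.ip_address(target) not in LAN:
        return (target, False, "hairpin-blocked")
    ok = cert_matches(url_host, CERT_NAMES)
    return (target, ok, "ok" if ok else "cert-name-mismatch")


if __name__ == "__main__":
    for host, client, split in [("mail.company.com", "172.16.3.50", False),
                                ("exchange01.company.com", "172.16.3.50", False),
                                ("mail.company.com", "172.16.3.50", True),
                                ("mail.company.com", "203.0.113.9", True)]:
        print(host, client, "split" if split else "single", owa_connection(host, client, split))
```

    The first two cases are the two symptoms in this thread (hang via the WAN address, certificate warning via the internal name); the third is what a split-horizon internal zone buys you.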

  25. #25
    jgb@etree Guest
    Oh, and for the record: this is why you never make changes to a production firewall during business hours.


    Edit: And if email isn't flowing from outside, make sure you set up port 25/tcp to be forwarded to your mail server as well.
