ScreenOS Firewalls (NOT SRX)

Visitor
StonyAr
Posts: 6
Registered: 07-10-2009

DMZ email server is not reachable from internet

Hi,

I have set up an email server behind an SSG-5 in the DMZ. The SSG-5 in turn is behind an ISP's router. I have set a VIP to direct SMTP traffic destined for our public IP to the DMZ server. I have untrust, trust and DMZ zones in the trust-vr. I have set up policies allowing MAIL-POP3 traffic from trust to DMZ and MAIL traffic from untrust to DMZ.

POP3 from the trust zone (our internal network) works fine but no email from outside (internet) can reach our server.

I have checked our DNS MX record and it looks OK (I use 'dig'), but any email sent to our address times out trying to get a connection.

I have checked it with the ISP and they assured me that they do not block any SMTP traffic.

The scheme below describes the setup (the [] indicates RJ-45):

  (Public IP)194.x.x.x--[][ R ][]--192.168.x.1/29--[ S ][]--192.168.x.2/29(0/0 untrust)
                          | O |                    | S |[]--1.x.x.1/24(0/1 DMZ)--1.x.x.7/32-[Email Server]
                          | U |                    | G |[]--192.x.x.1/24(0/2 trust)--192.x.x.x/24(Our Net)
                          | T |                    | - |
                          | E |                    [ 5 ]
                          [ R ]

I have attached the configuration file.

What am I doing wrong?

Any hint is welcome and very much appreciated!

Contributor
AndyT
Posts: 52
Registered: 11-21-2008

Re: DMZ email server is not reachable from internet

I think this is the problem:

 set policy id 9 from "Untrust" to "DMZ"  "VIP(ethernet0/0)" "Mail_Server" "MAIL-POP3" permit

To match your VIP, your policy needs to be:

set policy id from untrust to dmz any vip(e0/0) smtp permit

Hope this helps! :)
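As an added illustration of the mismatch AndyT points out (example code added here, not from the thread or from ScreenOS): a small checker that reads `set interface ... vip` and `set policy` lines and flags untrust-to-DMZ policies that cannot match VIP traffic, either because the VIP sits in the source column or because the policy's service is not one the VIP forwards. The sample config and addresses are constructed, and the VIP command form is assumed from ScreenOS syntax.

```python
import re
from typing import Dict, List, Set

# Constructed sample config (placeholder addresses). The VIP line follows the
# assumed ScreenOS form: set interface <if> vip <ip> <port> <service> <server>
SAMPLE_CONFIG = """
set interface ethernet0/0 vip 194.0.2.10 25 "MAIL" 10.11.12.13
set policy id 9 from "Untrust" to "DMZ" "VIP(ethernet0/0)" "Mail_Server" "MAIL-POP3" permit
set policy id 10 from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "MAIL" permit
set policy id 11 from "Trust" to "DMZ" "Any" "Mail_Server" "MAIL-POP3" permit
"""

VIP_RE = re.compile(r'^set interface (\S+) vip \S+ (\d+) "?([^"\s]+)"? (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+(permit|deny)'
)
VIP_REF_RE = re.compile(r"VIP\((\S+)\)")


def audit_vip_policies(config: str) -> List[str]:
    """Return one finding per policy that cannot pass inbound VIP traffic."""
    vips: Dict[str, Set[str]] = {}   # interface -> services the VIP forwards
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = VIP_RE.match(line)
        if m:
            vips.setdefault(m.group(1), set()).add(m.group(3))
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        pid, _src_zone, _dst_zone, src, dst, svc, _action = m.groups()
        # A VIP is a destination object: inbound traffic is matched on its
        # public address, so a VIP in the source column never matches.
        if VIP_REF_RE.fullmatch(src):
            findings.append(f"policy {pid}: VIP used as source address; "
                            f"inbound VIP traffic is matched on the destination")
        vip_dst = VIP_REF_RE.fullmatch(dst)
        if vip_dst:
            allowed = vips.get(vip_dst.group(1), set())
            # The policy service must be one the VIP actually forwards.
            if svc not in allowed:
                findings.append(f"policy {pid}: service {svc} is not forwarded by "
                                f"{dst}; VIP forwards {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for finding in audit_vip_policies(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, only policy 9 is reported; policy 10 is the shape AndyT recommends and passes.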

Visitor
StonyAr
Posts: 6
Registered: 07-10-2009

Re: DMZ email server is not reachable from internet

Hi AndyT,

Thanks for pointing out the problem with policy No 9. This was a typo due to different experiments I am carrying out trying to solve the problem.

I originally had set the policy as you mentioned but it did not work. Nevertheless I have now changed it back to the right one (thanks again) and, as I expected, no email gets through either.

The problem is somewhere else.

Thanks

Contributor
AndyT
Posts: 52
Registered: 11-21-2008

Re: DMZ email server is not reachable from internet

Can you do a quick debug flow basic to see packets traversing the firewall and then post the output so we can see what's going on? There is a really good guide written by andyc stickied at the top of the page.
Visitor
StonyAr
Posts: 6
Registered: 07-10-2009

Re: DMZ email server is not reachable from internet

I did a debug flow basic. I set the filters (10.11.12.13 is the email server's 'blurred' IP):

>set ffilter src-ip 10.11.12.13
>set ffilter dst-ip 10.11.12.13
>set ffilter dst-port 25

I sent an email using a different network (wireless hotspot) and a different domain (my private email account) and I got only one line in the debug flow:

## 2009-07-24 8:27:34 : Fail to sendmail due to failure to connect

The 'sendmail' is one word.

I sent another email using our network but through a different relay server and I got all the debug flow for sending it out (due to dst-port 25, I assume) and, as the last line, again:

## 2009-07-24 8:42:26 : Fail to sendmail due to failure to connect

If this does not ring a bell with you then I can try something like ping and post the debug flow.

Visitor
wadkabeer
Posts: 4
Registered: 06-21-2009

Re: DMZ email server is not reachable from internet


I have similar configs; try to modify the route:

set route 0.0.0.0/0  interface ethernet0/0

and

set route source 192.168.252.2/29  interface ethernet0/0 gateway [public ip or router serial ip]  preference 20 permanent

HTH
Visitor
StonyAr
Posts: 6
Registered: 07-10-2009

Re: DMZ email server is not reachable from internet

AndyT and Wadkabeer,

Thanks for posting and helping on the problem.

I finally resolved it. It was caused by the ISP, which blocked traffic to port 25. Initially they assured me that the port was open and that there should be a problem with the firewall configuration. That's why I turned to the Juniper forum.

After some experiments I was convinced that it's not the firewall, so I insisted that someone verify which ports traffic was allowed on, and only then they said Ooops! 25 is blocked. Sorry! Now it's "opened" and our email server is up and running.

Bottom line: do not trust a support center "specialist" when he/she says that no traffic to a specific port is blocked. Double check it!

Contributor
Bill_G
Posts: 10
Registered: 11-07-2008

Re: DMZ email server is not reachable from internet

Been there, done that. Glad you got it resolved.