Novell Home

Configuring Mail Proxy for Internal Mail servers

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 21 Jun 2002
 

If you find you are unable to get mail in or out of the BorderManager Server, here are some troubleshooting techniques that should help you figure out what the problem is.

1: Make sure that under the BorderManager server Details | BM setup | IPaddresses that you have public and private IP address configured.

2: Enable Mail Proxy (just below HTTP Proxy) | go to Details | for Primary Mail Domain Name put your domain (example NOVELL.COM) | for internal Mail server name put the Private Mail server's IP address (or name) | put the same IP address for POP3 | Click OK.

3: BorderManager 3.5, 3.6 and 3.7 require additional configuration in the ETC/PROXY/PROXY.CFG file: The following keywords must now be added to the [BM Mail Proxy] section of SYS:\etc\proxy\proxy.cfg with the corresponding values if using Mail Proxy:

BM_Domain: The value for this keyword should be the primary domain of the BM proxy. (i.e. if your primary registered domain name is xyz.com, this value should be set to xyz.com). This keyword is used for the proxy to check incoming mail for spam relay. i.e., if the domain name in the TO: field of the message does not match the primary domain of the proxy, the proxy will reject the message. NOTE: If "Primary Domain Name" is not specified through NetWare Administrator, then this keyword and a value are required in SYS:ETC\PROXY.CFG or outbound e-mail will not get sent. If "Primary Domain Name" *is* specified, then the BM_Domain field it is not necessary.

BM_Proxy_Domain: This field should contain the fully qualified DNS name of the BM proxy. This field is used by the proxy to advertise its correct host name when it sends the HELO command to an SMTP server. This is useful in cases when the target SMTP server is doing a DNS lookup on the hostname advertised in order to avoid spam relay. Though this keyword is optional, if this keyword is not specified, outbound e-mail from the mail proxy may be rejected by the destination SMTP servers. The reason for this is that some SMTP servers do reverse a DNS lookup on the SMTP origin during SMTP session establishment as an anti-spam measure. The recommendation is to specify this keyword with a value.

BM_Incoming_Relay: This field takes integer values of 0 and 1. If this field is set to 1, then the mail proxy will relay e-mail containing a % sign. For example, if it receives a message with TO ADDRESS: johndoe%abc.com@xyz.com, it will relay the message to johndoe@abc.com. If the BM_Incoming_Relay is set to 0, then the proxy will reject all incoming relay requests. By default, it is set to 0 to avoid a spam relay attack.

Example:

[BM Mail Proxy]
BM_Domain=xyz.com
BM_Incoming_Relay=0
BM_Proxy_Domain=mail-proxy.acctg.xyz.com

4: If you are still unable to receive e-mail and you have NAT.NLM loaded do the following: SET NAT DYNAMIC MODE TO PASS THRU=ON (if this works put it in your AUTOEXEC.NCF) or disable Nat Implicit Filtering in INETCFG.

5: Configure the Internal Mail server to forward mail to the BM's Private NIC (modify the GWIA.CFG /MH BMPrivateNic).
See TID 10012539

6: Quick test - telnet to the internal mail server by IP address on port 25. You should get a Service 220 ready.
For additional Mail Proxy Troubleshooting, See TID 10014027

Known Issues

  • The keywords must be added to the PROXY.CFG file or Mail Proxy will not forward mail.
  • If Mail Proxy is enabled and an e-mail/attachment larger than the currently configured spool directory or maximum message size is passed through the PROXY, the server may hang or abend. Work-around: In NWADMIN change the maximum message size to 2000MB and the spool size to 4000MB (even if there is not that much space available).
  • If multiple MX record resolution is required then PROXY.NLM must be loaded with -M (i.e. LOAD PROXY -M).

Alternatives

  • Use static NAT. See TID 10011265
  • Put GWIA on the BorderManager Box.

Pros and Cons of Mail Proxy

Pros

  • You do not need a secondary IP address.
  • You can use access control.
  • May not need to open ports for filters.

Cons

  • Not as robust.
  • Can only handle one domain.
  • Without access rules spamming may be possible. See SOCKS and SPAM for more info.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell