
Connection Questions...

Old 12 August 2001, 02:54 PM
  #1  
Puff The Magic Wagon!

2 PCs running W2K & W2K server (there's also an iMac but I won't start to complicate matters)

Want to run Exch 5.5 & use that to send/receive emails to the lan.

Using a Cisco 760 router to share internet access in the house.

Zonealarm as well.

Surftime account via Demon.

1) Am able to send but not receive emails via the lan/router - what have I missed? Demon I know has post.demon.co.uk to use as outgoing & pop3.demon.co.uk for tapping incoming. Can't see where this needs to be set up - no mention of usernames/passwords.

Is it Zonealarm causing this problem? Apparently my port 25 is closed. How can I open this?

2) If I were to use Proxy Server would I get any further security benefits, bearing in mind the router I've got?

Old 12 August 2001, 07:48 PM
  #2  
dba

I am totally **** at this IT bollox, but have you checked under "programs" in Zonealarm to ensure the mail program is ticked?

Can't help with the rest, you were speaking Arabic.
Old 12 August 2001, 08:00 PM
  #3  
WillieF

Hey Puff

You and I do need to have a chat but I haven't had the time.

Anyhow exchange doesn't connect to pop3 unless you have a small business server version. That said though, demon give you smtp in both directions sooo all that should happen is when the server connects via the router demon should connect to port 25 of the server and send you the mail.

Give me a ring on 07973703301 or 01314679999 on Monday and I will explain!!

Regards


Willie

[This message has been edited by WillieF (edited 12 August 2001).]
Old 12 August 2001, 08:14 PM
  #4  
Puff The Magic Wagon!

dba

Thanks - I have checked that

Willie

Will do - Seems that I may have a problem with my port 25. Need to find some way of unblocking it then...

Running a port sniffer at the moment which is quite interesting
Old 12 August 2001, 08:14 PM
  #5  
WillieF

Or mail me...
Old 12 August 2001, 09:44 PM
  #6  
boomer

Puff,

Willie is right. You gotta set up your Exchange server to connect to the Demon SMTP server (via port 25). That way all of your mail will be handled and stored locally (in Exchange). POP3 is for wimps

As for opening up your firewall (for port 25), I guess you gotta read the instructions for Zonealarm!!! Just one thing - don't open 25 to "anyone" - only the trusted Demon servers.

mb
Old 12 August 2001, 10:59 PM
  #7  
carl

I don't think you can open up ports to specific address ranges in ZoneAlarm -- they're either 'open' or 'closed'. If you *don't* use SMTP delivery, you won't need your local network to act as a server for anything so you can close off all the ports. POP3 connects on port 110, but that's 110 at the server end and a high port number at the client end.

However, it looks like your version of Exchange (sledgehammer to crack a nut) doesn't support POP3 delivery, so you need to find it in the 'programs' list in ZA, and check 'allow access to local network', 'allow access to internet', 'allow to act as local server' and 'allow to act as internet server' (and probably 'pass lock' while you're at it). If you're then worried about security (e.g. people SMTP tunnelling from the internet), you could probably set up an access list on the 760 but I think someone mentioned in another thread that it doesn't support them.

Have you tried using something simpler? VPOP3 will collect mail from a POP3 mailbox and act as a local server for delivery around a LAN. I presume this is a home-based thing rather than an office-based one?
Old 13 August 2001, 12:06 AM
  #8  
David_Wallis

Just out of interest.... the problem I ALWAYS had when configuring Ex 5.5 with demon was when you configure imc or ims whatever it was called in 5.5 there was an option button Reroute incoming mail (required for POP3 support) make sure this is NOT Selected..

Hope it is working ok now.

Should work other than that...

David
Old 13 August 2001, 09:06 AM
  #9  
dowser

I assume for outgoing connections you're using NAT on the Cisco to translate your private addressing?

Have you bound incoming connections on port 25 through to your exchange box? But do you have a static IP from the isp?

I'm not familiar with the 760 - I don't know how you do this if it's not running IOS

Richard
Old 13 August 2001, 10:12 AM
  #10  
Puff The Magic Wagon!



So much to learn - thanks for your replies so far!

Did manage to get 2 emails come into me - somehow - but the experience hasn't been repeated

What about Proxy Server? Any security benefits of installing it?

Old 13 August 2001, 10:13 AM
  #11  
carl

With Demon you get static IP -- but only 1 IP address. I think perhaps this is where the problem is -- the router will need to do NAT. I know that if you do Demon ADSL you get five addresses to play with (i.e. a /29), but on dialup it's only one.

From
Old 13 August 2001, 11:22 AM
  #12  
dsmith

From CCO

"Cisco 700 series routers provide PAT, enabling local hosts on a private IP network to communicate externally.

Packets destined for an external address have their private IP address plus port number translated to the router's external IP address before the IP packet is forwarded to the WAN. IP packets returning to the router have their external IP addresses (plus port number) translated back to the private IP addresses, and the packets are forwarded to the LAN. "

the command is "set ip pat on"

i.e. it will then automatically Xlate all outbound connections behind the dial-in address.

The key I guess is whether the exchange box is going to poll the mail servers to check for incoming mail which (zone alarm aside) should be fine or whether you need the remote mail server to initiate the connection. In which case you would need to set up a static IP address, a DNS entry for your mail domain pointing at your static IP, and a specific translation on the 760 to map port 25 traffic to your server IP - you need to configure a smtp port handler for this :-

set ip pat porthandler smtp 172.27.0.2 (with your exchange box address obviously)

Puff if you run a proxy then make sure you turn your local cache right down (or the proxy's). With 1 or 2 users and two caches (local machine and proxy), if one doesn't have it then neither will the other - and you just end up with delays (albeit v.small) as all the various caches are checked.

People will have differing views but, if you are natting behind the 760 router then that should provide most of the security that personal firewalls provide as there is no way for remote connections to be initiated to the server or PCs. (except port 25)

Url for 760 commands

Old 13 August 2001, 11:23 AM
  #13  
dowser

Puff

Proxy server will provide little additional security if you're running NAT on the Cisco. Are you?! It may well improve the load time of commonly downloaded pages though. But be aware you cannot proxy an smtp connection.....

Your biggest security risk will be to allow incoming smtp connections (especially if you can't use an access list on the Cisco to restrict this to only the Demon smtp boxes) - I'm not sure what vulnerabilities exist for Exchange, but get the box patched up. Also shut down as many smtp options as poss under Exchange (to see them, telnet to port 25 and type help [you may need a 'helo' first]).

Or do as was recommended above, dump Exchange and go with a pop3 solution. This allows you to keep your 'outgoing connections only' NAT rule. All incoming requests will be dropped, leaving a hacker only trojans or session hijacks.

If you do allow the incoming connection; it is probably easier to set the NAT up to forward all incoming ports to your Exchange host....don't do this! Make it only incoming requests on 25.

Richard
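
Added example, not part of the posts above and not router code: a simplified Python model of the PAT behaviour discussed in posts #12 and #13. It shows which ports an unsolicited outside host can reach with outbound-only translation, with an smtp port handler, with that handler limited to the ISP's mail servers, and with every port forwarded. Apart from 172.27.0.2, all addresses are constructed placeholders, and the class, method names and session-matching rule are assumptions made for illustration.

```python
import ipaddress

class PatRouter:
    """Simplified PAT model (illustrative; not the 760's actual implementation)."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.next_port = 40000      # arbitrary start of the translated port range
        self.sessions = {}          # ext port -> (inside ip, inside port, remote ip, remote port)
        self.handlers = {}          # ext port -> (inside ip, allowed source network or None)
        self.forward_all_to = None  # "forward every port to one host" shortcut

    def add_handler(self, port, inside_ip, allowed_src=None):
        """Static mapping, like the smtp port handler; allowed_src models an access list."""
        net = ipaddress.ip_network(allowed_src) if allowed_src else None
        self.handlers[port] = (inside_ip, net)

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Inside host opens a connection; returns the translated (ip, port)."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[ext_port] = (inside_ip, inside_port, remote_ip, remote_port)
        return (self.external_ip, ext_port)

    def inbound(self, remote_ip, remote_port, ext_port):
        """Packet from the WAN; returns the inside (ip, port) or None if dropped."""
        s = self.sessions.get(ext_port)
        if s and (s[2], s[3]) == (remote_ip, remote_port):
            return (s[0], s[1])     # reply on a session started from inside
        if ext_port in self.handlers:
            inside_ip, net = self.handlers[ext_port]
            if net is None or ipaddress.ip_address(remote_ip) in net:
                return (inside_ip, ext_port)
            return None             # source not on the access list
        if self.forward_all_to:
            return (self.forward_all_to, ext_port)
        return None                 # unsolicited and unmapped: dropped

def exposed_ports(router, remote_ip, ports=(25, 110, 135, 139, 445)):
    """Ports on which an unsolicited connection from remote_ip reaches the LAN."""
    return [p for p in ports if router.inbound(remote_ip, 50000, p)]

if __name__ == "__main__":
    EXCHANGE = "172.27.0.2"         # Exchange box address used in the thread
    ISP_MAIL = "192.0.2.0/24"       # constructed stand-in for the ISP's mail servers
    STRANGER = "198.51.100.7"       # constructed unrelated Internet host
    r = PatRouter("203.0.113.10")   # constructed external address
    print("outbound only:", exposed_ports(r, STRANGER))
    r.add_handler(25, EXCHANGE)
    print("smtp handler: ", exposed_ports(r, STRANGER))
    r.add_handler(25, EXCHANGE, allowed_src=ISP_MAIL)
    print("handler + ACL:", exposed_ports(r, STRANGER), exposed_ports(r, "192.0.2.5"))
    r.forward_all_to = EXCHANGE
    print("forward all:  ", exposed_ports(r, STRANGER))
```
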
Old 13 August 2001, 01:08 PM
  #14  
dsmith

Puff

Just out of curiosity - how many users do you have at home to need full-blown exchange - I hope it's all licensed

Old 13 August 2001, 01:22 PM
  #15  
Puff The Magic Wagon!

Dean

Well, there's me & the wife & Ez & of course I'm using a licensed copy

Seriously, I know it's overkill (understatement) but as I'm the only muppet who looks after our network at work, it's not a bad idea to try & duplicate it at home, when I'm free of calls/interruptions etc. Also enables me to gain (much needed) experience/knowledge in looking after/setting up these sort of things & allows for a certain amount of product testing. I'm mainly self-taught & we don't have a training budget. Anyway, it doesn't matter if I fubar the set-up, as it's not mission critical!!!

All ideas/tips etc from the very knowledgeable people on the bbs all helps

Thanks peeps

Old 13 August 2001, 01:25 PM
  #16  
Puff The Magic Wagon!

However, might go & get vPOP3 - presume it's OK for Macs too?
Old 13 August 2001, 01:34 PM
  #17  
Ga22ar

of course you could use demon as a smart mailhost and get your x55 server to poll the demon server every 5 mins, that way you don't have to worry about anon incoming smtp connections.

your x55 server will be initiating the port 25 connection each time so this should get around the issues of zonealarm blocking the incoming port 25 stuff..

Any
Old 13 August 2001, 02:45 PM
  #18  
Puff The Magic Wagon!



& htf do I do that!!!??
Old 13 August 2001, 02:52 PM
  #19  
Ga22ar

First ensure that your incoming smtp mail is delivered to the demon smtp server which is your smarthost..

next go to your internet mail service (IMS) settings in x55, set the connections tab to send via DNS and select outgoing only.

Then create a new IMS and set it to incoming only and setup the polling of mail via the dial up connection, specify the period required and the host to retrieve from.

More time consuming overall but worth it as you can control the mail flow more precisely
Old 23 August 2001, 12:07 AM
  #20  
dsmith

Puff

If you can identify exactly what you want the router to do, I can give you a config.

Along the lines of PCs addresses, ISP number etc. + Plus details of what you want allowed inbound i.e. SMTP to Box A, WWW to Box B etc plus outbound. (Typically allow any connection initiated on the home LAN out).

Bear in mind that unless you have an ISDN account with fixed IP address (e.g. Demon business) the options for inbound connections are very limited as no-one will know your IP address.

Can't help too much on mail/exchange 'cos its not my thing. (Cisco's however are !)

If you power the router up and can get a terminal on the console the output of "show ver" would tell us what IOS and memory the box has. It may take a "firewall feature" set IOS which again gives a bit more scope for fancy configs.

Mail off-line if you want.

Deano
Old 23 August 2001, 12:32 AM
  #21  
Puff The Magic Wagon!

Dean

& to think that tonight I might shoot you in the back

I've emailed you an ISDN phone number that is there for remote admin via the console...

Old 23 August 2001, 12:41 AM
  #22  
kryten

You can run full servers off a demon connection without problems. I've been testing a full server (DNS, WWW, EMAIL) off the back of a demon connection for 24/7 without problems, prior to co-lo in telehouse.

However, issues you are likely to hit are regarding the ports you do/do not open up for incoming/outgoing access, both on the router and also on ZoneAlarm (plus IPSEC/ TCPIP filtering if you're using them).

Whatever happens ensure you DO NOT allow relaying through exchange! Most exchange servers set up by 'self taught' people are totally open and as you are on the end of a static IP from demon you're likely to find that you are regularly scanned for open ports (I got several relay attempts per day!).

Ensure you pass the tests at
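
Added example, not part of kryten's post: a Python self-check for a mail server you administer, covering the advice in post #13 (see which SMTP options the server offers) and in post #22 (make sure it refuses to relay). The addresses are constructed placeholders and the function names are illustrative; the check stops before DATA, so no message is queued.

```python
import smtplib

# Constructed placeholders: neither domain may be one your server accepts mail for.
OUTSIDE_SENDER = "relay-test@sender.example"
OUTSIDE_RCPT = "relay-test@recipient.example"

def relay_verdict(code):
    """Classify the reply to RCPT TO for a recipient the server does not host."""
    if 200 <= code < 300:
        return "open relay"
    if 400 <= code < 500:
        return "temporary failure, retest"
    if 500 <= code < 600:
        return "relay refused"
    return "unexpected reply"

def audit_session(smtp):
    """Run the checks on a connected smtplib.SMTP-style object."""
    code, _ = smtp.ehlo()
    if not 200 <= code < 300:           # older servers may only speak HELO
        smtp.helo()
    report = {"extensions": sorted(smtp.esmtp_features)}
    report["help"] = smtp.help().decode("ascii", "replace")
    mail_code, _ = smtp.mail(OUTSIDE_SENDER)
    if 200 <= mail_code < 300:
        rcpt_code, _ = smtp.rcpt(OUTSIDE_RCPT)
    else:
        rcpt_code = mail_code           # outside sender rejected before RCPT
    smtp.rset()                         # abandon the transaction, nothing is sent
    report["rcpt_code"] = rcpt_code
    report["verdict"] = relay_verdict(rcpt_code)
    return report

def audit_server(host, port=25, timeout=10):
    """Connect to a server you administer and return the audit report."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return audit_session(smtp)

if __name__ == "__main__":
    import sys
    for key, value in audit_server(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it from a host outside the LAN, since a server may legitimately relay for its own internal clients.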
Old 23 August 2001, 12:58 AM
  #23  
Puff The Magic Wagon!

Kryten

LOL

Funny you should mention about relay & Exchange...

Easynet, who supplied/configured our leased line, suddenly rang up about 3 months ago & gave me 40 minutes to reconfigure our server against relaying, or they would turn off the connection

Seems they had only *just* become aware that it was happening & this was their knee-jerk reaction. Fortunately, after a bit of abuse from me, I was told how to do it, so did. Just rather tedious exercise

Old 23 August 2001, 08:26 AM
  #24  
Puff The Magic Wagon!

Hehe

I now have access to a Cisco 1600 series jobbie

In theory this should allow me to sort out the Exchange/Demon bit + be more secure & I'm sure there will be further benefits.

Or am I wrong again?
Old 23 August 2001, 09:56 AM
  #25  
carl

Well at least it's more likely that people on here know how to configure it. What interfaces does it have, and what IOS version and featureset?
Old 23 August 2001, 11:01 AM
  #26  
Puff The Magic Wagon!

more questions

The model is a 1603

It's been used as 1 of 2 identical routers acting as, well, routers between our network and another with a dedicated 128k line.

Therefore it would appear to have an X21 lead, which is no good for me.

However, it has an ISDN BRI port which will do for my Home Highway.

I have various bits of software, an IP pack, including Configmaker, and that would appear to be/have IOS 12.0. However, I've also got a 1601 & that is still in use & I've got software for that as well, or is it all the same for the series & interchangeable?

Not sure exactly what is what. Any way to find out? Also has a flash card.
Old 23 August 2001, 11:40 AM
  #27  
carl

There should be a console port on the back that you plug an RJ-45 into. Then you need an RJ-45 to 9 or 25-pin serial adapter and plug into the serial port of your PC. Use a terminal emulator (hyperterm is fine) set to 9600 baud and you will be able to log on to the router and find out its config (if you know the passwords -- they're probably 'cisco' and 'cisco'). Log in with a password, then type 'enable' and put in the enable password. Then 'sh ver' will show you which IOS is running, 'sh flash' will show you what's on the flash card and 'sh run' will show the current config.

Config maker -- never used it.

The IOS will be the same for the 1601 and 1603 -- the numbers on the end usually refer to differences in the type of interfaces or number of slots.

I presume it has an Ethernet port as well (otherwise it's not going to be much use)?

What you really need is a guide to configuring Cisco IOS. You can download a lot of stuff from
Old 23 August 2001, 01:11 PM
  #28  
dowser

Puff - why not post the ISDN # to the board? You *know* it makes sense

Richard
Old 23 August 2001, 01:38 PM
  #29  
Puff The Magic Wagon!

Richard

Even though Dean would like as not shoot me on sight, I trust him

Old 24 August 2001, 09:55 PM
  #30  
kryten

The reason they threaten to cut the line is twofold. One is the extra bandwidth through their network it will use, the other is that as the spam is appearing from their network, they could end up on the RBL lists.

A guy I know didn't patch his server (despite repeated reminders) and I got a frantic phone call one day to say that his provider had shut his link down due to spamming. Got him to check the mail queues and there were 200,000 messages in the queue waiting to be sent!

Once you're discovered as a relay, your IP address makes it onto newsgroups/spam websites within minutes


All times are GMT +1.