Messaging Gateway

 View Only
  • 1.  554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 12:50 AM

    Hi there,

    I am new to this community, but I'm reading similar threads related to the error message that I'm facing now with my SMG 10.0.2. I wasn't able to connect to the device whenever I attempt to telnet to its port 25 and keep getting this 554 5.7.1 "You are not allowed to connect" error message. I have tried the suggested solution from the other thread but it doesn't help. I checked the logs and they don't show anything on why the connection was dropped. One more funny thing is that I can see the SMTP banner when I check it from mxtoolbox.com, but if I telnet the device from the public network I can't connect and see the banner. I'm unable to telnet the device from inside, using the local IP. Emails are also flowing in. It's just that I can't access the mail server outside of the corporate LAN.

    Hope you guys could help me as I'm trying to fix this issue for quite some time already. All the necessary records that I need are already in place.

    Thanks.

    Mel



  • 2.  RE: 554 5.7.1 You are not allowed to connect error message

    Broadcom Employee
    Posted Aug 12, 2013 01:26 AM


  • 3.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 02:13 AM

    Hi Pete,

    I have done that. Btw, I can telnet to the device from the inside network without a problem. I have called the support of my firewall and Symantec but no help.

    Thanks.

    Mel



  • 4.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 11:07 AM

    Hello Mel,

    If I understand you correctly, this is to be expected. If you are trying to telnet to the Symantec Messaging Gateway port 25 from a public IP pool, you will get rejected because public pools are not designated for sending SMTP traffic. This is a primary way many SMTP filters prevent spammers from sending unauthorized email from compromised home computers (of which botnets have huge networks).

    This is a security configuration. If you would like to disable this for some reason you would disable the Symantec Global Bad Senders setting: Reputation > Bad Senders > Symantec Global Bad Senders.

    Disabling this setting is highly discouraged as it protects from the largest percentage of bad senders.

    Regards,

    Art



  • 5.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 12:09 PM

    Hi Art,

    Thanks for the info, but I have no idea now how I am going to solve this issue without disabling the Global Bad Senders. If I leave it enabled, I won't be able to access the emails from public places, once the users go off the corporate network, even with VPN. Can I ask for any advice or workaround to properly configure this, as I'm dealing with this issue for quite some time already.

    Thanks.

    Mel



  • 6.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 12:51 PM

    Hello Mel,

    Unfortunately I'm not quite clear on what your goal is. Generally telnet is used for testing, but it sounds like you are trying to do more than testing. Also, it sounds like you might be asking about outbound email, but the configuration and response messages would be different for outbound.

    Please provide details on the goal or what you expect to happen and hopefully we can steer things in the correct direction.



  • 7.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 12, 2013 09:03 PM

    Hi Art,

    I did the telnet test because after I tried to access the server from the public network, it was unsuccessful. Then I found out that I was not allowed to connect from outside.

    Right now, my goal is to filter all inbound emails. I won't filter the outbound mail for the time being. Given that the necessary ports are open at the firewall level, I can only send and receive emails when I'm inside the corporate office.

     

    Thanks.

    Mel



  • 8.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 14, 2013 01:11 AM

    Hi there,

    I would like to check with you guys if my settings are correct, as I can only access and send/receive email from the internal network. The IPs are the real IPs of the device. Hope to get advice/help from you as I'm quite hopeless setting up this device.

    thanks.

    3.png

    1.jpg



  • 9.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 14, 2013 10:54 AM

    Hello Mel,

    The issue is probably something simple, but difficult to narrow down in forum communications like this. I recommend calling support to get what will probably be a quick answer.

    However, aside from that, to recap:

    • You installed the Symantec Messaging Gateway (SMG) and configured it.
    • You have never received email through the SMG.
    • When you test via telnet from a public IP pool, you receive a "you are not allowed" rejection.
    • When you test with a service like MX Toolbox, the banner is seen and it doesn't appear that they get the same rejection.

    If all the above are true, then you may not have an issue, just a testing difficulty. Are you expecting live mail to be flowing through the SMG? If so, what do the Message Audit Logs (MAL) say? You can search for connections (since messages aren't being processed you might only see connections) in the MAL by setting the filter to "Connecting IP" and setting the filter value to "." (just a period, no quotes). If necessary, you can also temporarily set your Message Transfer Agent logs to Information and check the logs for activity and connecting IPs.

    Another thing that can give you info is if you send an email from a sender like gmial or yahoo or some other provider, you should receive an NDR back (Non-Delivery Report) that should provide some info on what occurred. Basically, it may just be that you see your "you are not allowed" but at least you'd then know that it's not just your telnet test that is failing.

    Another thing to check is your MX records to make sure they are pointed to the correct IP for your environment. Since you are using internal IPs for SMG, you'll also want to make sure your firewall is utilizing NAT correctly. Based on your telnet test, it seems that these steps are complete, though.

    In regards to telnet tests, have you tried to telnet to your downstream MTA (172.16.0.52 based on your screenshots)? Making sure you can connect and deliver messages to the next hop will remove that from the list of possible failure points. Sometimes the environment is not configured to properly allow SMG to connect to the internal mail server, so messages get processed by SMG but are not delivered to the final recipients.

    Hopefully that information will help you get a little further. It's a lot, and possibly just starting points, which is why I recommend calling support. The bottom line, though, is that legitimate mail senders should not be getting the same failure error that your telnet test is giving (the "you are not allowed" error).

    Regards,

    Art
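
The telnet test Art describes above (and the 554 greeting Art explained in reply 4) written as a small probe. This is an added example, not code from the thread or from Symantec: the host names are placeholders and the reply transcripts are constructed for offline use. It reads the server's opening reply, parses the three-digit SMTP code and the RFC 3463 enhanced status code (the 5.7.1 in the error), distinguishes a normal 220 banner from a 554 policy refusal, and always sends QUIT so the MTA logs a clean session instead of a dropped connection.

```python
"""SMTP greeting probe: reproduce the telnet-to-port-25 test and classify the reply.
Added example, not Symantec's code; hosts and transcripts below are placeholders."""
import re
import socket

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line),
# optionally followed by an RFC 3463 enhanced status code such as 5.7.1.
REPLY_LINE = re.compile(
    r"^(?P<code>\d{3})(?P<sep>[ -])(?:(?P<esc>\d\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$"
)


def parse_reply(lines):
    """Parse one complete SMTP reply (one or more lines) into a dict.

    Returns {"code": int, "enhanced": str or None, "text": [str, ...]}.
    Raises ValueError on a malformed line or a reply that never terminates.
    """
    code, enhanced, text = None, None, []
    for line in lines:
        m = REPLY_LINE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError("malformed SMTP reply line: %r" % line)
        line_code = int(m.group("code"))
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply")
        if enhanced is None and m.group("esc"):
            enhanced = m.group("esc")
        text.append(m.group("text"))
        if m.group("sep") == " ":           # space after the code ends the reply
            return {"code": code, "enhanced": enhanced, "text": text}
    raise ValueError("incomplete SMTP reply")


def classify_greeting(reply):
    """Label the server's opening reply the way the posts above describe it."""
    if reply["code"] == 220:
        return "banner"                     # normal ESMTP greeting (what MX Toolbox saw)
    if reply["code"] == 554:
        # RFC 5321 section 3.1 lets a server open with 554 instead of 220 when it
        # refuses the connection; 5.7.1 is the "delivery not authorized" policy class.
        return "refused-policy" if reply["enhanced"] == "5.7.1" else "refused"
    if reply["code"] == 421:
        return "busy-try-later"
    return "unexpected"


def read_reply(rfile):
    """Read one full reply from a binary file wrapper around the socket."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed before reply completed")
        line = raw.decode("ascii", "replace")
        lines.append(line)
        if line[3:4] == " ":                # last line of the reply
            return parse_reply(lines)


def probe(host, port=25, timeout=10, helo_name="probe.example.invalid"):
    """Connect, read the greeting, send EHLO (only after a 220) and QUIT.

    Returns (greeting, ehlo_reply); ehlo_reply is None when the greeting refused us.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        greeting = read_reply(rfile)
        ehlo = None
        if greeting["code"] == 220:
            sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
            ehlo = read_reply(rfile)
        # QUIT even after a refusal so the MTA logs a clean session, not a drop.
        sock.sendall(b"QUIT\r\n")
        return greeting, ehlo


# Constructed transcripts (not captured from a real SMG) for offline use.
REFUSED_GREETING = ["554 5.7.1 You are not allowed to connect\r\n"]
NORMAL_GREETING = ["220 smg.example.com ESMTP ready\r\n"]
MULTILINE_EHLO = ["250-smg.example.com\r\n", "250-SIZE 10485760\r\n", "250 STARTTLS\r\n"]

if __name__ == "__main__":
    for label, lines in (("refused", REFUSED_GREETING), ("normal", NORMAL_GREETING)):
        r = parse_reply(lines)
        print(label, r["code"], r["enhanced"], classify_greeting(r))
    # Live use: probe("mail.example.com") from inside and outside the LAN and compare.
```

Running `probe()` from an office IP and again from a consumer connection makes the difference in the thread visible as two greetings ("banner" vs "refused-policy") rather than a telnet session that appears to hang; the parsed enhanced status code is also what to look for in the Message Audit Logs when correlating the connecting IP with the rejection.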



  • 10.  RE: 554 5.7.1 You are not allowed to connect error message

    Posted Aug 15, 2013 09:26 AM

    Hi Art,

    To clarify the points that you listed:

    However, aside from that, to recap:

    • You installed the Symantec Messaging Gateway (SMG) and configured it. Yes, I installed and configured the device.
    • You have never received email through the SMG. I managed to send/receive mails after they were scanned by SMG, but only when I'm connected to the corporate network. If I'm connected to a public network, I'm unable to send email via MS Outlook. Using webmail, it's fine. And I don't understand which portion is misconfigured.
    • When you test via telnet from a public IP pool, you receive a "you are not allowed" rejection. Yes. I checked the logs; it was blocked by the MTA.
    • When you test with a service like MX Toolbox, the banner is seen and it doesn't appear that they get the same rejection. This portion is not that crucial, I think. I just wonder why it can pass through.

    I have tried calling the Support Desk but unfortunately they can't help me as long as the device is running, as they always mention it's beyond their scope, et al. For the firewall side, I have already opened the necessary ports that are needed. I even configured a policy to split the SMTP traffic to HTTP but it seems that it has no use.

    For the MX Records, PTR, RDNS, I have settled those things. As I mentioned earlier, I have no problem sending emails to foreign domains if I'm in the office. The problem now is if I'm using the public internet, which shouldn't be a problem. I missed out something but I do not know what it is.

     

    Regards.

    Mel