Skip to main content

ssl - Windows Server 2003 TCP port mapping / port forwarding




I've recently had an issue with the ISP of a few of my clients in which they've blocked TCP port 25 and de-commissioned their old mail server in lieu of Gmail. Also, our business email has been hosted on Google Apps now for well over a year. This wouldn't be an issue, however our network devices and some applications (which used our ISP's old mail server) have no way to change the SMTP port from 25 to an alternate (let alone enable SSL and some does not allow SMTP authentication). I have, in the mean time, setup a local mail server for sending logs and scan-to-emails for some of our network devices and printers and this is working just fine.



We do have a problem though with our Act! Premium for Web 2006 application (which runs on an internal Windows 2003 Standard Server). I have researched these problems quite a bit over the past few days, but haven't found a working solution for what I'm attempting to do. I am looking for an application that could map/forward all traffic passing through the server from TCP port 25 to 465 or 587 and allow me to enable all traffic to be encrypted via SSL. I have tested several applications in hopes that they could do this, but so far have had no luck. The list of applications/scripts that I've tried so far is as follows:



GSR (perl script - James Specht)
RelayTCP10
KomodiaRelay
ITR (freeware by webcohort)
pmapperi

PortForward (download.com)
PortMapper 1.6 (java application)
PortTunnel
TansuTCP
tcp_forward (perl script - davesource.com)
tcppr (perl script - unknown author)
Tunneller



Most of these forwards a port to a hostname:port (similar to a port forward through a router), and none of them, save for one (with a paid key), have an option to encrypt all traffic on that port with SSL.




Act! Premium for Web 2006 will allow SMTP authentication ONLY when configuring email under a users' login. It has no option to change the SMTP port or to enable SSL. My ultimate goal is to have each of our users of Act! set their mail server to smtp.gmail.com and configure their username and password in the SMTP authentication fields. All mail sent from Act! goes through the server hosting the application. That's why I would like it to just forward all traffic on the server heading for port 25 to translate it and encrypt it with SSL over either port 465 or 587. I have searched/posted on Sage's forums to see if there is a back-end configuration or possibly an .ini file that we could change the SMTP port and enable SSL, but those features are STILL not available even in their latest version of the program.



Any and all help is appreciated if this is something that is actually possible. In the mean time, the local mail server I setup has a custom route that sends mail through a specified Google Apps account for our domain. I suspected though that this setup might have issues with other mail servers blacklisting our public static IP address since it doesn't match up with our MX records for our domain (since their obviously set to Google's) and possibly label our IP as an open relay (since the local mail server has to be setup in this way). This was confirmed this morning when our users received some bouncebacks from some mass mailers they sent out after the change. Even though the local mail server has to be setup as an open relay for our network devices and Act!, port 25 is NOT forwarded through our firewall, so nothing can send mail from the server if it isn't actually on our local network.



Again, I appreciate any help provided.



Thanks!




Answer




Reason you are battling to find software that does that is sort of contained in your question. You want to take socket traffic that is being generated by the Windows 2K3 ip stack, bound for port 25, somehow intercept it, and then send it outbound on the same interface with the destination port rewritted to 485 (and throw in SSL for good measure).



There just is no simple way to do that in software - unless you are a total Windows Programming Guru (or you are a personal friend of Mark Russinovitch and he owes you a favour.).



If you have a NAT capable firewall or router, just use that for translate packets from your 2K3 host to the submission port for Google Apps - and don't use SSL. The only way to use SSL would be what you have sort of done, by the sounds of it, and that is to install a local SMTP MTA, that will receive e-mail on the SMTP port, and relay it out to Google Apps on the submission port and will negotiate TLS between this MTA relay and Google Apps.



You won't really get blacklisted for this, however you may find your mail will be dropped by some MTAs because it is originating from a non-mx IP. To address this problem, add your static IP to an SPF record for your domain in your DNS. That will tell receiving MTAs that do SPF checking that this IP is indeed authorized to send mail on your behalf. Check the OpenSPF project for more information.


Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits,
Post a Comment
Read more

apache 2.2 - Server Potentially Compromised -- c99madshell

So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host. I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit. To give you a bit of information: The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites. All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script. Now I wasn't able
Post a Comment
Read more