
ssl - Windows Server 2003 TCP port mapping / port forwarding



I've recently had an issue with the ISP of a few of my clients in which they've blocked TCP port 25 and de-commissioned their old mail server in lieu of Gmail. Also, our business email has been hosted on Google Apps now for well over a year. This wouldn't be an issue, however our network devices and some applications (which used our ISP's old mail server) have no way to change the SMTP port from 25 to an alternate (let alone enable SSL, and some do not allow SMTP authentication). I have, in the meantime, set up a local mail server for sending logs and scan-to-emails for some of our network devices and printers, and this is working just fine.



We do have a problem though with our Act! Premium for Web 2006 application (which runs on an internal Windows 2003 Standard Server). I have researched these problems quite a bit over the past few days, but haven't found a working solution for what I'm attempting to do. I am looking for an application that could map/forward all traffic passing through the server from TCP port 25 to 465 or 587 and allow me to enable all traffic to be encrypted via SSL. I have tested several applications in hopes that they could do this, but so far have had no luck. The list of applications/scripts that I've tried so far is as follows:



GSR (perl script - James Specht)
RelayTCP10
KomodiaRelay
ITR (freeware by webcohort)
pmapperi
PortForward (download.com)
PortMapper 1.6 (java application)
PortTunnel
TansuTCP
tcp_forward (perl script - davesource.com)
tcppr (perl script - unknown author)
Tunneller



Most of these forward a port to a hostname:port (similar to a port forward through a router), and none of them, save for one (with a paid key), have an option to encrypt all traffic on that port with SSL.




Act! Premium for Web 2006 will allow SMTP authentication ONLY when configuring email under a user's login. It has no option to change the SMTP port or to enable SSL. My ultimate goal is to have each of our users of Act! set their mail server to smtp.gmail.com and configure their username and password in the SMTP authentication fields. All mail sent from Act! goes through the server hosting the application. That's why I would like it to just forward all traffic on the server heading for port 25, translate it and encrypt it with SSL over either port 465 or 587. I have searched/posted on Sage's forums to see if there is a back-end configuration or possibly an .ini file in which we could change the SMTP port and enable SSL, but those features are STILL not available even in their latest version of the program.



Any and all help is appreciated if this is something that is actually possible. In the meantime, the local mail server I set up has a custom route that sends mail through a specified Google Apps account for our domain. I suspected though that this setup might have issues with other mail servers blacklisting our public static IP address, since it doesn't match up with the MX records for our domain (since they're obviously set to Google's), and possibly labelling our IP as an open relay (since the local mail server has to be set up in this way). This was confirmed this morning when our users received some bouncebacks from some mass mailers they sent out after the change. Even though the local mail server has to be set up as an open relay for our network devices and Act!, port 25 is NOT forwarded through our firewall, so nothing can send mail from the server if it isn't actually on our local network.



Again, I appreciate any help provided.

Thanks!





Answer





The reason you are battling to find software that does that is sort of contained in your question. You want to take socket traffic that is being generated by the Windows 2K3 IP stack, bound for port 25, somehow intercept it, and then send it outbound on the same interface with the destination port rewritten to 485 (and throw in SSL for good measure).



There just is no simple way to do that in software - unless you are a total Windows Programming Guru (or you are a personal friend of Mark Russinovich and he owes you a favour).



If you have a NAT capable firewall or router, just use that to translate packets from your 2K3 host to the submission port for Google Apps - and don't use SSL. The only way to use SSL would be what you have sort of done, by the sounds of it, and that is to install a local SMTP MTA that will receive e-mail on the SMTP port, relay it out to Google Apps on the submission port, and negotiate TLS between this MTA relay and Google Apps.



You won't really get blacklisted for this, however you may find your mail will be dropped by some MTAs because it is originating from a non-MX IP. To address this problem, add your static IP to an SPF record for your domain in your DNS. That will tell receiving MTAs that do SPF checking that this IP is indeed authorized to send mail on your behalf. Check the OpenSPF project (http://www.openspf.org/) for more information.
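As an added illustration of the SPF advice in the answer (example code, not part of the original post): an offline evaluator for the ip4/ip6/include/all subset of SPF, run against constructed records in which the domain's record lists Google's include plus the office's static IP. The domain names, the 203.0.113.10 / 198.51.100.0/24 addresses and the record contents are made-up placeholders, not real DNS data.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (placeholder records, not real DNS).
# example.com publishes Google's include plus the office static IP, which is
# what the answer recommends so receivers treat that IP as an authorised sender.
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the SPF record for a domain, or None if none is published."""
    rec = txt.get(domain)
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(sender_ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate the ip4, ip6, include and all mechanisms of RFC 7208.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms that need further DNS lookups (a, mx, ptr, exists) are
    reported as 'permerror' because this offline subset does not resolve them."""
    if depth > 10:  # RFC 7208 caps lookup-triggering mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism with no explicit qualifier means 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # a v4 address never matches a v6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only if the referenced record yields 'pass'
            matched = check_spf(sender_ip, arg, txt, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term was present
```

A receiving MTA that does SPF checking would, with such a record published, accept the relay's static IP as authorised while still rejecting mail for the domain from any other address.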

