Run a Firewall Test
This test checks whether your firewall allows email traffic from IP addresses other than those of the message security service. Malicious senders may attempt to send traffic directly to port 25 on your server, bypassing filtering and protection. We recommend that you configure your email server or firewall to accept traffic only from the message security service. For more details about running this command in the batch interface, see the testfirewall command in the “Commands” chapter of the Batch Reference Guide.
WARNING: You must be sure to add all of your domains to the message security service before locking down your firewall to accept only email traffic from the service IP range. Otherwise, email sent to unregistered domains may bounce.
To run the Firewall Test:
1.
2.
3. On the Firewall Test page, enter the email address of a user to be used as the message recipient. You can also enter a user alias, but not a domain alias.
4.
Successful Results for the Firewall Test
If your server is blocking connections from outside IP addresses, you will see a message saying that the test passed. This is the desired result, because it keeps malicious senders from bypassing the message security service. No further action is needed.
For example:
Checking firewall from 12.158.34.71...passed (did not accept connection)
Error Messages and Next Steps
If your server is accepting connections from outside IP addresses, you will see a message saying that the connection was accepted. This may cause problems, since malicious senders may be able to bypass the message security service.
Note: Some firewalls and mail servers, such as Lotus Domino, accept the initial test connection to port 25 but force a disconnection before mail is sent. This can cause the Firewall Test to fail. If you are using a firewall or mail server that accepts port 25 connections initially, verify that port 25 is protected by manually connecting to port 25 and attempting to send a test message.
If this test shows a successful connection, we recommend that you lock down your firewall to block messages from outside IP addresses. Once you have changed your firewall settings, run the Firewall Test again to confirm that the change is successful.
For example:
Checking firewall from 12.158.34.71...failed (accepted connection)
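The manual port 25 check described in the note above can be scripted. The following is an added example, not part of the original guide or the service's tooling; the function name `probe_port25`, its result labels and the EHLO name `probe.invalid` are assumptions made for illustration.

```python
import smtplib
import sys

def probe_port25(host, sender, recipient, port=25, timeout=10):
    """Try to hand a message straight to the mail host, as an outside sender would.

    Returns:
      "blocked"       connection refused or timed out (matches a passed Firewall Test)
      "dropped"       connection accepted, then cut before any mail was taken
      "rejected"      server stayed connected but answered with an SMTP error
      "accepted-mail" server took the message: port 25 is open to outside senders
    """
    # Constructed test message; the addresses are supplied by the caller.
    msg = (f"From: {sender}\r\nTo: {recipient}\r\n"
           "Subject: direct port 25 check\r\n\r\nConstructed test message.\r\n")
    try:
        # A fixed local_hostname avoids a DNS lookup for the EHLO name (assumption).
        smtp = smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout)
    except smtplib.SMTPServerDisconnected:
        return "dropped"        # accepted the TCP connection, hung up before the banner
    except smtplib.SMTPException:
        return "rejected"       # banner was not 220
    except OSError:
        return "blocked"        # refused or timed out at the firewall
    try:
        smtp.sendmail(sender, [recipient], msg)
        return "accepted-mail"
    except smtplib.SMTPServerDisconnected:
        return "dropped"        # the behaviour the note describes for some servers
    except smtplib.SMTPException:
        return "rejected"       # sender, recipient or data refused
    except OSError:
        return "dropped"
    finally:
        smtp.close()

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe25.py MAIL_HOST SENDER RECIPIENT")
    print(probe_port25(*sys.argv[1:4]))
```

Run it against your own mail host from a machine outside the message security service's IP range. A result of "dropped" corresponds to the case in the note, where the Firewall Test reports an accepted connection even though no mail can be delivered.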
If the Firewall Test shows accepted connections from an outside IP address:
1. We recommend you change your firewall settings to block connections to port 25 which do not come from the message security service.
2.
3. Once you have made these changes, run the SMTP Message Test using the option “Test an email from the data center directly to your mail host” to confirm that mail flow is uninterrupted. See SMTP Message Test for full steps on running the SMTP Message Test.