www.VASCO.com

aXs GUARD Gatekeeper: Support FAQ

Windows Network Difficulties

1. How do I open a DOS Window?
2. How can I check whether a certain IP address is in use on the network?
3. What does Destination Host Unreachable mean when using the ping command?
4. How can I track default gateway problems on a client computer?
5. How can I check whether my network is connected correctly to the Internet?
6. How can I print the routing table?
7. How do I check that the DNS settings are correct on my clients?
8. How do you do a DNS lookup?
9. How do you test DHCP settings?
10. How can I find information on my Ethernet NIC(s), DNS and DHCP settings?

Firewall Difficulties

1. How can I view the rules and chains in the firewall?
2. How can I test if a specific TCP based protocol is permitted by the firewall?
3. Where should I look first when I can't get a connection?

Surfing and Internet Difficulties

1. We can't surf to our own site
2. Can we have multiple Internet Connections?
3. Problems with surfing

E-mail Difficulties

1. Where should I look first if I have a mail transfer problem?
2. There is no SMTP Access to the aXs GUARD MTA
3. Mail is rejected by the aXs GUARD MTA
4. How do I know if an address is blacklisted?
5. Why have I received the message "User unknown"?
6. Why have I received the message "Company Policy Forbids..."?
7. What should I check first if I have mail client problems?
8. I've received an e-mail notifying that I've sent a virus. Is that possible?
9. What does "Sender <-> Recipient Rejected by Mail Policy" mean?
10. What does mailbox over quota mean?
11. User quota problem: not receiving e-mail
12. Why can't I get a Webmail connection?
13. Webmail is enabled, but I still can't get a connection.
14. Webmail works for other users, but not for this one.
15. What Webmail configurations should I check if I can't get a connection?
16. Anti-spam List problems
17. E-mail issue when changing Provider

Technical Questions

1. ACL Access Control List doesn't work
2. Messages in Tool: /ub/scripts/svc-virus: kill
3. Duplicate error when adding or modifying a Host or User
4. How to analyze Log files
5. How to fax Photos


Windows Network Difficulties

1. How do I open a DOS Window?

Some of the basic network diagnostic tools for Windows can be used on the command prompt in a DOS window. To open a DOS window, go to:

Start -> Run and type cmd (for Windows 2000, NT or XP) or command (for Windows 98).

A DOS window will open with a command prompt displayed. In these FAQs, ">" represents the command prompt, and "<ENTER>" instructs "press the Enter key".



2. How can I check whether a certain IP address is in use on the network?

The Ping command uses ICMP ping request and reply messages to check whether a certain IP address is in use on the network. For example, entering the following command in a DOS window checks whether IP address 192.168.5.128 is in use on a network:

ping 192.168.5.128 <ENTER>

If the IP address is in use, an ICMP reply will be returned similar to the following:

PING 192.168.5.128 (192.168.5.128) 56(84) bytes of data.

64 bytes from 192.168.5.128: icmp_seq=1 ttl=64 time=0.107 ms
64 bytes from 192.168.5.128: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 192.168.5.128: icmp_seq=3 ttl=64 time=0.046 ms
64 bytes from 192.168.5.128: icmp_seq=4 ttl=64 time=0.049 ms
64 bytes from 192.168.5.128: icmp_seq=5 ttl=64 time=0.049 ms
64 bytes from 192.168.5.128: icmp_seq=6 ttl=64 time=0.048 ms

If the IP address is not in use on the same network, the ICMP protocol returns the following reply:

PING 195.0.83.1 (195.0.83.1) 56(84) bytes of data

If this is the result, try pinging the IP address from another host; this will establish whether there is a connection problem to the client computer. It's also possible to use the ping command from the aXs GUARD using the aXs GUARD administrator's tool.

ICMP requests for IP addresses outside the local network are routed through the default gateway. Providing the address exists on a network which can be reached by the default gateway, a reply will be returned. The default gateway principle is explained in the document aXs GUARD Basic Networking Concepts, available to System Administrators via the permanently on-screen Documentation button in the administrator's tool.



3. What does "Destination Host Unreachable" mean when using the ping command?

ICMP requests for IP addresses outside the local network are routed through the default gateway. Providing the address exists on a network which can be reached by the default gateway, a reply will be returned.

[Figure: Pinging to an external IP address]

The default gateway principle is explained in the document, aXs GUARD Basic Networking Concepts, available through the permanently on-screen Documentation button in the administrator's tool. In the drawing above, a client in LAN 1 (IP address 192.168.5.1) pinging to LAN 2 (IP address 195.0.83.1) with the default gateway correctly configured, would receive a reply similar to the following:

>ping 195.0.83.1 <ENTER>

PING 195.0.83.1 (195.0.83.1) 56(84) bytes of data.

64 bytes from 195.0.83.1: icmp_seq=1 ttl=64 time=0.453 ms
64 bytes from 195.0.83.1: icmp_seq=2 ttl=64 time=0.363 ms
64 bytes from 195.0.83.1: icmp_seq=3 ttl=64 time=0.389 ms
64 bytes from 195.0.83.1: icmp_seq=4 ttl=64 time=0.361 ms

An incorrectly configured default gateway would prompt the following error:

PING 192.168.5.128 (192.168.5.128) 56(84) bytes of data.

From 192.168.5.128 icmp_seq=1 Destination Host Unreachable
From 192.168.5.128 icmp_seq=2 Destination Host Unreachable
From 192.168.5.128 icmp_seq=3 Destination Host Unreachable
From 192.168.5.128 icmp_seq=4 Destination Host Unreachable
From 192.168.5.128 icmp_seq=5 Destination Host Unreachable

If the reply indicates that the default gateway is incorrectly configured, test this with the ipconfig command on your client computer.

Note: It is possible to ping fully qualified domain names instead of IP addresses if your DNS server is configured appropriately.

> ping gwb.axsguard.be <ENTER>



4. How can I track default gateway problems on a client computer?

This command displays all configuration parameters of your Ethernet NIC(s) and may be useful for tracking default gateway problems:

>ipconfig <ENTER>

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 195.0.83.117

Subnet Mask . . . . . . . . . . . : 255.255.255. >

Default Gateway . . . . . . . . . : 195.0.83.1

The default gateway principle is explained in the document, aXs GUARD Basic Networking Concepts, available through the Documentation button in the administrator's tool.

If a ping attempt results in "Destination host unreachable", this indicates an incorrectly configured default gateway on the client computer, or a routing problem on the network. A network routing problem exists if the same result is received when pinging from another computer or from the aXs GUARD administrator's tool. Routing concepts are explained in the documents aXs GUARD Basic Networking Concepts and aXs GUARD Advanced Networking Concepts, available through the Documentation button in the administrator's tool.
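One way to automate the default-gateway check described above, as an added example that is not part of the original FAQ or of the aXs GUARD tooling. It reads saved ipconfig output and flags a gateway that is missing or lies outside the client's own subnet; the function names and the three sample outputs are constructed for illustration, while the field names are those shown in the ipconfig output in this FAQ.

```python
import ipaddress

# Constructed sample in the ipconfig layout shown in this FAQ.
SAMPLE_OK = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : able.be
IP Address. . . . . . . . . . . . : 192.168.5.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.254
"""

# Constructed: the same client with a gateway outside its own subnet.
SAMPLE_OFF_SUBNET = SAMPLE_OK.replace("192.168.5.254", "192.168.50.254")

# Constructed: the state after `ipconfig /release`.
SAMPLE_RELEASED = """\
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
"""


def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # blank line or banner without a colon
        key, value = key.strip(" ."), value.strip()
        if "adapter" in key and not value:
            current = adapters.setdefault(key, {})   # start of an adapter block
        elif current is not None:
            current[key] = value
    return adapters


def check_gateway(fields):
    """Classify one adapter's default-gateway setting."""
    ip = fields.get("IP Address", "")
    mask = fields.get("Subnet Mask", "")
    gw = fields.get("Default Gateway", "")
    if not ip or not mask or ip == "0.0.0.0":
        return "no-address"               # nothing assigned (e.g. lease released)
    if not gw:
        return "no-gateway"               # only the local subnet is reachable
    try:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        gateway = ipaddress.ip_address(gw)
    except ValueError:
        return "unparseable"
    if gateway not in net:
        return "gateway-off-subnet"       # client cannot reach its own gateway
    if gateway in (net.network_address, net.broadcast_address):
        return "gateway-invalid"          # network or broadcast address used
    return "ok"


def diagnose(text):
    """Return {adapter name: verdict} for every adapter in the output."""
    return {name: check_gateway(f) for name, f in parse_adapters(text).items()}


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK),
                          ("off-subnet", SAMPLE_OFF_SUBNET),
                          ("released", SAMPLE_RELEASED)):
        print(label, diagnose(sample))
```
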



5. How can I check whether my network is connected correctly to the Internet?

You can use the tracert command to determine whether your network is connected correctly to the Internet. For example, the following command traces the route to the aXs GUARD Web server:

<ENTER>

Note: Tracerts to domain names require the DNS server to be configured first and will fail if the DNS server is incorrectly configured. Alternatively, if the destination IP address is known, the tracert can be run directly against the IP address, in which case DNS server configuration is not required. DNS is explained in the separate document, aXs GUARD Advanced Networking Concepts, available through the Documentation button in the administrator's tool.

An example response might be:

Tracing route to ibase425.kpn.be [195.207.40.26]
over a maximum of 30 hops:

 1    6 ms   <1 ms   <1 ms  gwb-dmz.able.be [195.0.83.1]
 2   17 ms   19 ms   19 ms  axsguard-i-r.able.be[213.49.26.1]
 3   15 ms   19 ms   19 ms  193.75.152.86
 4   24 ms   19 ms   29 ms  194.119.224.129
 5   32 ms   29 ms   29 ms  194.119.224.57
 6   20 ms   29 ms   29 ms  195.207.71.241
 7   29 ms   29 ms   39 ms  195.207.129.5
 8   27 ms   29 ms   29 ms  195.207.129.10
 9   25 ms   29 ms   29 ms  ibase425.kpn.be [195.207.40.26]

Trace complete.

Note: Sometimes asterisk (*) symbols appear instead of router information, indicating that a router doesn't fully or correctly support ICMP time-exceeded messages (for an explanation of the tracert command, see below). For example:

Tracing route to mach.vub.ac.be [134.184.129.3]
over a maximum of 30 hops:

 1   <1 ms   <1 ms   <1 ms  gwb-dmz.able.be [195.0.83.1]
 2   10 ms   19 ms   19 ms  axsguard-i-r.able.be[213.49.26.1]
 3   18 ms   19 ms   19 ms  193.75.152.86
 4   17 ms   19 ms   19 ms  194.119.224.54
 5   15 ms   19 ms   19 ms  194.53.172.65
 6   14 ms   19 ms   19 ms  193.191.1.1
 7   22 ms   19 ms   19 ms  193.191.1.7
 8   20 ms   29 ms   29 ms  193.191.4.94
 9    *       *       *     Request timed out.
10   29 ms   29 ms   29 ms  mach.vub.ac.be [134.184.129.3]

Trace complete.

The tracert command identifies the route an IP datagram takes to a certain destination, using the ICMP time-exceeded error message. See the document, aXs GUARD Basic Networking Concepts, available through the Documentation button in the administrator's tool, for information on the ICMP protocol. IP datagrams are sent with increasing values in the TTL field of the IP header. The first IP datagram sent has a low TTL value, causing the first router to drop the datagram and return an ICMP time-exceeded message to the source, which is the client running the tracert command. The tracert command reads the source address of the ICMP message to identify the first router that the IP datagram traverses on its way to the destination. By increasing the TTL value in the IP header, subsequent IP datagrams reach routers further along the path, each of which returns an ICMP time-exceeded message when the TTL expires there. In this way the tracert command traces the routers that datagrams traverse to reach a certain destination.

As with the ping command, the destination can be specified as an IP address or with a name, if the DNS server is configured correctly. (See the section on DNS in the document, aXs GUARD Advanced Networking Concepts for more information on this).



6. How can I print the routing table?

The "route" command accesses the routing table of the client computer, which is located in the Network layer of the TCP/IP stack. This routing table is used for the default gateway check on a client computer. The default gateway principle is explained in the document, aXs GUARD Basic Networking Concepts, available through the Documentation button in the administrator's tool. Other checks are possible, but are rarely needed on a client computer. Routers, however, use this routing table extensively. Routing tables are explained in the document aXs GUARD Advanced Networking Concepts.

The following command prints the routing table:

>route print <ENTER>

The output appears as follows:

Interface List
0x1 MS TCP Loopback interface
0x2 00 e0 7d 7d 8e 1a ...... Realtek RTL8139 Family PCI Fast Ethernet NIC- Packet Scheduler Miniport

Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0    192.168.5.254    192.168.5.117      20
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        192.168.5.0    255.255.255.0    192.168.5.117    192.168.5.117      20
      192.168.5.117  255.255.255.255        127.0.0.1        127.0.0.1      20
      192.168.5.255  255.255.255.255    192.168.5.117    192.168.5.117      20
          224.0.0.0        240.0.0.0    192.168.5.117    192.168.5.117      20
    255.255.255.255  255.255.255.255    192.168.5.117    192.168.5.117       1
Default Gateway: 192.168.5.254

Persistent Routes:
None

Whether the default gateway option is set correctly is the only thing you need to check in this output.



7. How do I check that the DNS settings are correct on my clients?

The "ping" command checks whether DNS settings are correct on your clients. The DNS system is explained in the document, aXs GUARD Advanced Networking Concepts, available through the Documentation button in the administrator's tool.

You need to enter the ping command followed by the host/computer name and domain (in the format "hostname.domain") for your aXs GUARD. The default host name for the aXs GUARD is "axsguard" and the default domain name is "domain.be".

> ping axsguard.domain.be <ENTER>

The DNS settings are correct if you receive a response containing your aXs GUARD IP address. For example:

PING axsguard.domain.be (192.168.5.244): 56 data bytes
64 bytes from 192.168.5.244: icmp_seq=0 ttl=64 time=0.761 ms
64 bytes from 192.168.5.244: icmp_seq=1 ttl=64 time=0.470 ms
64 bytes from 192.168.5.244: icmp_seq=2 ttl=64 time=0.460 ms
64 bytes from 192.168.5.244: icmp_seq=3 ttl=64 time=0.451 ms

You can check the client DNS suffix configuration by omitting the domain name:

> ping axsguard <ENTER>

The DNS suffix configuration is correct if you receive the same reply as received with the domain name.

Incorrect DNS settings return the following response:

ping: unknown host axsguard

or

ping: unknown host axsguard.domain.be

You can check your DNS settings using the ipconfig command.

Note: If the ping test using the "hostname.domain" doesn't work, try pinging the IP address of the aXs GUARD. No reply to the IP address ping indicates that the problem lies with the basic network settings (IP address, netmask, default gateway) rather than with the DNS settings.



8. How do you do a DNS lookup?

The DNS lookup command performs a query in the DNS database, based on a Fully Qualified Domain Name (FQDN) or IP address, and allows specific DNS entries to be checked. The DNS system is explained in the document, aXs GUARD Advanced Networking Concepts, available through the Documentation button in the administrator's tool.

For example:

>nslookup www.axsguard.com <ENTER>

returns a response similar to the following:

Server: axsguard.domain.be
Address: 195.0.83.1
Non-authoritative answer:
Name: ibase425.kpn.be
Address: 195.207.40.26
Aliases: www.axsguard.com

The first two lines report which DNS server was used, which in this example is the aXs GUARD DNS server. The remaining lines are retrieved from the DNS database.

The following example uses an IP address and is therefore a reverse lookup using the pointer (PTR) records:

>nslookup 195.0.83.2 <ENTER>

This returns a response similar to the following:

Server: axsguard.domain.be
Address: 195.0.83.1
Name: geeraard.domain.be
Address: 195.0.83.2

The following is an example using a Mail eXchange record:

>nslookup -q=mx domain.be <ENTER>

This returns a response similar to the following:

Server: axsguard.domain.be
Address: 195.0.83.1
Non-authoritative answer:
Name: mx.able.be

A new lookup for mx.able.be returns the requested IP address:

>nslookup mx.able.be <ENTER>

This returns a response similar to the following:

Server: axsguard.domain.be
Address: 195.0.83.1
Name: mx.able.be
Address: 195.0.83.3



9. How do you test DHCP settings?

The DHCP system is explained in the document, aXs GUARD Advanced Networking Concepts, available through the Documentation button in the administrator's tool.

The following command returns a full description of the Ethernet NICs:

>ipconfig /all <ENTER>

Example output:

Windows IP Configuration

Host Name . . . . . . . . . . . . : wimxp
Primary Dns Suffix . . . . . . . : able.be
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : able.be

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : able.be
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-E0-7D-7D-8E-1A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.5.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.254
DHCP Server . . . . . . . . . . . : 192.168.5.254
DNS Servers . . . . . . . . . . . : 192.168.5.254
                                    192.168.5.27
Primary WINS Server . . . . . . . : 192.168.5.7
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : woensdag 15 oktober 2003 15:32:14
Lease Expires . . . . . . . . . . : zondag 14 december 2003 15:32:14

In the above example, the "Dhcp Enabled" option is set to "Yes". This means that the Ethernet card is configured with a dynamically assigned IP address through the DHCP system. The DHCP server used for this client is 192.168.5.254. If you enter a static IP address for the Ethernet card, the "Dhcp Enabled" option will be set to "No".

The ipconfig command can also be used to release DHCP parameters, which are held in reserve by the issuing DHCP server. The parameters then become available for other computers configured by the DHCP server. The following command is used:

>ipconfig /release <ENTER>

A response is received similar to the following:

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :

The "0.0.0.0" indicates that no value is specified, and all parameters have been erased.

New DHCP parameters can be requested using the following command:

>ipconfig /renew <ENTER>

This returns a response similar to the following:

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : able.be
IP Address. . . . . . . . . . . . : 192.168.5.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.254


Note: The aXs GUARD DHCP server can reassign the same DHCP parameters to a client because it remembers the MAC address/IP combinations previously used.



10. How can I find information on my Ethernet NIC(s), DNS and DHCP settings?

Entering the following provides a full description of the Ethernet NIC(s), including the DNS and DHCP settings:

>ipconfig /all <ENTER>

Example output:

Windows IP Configuration

Host Name . . . . . . . . . . . . : wimxp
Primary Dns Suffix . . . . . . . : able.be
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : able.be

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-E0-7D-7D-8E-1A
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 195.0.83.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 195.0.83.1
DNS Servers . . . . . . . . . . . : 195.0.83.1
NetBIOS over Tcpip. . . . . . . . : Disabled

In this example, the Primary DNS suffix is set to "able.be." and the DNS server is set to 195.0.83.1.



Firewall Difficulties

1. How can I view the rules and chains in the firewall?

It's possible to view the firewall configuration in the aXs GUARD administrator's tool (under the menu topic Firewall, View). The tool interfaces with the IPTables firewall and shows the different chains of rules traversed across the entire firewall structure.

The firewall viewer option shows the steps in the path of a packet entering the firewall. Packets traverse through the rules listed from the top downwards moving through the screens chronologically. The viewer shows the rule name, characteristics for matching with the rule, actions in the rule, and the number of packets and bytes matched by a rule or policy.



2. How can I test if a specific TCP based protocol is permitted by the firewall?

The Telnet program offers an easy way to identify firewall problems: it can be used to test whether a specific TCP based protocol is permitted by the firewall. It cannot be used for UDP based protocols. For example, you may need to test whether the SMTP service is available from the secure LAN. SMTP is a TCP protocol which uses TCP port 25. To run this test, follow these steps:

  1. Open a DOS window on a Windows client, which is connected to the secure LAN of your aXs GUARD, by clicking on Start -> Run and typing:

  • cmd for Windows 2000, NT and XP,

  • command for Windows 95, 98 and ME.

A DOS box opens and a command prompt (shown as ">" below) is displayed. "<ENTER>" indicates that the ENTER key should be pressed to activate a command.

  2. Enter the following command:

>telnet axsguard 25 <ENTER>

If the service is available, a result similar to the following appears:

Trying 192.168.5.200...
Connected to axsguard.domain.be.
Escape character is '^]'.
220 At ESMTP your service ...

If the service is not reachable, a result similar to the following appears:

Trying 192.168.5.200...

If the service is not reachable, the firewall is blocking the connection to the service or the service is not running. In the first case, enabling the sec-smtp rule solves the problem. The rule can be enabled in the stat-int static policy or even in a dynamic policy added to the client computer or user configuration.

The Telnet tool facilitates checking whether a certain rule, using the TCP protocol, is enabled for a specific user, client computer or network (secure LAN, DMZ zone).
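The same TCP test as a script, as an added example that is not part of the original FAQ or of the aXs GUARD tooling. It goes one step beyond the telnet check by separating an actively refused connection from one that gets no answer at all, which helps tell "service not running" from "packets dropped"; the function names and the wording of the interpretations are assumptions made for illustration, and the host name and ports are the ones this FAQ mentions.

```python
import socket

# What each outcome usually means for the firewall question asked above.
MEANING = {
    "open": "handshake completed: the port is permitted and a service is listening",
    "refused": "host answered with a reset: nothing is listening, or a rule rejects the port",
    "timeout": "no answer at all: packets are probably dropped, or the host is down",
    "dns-failure": "the host name did not resolve: check the DNS settings first",
    "unreachable": "no route or other network error: check IP settings and default gateway",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and return (state, banner).

    The banner is the first line the service sends by itself (SMTP, POP3 and
    IMAP greet the client; a proxy on port 3128 stays silent, so it is empty).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(min(timeout, 1.0))     # short wait for a greeting
            try:
                data = sock.recv(256)
            except OSError:                        # no greeting or early reset
                data = b""
            banner = data.decode("ascii", "replace").strip()
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except socket.gaierror:
        return "dns-failure", ""
    except OSError:
        return "unreachable", ""


def report(host, ports, timeout=3.0):
    """Return one human-readable line per port."""
    lines = []
    for port in ports:
        state, banner = probe_tcp(host, port, timeout)
        line = f"{host}:{port} {state} ({MEANING[state]})"
        if banner:
            line += f" banner={banner!r}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # "axsguard" is the default host name used in this FAQ; the ports are
    # SMTP, POP3, IMAP and the proxy port mentioned on this page.
    for entry in report("axsguard", [25, 110, 143, 3128]):
        print(entry)
```
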



3. Where should I look first when I can't get a connection?

The first thing you should check when you can't get a connection is the logging. Log entries are recorded for any dropped packets and this information can help you to determine why a packet was dropped.



Surfing and Internet Difficulties

1. We can't surf to our own site

If no-one can access the company's own site, for example www.mycompany.be, and the aXs GUARD has the domain mycompany.be, you need to fill in the IP address of the www server under General Parameters, i.e. the IP Address of www.mycompany.be.



2. Can we have multiple Internet Connections?

Yes, you can.
However, one of the two connections will be the 'Master', and will be the Default Gateway for e-mail, and the other can be used for surfing the web, for example.
Static routes need to be implemented for multiple Internet connections.



3. Problems with surfing

When a client PC host cannot surf the web, check that the Proxy Settings on the host's Internet Explorer or other browser are set to use the aXs GUARD with port 3128.
Also check that the host is in the aXs GUARD Host List.



E-mail Difficulties

1. Where should I look first if I have a mail transfer problem?

If a mail has been accepted for delivery by the client, but not delivered to its destination, you need to check the e-mail logs and mail queues in the aXs GUARD administrator's tool. If the mail has not left the aXs GUARD MTA, there will be an entry in the mail queue, with the reason why the message has not been sent. If the mail was blocked by the spam or e-mail filtering system, it will be queued in the quarantine queue. Quarantined mails are kept for 10 days, and can be sent manually.



2. There is no SMTP Access to the aXs GUARD MTA

If the aXs GUARD MTA cannot be reached from the outside world, i.e. the firewall does not allow this, no new messages arrive. You can verify this problem by checking the state of port 25. If the port is open, mail arrives.

If no mail can be sent from within the secure LAN you can check the firewall settings for port 25 with the telnet program, as follows:

>telnet axsguard 25

The same command can be used to check firewall settings from the outside world from a computer outside your secure LAN using the Internet IP address of the aXs GUARD.

See the section above on Firewall Difficulties for more information on the telnet program.

If you are granted a connection, firewall settings are correct; otherwise they need checking. See the section on Firewall Difficulties for instructions on how to check the firewall settings.



3. Mail is rejected by the aXs GUARD MTA

Mail can be rejected by the aXs GUARD MTA for various reasons, all of which are explained in the document aXs GUARD E-mail Concepts, and some of which are listed here.

  • Open-relay Settings: Permitted domains must be specified for mails coming from the outside world. If the recipient's domain is not defined as a forwarded or local domain, the mail is rejected by the aXs GUARD MTA.

  • Bad headers: The mail is rejected because the header contains illegal characters (i.e. non-ASCII characters). This check is performed because spammers (senders of junk mail) and virus mails frequently use illegal headers. Add the sender and/or recipient e-mail address as a "white list" entry to bypass security checks, if this mail should be delivered.

  • Dynamic IP addresses: The mail is blocked because it was sent from a dynamic IP address. This check is performed because dynamic IP addresses are usually only allocated to end customers who do not have MTAs. Mail sent using a dynamic IP address is likely to have been sent by spammers and is therefore rejected. Add the sender and/or recipient e-mail address as a "white list" entry to bypass security checks, if this mail should be delivered.

  • HELO command rejected: The mail is rejected because the remote MTA did not identify itself correctly with a valid FQDN. If this mail should be delivered, add the sender and/or recipient e-mail address as a "white list" entry to bypass security checks. Note that this only solves the problem for one e-mail address or even one domain if you add the domain to a white list. As MTAs on the Internet are increasingly tightening up their security, delivery of e-mails sent by the remote MTA will increasingly fail. The only solution is for the remote MTA to be reconfigured with a valid FQDN.



4. How do I know if an address is blacklisted?

For the first checks, please see the beginning of this section on E-mail diagnostics.

If all configurations appear to be correct, rejection may be due to the sender's or receiver's e-mail address or domain being listed in a black list. To identify whether the mail was blocked due to a black list entry, check for reasons listed in the Detailed E-mail log. Either a black list configured on the aXs GUARD, or a black list on the Internet used by the aXs GUARD could be the cause. Check the black list created on the aXs GUARD for a matching entry; if no entry is found, disable use of the Internet black list to see if this resolves the problem.

The following example is a log line from the Detailed E-mail log concerning a mail blocked by an aXs GUARD black list entry:

16:06:24 C317EB6816: reject: RCPT from unknown[194.78.62.146]: 554 <pv@test.be>: Recipient address rejected: You are in our black list; from=<test@domain.be> to=<pv@test.be> proto=SMTP helo=<test.be>

The following example is a log line from the Detailed E-mail log concerning a mail blocked by an Internet black list:

reject: RCPT from 254.166-201-80.adsl.skynet.be[80.201.166.254]: 554 Service unavailable; Client host [80.201.166.254] blocked using dul.dnsbl.sorbs.net; Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=80.201.166.254; from=<498@ge.cokecce.com> to=<rootel@domain.be> proto=ESMTP helo=<domain.be>
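A small parser for reject lines of this shape, as an added example that is not part of the original FAQ or of the aXs GUARD tooling. It separates local black list hits from Internet black list hits and pulls out the client IP, the list name, sender and recipient; the function names and the last two sample lines are constructed, and the first two lines are the ones shown above.

```python
import re
from collections import Counter

LOG_LINES = [
    # The two reject lines shown in this FAQ.
    "16:06:24 C317EB6816: reject: RCPT from unknown[194.78.62.146]: 554 <pv@test.be>: "
    "Recipient address rejected: You are in our black list; "
    "from=<test@domain.be> to=<pv@test.be> proto=SMTP helo=<test.be>",
    "reject: RCPT from 254.166-201-80.adsl.skynet.be[80.201.166.254]: 554 Service unavailable; "
    "Client host [80.201.166.254] blocked using dul.dnsbl.sorbs.net; Dynamic IP Address See: "
    "http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=80.201.166.254; "
    "from=<498@ge.cokecce.com> to=<rootel@domain.be> proto=ESMTP helo=<domain.be>",
    # Constructed lines in the same layout, for the remaining branches.
    "16:07:01 D41A0B6820: reject: RCPT from mail.example.org[192.0.2.10]: 550 <nobody@domain.be>: "
    "Recipient address rejected: User unknown; "
    "from=<a@example.org> to=<nobody@domain.be> proto=ESMTP helo=<mail.example.org>",
    "16:07:05 E52B1C7931: constructed line that is not a reject entry",
]

REJECT = re.compile(
    r"reject: RCPT from (?P<client>\S+?)\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)
DNSBL = re.compile(r"blocked using ([A-Za-z0-9.-]+)")

# Follow-up per cause, using the steps this FAQ gives.
NEXT_STEP = {
    "local-blacklist": "check the black list created on the aXs GUARD for a matching entry",
    "internet-blacklist": "disable use of the Internet black list to see if this resolves the problem",
    "user-unknown": "check that the part before @ is an alias, distribution list or user",
    "other": "read the reason text in the Detailed E-mail log",
}


def parse_reject(line):
    """Return a dict describing one reject line, or None for other lines."""
    m = REJECT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["list"] = None
    hit = DNSBL.search(rec["text"])
    if hit:
        rec["cause"], rec["list"] = "internet-blacklist", hit.group(1)
    elif "You are in our black list" in rec["text"]:
        rec["cause"] = "local-blacklist"
    elif "User unknown" in rec["text"]:
        rec["cause"] = "user-unknown"
    else:
        rec["cause"] = "other"
    return rec


def summarize(lines):
    """Count reject causes over a list of log lines."""
    return Counter(r["cause"] for r in map(parse_reject, lines) if r)


if __name__ == "__main__":
    for entry in filter(None, map(parse_reject, LOG_LINES)):
        print(f'{entry["ip"]:<16} {entry["cause"]:<19} {entry["sender"]} -> {entry["rcpt"]}')
        print(f'    next: {NEXT_STEP[entry["cause"]]}')
    print(dict(summarize(LOG_LINES)))
```
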



5. Why have I received the message "User unknown"?

If a mail is rejected with the 'User unknown' message, the message is blocked by the MTA, because the part before the "@" symbol in the e-mail address is not registered as an alias, distribution list or user on the aXs GUARD. The message passed the anti-open relay because the domain part of the recipient's e-mail address is defined as a local domain.

The anti-relay and user unknown checks are explained in the document, aXs GUARD E-mail Concepts, available through the Documentation button in the administrator's tool.



6. Why have I received the message "Company Policy Forbids..."?

This message is shown when an e-mail has been rejected by the content mail filtering system. Check the aXs GUARD detailed e-mail filter log to determine which policy has blocked the e-mail. Check the policy configuration to identify which filter has blocked the e-mail. The E-mail log will indicate why the mail was blocked in the reason field.

E-mail logs are explained in the document, aXs GUARD E-mail Concepts, available through the Documentation button in the administrator's tool.



7. What should I check first if I have mail client problems?

If you have a mail client problem, first check the firewall settings for the client computer.

If you fetch your messages with the POP3 protocol, check port 110 with the telnet program on the client; if you use the IMAP protocol, check port 143:

>telnet axsguard 110

or

>telnet axsguard 143

(See the Firewall Difficulties section for more information on the telnet program.)

If you are granted a connection, firewall settings are correctly configured; otherwise they need checking. See the Firewall Difficulties section for more information on how to check the firewall settings.

Please refer to the document, aXs GUARD Client E-mail Configurations for more information on configuring the mail client, or to your mail client's documentation, if firewall settings are correct.



8. I've received an e-mail notifying that I've sent a virus. Is that possible?

Due to a flaw in the SMTP protocol, e-mail addresses can be falsely used as source addresses for sending viruses or spam.

Check the headers of the original mail included in the notification mail. If the IP address of the sending MTA is not your public IP, someone has spoofed your e-mail address, for example:

 

Received: from outmx017.isp.belgacom.be (outmx017.isp.belgacom.be [195.238.2.116])
    by hoover.skynet.be (8.12.9/8.12.9/Skynet-OUT-FALLBACK-2.22) with ESMTP id i2AENIUc024526;
    Wed, 10 Mar 2004 15:23:18 +0100(MET)(envelope-from <jeke@skynet.be>

This example shows details of the sender and receiving MTA. The sender's IP address is 195.238.2.116.

You can also check the aXs GUARD e-mail logs to confirm that the message was not sent from the aXs GUARD.

Abuse of the SMTP protocol is discussed in the document, aXs GUARD E-mail Concepts, available through the Documentation button in the administrator's tool.
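The header check described above, as an added example that is not part of the original FAQ or of the aXs GUARD tooling. It extracts the sending IP from each Received header of the original mail and compares it with your own public address range; the function names, the From and Subject lines and the address ranges passed in are assumptions constructed for illustration, while the Received header is the one shown above.

```python
import email
import ipaddress
import re

# Received header taken from the example in this FAQ; the From and Subject
# lines are constructed so that the block parses as a complete header.
ORIGINAL_HEADERS = """\
Received: from outmx017.isp.belgacom.be (outmx017.isp.belgacom.be [195.238.2.116])
\tby hoover.skynet.be (8.12.9/8.12.9/Skynet-OUT-FALLBACK-2.22) with ESMTP id i2AENIUc024526;
\tWed, 10 Mar 2004 15:23:18 +0100(MET)(envelope-from <jeke@skynet.be>
From: someone@domain.be
Subject: constructed example

"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def relay_hops(raw_headers):
    """Return [(sending_ip, receiving_host)] per Received header, newest first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())             # undo header folding
        from_part = flat.split(" by ", 1)[0]       # text describing the sender
        ips = BRACKETED_IP.findall(from_part)
        by = BY_HOST.search(flat)
        hops.append((ips[0] if ips else None, by.group(1) if by else None))
    return hops


def origin_verdict(raw_headers, own_networks):
    """Compare the sending IPs with your own public range(s).

    Returns "own-mta" if any hop was sent from one of own_networks,
    "spoofed" if sending IPs were found but none is yours, and
    "no-relay-ip" if the headers carry no usable IP address.
    Only Received lines written by an MTA you trust are reliable; lines
    further down the header can be filled in by the sender.
    """
    nets = [ipaddress.ip_network(n) for n in own_networks]
    seen = False
    for ip, _ in relay_hops(raw_headers):
        if ip is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                         # e.g. [999.1.1.1]
            continue
        seen = True
        if any(addr in net for net in nets):
            return "own-mta"
    return "spoofed" if seen else "no-relay-ip"


if __name__ == "__main__":
    # 195.0.83.0/24 is an assumed stand-in for "your public IP", borrowed
    # from the example addresses used elsewhere in this FAQ.
    print(relay_hops(ORIGINAL_HEADERS))
    print(origin_verdict(ORIGINAL_HEADERS, ["195.0.83.0/24"]))
```
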



9. What does "Sender <-> Recipient Rejected by Mail Policy" mean?

This message in the e-mail logs means that the e-mail message is rejected by the aXs GUARD mail content filtering system. aXs GUARD mail content filtering and mail policies are explained in the document, aXs GUARD E-mail Concepts, available through the Documentation button in the administrator's tool.

E-mails may be blocked for various reasons and information about these can be found in the Detailed E-mail Filter log. Four possibilities exist:

  1. IN e-mail: Only the recipient's e-mail address is configured on the aXs GUARD; thus only the recipient's mail policy is used for mail content filtering;

  2. OUT e-mail: Only the sender's e-mail address is configured on the aXs GUARD; thus only the sender's mail policy is used for mail content filtering;

  3. OUTIN e-mail: both sender and recipient e-mail addresses are configured on the aXs GUARD; thus two mail policies (one for each e-mail address) are combined for mail content filtering;

  4. EXTERNAL e-mail: neither the sender's nor the recipient's e-mail addresses are configured on the aXs GUARD; thus no mail policies can be used for mail content filtering and the e-mail is blocked.

The last situation occurs when someone tries to send an e-mail from a domain that is not one of your own domains (neither local nor forwarded) to another domain that is also not your own. The message is therefore blocked. Permitting such a message requires adding an external e-mail address entry for the destination or source e-mail address, with a mail policy specified. The following log entry shows this fourth situation:

17:52:59 amavis[14174]: (14174-04) WARNING:
Sender AND Recipient domain are unknown to the E-mail filter.
Reject dummy@domain.be
'pruts@hotmail.com in E-mail filter.
Somebody trying to forge his sender address ?



10. What does "Mailbox over quota" mean?

This message may appear if you're using the IMAP protocol to view your mail or the POP3 protocol with the "leave mail on server" option. If a user's mailbox exceeds the quota configured for the user in the aXs GUARD administrator's tool, no further actions are permitted in the mailbox, except the deletion of old mail and folders. No new mails will be delivered once the hard quota is exceeded.

With the IMAP protocol, old e-mails or folders can be deleted directly. Check that your mail client is not configured to move deleted e-mail to a trash folder in the same mailbox, as this is not allowed. Moving deleted e-mail to a local trash folder, however, is permitted. Another option is to remove the e-mail from disk on delete instead of moving it to the trash folder. A further option is to disable the user's quota by setting it to 0, clear the mailbox and then reset the quota.

With the POP3 protocol and the "leave message on server" option, no direct access is possible. Mail can be removed from the mail server by disabling the "leave message on server" option or by setting a time restriction on this option, for example "keep mail for 10 days". For further information, see the aXs GUARD E-mail Client Configuration manual and the documentation for your mail client software.



11. User quota problem: not receiving e-mail

If you receive the message "User xxxx, disk space usage on the aXs GUARD has exceeded the warning level of 20MB, the hard limit is 30 MB.", proceed as follows:

  • Open the aXs GUARD Administrator Tool.
  • Go to User Management.
  • Click on the user name for the person who has the problem.
  • Scroll down to the Disk Quota lines.
  • Enter '0' in both fields.
  • Let the user retrieve the e-mail and then reset the Disk Quota to the original values.



12. Why can't I get a Webmail connection?

The webmail feature must be activated in the aXs GUARD administrator's tool for connections to be possible.



13. Webmail is enabled, but I still can't get a connection.

The webmail program runs on the secure extranet server, so port 443 needs to be open for the location to which you are trying to connect. Check this as follows:

>telnet axsguard 443

See the Firewall Difficulties section for more information on the telnet program.

Use the public IP address of the aXs GUARD if you're trying to connect from the Internet. If you are granted a connection, the firewall settings are correct; otherwise they need checking. See the Firewall Difficulties section on how to check the firewall settings.



14. Webmail works for other users, but not for this one.

In the aXs GUARD administrator's tool, the access rights for users can be specified. If a user does not have the webmail option enabled, webmail login is not possible, although the webmail login page may be accessible.



15. What Webmail configurations should I check if I can't get a connection?

Check the IMAP and SMTP settings for webmail in the aXs GUARD administrator's tool. If webmail is used with a remote mail server, please check if the remote mail server can be reached from the aXs GUARD. You can check this by using the ping utility in the aXs GUARD administrator's tool.



16. Anti-spam List problems

If a mail header has been forged, it's possible that the spam detector will be unable to identify the sender's e-mail address correctly.



17. E-mail issue when changing Provider

When changing ISP or changing your connection type, for example from ISDN to ADSL, you need to contact your new ISP to have the MX records modified to point to the new IP address, so that you continue to receive your company's e-mail.



Technical Questions

1. ACL Access Control List doesn't work

  • For the ACL to work properly, you must ensure that the Host Computer has the Internet Access via Proxy set to: "Yes with User Authentication".
  • Users may not bypass the aXs GUARD proxy, so check that the "No Outgoing restrictions" and the "Direct WWW Access" fields are unchecked.
  • Under User Management, select the appropriate setting in the Proxy Access List. Alternatively, if the Host Computer has the Internet Access via Proxy field set to: "Yes without User Authentication", the aXs GUARD will use the Company Wide Access Control List, as set under General Parameters.

Warning: for this to work, the user's PC MUST use the aXs GUARD as proxy.



2. Messages in Tool: /ub/scripts/svc-virus: kill

These messages will occasionally appear when adding or modifying a user, if you have the Anti-virus Option installed. They can be ignored, as they are 'cosmetic' errors in the Tool interface.



3. Duplicate error when adding or modifying a Host or User

If you receive the duplicate error after clicking the Save button, check the other entries for existing names, INCLUDING the Alias.



4. How to analyze Log files

You can download the log files with an FTP client and run them through a log file analyzer, such as Surfstats (www.surfstats.com).



5. How to fax Photos

You cannot fax a photo or picture directly, as there is no way to insert the *NR line.
The easy way to do this is to insert the picture in Word.
Make sure the picture you need to insert is small enough, preferably in GIF format and no bigger than +/- 100 KB in size. Once inserted, in recent versions of Word, you can right-click the inserted picture, select properties and compress it even more. After some checking, it seems the page size in Word should never be more than +/- 100 KB.
The file size of a GIF is larger than that of a JPG, but the compression is lower. If you still receive an error when faxing (format failed), try again with a smaller picture.
Extra tip: Convert your picture to black & white first; the fax will not be in color anyway.
