I verified that I could connect to the email server on the SMTP port, port 25, and the POP3 port, port 110, from external systems and she told me that her husband's system was able to check his email successfully. Since I knew his system was establishing a POP3 connection to the mail server to check email, but her system was establishing an encrypted POP3S connection on port 995, I checked the Linux email server to verify that it was listening for connections on port 995, since there had been a power outage at its location recently that I thought might have caused it to reboot. It was listening on that port.
    $ netstat -a | grep -i pop3s
    tcp        0      0 0.0.0.0:pop3s           0.0.0.0:*               LISTEN
    tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN
So I thought the problem was likely at a NetScreen firewall between the user and the server. I logged into the firewall via Secure Shell (SSH). I verified that there were no filters currently set for the firewall and then set a filter for destination port 995 with the command set ffilter dst-port 995. I then cleared the debug buffer with clear db and started debugging on the router/firewall with debug flow basic - see NetScreen Debugging Commands for an explanation of the debugging commands. I could see that TCP packets were reaching the firewall, but the firewall was reporting "packet dropped: for self but not interested".
    ns5gt-> get ffilter
    ns5gt->
    ns5gt-> set ffilter dst-port 995
    filter added
    ns5gt-> clear db
    ns5gt-> debug flow basic
    ns5gt-> get db str
    ****** 65670.0: <Untrust/untrust> packet received [52]******
      ipid = 30947(78e3), @03c1ac30
      packet passed sanity check.
      untrust:10.15.2.72/59403->192.168.0.10/995,6<Root>
      self check, not for us
      chose interface untrust as incoming nat if.
      packet dropped: for self but not interested
    ****** 65673.0: <Untrust/untrust> packet received [52]******
      ipid = 30950(78e6), @03c41430
      packet passed sanity check.
      untrust:10.15.2.72/59403->192.168.0.10/995,6<Root>
      self check, not for us
      chose interface untrust as incoming nat if.
      packet dropped: for self but not interested
    ****** 65679.0: <Untrust/untrust> packet received [48]******
      ipid = 30951(78e7), @03c2ac30
      packet passed sanity check.
      untrust:10.15.2.72/59403->192.168.0.10/995,6<Root>
      self check, not for us
      chose interface untrust as incoming nat if.
      packet dropped: for self but not interested
    ns5gt->
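As an added example (not from the original post), a small Python parser for a "debug flow basic" buffer like the one above, which extracts each packet's flow and drop reason and tallies drops per destination port, so a run of "for self but not interested" drops on port 995 stands out at a glance. The sample buffer is two of the packets from the page's own output with line breaks restored; the regexes are an assumption about the record layout shown here, not an official ScreenOS format.

```python
import re
from collections import Counter

# Two of the packets from the page's "get db str" output, line breaks restored.
SAMPLE = """\
****** 65670.0: <Untrust/untrust> packet received [52]******
  ipid = 30947(78e3), @03c1ac30
  packet passed sanity check.
  untrust:10.15.2.72/59403->192.168.0.10/995,6<Root>
  self check, not for us
  chose interface untrust as incoming nat if.
  packet dropped: for self but not interested
****** 65673.0: <Untrust/untrust> packet received [52]******
  ipid = 30950(78e6), @03c41430
  packet passed sanity check.
  untrust:10.15.2.72/59403->192.168.0.10/995,6<Root>
  self check, not for us
  chose interface untrust as incoming nat if.
  packet dropped: for self but not interested
"""

PKT_RE = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^>]+)> packet received")
FLOW_RE = re.compile(r"^\s*(?P<iface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
DROP_RE = re.compile(r"^\s*packet dropped: (?P<reason>.+)$")

def parse_debug_flow(text):
    """Split a 'debug flow basic' buffer into one dict per packet record."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:  # a new packet record starts here
            cur = {"ts": float(m["ts"]), "zone": m["zone"], "reason": None}
            packets.append(cur)
        elif cur is not None and (m := FLOW_RE.match(line)):
            cur.update(iface=m["iface"], src=m["src"], dst=m["dst"],
                       dport=int(m["dport"]), proto=int(m["proto"]))
        elif cur is not None and (m := DROP_RE.match(line)):
            cur["reason"] = m["reason"].strip()
    return packets

def drops_by_port(packets):
    """Count (dport, reason) pairs. Every packet for a VIP port dropped as
    'for self but not interested' means the firewall owns the address but has
    no VIP (or policy) mapping for that port, which is the symptom on this page."""
    return Counter((p["dport"], p["reason"]) for p in packets if p["reason"])
```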
I checked for any firewall rules that applied to POP3 and saw that policy id 23 was the one for POP3S - the "| i" indicates that only policies that include the string that follows, which in this case is "POP3", should be displayed.
    ns5gt-> get policy from untrust to trust | i "POP3"
    15 Untrust Trust Any VIP(untrust) POP3 Permit enabled ---XXX
    23 Untrust Trust Any VIP(untrust) POP3S Permit enabled ---XXX
    ns5gt->
I checked the policy with get policy id 23 and found it looked ok.
    ns5gt-> get policy id 23
    get policy id 23
    name:"POP3S" (id 23), zone Untrust -> Global,action Permit, status "enabled"
    src "Any", dst "VIP(untrust)", serv "POP3S"
    Policies on this vpn tunnel: 0
    nat off, url filtering : disabled
    vpn unknown vpn, policy flag 0000, session backup: on
    traffic shapping off, scheduler n/a, serv flag 00
    log yes, log count 0, alert no, counter yes(17) byte rate(sec/min) 0/0
    total octets 0, counter(session/packet/octet) 0/0/17
    priority 7, diffserv marking Off
    tadapter: state off, gbw/mbw 0/-1
    No Authentication
    No User, User Group or Group expression set
    ns5gt->
I then remembered that there had been an issue with the server recently regarding the virtual IP (VIP) address configuration related to POP3S. The firewall is performing network address translation (NAT) and needs to be configured to use a VIP to connect to the actual IP address of the email server on the trusted side of the firewall on port 995. I had configured it to do so previously, but apparently forgot to save the NetScreen configuration afterwards, so I assume the power outage at the location of the firewall and server resulted in the firewall "forgetting" the recently changed configuration when it rebooted. I entered the command set interface untrust vip untrust 995 "POP3S" 192.168.0.5 to correct the problem and this time saved the configuration immediately afterwards.
    ns5gt-> set interface untrust vip untrust 995 "POP3S" 192.168.0.5
    ns5gt-> save config
    ns5gt->
I then verified that the user's system could successfully retrieve her email.