pfBlockerNG blocking SMTP

Alek · Apr 12, 2022, 7:48 AM

Hello there,

I have a pfsense box with pfBlockerNG set up like that :

default gateway x.x.x.13/29

VIP x.x.x.14/29

I'm trying to set up a mail server on my x.x.x.14 IP. I setup Outbound rule and NAT on all necessary port between my host and my VIP x.x.x.14.

I find out that pfBlocker is blocking SMTP request on my VIP.

Any idea how I can either :

exclude regex domain (outlook.protection.microsoft.com or .mailjet.com....) from pfBlockerNG
exclude my VIP from pfBlockerNG

?

Gertjan · Apr 12, 2022, 8:19 AM

@alek

What about : don't use feeds within pfBlockerNG that include your IPs § DNSBLs ?
Or, white list them .

Alek · Apr 12, 2022, 8:23 AM

@gertjan
It's Microsoft, Mailjet, Google...etc SMTP servers that are blocked.
These IPs are in multiple feeds so seems a bit too much to disable all these feeds

Gertjan · Apr 12, 2022, 8:43 AM

You can white list here :
login-to-view

and whatever you list will be removed from all the lists.

You are hosting a mail server : be very careful with what you block, because if you block them, they can start to block you, as "Microsoft, Mailjet, Google...etc SMTP" can also send you ligit mails ....

I'm use myself a mail server (postfix), with a dozen or so domain names and as much IPv4 (and IPv6).
No pfSense in front of it, and certainly not something like pfBlockerNG, as it isn't ment to be used like that ( IMHO ).

Alek · Apr 12, 2022, 8:51 AM

@gertjan
My mail server is in my lab so behind my pfsense.
That why i'm looking for a way to exluce my VIP from pfBlockerNG

Gertjan · Apr 12, 2022, 1:03 PM

@alek

I understood.

Why would you need a VIP ? What about a dedicated interface network for your mail server, NAT port 25 from WAN to the 'mail' interface, mail server IP port 25 and done.
Exclude this mail server interface from any pfblockerng interference. This will also solve your issue (subject).

Your WAN IP isn't an IP from some ISP, right ? As most, if not all, of them are known, and serious mail servers (the big ones) will not accept mail from servers "@home".

As soon as you are able to send a mail, send one to gmail.
Your mission : don't stop before you have 3 x ¨PASS". SPF+DKIM+DMARC isn't optional any more. I wonder if they will be strict with the PTR of your WAN IP ....

edit :

login-to-view

Alek · Apr 13, 2022, 8:01 AM

@gertjan
Great idea, didn't think about that !
I've asked my ISP to fix my VIP on available ports.
I already have PTR on these VIP.
Thanks mate

Alek · Apr 13, 2022, 12:20 PM

@gertjan
This solution brought me another problem ^^
Did you find a way to assign a dedicated interface ?
My ISP gave me multiple IPs but with only one WAN.
As you may know, it's impossible to assign another interface with the same gateway.

Gertjan · Apr 13, 2022, 12:49 PM

@alek said in pfBlockerNG blocking SMTP:

My ISP gave me multiple IPs but with only one WAN.

Ok, I get it, I think : you've created VIP using Firewall > Virtual IPs and multiple IP aliases to your WAN interface.

These IP+port 25 could be NATted to the right local IP+port 25 == mail server, right ?

Assigning an interface to a gateway is needed here (I think again).
You will have to map the mailserver's outgoing traffic through to VIP IP. (I keep on thinking ;))

Can say more, as I have never dealt with these multi IPs on WAN before.
I do use a lot of IPv4 addresses on the NIC of my mail server, :

root@ns311465:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 188.xxx.201.123  netmask 255.255.255.0  broadcast 188.xxx.201.255
        inet6 2001:41d0:2:xxx::10  prefixlen 128  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::2  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::225:yyy:fe71:bf86  prefixlen 64  scopeid 0x20<link>
        inet6 2001:41d0:2:xxxx::11  prefixlen 128  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::15  prefixlen 128  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::3  prefixlen 128  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::  prefixlen 64  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::20  prefixlen 128  scopeid 0x0<global>
        inet6 2001:41d0:2:xxxx::1  prefixlen 128  scopeid 0x0<global>
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        RX packets 152768770  bytes 37714762815 (35.1 GiB)
        RX errors 2  dropped 123638  overruns 0  frame 2
        TX packets 201134377  bytes 186610834588 (173.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 46.xxx.79.38  netmask 255.255.255.255  broadcast 46.xxx.79.38
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 87.xxx.136.44  netmask 255.255.255.255  broadcast 87.xxx.136.44
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.xxx.43.182  netmask 255.255.255.255  broadcast 5.xxx.43.182
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 87.xxx.174.106  netmask 255.255.255.255  broadcast 87.xxx.174.106
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 188.165.53.87  netmask 255.255.255.255  broadcast 188.165.53.87
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

eth0:5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 217.xxxx.46.28  netmask 255.255.255.255  broadcast 217.xxx.46.28
        ether 00:25:00:71:bf:86  txqueuelen 1000  (Ethernet)
        device interrupt 16  memory 0xfbce0000-fbd00000

My firewall (iptables) is close to empty - no NAT rules neither.
Works great for the last 15 years or so.
This is a dedicated bare bone server in a data centre.

Alek · Apr 13, 2022, 12:47 PM

@gertjan
Yes I did it this way.
I got a port forward + outbound rule between one VIP to my local IP.
I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw.

Gertjan · Apr 13, 2022, 12:52 PM

@alek said in pfBlockerNG blocking SMTP:

I didn't understand, you mean adding a new interface ? Because this is exactly what I'm trying to do but can't coz same gw

I thought it was like adding interfaces, but it isn't.
I've edited my post above to show you that I also add several IPv4 (and IPv6) to the same physical interface. That is a standard Debian based web mail server.

Alek · Apr 13, 2022, 1:41 PM

@alek
My bad, didn't get the whole text.
I guess the best way would be to have a dedicated pfsense box without pfblocker, assigned to one of my VIP and serving my mails servers. No ?

Gertjan · Apr 13, 2022, 1:41 PM

@alek said in pfBlockerNG blocking SMTP:

No ?

That's the easy / easier way.

Have a look at this list : Youtube Netgate everything you always wanted to know, and more.
There is a Muti WAN video. There is a video about VIP, Carps, etc.

The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.