Netgate Discussion Forum
Email Client times out trying to reach mailserver in lan

Category: Firewalling
18 Posts, 3 Posters, 829 Views
viragomann @TomNick

@TomNick
What gives us concern is that client and server are within the same subnet. So access from client to server should not pass pfSense at all.

But just got an idea. I guess your client uses your public FQDN?
This would explain why packets go to pfSense.

If so, you should add a host override for the FQDN to your local DNS. Assuming you're using DNS Resolver on pfSense.
Otherwise you can enable NAT reflection in the port forwarding rule.
TomNick @viragomann

@viragomann said in Email Client times out trying to reach mailserver in lan:

If so, you should add a host override for the FQDN to your local DNS. Assuming you're using DNS Resolver on pfSense.
Otherwise you can enable NAT reflection in the port forwarding rule.

I tried all but no success. Maybe I did something wrong with the host override, here it is:

brave_screenshot3.png
viragomann @TomNick

@TomNick
Possibly the public IP is still present in the client's DNS cache.
Try to flush it (ipconfig /flushdns) or reboot the machine.
Gertjan @TomNick

@TomNick

The NAT rules.

463830d7-da64-411e-9a83-f5dad9c5e34e-image.png

I still like to see the WAN firewall rules.
The (WAN) firewall rules contain packet counters, like these:

5a98ea6a-7e83-4287-a956-c27917456c63-image.png

so you can see right away if there was traffic from the Internet coming into the WAN interface that matches one of your WAN pass rules. These rules can be part of a NAT rule, as my third WAN firewall rule is: it NATs to a port on my Syno disk-station, which is a pfSense LAN device.

So, again: your firewall rules?

The port alias contains:

25,465, etc

So your first NAT rule 'NATs' port 25.
Your third rule isn't needed and should be removed.

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??
TomNick @Gertjan
last edited by TomNick

@Gertjan said in Email Client times out trying to reach mailserver in lan:

So, again: your firewall rules?

brave_screenshot.png

@Gertjan said in Email Client times out trying to reach mailserver in lan:

So your first NAT rule 'NATs' port 25.
Your third rule isn't needed and should be removed.

Done!

Ok, what I found out is that if you call mail.mydomain from inside the Windows client you get the pfSense cert. If you call mail.mydomain from outside you will get the Let's Encrypt cert, which is correct.
viragomann @TomNick

@TomNick
The only possible reason for this is that your client resolves the host name to the public FQDN, as already mentioned yesterday.

If you're not able to get your local DNS to work properly, edit the port forwarding rule for the mailserver ports and enable NAT reflection.
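The diagnosis viragomann describes above (the LAN client resolving the mail FQDN to the public address and hitting pfSense instead of the server, which is also why TomNick saw the firewall's own certificate rather than the Let's Encrypt one) can be turned into a small check. The script below is an added example, not code from the thread or from pfSense. The LAN subnet 192.168.1.0/24, the mail server address 192.168.1.10, the pfSense WAN address 203.0.113.5 and the certificate SAN lists are constructed placeholders; a defender would substitute their own values and feed it what `nslookup`/`ipconfig /displaydns` on the client and `openssl s_client` against the mail port actually return.

```python
"""Split-horizon DNS / NAT-reflection diagnosis for a LAN-hosted mail server.

Added example (not from the thread). All addresses and SAN lists below are
constructed placeholders; replace them with your own LAN subnet, server and
pfSense WAN address before use.
"""
import ipaddress
import socket
from typing import Iterable, List

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN subnet
MAIL_LAN_IP = ipaddress.ip_address("192.168.1.10")      # assumed mail server LAN address
WAN_IP = ipaddress.ip_address("203.0.113.5")            # assumed pfSense WAN address (TEST-NET-3)

# Constructed sample SAN lists: what the mail server's Let's Encrypt cert would
# carry, and what a default pfSense web GUI certificate might carry instead.
SAMPLE_MAIL_SANS = ["mail.example.com"]
SAMPLE_GUI_SANS = ["pfSense.home.arpa"]


def resolve(fqdn: str) -> List[str]:
    """Live helper (needs network): the IPv4 answers this host gets for fqdn.
    Use it on the LAN client to capture what the client actually resolves."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def diagnose(answers: Iterable[str], lan_net=LAN_NET, server_ip=MAIL_LAN_IP, wan_ip=WAN_IP) -> str:
    """Classify the A-record answers a LAN client got for the mail FQDN.

    'direct'    answer is the server's LAN address: traffic stays in the subnet
                and never touches pfSense (the host override is in effect).
    'hairpin'   answer is the pfSense WAN address: the client sends to the
                firewall and needs NAT reflection or a host override.
    'other-lan' some other LAN address (override points at the wrong host).
    'unknown'   anything else (stale cache, wrong resolver, typo).
    """
    addrs = {ipaddress.ip_address(a) for a in answers}
    if not addrs:
        return "unknown"
    if addrs == {server_ip}:
        return "direct"
    if wan_ip in addrs:
        return "hairpin"
    if all(a in lan_net for a in addrs):
        return "other-lan"
    return "unknown"


def _name_matches(pattern: str, host: str) -> bool:
    """Match a host name against one dNSName SAN; a single leading wildcard
    label covers exactly one label (*.example.com matches mail.example.com,
    not a.mail.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_covers(fqdn: str, san_names: Iterable[str]) -> bool:
    """True if the presented certificate's SAN list covers fqdn. False together
    with a 'hairpin' resolution is the thread's symptom: the client reached
    the firewall's own certificate instead of the mail server's."""
    return any(_name_matches(n, fqdn) for n in san_names)


def explain(fqdn: str, answers: Iterable[str], san_names: Iterable[str]) -> str:
    """Combine both observations into the action a pfSense admin would take."""
    status = diagnose(answers)
    if status == "direct":
        if cert_covers(fqdn, san_names):
            return "ok: LAN resolution, mail server certificate presented"
        return "direct but wrong cert: DNS is fine, check the mail server's TLS configuration"
    if status == "hairpin":
        note = "" if cert_covers(fqdn, san_names) else " (firewall certificate seen, as in the thread)"
        return ("hairpin: client resolves the public address; add a DNS Resolver host "
                "override or enable NAT reflection on the port forward" + note)
    if status == "other-lan":
        return "other-lan: host override exists but points at the wrong LAN address"
    return "unknown: flush the client DNS cache and confirm which resolver it uses"


if __name__ == "__main__":
    # Constructed scenarios: before and after the host override.
    print(explain("mail.example.com", ["203.0.113.5"], SAMPLE_GUI_SANS))
    print(explain("mail.example.com", ["192.168.1.10"], SAMPLE_MAIL_SANS))
```

To capture the SAN list that `cert_covers` expects, the usual command is `openssl s_client -connect mail.example.com:465 -servername mail.example.com </dev/null | openssl x509 -noout -ext subjectAltName`, run once from the LAN and once from outside; a different answer from the two vantage points is the same split-horizon symptom TomNick reported.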
TomNick @viragomann

@viragomann said in Email Client times out trying to reach mailserver in lan:

If you're not able to get your local DNS to work properly, edit the port forwarding rule for the mailserver ports and enable NAT reflection.

It is already enabled, I guess. The NAT reflection gives me 4 options:

default
NAT+Proxy
Pure NAT
Disable

Mine is on default, still not working.
TomNick @viragomann

@viragomann It is working by setting "host override". Thanks a lot for your trouble and have a good weekend.
viragomann @TomNick

@TomNick said in Email Client times out trying to reach mailserver in lan:

Mine is on default, still not working

"default" means "System default". If this is set in the NAT rule, the setting in System > Advanced > Firewall & NAT > NAT Reflection mode for port forwards is used.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.