Netgate Discussion Forum
    Just installed pfsense firewall. Getting mail error…

    Firewalling | 16 Posts, 6 Posters, 6.3k Views

    • nocer

      Hi,

      You would probably need to check your cf or his cf and/or look for spf record carefully,
      and also check your addresses/domains are not listed in any of RBL sites.

      It used to work and now stopped, then there must have been changes.

      cheers,

      • GruensFroeschli

        @bob76535:

        I have a mail server (and other servers) that sits behind our new pfsense firewall. We put the firewall in so we can block ips from connecting to our servers, especially the mail server. The firewall has a single wan with its own ip, single lan with its own ip (the gateway IP that all the servers are pointed at) and the mail server (imail 10) has 2 ips (one dedicated for a customer and on that ours and all our virtual domains use). All the ips are within the same subnet if that matters. This is the first firewall I have set up in this scale and I am a noob to all this so please be gentle.

        I'm a bit worried about your statement: "All the ips are within the same subnet if that matters."
        Did you set up a transparent firewall?
        If not: you cannot have the WAN and the LAN in the same subnet.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • dotdash

          You need to provide details of your configuration. The error sounds like what happens when you run NAT with port-forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case, you would not be pointing the gateway to the firewall…

          • Cry Havok

            @bob76535:

            When someone sends an e-mail from our domain to an outside domain we get this error:
            -----Original Message-----
            From: postmaster@mail.xyz.com [mailto:postmaster@mail.xyz.com]
            Sent: Saturday, August 30, 2008 3:00 PM
            To: boss@xyz.com
            Subject: Undeliverable Mail

            undeliverable to recipient@1234.com

            Server response to MAIL FROM:

            550 domain of boss@xyz.com does not designate 66.153.204.49 as permitted sender

            That looks like an SPF error - check to see if the domain xyz.com has an SPF record (see http://www.openspf.org/).

            • bob76535

              I'm a bit worried about your statement: "All the ips are within the same subnet if that matters."
              Did you set up a transparent firewall?
              If not: you cannot have the WAN and the LAN in the same subnet.

              I'm not familiar with the term "transparent firewall", please explain.

              We get a "connection" from our Colocation provider. We have the upper half of the IP range I listed (.128 thru .255). The colo told us to put .49 on the wan side of our firewall and .129 (gateway ip) on the lan side. There is no DHCP on the lan side (if that matters) and all the machines have multiple static IPs on them. All are from that same subnet. The co-lo uses the lower half of the subnet for their stuff.

              I did find out that this is only happening when sending to that particular domain. It is not happening when sending anywhere else (that we are aware of). Apparently their mail setup sees the sending mail server as .49 instead of the actual mail server ip .137. It fails the message since the sending ip does not match the SPF. The correct mail server IP is .137 and the SPF is correct for the sending domain. Why would they be seeing the firewall ip?

              Thanks for your help. I really appreciate it.

              Bob

              • bob76535

                @dotdash:

                You need to provide details of your configuration. The error sounds like what happens when you run NAT with port-forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case, you would not be pointing the gateway to the firewall…

                I didn't touch the NAT and there is no port forwarding set up. Yes, they all have public IPs on them. Not pointing the gateway to the firewall? I'm not following you here.

                Thanks

                Bob

                • bob76535

                  That looks like an SPF error - check to see if the domain xyz.com has an SPF record (see http://www.openspf.org/).

                  Yes it does and I verified it to be correct. It has not been touched and was correct before the firewall was installed.

                  Thanks

                  Bob

                  • bob76535

                    I just read the PDF on having a transparent firewall. We do not have it set up that way. Should we?

                    The purpose of the pfsense box was to be able to block all traffic on ports we are not using and block unwanted external ips from connecting to all our servers. We do not need any other functions from the pfsense box.

                    What should I do here?

                    Thanks for your support.

                    Bob

                    • dotdash

                      I'm assuming you read this document: http://pfsense.trendchiller.com/transparent_firewall.pdf
                      Yes, if you have all public IPs in the same subnet, the firewall should be a bridge, not a router. You should not be natting and the machines should have the upstream router as the gateway and not the firewall.

                      • GruensFroeschli

                        We have the upper half of the IP range I listed (.128 thru .255). The colo told us to put .49 on the wan side of our firewall and .129 (gateway ip) on the lan side.

                        Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                        In this case you just have to disable NAT on pfSense.
                        --> "Firewall" --> "NAT" --> "Outbound"
                        --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
                        --> delete all rules that are there.

                        You now have a routing only platform with Firewall capabilities.

                        Just make sure that the subnet mask on the LAN side is actually /25 and not /24.

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        • dotdash
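                        What the receiving MTA sees, as an added example (not code from the thread or from pfSense): bob's mail server at .137 leaves through an outbound NAT (AON) rule and arrives as the firewall's WAN address .49, so the domain's SPF record rejects it; with the AON rules deleted, the packet is routed untouched and SPF passes. The NAT rule table and the SPF record for xyz.com are constructed here; the addresses and the /25 come from the posts above.

```python
import ipaddress

# Addresses come from the thread; the SPF record and the NAT rule table are
# constructed for this example and are not pfSense's own configuration format.
FIREWALL_WAN_IP = "66.153.204.49"
MAIL_SERVER_IP = "66.153.204.137"
LAN_NET = "66.153.204.128/25"                     # the colo's upper half, /25 not /24
SPF_RECORD = "v=spf1 ip4:66.153.204.137 -all"     # constructed record for xyz.com

# Default-style outbound NAT: everything from the LAN net leaves as the WAN address.
AON_RULES = [(LAN_NET, FIREWALL_WAN_IP)]

def egress_source(src_ip, outbound_nat_rules):
    """Source address the receiving MTA sees after outbound NAT.
    Rules are (source_network, translated_ip); first match wins,
    no match means the packet is routed with its address untouched."""
    addr = ipaddress.ip_address(src_ip)
    for net, nat_ip in outbound_nat_rules:
        if addr in ipaddress.ip_network(net):
            return nat_ip
    return src_ip

def spf_check(record, client_ip):
    """Minimal SPF evaluator: ip4:/ip6: mechanisms (optional CIDR) and 'all'.
    Mechanisms needing DNS (a, mx, include) are skipped here."""
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"

def mail_from_result(outbound_nat_rules):
    """Simulate the MAIL FROM check: which IP the remote MTA sees and the SPF verdict."""
    seen_ip = egress_source(MAIL_SERVER_IP, outbound_nat_rules)
    return seen_ip, spf_check(SPF_RECORD, seen_ip)

if __name__ == "__main__":
    for label, rules in (("with AON rule", AON_RULES), ("AON rules deleted", [])):
        ip, verdict = mail_from_result(rules)
        print(f"{label}: remote sees {ip}, SPF {verdict}")
```

The "fail" verdict is what the remote server turned into the 550 quoted earlier in the thread; the same check is why only SPF-enforcing recipients rejected the mail.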

                          @GruensFroeschli:

                          Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                          Oops, missed that. That's what I get for skimming ahead.

                          • bob76535

                            @GruensFroeschli:

                            We have the upper half of the IP range I listed (.128 thru .255). The colo told us to put .49 on the wan side of our firewall and .129 (gateway ip) on the lan side.

                            Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                            In this case you just have to disable NAT on pfSense.
                            --> "Firewall" --> "NAT" --> "Outbound"
                            --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
                            --> delete all rules that are there.

                            You now have a routing only platform with Firewall capabilities.

                            Just make sure that the subnet mask on the LAN side is actually /25 and not /24.

                            Ok, that's what I will do. Can this be done through the remote interface without losing connectivity? The firewall is located in another city and the boss hates having me gone that long. If not, that's fine. They have good cheese steak there.

                            Thanks

                            Bob

                            • GruensFroeschli

                              You shouldn't lose connectivity upon disabling NAT.

                              We do what we must, because we can.

                              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              • bob76535

                                Just wanted to thank everyone for their help. The change to transparent bridge filter fixed the 550 problem. The web GUI doesn't work on the WAN side anymore but I posted that question in a different message.

                                I appreciate your help.

                                Thanks

                                Bob

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.