Netgate Discussion Forum
    Problems with port forwarding to mail server inside LAN

    anduq:

      Hello all,
      I have the following setup:

                                 |---> Computer1...ComputerX
      WAN--->pfSense 1.2.1---LAN |
                                 |---> Mailserver

      I have port-forwarded all needed POP/IMAP/SMTP/HTTP ports from WAN to Mailserver. SMTP only works if I disable reflection, otherwise it cannot relay anything. Below is a screenshot of the port forwarding:
      (not sure if it works... I attached it, also)
      However, if I disable reflection, I cannot access Mailserver from inside the LAN by mail.domain.tld, only by internal IP (from outside the LAN it works like a charm, though). Right now I use, for all workstations, email accounts with the LAN IP calling the mailserver, and for all laptops two e-mail accounts, one with the LAN IP and one with mail.domain.tld for when they connect from outside the LAN. It's ugly and I don't like it; nothing should connect from inside the LAN to the mail server directly.

      How can I address the problem? Any advice, no matter how small, would be greatly appreciated.
      [attachment: pfw.JPG]

      GruensFroeschli:

        What exactly do you mean with: "SMTP only works if I disable reflection" ?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        anduq:

          I mean if I have reflection enabled, when I try to send any mail I get this:

          66.249.91.83 does not like recipient.
          Remote host said: 550 sorry, relaying denied from your location [XXX.XXX.XXX.XXX]
          Giving up.

          I used another mail server as relay; when I did telnet mail.relay.tld 25 my mailserver responded instead. I checked /var/log/qmail/smtp of that server; no incoming "requests" were detected from me. I considered this a sign that ports 25/465 were NAT-reflected back inside. I was right. Disabling reflection made it possible for SMTP to relay anywhere.

          L.E.
          This is the message from the mailer-daemon@mailserver

          Hi. This is the qmail-send program at "domain.tld".
          I'm afraid I wasn't able to deliver your message to the following addresses.
          This is a permanent error; I've given up. Sorry it didn't work out.

          alexandru.vasilescu@gmail.com:
          209.85.129.114 does not like recipient.
          Remote host said: 550 relaying denied alexandru.vasilescu@gmail.com Giving up on 209.85.129.114./alexandru.vasilescu@gmail.com

            GruensFroeschli:

            NAT reflection should only reflect if you try to access your own public IP.
            NOT if you try to access a different remote IP.

            Basically what you see should not happen.
            Do you have any firewall rules in place that block/redirect outbound traffic to your internal server?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              anduq:
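            GruensFroeschli's point above (a reflection rule should only fire for traffic aimed at the firewall's own public IP, never for a different remote IP) can be checked against a small model. The following is an added example for this thread, not code from the thread, from pfSense or from pf; the addresses, rule names and the rule format are all constructed. It compares a redirect rule bound to the WAN IP with one whose destination is "any", which is the kind of rule that would send every outbound SMTP connection to the internal server, and it includes a check that lists such over-broad rules.

```python
"""Toy model of NAT redirect (port-forward / NAT-reflection) matching.

Added illustration for this thread; it is not pfSense's pf code, and every
address, rule name and port below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional

# Constructed addresses (not from the thread).
WAN_IP = ip_address("203.0.113.10")       # firewall's public address
MAILSERVER = ip_address("192.168.1.25")   # internal mail server on LAN
RELAY = ip_address("198.51.100.80")       # external SMTP relay on the Internet


@dataclass(frozen=True)
class RedirectRule:
    """One redirect: traffic to (dst, port) is sent to target instead.

    dst=None models a destination of "any", i.e. a rule that is not tied
    to the firewall's own public IP.
    """
    name: str
    dst: Optional[IPv4Address]
    port: int
    target: IPv4Address

    def matches(self, dst_ip: IPv4Address, dst_port: int) -> bool:
        return dst_port == self.port and (self.dst is None or self.dst == dst_ip)


def translate(rules: List[RedirectRule], dst_ip: IPv4Address,
              dst_port: int) -> IPv4Address:
    """Return where a packet for dst_ip:dst_port actually ends up.

    First matching rule wins, as in an ordered rule set; with no match the
    packet keeps its original destination.
    """
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.target
    return dst_ip


def audit_redirects(rules: List[RedirectRule]) -> List[str]:
    """Names of redirect rules whose destination is "any".

    Such a rule captures traffic to every remote host on that port, not just
    traffic to the firewall's public IP, which reproduces the symptom in the
    thread: outbound SMTP to an external relay landing on the internal server.
    """
    return [r.name for r in rules if r.dst is None]


# What a port forward plus reflection should look like: only traffic aimed
# at the firewall's own public IP is redirected to the mail server.
CORRECT_RULES = [
    RedirectRule("smtp-to-mailserver", WAN_IP, 25, MAILSERVER),
]

# An over-broad rule (destination "any"): every outbound SMTP connection,
# including one to an external relay, is sent to the internal mail server.
BROKEN_RULES = [
    RedirectRule("smtp-any", None, 25, MAILSERVER),
]


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("broken", BROKEN_RULES)):
        print(f"[{label}] LAN host -> {WAN_IP}:25 arrives at "
              f"{translate(rules, WAN_IP, 25)}")
        print(f"[{label}] LAN host -> {RELAY}:25 arrives at "
              f"{translate(rules, RELAY, 25)}")
        print(f"[{label}] rules with destination 'any': {audit_redirects(rules)}")
```

With the correct rule set a LAN host reaching the external relay on port 25 keeps its original destination, while with the "any" rule it is silently handed to the internal mail server, which is exactly what a telnet to the relay answering as the local server would look like. The audit function is the check to run first when reflection appears to redirect traffic it should not touch.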

              LAN Rules

              WAN Rules

              I added the "Allow everything from everywhere" rule on WAN for testing.

              You said:

              @GruensFroeschli:

              NOT if you try to access a different remote IP.

              Mailserver and Computer1...ComputerX are on the same interface; maybe I don't understand your question.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.