Mail servers imap behind pfsense not reachable
-
@daan said in Mail servers imap behind pfsense not reachable:
When I do not specify a port I see loads of traffic, HTTPS traffic
You can also limit the capture to multiple port by entering "143|587|993" for instance to take all IMAP ports.
-
@daan
You can check your real public IP on web services like https://whatismyipaddress.com
The IP you get displayed there must match your pfSense WAN IP, otherwise there is a router in front of pfSense.
-
@viragomann I know, it is the same IP as the pfsense WAN interface IP
-
@johnpoz this is my capture with 143|465|587|993 as ports
-
Do a simple sniff on 143 then..
Then go to can you see me . org and put in 143..
You should see this traffic. Clearly sniffing is working.. But I don't see any traffic for 143.
To be honest, sure looks to be working to me.. Whatever issues you might be having with imap has nothing to do with pfsense. I get a connection to 143, and sure seems to be whatever server you're running behind pfsense.. reports Dovecot (Debian), which is what your Poste.io server uses for imap..
btw I see 993 there in your sniff which would be imap over tls. Maybe your client is just not using 143 when you tested which is why you didn't see on sniff.. Do can you see me . org so you know exactly what port is being sent.
-
@daan said in Mail servers imap behind pfsense not reachable:
this is my capture with 143|465|587|993 as ports
There is obviously a communication on 993. Possibly your client switches automatically to 993 (SSL)?
However, the traffic may be outbound as well. You're the only one who knows the destination IP, we cannot see it.
-
@viragomann said in Mail servers imap behind pfsense not reachable:
There is obviously a communication on 993. Possibly your client switches automatically to 993 (SSL)?
Hummm : 993 was already mentioned above.
Check if the mail server "IMAPS" is listening on port 993 on the IMAP server before you NAT that port (TCP).
-
@johnpoz These are my client settings, the settings worked fine with my previous router.
And yes I am using poste.io
-
@viragomann My public IP reports in inbound as well as outbound traffic on port 993
-
Well, your client is not set to use 143 in that setup. So why would you think you would see traffic on 143?
Not sure what to tell you... pfSense's only job in this is sending the traffic on to where you tell it to send it. Clearly from your sniff that is happening on 993.. So whatever issues you have with imap has nothing to do with pfsense.. It's a dumb doorman in the big picture.. It sees traffic on port X, and sends it on to where you told it to send it.. And then sends the answer back - it has nothing to do with the workings of the conversation.. Nor does it care..
-
@Gertjan Yes I did I uploaded a screenshot of it
-
STARTTLS seems strange when using 993 as there can't be a TLS negotiation - it will be a direct SSL/TLS connection, like your 465 = SMTPS outgoing mail connection.
-
@johnpoz Same story when I use port 143, it does not connect.
Yes I know what pfsense does, but why did it work fine on my previous router and not on my pfsense router?
-
@Gertjan My mail server does TLS over port 993
(POP, HTTP and HTTPS are not forwarded)
-
@daan said in Mail servers imap behind pfsense not reachable:
Same story when I use port 143, it does not connect.
It does connect.. I have connected via 143..
-
Since we cannot see any unencrypted connection attempts, I think it's a legitimate question if there is a valid SSL certificate installed on the IMAP server.
-
@johnpoz What the hell, when I do the same it returns
-
@viragomann Yes there is, I am using Let's encrypt mail certificates.
-
@daan
Let's Encrypt is no surety for validation. Possibly the update job failed.
-
@daan said in Mail servers imap behind pfsense not reachable:
@johnpoz What the hell, when I do the same it returns
Is your client trying to connect from inside your LAN or outside? This could be a NAT reflection issue. Unless you have split DNS set up so that internal clients get routed straight to the mail server's internal IP and not out the WAN, then they can't connect unless you configure that ugly beast, NAT reflection.
That might be why @johnpoz can connect, but you can't. He is outside of your LAN. The standard port forward setup is going to port forward only traffic coming from the Internet into your WAN connection. It won't port forward traffic coming from your LAN side. Your previous router may have automatically configured NAT reflection when you configured a port forward. pfSense does not automatically configure NAT reflection for you.
Your screenshot of the email client shows that you have configured the mail server with its hostname of "mail.xxxx.xxx", so your client will ask DNS for the corresponding IP. Since I'm betting you have your MX record in DNS pointing to your WAN IP, then your internal client will try to connect to the IMAP server using your WAN's external public IP. That's where the NAT reflection would come in. Without it, that traffic does not find your internal mail host. To see if I am correct, instead of the mail server's hostname, put its actual internal IP address in the mail client's setup and see if it works then.
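The checks the thread walks through by hand can be scripted. The following is an added example, not code from the thread or from pfSense or Poste.io: it classifies what a LAN client will do when the mail hostname resolves to a LAN address (split DNS), to the pfSense WAN address (NAT reflection needed, the last post's point), or when the WAN address itself is private (a router in front of pfSense, as viragomann noted); it converts the packet-capture port syntax johnpoz used ("143|465|587|993") into a tcpdump filter; and it opens an implicit-TLS IMAP connection on 993 with full certificate verification, which covers both Gertjan's "is IMAPS listening" check and viragomann's question about the Let's Encrypt certificate. The hostname, WAN IP and interface name in the `__main__` block are placeholders, and the IMAP greeting parsed in the test is constructed.

```python
"""Diagnose an IMAP server behind pfSense that outside clients reach but LAN clients do not.

Added example, not from the forum thread. Hostnames and addresses are placeholders.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Address ranges that live behind pfSense rather than on the Internet (RFC 1918 + IPv6 ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def classify_resolution(resolved_ip: str, wan_ip: str) -> str:
    """Describe what a LAN client does after resolving the mail hostname to resolved_ip.

    wan_ip is the address pfSense shows on its WAN interface.
    """
    if is_lan_address(wan_ip):
        # pfSense itself sits behind another NAT device; a port forward on pfSense alone is not enough.
        return "router-in-front-of-pfsense"
    if is_lan_address(resolved_ip):
        # Split DNS: the LAN client talks to the mail host directly and never touches the port forward.
        return "split-dns"
    if resolved_ip == wan_ip:
        # The LAN client targets the public WAN IP; pfSense only hairpins that when NAT reflection is on.
        return "nat-reflection-required"
    # A public address that is not this WAN: the DNS record points at some other host.
    return "dns-points-elsewhere"


def ports_to_bpf(pfsense_ports: str, proto: str = "tcp") -> str:
    """Turn the pfSense packet-capture port field ("143|465|587|993") into a tcpdump filter."""
    ports = [p.strip() for p in pfsense_ports.split("|") if p.strip()]
    return " or ".join(f"{proto} port {p}" for p in ports)


def parse_imap_banner(banner: str):
    """Split an IMAP greeting into (server said OK, capability list, remaining server text)."""
    ok = banner.startswith("* OK")
    rest = banner[len("* OK"):].strip() if ok else banner
    caps = []
    if rest.startswith("[CAPABILITY"):
        end = rest.index("]")
        caps = rest[len("[CAPABILITY"):end].split()
        rest = rest[end + 1:].strip()
    return ok, caps, rest


@dataclass
class Probe:
    verdict: str
    detail: str


def check_imaps(host: str, port: int = 993, timeout: float = 5.0, server_name: Optional[str] = None) -> Probe:
    """Open an implicit-TLS IMAP connection and verify the certificate the way a mail client does."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname against the system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket on an already-connected socket performs the TLS handshake immediately.
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                ok, caps, text = parse_imap_banner(tls.recv(1024).decode(errors="replace").strip())
                if not ok:
                    return Probe("bad-greeting", text)
                expires = tls.getpeercert().get("notAfter", "?")
                return Probe("ok", f"{text}; caps={caps}; cert notAfter={expires}")
    except ssl.SSLCertVerificationError as e:
        return Probe("cert-invalid", str(e))  # e.g. an expired certificate whose renewal job failed
    except ssl.SSLError as e:
        return Probe("not-tls", str(e))  # plaintext IMAP on this port, or something other than IMAPS
    except OSError as e:
        return Probe("unreachable", str(e))  # refused or timed out: no listener, or no port forward


if __name__ == "__main__":
    MAIL_HOST = "mail.example.com"  # placeholder for the thread's "mail.xxxx.xxx"
    WAN_IP = "203.0.113.5"          # placeholder; take the real value from pfSense Status > Interfaces
    try:
        resolved = socket.gethostbyname(MAIL_HOST)
        print(MAIL_HOST, "->", resolved, ":", classify_resolution(resolved, WAN_IP))
    except OSError as e:
        print("DNS lookup failed:", e)
    print("tcpdump -ni igb0", repr(ports_to_bpf("143|465|587|993")))  # igb0 is a placeholder interface
    print(check_imaps(MAIL_HOST, 993))
```

Run it once from a LAN client and once from outside: a `split-dns` or `nat-reflection-required` verdict with an `ok` probe from outside but `unreachable` from inside is exactly the pattern the last post describes, while `cert-invalid` from both sides points at the certificate rather than at pfSense.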