Netgate Discussion Forum
    Mail servers imap behind pfsense not reachable

Firewalling
62 Posts 8 Posters 9.6k Views
daan @viragomann

      @viragomann My public IP reports in inbound as well as outbound traffic on port 993

johnpoz LAYER 8 Global Moderator

Well, your client is not set to use 143 in that setup. So why would you think you would see traffic on 143?

Not sure what to tell you... pfSense's only job in this is sending the traffic on to where you tell it to send it. Clearly from your sniff that is happening on 993.. So whatever issues you have with imap have nothing to do with pfsense.. It's a dumb doorman in the big picture.. It sees traffic on port X, and sends it on to where you told it to send it.. And then sends the answer back - it has nothing to do with the workings of the conversation.. Nor does it care..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

daan @Gertjan

@Gertjan Yes I did, I uploaded a screenshot of it
[screenshot]

Gertjan

[screenshot: 1e7b2090-74e1-4446-8e3b-ca3df2f86c2b-image.png]

            STARTTLS seems strange when using 993 as there can't be a TLS negotiation - it will be a direct SSL/TLS connection, like your 465 = SMTPS outgoing mail connection.

            No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

daan @johnpoz

              @johnpoz Same story when I use port 143, it does not connect.
              Yes I know what pfsense does, but why did it work fine on my previous router and not on my pfsense router?

daan @Gertjan

                @Gertjan My mail server does TLS over port 993
[screenshot: df9c81dd-cd73-48c9-928b-5ae0cd9c6053-image.png]
                (POP, HTTP and HTTPS are not forwarded)

johnpoz LAYER 8 Global Moderator

                  @daan said in Mail servers imap behind pfsense not reachable:

                  Same story when I use port 143, it does not connect.

                  It does connect.. I have connected via 143..

[screenshot: connect.png]

viragomann

Since we cannot see any unencrypted connection attempts, I think it's a legitimate question whether there is a valid SSL certificate installed on the IMAP server.

daan @johnpoz

                      @johnpoz Wattt the hell, when I do the same it returns
[screenshot: 29d7ebdc-0255-441d-a993-44ac60e67925-image.png]

daan @viragomann

                        @viragomann Yes there is, I am using Let's encrypt mail certificates.

viragomann @daan

                          @daan
                          Let's Encrypt is no surety for validation. Possibly the update job failed.

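Gertjan's point that 993 is a direct TLS connection (no STARTTLS) and viragomann's question about whether the certificate actually validates can both be checked from a client with a small probe. The script below is an added example, not code from the thread or from pfSense: it picks the negotiation mode from the port, verifies the chain, expiry and hostname with the system trust store, and translates the usual failures into the check an admin should make. The host and port are command-line placeholders; the default hostname is not a real server.

```python
"""Probe an IMAP endpoint: port 993 is implicit TLS (the client must not send
STARTTLS), port 143 is plaintext with a STARTTLS upgrade, and in both cases
the server certificate has to validate.

Added example, not part of the forum thread or of pfSense. Host and port are
taken from the command line; "mail.example.invalid" is a placeholder.
"""
import imaplib
import ssl
import sys

# Conventional IMAP ports and how TLS is negotiated on each (RFC 8314).
IMAP_MODES = {993: "implicit-tls", 143: "starttls"}


def imap_mode_for_port(port: int) -> str:
    """Return 'implicit-tls' (993), 'starttls' (143) or 'unknown'."""
    return IMAP_MODES.get(port, "unknown")


def describe_tls_error(exc: BaseException) -> str:
    """Map the usual certificate/TLS failures to the check an admin should make."""
    text = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "expired" in text:
            return "certificate expired: check the Let's Encrypt renewal job"
        if "hostname" in text or "match" in text:
            return "certificate does not cover the hostname you connect to"
        if "self" in text or "local issuer" in text:
            return "certificate chain not trusted: self-signed or missing intermediate"
        return "certificate verification failed: " + str(exc)
    if isinstance(exc, ssl.SSLError):
        # Typical when STARTTLS is sent to 993 or TLS is attempted on a plaintext port.
        return "TLS handshake failed, wrong port/mode combination? " + str(exc)
    return "connection failed: " + str(exc)


def check_imap(host: str, port: int, timeout: float = 10.0) -> dict:
    """Connect, negotiate TLS in the mode the port implies, verify the
    certificate and fetch CAPABILITY. Returns a dict and never raises."""
    mode = imap_mode_for_port(port)
    result = {"host": host, "port": port, "mode": mode, "ok": False, "detail": ""}
    if mode == "unknown":
        result["detail"] = "not a conventional IMAP port; nothing attempted"
        return result
    ctx = ssl.create_default_context()  # verifies chain, expiry and hostname
    try:
        if mode == "implicit-tls":
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        else:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
        typ, data = conn.capability()
        result["ok"] = typ == "OK"
        result["detail"] = "CAPABILITY: " + data[0].decode("ascii", "replace")
        conn.logout()
    except imaplib.IMAP4.error as exc:
        result["detail"] = "IMAP protocol error: " + str(exc)
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        result["detail"] = describe_tls_error(exc)
    return result


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    print(check_imap(target_host, target_port))
```

Run it from a host outside the LAN as `python3 probe.py mail.example.invalid 993` (substituting your own hostname); a "TLS handshake failed" result on 993 with a working 143 usually means the client side is trying STARTTLS on the implicit-TLS port, and an "expired" result points at the renewal job rather than at the firewall.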
bmeeks @daan

                            @daan said in Mail servers imap behind pfsense not reachable:

                            @johnpoz Wattt the hell, when I do the same it returns
[screenshot: 29d7ebdc-0255-441d-a993-44ac60e67925-image.png]

                            Is your client trying to connect from inside your LAN or outside? This could be a NAT reflection issue. Unless you have split DNS set up so that internal clients get routed straight to the mail server's internal IP and not out the WAN, then they can't connect unless you configure that ugly beast, NAT reflection.

                            That might be why @johnpoz can connect, but you can't. He is outside of your LAN. The standard port forward setup is going to port forward only traffic coming from the Internet into your WAN connection. It won't port forward traffic coming from your LAN side. Your previous router may have automatically configured NAT reflection when you configured a port forward. pfSense does not automatically configure NAT reflection for you.

Your screenshot of the email client shows that you have configured the mail server with its hostname of "mail.xxxx.xxx", so your client will ask DNS for the corresponding IP. Since I'm betting you have your MX record in DNS pointing to your WAN IP, then your internal client will try to connect to the IMAP server using your WAN's external public IP. That's where the NAT reflection would come in. Without it, that traffic does not find your internal mail host. To see if I am correct, instead of the mail server's hostname, put its actual internal IP address in the mail client's setup and see if it works then.

johnpoz LAYER 8 Global Moderator

                              ^exactly.

                              To be honest this comes up pretty much every single day.. Which is why I suggested can you see me . org... You have to validate traffic is getting to you from the public internet.

If you're sitting on some box on your local network, and hitting your wan IP.. It's only going to work if you have nat reflection set up, and that is actually working. depending on the protocol, and how you set it up, or where your client is exactly compared to you, same vlan or different..

And it's just plain an abomination to all things holy about networking in the first place.

Maybe your setup worked how you were testing it before with your old router because it was doing nat reflection. Which pfsense doesn't do without you actually setting it up.

If it was up to me - the whole nat reflection nonsense wouldn't even be an option.. Because it's a hack, always has been a hack.. And really should never be used on any sort of real network.. It's fine for billy the user and his soho router that doesn't understand dns, doesn't really understand IPs anyway... And thinks he should just be able to put in his ddns address into his browser and hit xyz that is running on his own freaking box, or the Raspberry Pi he clicked go on for some service.

But if you're to the point where you're running something like pfsense, and working with email servers and the like.. Time to leave the hacky lets make it work for billy bob the user because he doesn't know how to actually set up a real network anyway toys away.

daan @bmeeks

@bmeeks Thanks for the explanation. When I use my IP as IMAP and SMTP it can't connect either.

johnpoz LAYER 8 Global Moderator

                                  @daan said in Mail servers imap behind pfsense not reachable:

                                  When I use my IP as IMAP and SMTP it can't connect either.

What IP?? Again you need to be OUTSIDE YOUR NETWORK!! If you're going to do it from inside, you need to set up nat reflection. Or just use your internal IP.

                                  I can connect to your IP just fine from outside..

                                  Just tested again, and pops right in...

daan

Yes I understand, chill bro. I got it working. I did not know that I had to set up NAT reflection; like I said earlier, I am new to pfsense.
                                    Thanks for the help and detailed explanations, have a good day!

johnpoz LAYER 8 Global Moderator

                                      Then what was the point of this

                                      When I use my IP as IMAP and SMTP it can't connect either.

                                      If you have it working?

PhxAzCraig @daan

                                        @daan said in Mail servers imap behind pfsense not reachable:

                                        @johnpoz this is my capture with 143|465|587|993 as ports
[screenshot: Screenshot 2020-09-25 1449523.png]

                                        It looks to me like you are closer than you think - you're simply using all encrypted ports. I see traffic on port 993, which is imap over SSL. I also see port 465, which is SMTP over SSL.

                                        Furthermore, the traffic is actually flowing in both directions. You can see port 993 going from left to right in the first line, and you can see the reply coming back on the second line. The conversation is taking place with ports 993 and 7256. (Original connection on port 993 with reply requested on 7256). Later down you see the same thing happening with port 465.

                                        It looks like everything is working. I'm wondering why you don't see IMAP mail in your mail client, because the connection is there.

                                        Incidentally, the way I would test something like this is to put a laptop directly on the WAN side of the firewall - you can use it in place of your cable modem and use the same IP address on the laptop as the gateway. Or plug it in in parallel with the internet but give yourself a public IP in the same subnet as the WAN IP address. Then test to the pfSense IP while running wireshark to see if your mail client is even sending port 143.

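PhxAzCraig reads the capture by pairing the request direction with the reply direction (993 going out, the answer coming back to 7256), which is also johnpoz's point that pfSense only forwards packets. The script below automates that reading. It is an added example, not code from the thread or from pfSense: it parses tcpdump-style lines such as the ones pfSense's Packet Capture page prints, groups them into client/server conversations on mail ports, and flags conversations that only ever go one way. The capture text is constructed for illustration (documentation address ranges; the client port 7256 is taken from the thread), and only IPv4 TCP lines are parsed.

```python
"""Read a tcpdump-style capture and report, per TCP conversation to a mail
port, whether packets flow in both directions and which service / TLS mode
the server port implies.

Added example, not code from the forum thread or from pfSense. The capture
below is constructed; only IPv4 lines carrying TCP flags are parsed.
"""
import re

# Server port -> (service, how TLS is negotiated on that port)
MAIL_PORTS = {
    993: ("IMAPS", "implicit TLS"),
    143: ("IMAP", "plaintext, STARTTLS upgrade"),
    465: ("SMTPS", "implicit TLS"),
    587: ("submission", "plaintext, STARTTLS upgrade"),
    25: ("SMTP", "plaintext, STARTTLS upgrade"),
}

# "14:49:52.100 IP 203.0.113.45.7256 > 198.51.100.10.993: Flags [S], seq ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample: a completed IMAPS session, a completed SMTPS handshake,
# and two unanswered SYNs to 143 (the one-directional case).
SAMPLE_CAPTURE = """\
14:49:52.100 IP 203.0.113.45.7256 > 198.51.100.10.993: Flags [S], seq 1000, win 64240, length 0
14:49:52.101 IP 198.51.100.10.993 > 203.0.113.45.7256: Flags [S.], seq 5000, ack 1001, win 65535, length 0
14:49:52.102 IP 203.0.113.45.7256 > 198.51.100.10.993: Flags [.], ack 1, win 502, length 0
14:49:52.110 IP 203.0.113.45.7256 > 198.51.100.10.993: Flags [P.], seq 1:518, ack 1, win 502, length 517
14:49:52.115 IP 198.51.100.10.993 > 203.0.113.45.7256: Flags [P.], seq 1:1401, ack 518, win 256, length 1400
14:49:53.200 IP 203.0.113.45.7301 > 198.51.100.10.465: Flags [S], seq 2000, win 64240, length 0
14:49:53.201 IP 198.51.100.10.465 > 203.0.113.45.7301: Flags [S.], seq 6000, ack 2001, win 65535, length 0
14:49:54.300 IP 203.0.113.45.7350 > 198.51.100.10.143: Flags [S], seq 3000, win 64240, length 0
14:49:55.300 IP 203.0.113.45.7350 > 198.51.100.10.143: Flags [S], seq 3000, win 64240, length 0
"""


def summarize(capture_text: str) -> list:
    """Group packets into client<->server conversations keyed on the mail port
    and return one dict per conversation, in order of first appearance."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparsable line
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport in MAIL_PORTS:  # client -> server
            key, to_server = (m["sip"], sport, m["dip"], dport), True
        elif sport in MAIL_PORTS:  # server -> client (the reply direction)
            key, to_server = (m["dip"], dport, m["sip"], sport), False
        else:
            continue  # not mail traffic
        f = flows.setdefault(key, {"to_server": 0, "to_client": 0, "syn": False, "synack": False})
        flags = m["flags"]
        if to_server:
            f["to_server"] += 1
            f["syn"] |= "S" in flags
        else:
            f["to_client"] += 1
            f["synack"] |= ("S" in flags and "." in flags)
    report = []
    for (cip, cport, sip, sport), f in flows.items():
        service, tls = MAIL_PORTS[sport]
        if f["synack"]:
            verdict = "reply seen: the forward works; look at TLS/certificate or auth on the mail host"
        elif f["syn"]:
            verdict = ("SYN without SYN-ACK: rule or host not answering, or a LAN client "
                       "hitting the WAN IP without NAT reflection / split DNS")
        else:
            verdict = "only server->client packets captured"
        report.append({
            "client": f"{cip}:{cport}", "server": f"{sip}:{sport}", "server_port": sport,
            "service": service, "tls": tls,
            "to_server": f["to_server"], "to_client": f["to_client"],
            "bidirectional": f["to_server"] > 0 and f["to_client"] > 0,
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_CAPTURE):
        print(f"{row['client']} -> {row['server']} {row['service']} ({row['tls']}): "
              f"{row['to_server']} out / {row['to_client']} back; {row['verdict']}")
```

Feed it the text of a WAN-side capture filtered on the mail ports; a conversation that shows packets both ways proves the forward rule is doing its job, and the remaining problem is on the mail host or in the client's TLS settings, not in pfSense.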
daan @johnpoz

@johnpoz To answer @bmeeks' question

daan @PhxAzCraig

@PhxAzCraig It is working now, I had to set up NAT reflection. Thanks!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.