Cannot send but receive email



  • Hello guys.
    I got a "new" problema about pfsense and mail sending.

    My setup is: WAN (valid IP) > Pfsense > LAN

    I have squid and squidguard packages installed, blocking and allowing website normaly by active proxy.

    My top rule (the first one) is:

    ALLOW from LAN net - anyport > LAN Address > 3128

    I've already allowed port 587 and 25, as just as the Mail Network (another rules, right below the fist I metioned)

    The problem is that I can't send any mail. I got a timeout from mail server. And the strangest thing is that sometimes it works, 30min later, it stops to work.

    At SystemLogs > Firewall, I got some blocking logs, from a random local IP to SMTP Server TCP:A or TCP:FA
    No blocking log from squidguard

    Could you guys help me?

    Regards



  • Why on Earth are you routing your outbound email through squid???  It's a web proxy, not a mail relay.  You make your users go through the proxy for web access but your servers should have direct access, or at least they should only use the proxy for WWW access.



  • So your mail relay host is presumably on the WAN side and you're trying to connect to it from the LAN? You're allowing port 25 and 587 out. So when you lose connectivity to the mail server, can you still ping it? Is the mail relay being hosted for you or are you running it yourself? Can you get onto the mail server and check that the SMTP service is still running when the service drops?

    As KOM says, the Squid part is immaterial. It has nothing to do with email, unless you're trying to use the proxy itself to act as a mail proxy - in which case, I think it's obvious what the problem is from the outset.



  • Thanks the reply.

    I've posted the rule wrong, that's the current one

    ALLOW from LAN net - anyport > LAN Address > *

    I can't understand why some users can't send e-mail while others send it normally. At my system log > firewall I just see some TCP:R being block, but, as I checked it's a normal behavior.

    Any suggestion?

    Regards



  • Your firewall does not care about users.  if one user can send mail through the same mechanism as all the others, then all the others should work as well.  For example, if they're all on the same network segment and talking to the same mail server then it should work the same for everyone.  pfSense by default does not block anything outgoing.  Also, based on what you've said before I suspect your firewall rules are probably a mess.  Post a screenshot of your LAN rules and we can take a look.



  • I've found a pattern…if I try to send an email with more than 1mb it won't be sent.

    If I change the gw to another link (out of pfsense) it work.

    Any suggestion?

    @KOM:

    Your firewall does not care about users.  if one user can send mail through the same mechanism as all the others, then all the others should work as well.  For example, if they're all on the same network segment and talking to the same mail server then it should work the same for everyone.  pfSense by default does not block anything outgoing.  Also, based on what you've said before I suspect your firewall rules are probably a mess.  Post a screenshot of your LAN rules and we can take a look.

    as you asked…

    LAN NET * > LAN ADD *
    LAN NET * > ALLOWED NETWORKS
    IP_FULL_ACCESS * > * *
    LAN NET * > ALLOWED_PORTS

    Regards



  • That's very difficult to read.  I was expecting something more like:



  • LAYER 8 Global Moderator

    pfsense gives 2 shits how big or how long a session is open as long as there are packets moving the session would remain open forever.  That is how tcp works, now if your sending through some proxy it might have an issue with size of data trying to be moved.

    So when you change your gateway to something other than pfsenes is it going through the same proxy?

    So are trying to go through the proxy for these connections or not?  I am with KOM ascii art while can be kewl and all is not the best way to show the pfsense firewall rules.  Either dump the rules directly from https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    Or post up a screenshot of the pfsense web gui as KOM did for example.


Log in to reply