Outgoing port 25 block workaround help request…



  • I've got a number of systems on the LAN that can report various things via email, however all use SMTP (and thus port 25) by default.  Of course, my ISP blocks outgoing port 25 (home environment).

    What I'd like to do is use pfSense to redirect anything going out on port 25 to some other port – say 1025.

    At the destination, I would then redirect anything received at 1025 back to port 25.

    I know how to do this with Linux and iptables (what I have at the destination), but am not sure how to accomplish this with pfSense.

    Any gurus out there that can help?  It can be a blanket rule affecting all outgoing port 25 traffic.

    This is what I tried, but it didn't work:
    Firewall, NAT, Outbound.  Changed to "Hybrid."

    Added the following rule:
    Interface WAN
    Protocol TCP
    Source: Network - (entered in my lan network here / 24)
    Destination: Any, Port 25

    Translation:
    Address: Interface Address
    Port: 1025


  • Rebel Alliance Global Moderator

    So all of these systems are just trying to talk to your mail server, but only support SMTP on port 25?

    Where is your mail server?  Outside your ISP network, I take it ;)  So, a couple of things: you could run a local SMTP server and have it forward this mail to your email server outside your ISP network via some other port; typical would be 465 or 587, which are both open normally since they are not used to send unsolicited email to SMTP on a global scale.

    You could create a VPN tunnel to where this SMTP server sits on pfSense and route traffic that way.

    Personally, if you have lots of systems locally that you want to be able to send email from and they only send to 25... they probably need to be updated ;)  But running a smart host locally would be your best bet, and then have it forward on to your public email server.

    Why can you not just send to your ISP's email server, and have it forward to your other email server?

    I take it you're talking about a server you control, since you can not just change the port to 1025 if you're sending email to domains that are not yours, etc.


  • Netgate

    Yeah, you want to do a port forward on the LAN interface. I think you want something like this:

    Interface: LAN
    Protocol: TCP
    Source: Source addresses you want affected
    Source port: any
    Destination: any (This could also be the mail server IP address to further limit scope)
    Destination Port: 25
    Redirect Target IP: leave blank (you don't want to translate this. It is the destination mail server)
    Redirect Port: 1025
    Filter rule association: None (unless LAN is locked down and you need it for the traffic to pass)

    Then on the other side just do a normal WAN port forward translating outside:1025 to inside:25

    Or use a VPN.



  • @johnpoz:

    So all of these systems are just trying to talk to your mail server, but only support SMTP on port 25?

    Where is your mail server?  Outside your ISP network, I take it ;)  So, a couple of things: you could run a local SMTP server and have it forward this mail to your email server outside your ISP network via some other port; typical would be 465 or 587, which are both open normally since they are not used to send unsolicited email to SMTP on a global scale.

    Yes.  For instance I'm running SecurityOnion.  That alone has about 4 different processes, each with their own SMTP reporting mechanisms.  pfSense also has email reporting abilities via that mailreport package add-on.  Most of these are limited to "destination email" for a setting.  :(

    My first thought was to do what you suggest – get pfSense to receive and redirect, however there doesn't seem to be a mail server package, and when I searched for this ability, saw some fairly hostile "that's a no-no" responses here: (https://forum.pfsense.org/index.php?topic=34838.0)

    @johnpoz:

    You could create a VPN tunnel to where this SMTP server sits on pfSense and route traffic that way.

    Personally, if you have lots of systems locally that you want to be able to send email from and they only send to 25... they probably need to be updated ;)  But running a smart host locally would be your best bet, and then have it forward on to your public email server.

    Why can you not just send to your ISP's email server, and have it forward to your other email server?

    I could do the VPN tunnel thing, but was hoping for a simpler solution.  The only email that would be outgoing on port 25 is stuff I want to go to my email server.

    Privacy reasons for not using the ISP's email server, that plus it's just something else that can break.

    @johnpoz:

    I take it you're talking about a server you control, since you can not just change the port to 1025 if you're sending email to domains that are not yours, etc.

    Correct.  I have a server that does normal internet stuff like web/email, etc, but is hosted elsewhere.  I have complete control over this server and the traffic it receives.

    So I guess there is no simple port redirect solution for outgoing traffic from pfSense?



  • @Derelict:

    Yeah, you want to do a port forward on the LAN interface. I think you want something like this:

    Interface: LAN
    Protocol: TCP
    Source: Source addresses you want affected
    Source port: any
    Destination: any (This could also be the mail server IP address to further limit scope)
    Destination Port: 25
    Redirect Target IP: leave blank (you don't want to translate this. It is the destination mail server)
    Redirect Port: 1025
    Filter rule association: None (unless LAN is locked down and you need it for the traffic to pass)

    Then on the other side just do a normal WAN port forward translating outside:1025 to inside:25

    Or use a VPN.

    To be clear, I should be in Firewall -> NAT -> Outbound for this?

    The GUI has a "Translation" area instead of redirect.  There has to be something entered here – the default is "Interface Address", which I had thought in this case would be the pfSense's internal IP address. This seems counterintuitive, and was why I originally tried this on the WAN port instead.

    I'll give it a try and see what happens.  :)


  • Netgate

    No, Firewall > NAT, Port Forward.



  • @Derelict:

    No, Firewall > NAT, Port Forward.

    Perfect, that worked.  The only thing I had to change from your instructions was to put in a Redirect Target IP address. The web GUI wouldn't let me leave it blank.


  • Netgate

    Hmm. I didn't think one was required if you were only translating the port. Could swear I have done that before. Maybe I did the same address in the destination IP and redirect target IP. That must be it.

    If it made you set one there I would set both so it only matches that specific address.

    Glad it worked.
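    The two-hop rewrite this thread arrives at (Derelict's LAN port forward above, dst port 25 -> 1025 with the destination address left alone, then a REDIRECT on the Linux mail host from 1025 back to 25), modelled as an added example. This is not code from the thread, from pfSense or from the OP's iptables setup; the LAN network, the mail server address, the "other" SMTP host and port 1025 are all assumptions (RFC 5737 documentation ranges). It also shows the point Derelict makes about setting both Destination and Redirect Target IP to the same address: an unscoped rule rewrites port 25 traffic to every host, which is exactly the "can't change the port for domains that are not yours" problem johnpoz raised.

```python
"""Added example: models the pfSense LAN port forward plus the iptables
REDIRECT on the remote Linux mail host, and checks rule scope.  Not from the
thread; every address/port below is an assumption for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN_NET = "192.168.1.0/24"     # assumed LAN behind pfSense
MAIL_SERVER = "203.0.113.5"    # assumed remote mail server the OP controls
OTHER_SMTP = "198.51.100.7"    # assumed third-party SMTP host (not ours)
ALT_PORT = 1025                # assumed port the ISP does not block


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Destination-NAT rule: match source network, optional destination host
    and destination port; rewrite the port and optionally the address."""
    name: str
    src_net: str
    dport: int
    to_port: int
    dst_host: Optional[str] = None   # None == "any" destination
    to_host: Optional[str] = None    # None == keep the packet's own destination

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        return p.dport == self.dport

    def apply(self, p: Packet) -> Packet:
        if not self.matches(p):
            return p
        return replace(p, dst=self.to_host or p.dst, dport=self.to_port)


def walk(p: Packet, rules: List[DnatRule]) -> List[Packet]:
    """Run a packet through the rules in order; return every intermediate state."""
    states = [p]
    for r in rules:
        p = r.apply(p)
        states.append(p)
    return states


def pfsense_lan_forward(scoped: bool) -> DnatRule:
    """Hop 1, the Firewall > NAT > Port Forward rule on LAN.  scoped=True puts
    the mail server in both Destination and Redirect Target IP, as the GUI
    required; scoped=False is the 'Destination: any' variant."""
    host = MAIL_SERVER if scoped else None
    return DnatRule("pfsense-lan-rdr", LAN_NET, 25, ALT_PORT,
                    dst_host=host, to_host=host)


def destination_redirect() -> DnatRule:
    """Hop 2, on the mail host: anything arriving on 1025 goes to local 25."""
    return DnatRule("mailhost-redirect", "0.0.0.0/0", ALT_PORT, 25)


def iptables_commands() -> List[str]:
    """iptables lines for hop 2.  nat/PREROUTING runs before filter/INPUT, so
    a default-deny INPUT chain must accept the rewritten port 25, not 1025."""
    return [
        f"iptables -t nat -A PREROUTING -p tcp --dport {ALT_PORT} "
        f"-j REDIRECT --to-ports 25",
        "iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    client = Packet("192.168.1.10", 54321, MAIL_SERVER, 25)
    for st in walk(client, [pfsense_lan_forward(True), destination_redirect()]):
        print(st)
    stray = Packet("192.168.1.10", 54322, OTHER_SMTP, 25)
    print("scoped rule leaves other SMTP hosts alone:",
          pfsense_lan_forward(True).apply(stray) == stray)
    print("unscoped rule would send them to port",
          pfsense_lan_forward(False).apply(stray).dport)
    print("\n".join(iptables_commands()))
```

To confirm the real rule pfSense generated, `pfctl -sn` on the firewall lists the active NAT (rdr) rules; on the Linux side `iptables -t nat -L PREROUTING -n` shows the REDIRECT. Note that the rewrite is transparent to the mail clients, so the SMTP session crosses the ISP network exactly as it left the LAN; unless the clients negotiate STARTTLS it is cleartext, which is one reason the 587/465 smart-host route johnpoz suggests is the more conventional fix.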


  • Rebel Alliance Global Moderator

    Who said anything about running it on pfsense?  Sounds like you have plenty of resources to run a simple mail relay..  While your method works, not how I would do it.

    Glad you got it sorted.



  • @johnpoz:

    Who said anything about running it on pfsense?  Sounds like you have plenty of resources to run a simple mail relay..  While your method works, not how I would do it.

    Glad you got it sorted.

    Setting up a completely different server (virtual or otherwise) just to get past a port 25 block for some very specific traffic would be hugely wasteful, time consuming to maintain, and far more complex than necessary.

    That versus a one line rule in a firewall that already exists.

    To each their own.


  • Rebel Alliance Global Moderator

    And this SO box, can it not run a simple email relay?  Now it's just sending its email to localhost to have it forwarded on.

    https://github.com/Security-Onion-Solutions/security-onion/wiki/Email