Netgate Discussion Forum

    Just installed pfsense firewall. Getting mail error…

    Firewalling
    16 Posts 6 Posters 6.3k Views
      bob76535

      I have a mail server (and other servers) that sits behind our new pfSense firewall. We put the firewall in so we can block IPs from connecting to our servers, especially the mail server. The firewall has a single WAN with its own IP, a single LAN with its own IP (the gateway IP that all the servers are pointed at), and the mail server (IMail 10) has 2 IPs (one dedicated for a customer and one that ours and all our virtual domains use). All the IPs are within the same subnet, if that matters. This is the first firewall I have set up on this scale and I am a noob to all this, so please be gentle.

      When someone sends an e-mail from our domain to an outside domain we get this error:
      -----Original Message-----
      From: postmaster@mail.xyz.com [mailto:postmaster@mail.xyz.com]
      Sent: Saturday, August 30, 2008 3:00 PM
      To: boss@xyz.com
      Subject: Undeliverable Mail

      undeliverable to recipient@1234.com

      Server response to MAIL FROM:

      550 domain of boss@xyz.com does not designate 66.153.204.49 as permitted sender

      The IP shown is the WAN IP. The mail server IP is the same but ends in .137 (or .153 for the other customer).

      What do I need to do to fix this?

      I have searched the forums and did not find anyone who talked about this problem.

      Thanks

      Bob

        blak111

        This looks like the server that you are using to relay your email doesn't allow that message to be delivered from your mail server. If it were a firewall issue, I believe that the mail would not even leave your mail server and you would be getting an error from your own server.

          nocer

          Hi,

          You would probably need to check your cf or his cf and/or look at the SPF record carefully,
          and also check that your addresses/domains are not listed on any RBL sites.

          If it used to work and has now stopped, then there must have been changes.

          cheers,

            GruensFroeschli

            @bob76535:

            I have a mail server (and other servers) that sits behind our new pfsense firewall. We put the firewall in so we can block ips from connecting to our servers, especially the mail server. The firewall has a single wan with its own ip, single lan with its own ip (the gateway IP that all the servers are pointed at) and the mail server (imail 10) has 2 ips (one dedicated for a customer and on that ours and all our virtual domains use). All the ips are within the same subnet if that matters. This is the first firewall I have set up in this scale and I am a noob to all this so please be gentle.

            I'm a bit worried about your statement: "All the ips are within the same subnet if that matters."
            Did you set up a transparent firewall?
            If not: you cannot have the WAN and the LAN in the same subnet.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              dotdash

              You need to provide details of your configuration. The error sounds like what happens when you run NAT with port forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case you would not be pointing the gateway at the firewall…

                Cry Havok

                @bob76535:

                When someone sends an e-mail from our domain to an outside domain we get this error:
                 -----Original Message-----
                From: postmaster@mail.xyz.com [mailto:postmaster@mail.xyz.com]
                Sent: Saturday, August 30, 2008 3:00 PM
                To: boss@xyz.com
                Subject: Undeliverable Mail

                undeliverable to recipient@1234.com

                Server response to MAIL FROM:

                 550 domain of boss@xyz.com does not designate 66.153.204.49 as permitted sender

                 That looks like an SPF error. Check whether the domain xyz.com has an SPF record (see http://www.openspf.org/).

                  bob76535

                  I'm a bit worried about your statement: "All the ips are within the same subnet if that matters."
                  Did you set up a transparent firewall?
                  If not: you cannot have the WAN and the LAN in the same subnet.

                  I'm not familiar with the term "transparent firewall", please explain.

                  We get a "connection" from our colocation provider. We have the upper half of the IP range I listed (.128 through .255). The colo told us to put .49 on the WAN side of our firewall and .129 (gateway IP) on the LAN side. There is no DHCP on the LAN side (if that matters) and all the machines have multiple static IPs on them. All are from that same subnet. The co-lo uses the lower half of the subnet for their stuff.

                  I did find out that this is only happening when sending to that particular domain. It is not happening when sending anywhere else (that we are aware of). Apparently their mail setup sees the sending mail server as .49 instead of the actual mail server IP .137. It fails the message since the sending IP does not match the SPF. The correct mail server IP is .137 and the SPF is correct for the sending domain. Why would they be seeing the firewall IP?

                  Thanks for your help. I really appreciate it.

                  Bob

                    bob76535

                    @dotdash:

                    You need to provide details of your configuration. The error sounds like what happens when you run NAT with port forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case you would not be pointing the gateway at the firewall…

                    I didn't touch the NAT and there is no port forwarding set up. Yes, they all have public IPs on them. Not pointing the gateway at the firewall? I'm not following you here.

                    Thanks

                    Bob

                      bob76535

                      That looks like an SPF error. Check whether the domain xyz.com has an SPF record (see http://www.openspf.org/).

                      Yes it does and I verified it to be correct. It has not been touched and was correct before the firewall was installed.

                      Thanks

                      Bob

                        bob76535

                        I just read the PDF on having a transparent firewall. We do not have it set up that way. Should we?

                        The purpose of the pfSense box was to be able to block all traffic on ports we are not using and to block unwanted external IPs from connecting to all our servers. We do not need any other functions from the pfSense box.

                        What should I do here?

                        Thanks for your support.

                        Bob

                          dotdash

                          I'm assuming you read this document: http://pfsense.trendchiller.com/transparent_firewall.pdf
                          Yes, if you have all public IPs in the same subnet, the firewall should be a bridge, not a router. You should not be NATing, and the machines should have the upstream router as the gateway, not the firewall.

                            GruensFroeschli

                            We have the upper half of the IP range I listed (.128 thru .255). The colo told us to put .49 on the wan side of our firewall and .129 (gateway ip) on the lan side.

                            Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                            In this case you just have to disable NAT on pfSense.
                            --> "Firewall" --> "NAT" --> "Outbound"
                            --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
                            --> delete all rules that are there.

                            You now have a routing-only platform with firewall capabilities.

                            Just make sure that the subnet mask on the LAN side is actually /25 and not /24.

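What Cry Havok's SPF pointer and GruensFroeschli's NAT-removal steps describe, as an added example that is not part of this thread and not pfSense's own code: a small Python model of the packet path (a first-match outbound NAT table in front of the mail server), an offline SPF check of the source address the remote MTA sees, and the /25-versus-/24 mask check from the last line of the reply above. The addresses are the ones quoted in the thread; the SPF record, the rule representation, and every function name are assumptions made for illustration.

```python
"""Added example (not from the thread or pfSense): model the NAT-vs-SPF problem.

Addresses are the ones quoted in the thread; the SPF record, the rule model
and every function name here are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass

WAN_IP = "66.153.204.49"            # address the colo put on the WAN side
LAN_NET = "66.153.204.128/25"       # upper half of the block, routed to WAN_IP
MAIL_SERVER = "66.153.204.137"      # the mail server's own public address
# Constructed SPF record: designates only the two mail-server addresses.
SPF_RECORD = "v=spf1 ip4:66.153.204.137 ip4:66.153.204.153 -all"


def spf_check(record: str, client_ip: str) -> str:
    """Offline SPF evaluation: ip4/ip6/all mechanisms only, first match wins.

    Returns 'pass', 'fail', 'softfail' or 'neutral'. Mechanisms that need DNS
    (a, mx, include, ...) are skipped, which is an assumption of this model.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    outcomes = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in outcomes:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return outcomes[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return outcomes[qualifier]
    return "neutral"  # nothing matched and no 'all' term


@dataclass(frozen=True)
class OutboundNatRule:
    """One outbound NAT entry: traffic from `source` leaving `interface`
    is rewritten to `translate_to` (simplified model of pfSense's table)."""
    interface: str
    source: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address


def outbound_source(src_ip: str, egress_if: str, rules) -> str:
    """Source address a packet carries after outbound NAT; first match wins,
    no match means the packet is routed with its original source."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_if and src in rule.source:
            return str(rule.translate_to)
    return str(src)


# pfSense's automatic outbound NAT: everything from LAN leaves as the WAN address.
AUTO_NAT = [OutboundNatRule("wan", ipaddress.ip_network(LAN_NET),
                            ipaddress.ip_address(WAN_IP))]
# Manual (AON) outbound NAT with every rule deleted: routing only.
NO_NAT = []


def delivery_result(nat_rules):
    """(address the remote MTA sees, its SPF verdict) for mail from MAIL_SERVER."""
    seen_by_remote = outbound_source(MAIL_SERVER, "wan", nat_rules)
    return seen_by_remote, spf_check(SPF_RECORD, seen_by_remote)


def lan_mask_overlaps_wan(lan_gateway_with_prefix: str, wan_ip: str) -> bool:
    """True when the LAN network as configured would contain the WAN address,
    i.e. the /24-instead-of-/25 mistake the reply warns about."""
    lan_net = ipaddress.ip_network(lan_gateway_with_prefix, strict=False)
    return ipaddress.ip_address(wan_ip) in lan_net


if __name__ == "__main__":
    print("with automatic outbound NAT:", delivery_result(AUTO_NAT))
    print("with outbound NAT removed: ", delivery_result(NO_NAT))
    print("LAN /25 overlaps WAN?", lan_mask_overlaps_wan("66.153.204.129/25", WAN_IP))
    print("LAN /24 overlaps WAN?", lan_mask_overlaps_wan("66.153.204.129/24", WAN_IP))
```

With the automatic rule in place the remote side sees 66.153.204.49 and the record's `-all` yields a hard fail, which is exactly the 550 in the first post; with the rule table empty the packet keeps .137 and passes. The mask check shows why a /24 on the LAN side is wrong here: it would place the WAN address inside the LAN network.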
                              dotdash

                              @GruensFroeschli:

                              Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                              Oops, missed that. That's what I get for skimming ahead.

                                bob76535

                                @GruensFroeschli:

                                We have the upper half of the IP range I listed (.128 thru .255). The colo told us to put .49 on the wan side of our firewall and .129 (gateway ip) on the lan side.

                                Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

                                In this case you just have to disable NAT on pfSense.
                                --> "Firewall" --> "NAT" --> "Outbound"
                                --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
                                --> delete all rules that are there.

                                You now have a routing-only platform with firewall capabilities.

                                Just make sure that the subnet mask on the LAN side is actually /25 and not /24.

                                OK, that's what I will do. Can this be done through the remote interface without losing connectivity? The firewall is located in another city and the boss hates having me gone that long. If not, that's fine. They have good cheesesteaks there.

                                Thanks

                                Bob

                                  GruensFroeschli

                                  You shouldn't lose connectivity upon disabling NAT.

                                    bob76535

                                    Just wanted to thank everyone for their help. The change to the transparent bridge filter fixed the 550 problem. The web GUI doesn't work on the WAN side anymore, but I posted that question in a different message.

                                    I appreciate your help.

                                    Thanks

                                    Bob

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.