Just installed pfsense firewall. Getting mail error…



  • I have a mail server (and other servers) that sits behind our new pfSense firewall. We put the firewall in so we can block IPs from connecting to our servers, especially the mail server. The firewall has a single WAN with its own IP, a single LAN with its own IP (the gateway IP that all the servers are pointed at), and the mail server (IMail 10) has 2 IPs (one dedicated for a customer and one that ours and all our virtual domains use). All the IPs are within the same subnet, if that matters. This is the first firewall I have set up at this scale and I am a noob to all this, so please be gentle.

    When someone sends an e-mail from our domain to an outside domain we get this error:
    -----Original Message-----
    From: postmaster@mail.xyz.com [mailto:postmaster@mail.xyz.com]
    Sent: Saturday, August 30, 2008 3:00 PM
    To: boss@xyz.com
    Subject: Undeliverable Mail

    undeliverable to recipient@1234.com

    Server response to MAIL FROM:

    550 domain of boss@xyz.com does not designate 66.153.204.49 as permitted sender

    The IP shown is the WAN IP. The mail server IP is the same but ends in .137 (or .153 for the other customer).

    What do I need to do to fix this?

    I have searched the forums and did not find anyone who talked about this problem.

    Thanks

    Bob



  • This looks like the server that you are using to relay your email doesn't allow that message to be delivered from your mail server. If it were a firewall issue, I believe that the mail would not even leave your mail server and you would be getting an error from your own server.



  • Hi,

    You would probably need to check your cf or his cf and/or look at the SPF record carefully,
    and also check that your addresses/domains are not listed on any RBL sites.

    If it used to work and has now stopped, then there must have been changes.

    cheers,



  • @bob76535:

    I have a mail server (and other servers) that sits behind our new pfSense firewall. We put the firewall in so we can block IPs from connecting to our servers, especially the mail server. The firewall has a single WAN with its own IP, a single LAN with its own IP (the gateway IP that all the servers are pointed at), and the mail server (IMail 10) has 2 IPs (one dedicated for a customer and one that ours and all our virtual domains use). All the IPs are within the same subnet, if that matters. This is the first firewall I have set up at this scale and I am a noob to all this, so please be gentle.

    I'm a bit worried about your statement: "All the IPs are within the same subnet, if that matters."
    Did you set up a transparent firewall?
    If not: you cannot have the WAN and the LAN in the same subnet.



  • You need to provide details of your configuration. The error sounds like what happens when you run NAT with port-forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case, you would not be pointing the gateway to the firewall…



  • @bob76535:

    When someone sends an e-mail from our domain to an outside domain we get this error:
    -----Original Message-----
    From: postmaster@mail.xyz.com [mailto:postmaster@mail.xyz.com]
    Sent: Saturday, August 30, 2008 3:00 PM
    To: boss@xyz.com
    Subject: Undeliverable Mail

    undeliverable to recipient@1234.com

    Server response to MAIL FROM:

    550 domain of boss@xyz.com does not designate 66.153.204.49 as permitted sender

    That looks like an SPF error - check to see if the domain xyz.com has an SPF record (see http://www.openspf.org/).



  • I'm a bit worried about your statement: "All the IPs are within the same subnet, if that matters."
    Did you set up a transparent firewall?
    If not: you cannot have the WAN and the LAN in the same subnet.

    I'm not familiar with the term "transparent firewall", please explain.

    We get a "connection" from our colocation provider. We have the upper half of the IP range I listed (.128 through .255). The colo told us to put .49 on the WAN side of our firewall and .129 (gateway IP) on the LAN side. There is no DHCP on the LAN side (if that matters) and all the machines have multiple static IPs on them. All are from that same subnet. The co-lo uses the lower half of the subnet for their stuff.

    I did find out that this is only happening when sending to that particular domain. It is not happening when sending anywhere else (that we are aware of). Apparently their mail setup sees the sending mail server as .49 instead of the actual mail server IP .137. It fails the message since the sending IP does not match the SPF. The correct mail server IP is .137 and the SPF is correct for the sending domain. Why would they be seeing the firewall IP?

    Thanks for your help. I really appreciate it.

    Bob



  • @dotdash:

    You need to provide details of your configuration. The error sounds like what happens when you run NAT with port-forwards and don't put in an outbound AON rule. Your description sounds more like you have public IPs on your servers, but in that case, you would not be pointing the gateway to the firewall…

    I didn't touch the NAT and there is no port forwarding set up. Yes, they all have public IPs on them. Not pointing the gateway to the firewall? I'm not following you here.

    Thanks

    Bob



  • That looks like an SPF error - check to see if the domain xyz.com has an SPF record (see http://www.openspf.org/).

    Yes it does and I verified it to be correct. It has not been touched and was correct before the firewall was installed.

    Thanks

    Bob



  • I just read the PDF on having a transparent firewall. We do not have it set up that way. Should we?

    The purpose of the pfsense box was to be able to block all traffic on ports we are not using and block unwanted external ips from connecting to all our servers. We do not need any other functions from the pfsense box.

    What should I do here?

    Thanks for your support.

    Bob



  • I'm assuming you read this document: http://pfsense.trendchiller.com/transparent_firewall.pdf
    Yes, if you have all public IPs in the same subnet, the firewall should be a bridge, not a router. You should not be natting and the machines should have the upstream router as the gateway and not the firewall.



  • We have the upper half of the IP range I listed (.128 through .255). The colo told us to put .49 on the WAN side of our firewall and .129 (gateway IP) on the LAN side.

    Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

    In this case you just have to disable NAT on pfSense.
    --> "Firewall" --> "NAT" --> "Outbound"
    --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
    --> delete all rules that are there.

    You now have a routing-only platform with firewall capabilities.

    Just make sure that the subnet mask on the LAN side is actually /25 and not /24.
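    An added illustration (not from the thread and not pfSense code) of what the receiving server's SPF check did with the two possible source addresses Bob describes: the record below is constructed to authorise the mail server's .137 and .153 addresses only, so the WAN address .49 that outbound NAT substitutes is rejected, while the address that survives once NAT is disabled passes. Only ip4/ip6 and all are evaluated; mechanisms that need DNS are reported as unresolvable.

```python
import ipaddress

# Constructed SPF record for the sending domain: the mail server's two public
# addresses are authorised; the firewall's WAN address .49 is deliberately absent.
CONSTRUCTED_SPF = "v=spf1 ip4:66.153.204.137 ip4:66.153.204.153 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF record for the connecting IP, offline.

    Returns pass/fail/softfail/neutral for ip4:/ip6: (optional CIDR) and all,
    "none" when the record is not SPF, and "unresolvable" when a mechanism
    such as a, mx, include, ptr or exists would require DNS lookups.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # catch-all ends evaluation
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if "=" in name:
            continue                         # redirect=/exp= modifiers ignored here
        return "unresolvable"                # needs DNS: a, mx, include, ptr, exists
    return "neutral"                         # record ended without an "all" term


def observed_source(mail_server_ip, wan_ip, outbound_nat):
    """Source address the remote SMTP server sees for the connection.

    With outbound NAT active, pfSense rewrites the server's own public address
    to its WAN address; with NAT disabled (or in bridge mode) it is kept.
    """
    return wan_ip if outbound_nat else mail_server_ip


def diagnose(outbound_nat):
    """Pair the address the remote side sees with the SPF verdict it produces."""
    src = observed_source("66.153.204.137", "66.153.204.49", outbound_nat)
    return src, spf_check(CONSTRUCTED_SPF, src)
```

    Running diagnose(True) reproduces the 550 from the thread (.49 fails), and diagnose(False) shows the same message passing once the real server address reaches the remote side.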



  • @GruensFroeschli:

    Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

    Oops, missed that. That's what I get for skimming ahead.



  • @GruensFroeschli:

    We have the upper half of the IP range I listed (.128 through .255). The colo told us to put .49 on the WAN side of our firewall and .129 (gateway IP) on the LAN side.

    Dotdash, I think his ISP just routes the public IPs on his LAN side to the IP on the WAN side.

    In this case you just have to disable NAT on pfSense.
    --> "Firewall" --> "NAT" --> "Outbound"
    --> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
    --> delete all rules that are there.

    You now have a routing-only platform with firewall capabilities.

    Just make sure that the subnet mask on the LAN side is actually /25 and not /24.

    OK, that's what I will do. Can this be done through the remote interface without losing connectivity? The firewall is located in another city and the boss hates having me gone that long. If not, that's fine. They have good cheesesteak there.

    Thanks

    Bob



  • You shouldn't lose connectivity upon disabling NAT.



  • Just wanted to thank everyone for their help. The change to the transparent bridge filter fixed the 550 problem. The web GUI doesn't work on the WAN side anymore, but I posted that question in a different message.

    I appreciate your help.

    Thanks

    Bob

