Email Issue. Need Some badly needed Help.

  • I am running pfSense 2.3.4 p1

    My Exchange server is Exchange 2007.  My email is running fine if I am outside of my internal network.  The server is on the LAN.  Any clients that connect to the AP, which is located in the DMZ, cannot connect to email.  I can't seem to be able to configure the rules which will allow my DMZ clients to connect to email.

    Any help is much appreciated.



    "My exchange server is is Exchange 2007"

    Wow, talk about needing an update!! Even the extended support date was back in April of this year.  That is EOL.

    What are the rules on your DMZ?  And how exactly do you have this DMZ set up? Is it in front of pfSense, or is it just a segment hanging off pfSense?  I have seen some really bad setups for what people call a "DMZ" that amount to an asymmetrical routing nightmare.

    But you really need to move to something current for your email server.

  • Yes.  My setup could stand an update.  Just haven't done it.

    My DMZ rules are just the auto-populated rules that pfBlocker populates.  I have a DNS rule and a port 443 rule to the Exchange box.

    My DMZ setup is hanging off my pfsense setup.


  • Have you set up a DNS override for the Exchange?

  • No.  I haven't set up a DNS override.  Can you please explain further?



    So your clients sitting on the DMZ try to access your Exchange via what FQDN? One that resolves to your public IP? So you want to hit your public IP to get forwarded back in; this is NAT reflection. Did you allow for that?

    Or is the DMZ accessing it via an FQDN that resolves to the Exchange server's RFC1918 address (host override)?

    "I have a DNS rule and a port 443 rule to the Exchange box"

    What exactly is a DNS rule to the Exchange? DNS normally does not run on Exchange.  Your clients point to your Exchange box for their DNS?

  • Yes, they will be accessing Exchange via the FQDN.  Yes, I want the clients to hit the Public IP and get forwarded back in.  How do I create a NAT reflection?  Is it just firewall rules?  I just want a simple way of making this work.

    I have DNS running on my AD server, and all clients use DNS on the router via DNS Resolver.

    Why do you want NAT reflection?  It makes zero sense for a client on your local network to go to your public IP just to be sent back in.  Why not just set up a host override so that when your clients ask the resolver on pfSense they get "exchange.yourdomain.tld is 192.168.x.x", etc., and just allow that access on the network interface they are on.

    But if you have your heart set on NAT reflection, then you set that up on the port forward page where you forwarded the traffic in to your Exchange.

  • I don't want NAT Reflection.  I thought that was needed from a routing perspective.  I never worked with DNS Overrides, so I didn't realize I needed to use those.

    I think you put me in a good place and I will work on this this evening.

    Thanks for your help.


    No problem; let me know if you have any other questions.

    The override is simple: for whatever FQDN you're using to access your Exchange, just create the record so that when someone inside your network asks the resolver (Unbound on pfSense) for that FQDN they get back the RFC1918 address instead of the public one.

    People outside pfSense would still resolve to whatever public IP you have the FQDN pointing to, and your forward would allow them in.

  • Thanks Johnpoz & viragomann;

    I am home and my email is working internally.  I can't believe that all it was was putting in a DNS host override.  Very happy.  Now on to the Exchange 2010 or 2013 upgrade.

    Thanks guys


    2010?  That was end of mainstream support back in 2015.

    2013 non-SP1 is end of support in a few months.

    You should be going to current 2016.

