Blocking Internet Access but allow Outlook for Mail



  • I setup Pfsense 2.3.5 in my company. Our requirement is that for some Clients machine I have to block the Internet access aka port 80 and 443 but allow outlook aka 995 and 465.

    Now I made 4 alias

    1. blocked_IP
    2. pop_port
    3. smtp_port
    4. gmail_hosts

    I made the rule for LAN starting from the top

    1. Allow blocked_ip with port pop_port to any destination
    2. Allow blocked_ip with port smtp_port to any destination
      3 Block blocked_IP with any port to any destination

    Problem is when all three rules are enable the internet access blocked for the blocked_IP, but outlook could not connect. I think the problem is related to the DNS for the pop.gmail.com and smtp.gmail.com.

    Pls guide me where I am making the mistake.


  • Netgate

    Yeah you probably have to pass DNS (TCP/UDP dest port 53) from blocked_ip or they won't be able to resolve names.



  • @derelict
    Tried to make the rule to allow the tcp/udp connection for the dns, but it is not working.

    Read some articles, which hinted to set the ip for the pop.gmail.com and smtp.gmail.com manually, but again the sites like gmail keeps on changing. Going to give it a try for the present ip derieved from the ping.


  • Netgate

    I would use FQDN Host Aliases for that. They should work reasonably well.



  • @derelict
    I tried it by creating an alias name mail_hosts with FQDN Host of pop.gmail.com, smtp.gmail.com, imap.gmail.com, pop3.gmail.com.

    But still the setup is not working, and the log still shows the DNS error.

    1. Should I have to create the alias one at a time like one alias for pop.gmail.com and another for the smtp.gmail.com insteat of one alias for all the gmail hosts.

  • Netgate

    Use Diagnostics > Tables to view the contents of the table and the IP addresses they resolved to. Do they match with what you get when you look up the names yourself? Look at the firewall log to see what's being blocked. Be able to understand what is failing (DNS, the connection itself, etc) instead of just saying "it doesn't work."

    Use Diagnostics > Test Port as I have recommended at least a couple of times with no results from you communicated.



  • @derelict
    dignostic->test port results ok for host pop.gmail.com and smtp.gmail.com

    problem is with the client computer running outlook 2007, when trying to communicate the pop.gmail.com and smtp.gmail.com at port 995 and 465 respectively could not resolve the ip of hostname


  • Netgate

    Then fix your DNS.

    What are the DNS servers the client is configured to use to resolve names?

    Pass the TCP/UDP 53 traffic to those servers.

    Look at the firewall logs. Look at packet captures. Who knows what other ports Microsoft decided to make outlook use besides the main ports.



  • Ok after few more tests, the outlook was able to send the mail, but fails in receiving. The error for the outlook is receiving reported error (0x800CCCIA):' Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider for additional assistance.

    It means the DNS part of PFsense is resolving the IP, the error is for the pop3.gmail.com

    1. failed to resolve host pop3.gmail.com will retry later
      again.

    2. Jul 11 11:13:40 filterdns IP address 74.125.24.109 already present on table mail_hosts as address of hostname pop.gmail.com ---> IS it normal ????


  • Netgate

    That is something you will have to fix between outlook and the mail server.

    Looks like pfSense is facilitating the connection but the client and server disagree about how to talk to each other.

    pop3.gmail.com is not a valid hostname for gmail's pop service. Try pop.gmail.com.

    https://support.google.com/mail/answer/7104828


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy