Problems with port forwarding to mail server inside LAN

    I have the following setup:

                                  |---> Computer1...ComputerX
    WAN--->pfSense 1.2.1---LAN----|
                                  |---> Mailserver

    I have port forwarded all needed POP/IMAP/SMTP/HTTP ports from WAN to Mailserver. SMTP only works if I disable reflection, otherwise it cannot relay anything. Below is a screenshot of the port forwarding:
    However, if I disable reflection, I cannot access Mailserver from inside the LAN by mail.domain.tld, only by its internal IP (from outside the LAN it works like a charm, though). Right now, on all workstations I use e-mail accounts with the LAN IP of the mail server, and on all laptops two e-mail accounts, one with the LAN IP and one with mail.domain.tld for when they connect from outside the LAN. It's ugly and I don't like it; nothing should connect from inside the LAN to the mail server directly.

    How can I address the problem? Any advice, no matter how small, would be greatly appreciated.

  • What exactly do you mean by "SMTP only works if I disable reflection"?

  • I mean that if I have reflection enabled and I try to send any mail, I get this:

    does not like recipient.
    Remote host said: 550 sorry, relaying denied from your location [XXX.XXX.XXX.XXX]
    Giving up.

    I used another mail server as relay; when I did telnet mail.relay.tld 25, my mail server responded instead. I checked /var/log/qmail/smtp on that server: no incoming "requests" were detected from me. I considered this a sign that ports 25/465 were NAT-reflected back inside. I was right. Disabling reflection made it possible for SMTP to relay anywhere.

    This is the message from mailer-daemon@mailserver:

    Hi. This is the qmail-send program at "domain.tld".
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.
    does not like recipient.
    Remote host said: 550 relaying denied
    Giving up on

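The check the poster did by hand (telnet to an outside relay on port 25 and see whose SMTP greeting comes back) can be scripted so it is repeatable after each firewall change. The block below is an added example, not code from the thread or from pfSense: it reads the 220 greeting from each configured relay and flags a connection as reflected when the greeting names one of your own mail hosts instead of the relay. The relay and host names are placeholders taken from the thread (mail.relay.tld, mail.domain.tld); the sample banners are constructed for offline testing and are not real server output.

```python
import socket
import sys

# Constructed sample greetings (not captured from the thread's servers).
SAMPLE_RELAY_BANNER = "220 mail.relay.tld ESMTP Postfix"
SAMPLE_LOCAL_BANNER = "220 mail.domain.tld ESMTP"


def banner_hostname(banner):
    """Return the hostname announced in an SMTP greeting, or None.

    RFC 5321 greeting form is '220 <domain> [text]'; a multi-line greeting
    starts with '220-' instead of '220 '. Anything else is not a greeting.
    """
    line = banner.strip()
    if not (line.startswith("220 ") or line.startswith("220-")):
        return None
    parts = line[4:].split()
    return parts[0].lower() if parts else None


def classify(expected_host, banner, local_hosts):
    """Classify one greeting against the relay we meant to reach.

    'ok'         the relay announced itself under the expected name
    'reflected'  one of our own mail hosts answered (NAT reflection hit)
    'unexpected' some other name answered (e.g. a relay with a different
                 canonical hostname; check before treating it as a problem)
    'no-banner'  the first line was not a 220 greeting
    """
    announced = banner_hostname(banner)
    if announced is None:
        return "no-banner"
    if announced == expected_host.lower():
        return "ok"
    if announced in {h.lower() for h in local_hosts}:
        return "reflected"
    return "unexpected"


def fetch_banner(host, port=25, timeout=5.0):
    """Connect and read the first greeting line (live use only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").split("\n")[0]


def check_relays(relays, local_hosts, fetch=fetch_banner):
    """Probe each relay and return {relay: status}.

    'fetch' is injectable so the logic can be exercised without network access.
    A connection failure is reported as 'error' rather than raising.
    """
    results = {}
    for relay in relays:
        try:
            banner = fetch(relay)
        except OSError:
            results[relay] = "error"
            continue
        results[relay] = classify(relay, banner, local_hosts)
    return results


if __name__ == "__main__":
    # Usage: python reflect_check.py mail.domain.tld mail.relay.tld [more relays...]
    # First argument is your own mail host; the rest are the relays to probe.
    if len(sys.argv) < 3:
        sys.exit("usage: reflect_check.py <own-mail-host> <relay> [relay...]")
    own, relays = sys.argv[1], sys.argv[2:]
    for relay, status in check_relays(relays, [own]).items():
        print(f"{relay}: {status}")
```

Run it from a LAN workstation with reflection on and then off; a result of "reflected" for an outside relay is exactly the symptom in the post, while "unexpected" deserves a manual look because some relays greet with a canonical name that differs from the DNS name you connected to.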
  • NAT reflection should only reflect if you try to access your own public IP,
    NOT if you try to access a different remote IP.

    Basically what you see should not happen.
    Do you have any firewall rules in place that block/redirect outbound traffic to your internal server?

  • LAN Rules

    WAN Rules

    I added the "Allow everything from everywhere" rule on WAN for testing.

    You said:

    NOT if you try to access a different remote IP.

    Mailserver and Computer1...ComputerX are on the same interface; maybe I don't understand your question.

