Problems with port forwarding to mail server inside LAN
-
Hello all,
I have the following setup:

                           |---> Computer1...ComputerX
WAN--->pfSense 1.2.1---LAN |
                           |---> Mailserver

I have port-forwarded all needed POP/IMAP/SMTP/HTTP ports from WAN to Mailserver. SMTP only works if I disable reflection, otherwise it cannot relay anything. Below is a screenshot of the port forwarding:
(not sure if it works... I attached it, also)

However, if I disable reflection, I cannot access Mailserver from inside the LAN by mail.domain.tld, only by internal IP (from outside the LAN it works like a charm, though). Right now I use for all workstations e-mail accounts with the LAN IP calling the mail server, and for all laptops two e-mail accounts, one with the LAN IP and one with mail.domain.tld for when they connect from outside the LAN. It's ugly and I don't like it; nothing should connect from inside the LAN to the mail server directly.

How can I address the problem? Any advice, no matter how small, would be greatly appreciated.
-
What exactly do you mean with: "SMTP only works if I disable reflection" ?
-
I mean if I have reflection enabled, if I try to send any mail I get this:
66.249.91.83 does not like recipient.
Remote host said: 550 sorry, relaying denied from your location [XXX.XXX.XXX.XXX]
Giving up.

I used another mail server as relay; when I did telnet mail.relay.tld 25 my mail server responded instead. I checked /var/log/qmail/smtp of that server; no incoming "requests" were detected from me. I considered this a sign that ports 25/465 were NAT-reflected back inside. I was right. Disabling reflection made it possible for SMTP to relay anywhere.
L.E.
This is the message from the mailer-daemon@mailserver:

Hi. This is the qmail-send program at "domain.tld".
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

alexandru.vasilescu@gmail.com:
209.85.129.114 does not like recipient.
Remote host said: 550 relaying denied alexandru.vasilescu@gmail.com
Giving up on 209.85.129.114.
/alexandru.vasilescu@gmail.com
-
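The telnet test above (connecting to the relay's port 25 and noticing that the LAN mail server answers instead) can be scripted so it is repeatable after every NAT change. The following is an added example, not code from this thread or from pfSense: it connects to a remote host's SMTP port, reads the 220 greeting, and reports "reflected" when the hostname in the greeting belongs to the LAN server. The hostname set INTERNAL_SMTP_NAMES, the relay name mail.relay.tld and the FakeSocket used for the offline demonstration are all constructed for this example.

```python
import socket

# Constructed for this example: hostnames the LAN mail server announces in its
# own SMTP greeting. If a connection to some *other* host's port 25 comes back
# with one of these names, the traffic was reflected back to the LAN server.
INTERNAL_SMTP_NAMES = {"mail.domain.tld"}


def parse_greeting(greeting):
    """Return (code, hostname) from the first line of an SMTP greeting such as
    '220 mail.domain.tld ESMTP'. Multi-line greetings ('220-...') use only the
    first line. Returns (None, '') if the text is not an SMTP reply at all."""
    first = greeting.splitlines()[0] if greeting else ""
    if len(first) < 3 or not first[:3].isdigit():
        return None, ""
    code = int(first[:3])
    rest = first[4:].strip()          # skip the code and its ' ' or '-' separator
    host = rest.split(" ", 1)[0].lower() if rest else ""
    return code, host


def classify(greeting, internal_names=INTERNAL_SMTP_NAMES):
    """Classify who answered an outbound port-25 connection:
    'reflected'   the LAN server answered a connection meant for a remote host
    'remote'      a different SMTP server answered (the expected case)
    'smtp-<code>' the server answered with something other than 220
    'not-smtp'    the reply was not an SMTP greeting (wrong port, filtered, ...)"""
    code, host = parse_greeting(greeting)
    if code is None:
        return "not-smtp"
    if code != 220:
        return "smtp-%d" % code
    if host in {n.lower() for n in internal_names}:
        return "reflected"
    return "remote"


def read_greeting(sock, timeout=5.0):
    """Read until the end of the greeting's first line (or until the peer closes)."""
    sock.settimeout(timeout)
    data = b""
    while b"\r\n" not in data and len(data) < 4096:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")


def probe(host, port=25, internal_names=INTERNAL_SMTP_NAMES,
          connect=socket.create_connection):
    """Connect to host:port, read the greeting, QUIT, and classify the answer.
    `connect` is injectable so the check can be exercised offline."""
    with connect((host, port), timeout=5.0) as sock:
        greeting = read_greeting(sock)
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass                      # we already have what we need
    return classify(greeting, internal_names)


class FakeSocket:
    """Constructed stand-in for a TCP socket so the example runs offline."""

    def __init__(self, payload):
        self.payload, self.sent = payload, b""

    def settimeout(self, _timeout):
        pass

    def recv(self, n):
        chunk, self.payload = self.payload[:n], self.payload[n:]
        return chunk

    def sendall(self, data):
        self.sent += data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_connect(payload):
    """Build a `connect` replacement whose socket replies with `payload`."""
    return lambda address, timeout=None: FakeSocket(payload)


if __name__ == "__main__":
    # Offline demonstration with constructed greetings; drop the `connect=`
    # argument to probe a real relay from a LAN host.
    print(probe("mail.relay.tld", connect=fake_connect(b"220 mail.domain.tld ESMTP\r\n")))
    print(probe("mail.relay.tld", connect=fake_connect(b"220 mx.relay.tld ESMTP Postfix\r\n")))
```

Run it from a LAN workstation against the relay with the default connect; a result of "reflected" means the firewall sent the connection back to the internal server, which is exactly the symptom the bounce messages above show. Comparing the greeting hostname rather than the IP works even when the reflected connection arrives from the firewall's own address.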
NAT reflection should only reflect if you try to access your own public IP.
NOT if you try to access a different remote IP.

Basically what you see should not happen.
Do you have any firewall rules in place that block/redirect outbound traffic to your internal server?
-
LAN Rules
WAN Rules
I added the "Allow everything from everywhere" rule on WAN for testing.
You said:
NOT if you try to access a different remote IP.
Mailserver and Computer1...ComputerX are on the same interface, maybe I don't understand your question.