
    Access Mailserver through VPN from Firewall itself

    • mOrbo

      Hi,

      Forget about the topic, I'll try to explain my problem.

      Two pfsense connected with ipsec. Everything works great.
      Behind pfsense-01 (10.10.0.0/16) is a Mailserver, Clients behind pfsense-02 (10.11.0.0/16) can connect without a problem.
      I now want pfsense-02 itself to send notifications (System -> Advanced -> Notifications) to this Mailserver

      If I do a test, the Error is:

      Error: Failed to connect to MAILSERVER:587 [SMTP: Failed to connect socket: Permission denied (code: -1, response: )]
      

      I think the problem is, pfsense-02 is trying to send the mail as localhost 127.0.0.1 and gets a "Permission denied" error.

      Same error occurs with a ping test in the ssh console:

      [2.4.5-RELEASE][PFSENSE-02]/: ping 10.10.0.200
      PING 10.10.0.200 (10.10.0.200): 56 data bytes
      ping: sendto: Permission denied
      ping: sendto: Permission denied
      ping: sendto: Permission denied
      
      [2.4.5-RELEASE][PFSENSE-02]/: ping -S 127.0.0.1 10.10.0.200
      PING 10.10.0.200 (10.10.0.200) from 127.0.0.1: 56 data bytes
      ping: sendto: Permission denied
      ping: sendto: Permission denied
      ping: sendto: Permission denied
      

      Pinging directly from the interface IP-Address works without a problem:

      [2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
      PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
      64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
      64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
      64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms
      

      Is it possible to set an outgoing interface for the mailer-daemon?
      Thanks for any help :-)

      • jimp Rebel Alliance Developer Netgate

        If that is tunneled IPsec (not routed) then it's the same concept as this:

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • mOrbo

          Thanks, I already found that link, but the ping test in that article is working as expected:

          ping -S <pfsense LAN ip> <remote IP address>

          [2.4.5-RELEASE][PFSENSE-02]/: ping -S 10.11.0.1 10.10.0.200
          PING 10.10.0.200 (10.10.0.200) from 10.11.0.1: 56 data bytes
          64 bytes from 10.10.0.200: icmp_seq=0 ttl=127 time=16.556 ms
          64 bytes from 10.10.0.200: icmp_seq=1 ttl=127 time=16.543 ms
          64 bytes from 10.10.0.200: icmp_seq=2 ttl=127 time=16.676 ms
          

          I was looking for the alternative mentioned at the end of the article:
          "Another alternative, depending on the version, would be to change the interface binding of the target service so that it only listens on the LAN IP address. [...] The interface binding for SNMP, NTP, the DNS Forwarder, and several other services can be set in this way."

          I need to do this for sendmail or whatever mailer is used for the webgui.

          • jimp Rebel Alliance Developer Netgate

            There is no sendmail, it's just a PHP mailing script. No way to bind to an interface, you must use the routing trick. (Or switch to routed IPsec...)

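A simplified model of the routing trick mentioned above, added here as an example (it is not code from any post or from pfSense): tunneled IPsec only carries packets whose source and destination both fall inside the phase 2 selector, and the source of firewall-originated traffic follows the route chosen for the destination. The WAN address is a constructed placeholder, and the function and table names are hypothetical.

```python
import ipaddress as ip

# Model of pfsense-02. LAN address and subnets come from the thread; the WAN
# address is a constructed placeholder from a documentation range.
INTERFACES = {
    "wan": ip.ip_address("198.51.100.2"),
    "lan": ip.ip_address("10.11.0.1"),
}
# Phase 2 selector of the tunneled (policy-based) IPsec: (local net, remote net)
PHASE2 = (ip.ip_network("10.11.0.0/16"), ip.ip_network("10.10.0.0/16"))

# Routing tables as (destination network, outgoing interface).
DEFAULT_ONLY = [
    (ip.ip_network("0.0.0.0/0"), "wan"),
    (ip.ip_network("10.11.0.0/16"), "lan"),
]
# Routing trick: static route for the remote subnet via the firewall's own LAN IP.
WITH_STATIC_ROUTE = DEFAULT_ONLY + [(ip.ip_network("10.10.0.0/16"), "lan")]


def pick_source(dst, routes, forced_src=None):
    """Return the source address a firewall-originated packet would carry."""
    if forced_src is not None:  # equivalent of `ping -S <addr>`
        return ip.ip_address(forced_src)
    dst = ip.ip_address(dst)
    # Longest-prefix match picks the outgoing interface, and with it the source.
    _, iface = max((r for r in routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen)
    return INTERFACES[iface]


def matches_phase2(dst, routes, forced_src=None):
    """True when (source, destination) falls inside the phase 2 selector."""
    local, remote = PHASE2
    src = pick_source(dst, routes, forced_src)
    return src in local and ip.ip_address(dst) in remote


if __name__ == "__main__":
    target = "10.10.0.200"  # mail server address used in the thread's ping tests
    cases = [
        ("default routing", DEFAULT_ONLY, None),
        ("ping -S 127.0.0.1", DEFAULT_ONLY, "127.0.0.1"),
        ("ping -S 10.11.0.1", DEFAULT_ONLY, "10.11.0.1"),
        ("static route via LAN IP", WITH_STATIC_ROUTE, None),
    ]
    for label, routes, src in cases:
        print(f"{label:26} src={pick_source(target, routes, src)!s:14} "
              f"in tunnel={matches_phase2(target, routes, src)}")
```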
            • NSuttner @mOrbo

              @morbo Hi, I have the same problem as you had in 2020! Have you solved it, and if yes, how? Thanks for a short response! Regards, Norbert

              • mOrbo @NSuttner

                @nsuttner Kind of, but not satisfying. I'm using an external smarthost relay server to send the mails over the internet and not the tunnel. A bit dirty, but it works.

                • NSuttner @mOrbo

                  @morbo Haha, smile, I had the same idea a few minutes ago and it works with our Office365 mailer! Thanks for your answer and have a nice day! Regards, Norbert

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.