Mail servers imap behind pfsense not reachable



  • Hi,

    My mail server's IMAP is not reachable from outside my network.
    I can access the mail server on my LAN.

    I already created firewall and NAT rules, the ports are open but the IMAP server is not reachable.
    NAT:
    WAN TCP * * WAN address 143 (IMAP) 192.168.1.200 143 (IMAP) IMAP

    Firewall rule WAN:
    IPv4 TCP * * 192.168.1.200 143 (IMAP) * none NAT IMAP

    Firewall rule LAN:
    IPv4 TCP LAN net * * 143 (IMAP) * none IMAP Rule



  • So your clients connect to the server without SSL encryption? Are you sure?

    Possibly the server itself blocks the access from outside its subnet. Check its firewall.

    The firewall rule on LAN allows only outbound connection. It is useless for incoming traffic.



  • Clients connect via STARTTLS on port 143.
    I do not have any firewall rules on the mail server itself...



  • Do you have other port forwarding to internal services behind pfSense which are accessible from the internet for reference?



  • Yes, I have HTTP and HTTPS services; they work.
    WAN TCP * * WAN address 443 (HTTPS) 192.168.1.155 443 (HTTPS) HTTPS Server

    WAN TCP * * WAN address 80 (HTTP) 192.168.1.155 80 (HTTP) HTTP Server



  • Anyway, ensure that requests on port 143 arrive on your WAN interface. You may use the Packet Capture tool for investigating.



  • @daan said in Mail servers imap behind pfsense not reachable:

    I already created firewall and NAT rules, the ports are open but the IMAP server is not reachable.
    NAT:
    WAN TCP * * WAN address 143 (IMAP) 192.168.1.200 143 (IMAP) IMAP
    Firewall rule WAN:
    IPv4 TCP * * 192.168.1.200 143 (IMAP) * none NAT IMAP
    Firewall rule LAN:
    IPv4 TCP LAN net * * 143 (IMAP) * none IMAP Rule

    You have only a LAN and a WAN interface?

    Then you don't need to create a LAN firewall rule.
    And just one NAT rule (this action will create a firewall rule which is, look carefully, linked to the NAT rule - you should NOT create a WAN firewall rule).

    HTTPS and HTTP work? IMAP on port 143 is exactly the same rule; only the port number changes (and your LAN IMAP mail server is on another LAN device).

    Btw : 99 % of all web traffic is https now, so you can ditch the http (port 80). The same thing goes for IMAP, do not force people - including yourself - to use 143 = mail goes in clear over the net. NAT port 993 TCP, and, because they are free, easy to set up, use certs that everybody trusts.
    Same thing for POP => POPS using port 995 TCP - "110" is dead these days.

    edit: and I forgot to mention the classic one: did you also "NAT" the upstream 'ISP' router?
    Less classic, but it has been seen: does your ISP permit '143' access?
    As @viragomann said: launch a packet capture on WAN and you have your answer in a second or two.



  • Yes currently I only have a WAN and LAN.
    My 143 port is running on STARTTLS, clear text is not allowed.

    My ISP allows it, because with my previous router (not a pfsense router) it worked fine. Never had any problems.

    I just tried to capture packets. I think something is wrong: I get TCP Retransmission in Wireshark. I do not know what it means; I am currently learning networking.



  • @daan said in Mail servers imap behind pfsense not reachable:

    wrong I get TCP Retransmission in Wireshark

    You pre-selected
    Port: 143
    Protocol: TCP
    Interface: WAN
    right?

    You will probably find the same traffic on the LAN side, which implies that pfSense :: the NAT rule, is working correctly.

    Your IMAP server on LAN accepts connections from the LAN network, not connections from 'elsewhere' like the Internet. Check this.



  • Yes I did
    [screenshot]



  • Do a packet capture on your LAN port while someone tries to connect from outside and see if the traffic shows up there or not.



  • This is what I get; 192.168.1.118 is my PC.
    12:44:52.525535 IP 192.168.1.118.39414 > MY.IP.00.00.143: tcp 0

    The capture is full of these packets; no incoming packets found.


  • LAYER 8 Global Moderator

    @daan said in Mail servers imap behind pfsense not reachable:

    This is what I get, 192.168.1.118 is my pc.
    12:44:52.525535 IP 192.168.1.118.39414 > MY.IP.00.00.143: tcp 0

    Where exactly are you sniffing for that? It sure isn't the WAN of pfSense showing traffic getting to it. Since the source is RFC1918, it doesn't go over the internet.

    Step 1 in troubleshooting port forwarding is VALIDATION that traffic gets to the WAN of pfSense; pfSense cannot forward something it never sees.

    Then validate it sends it on by sniffing on the LAN side of pfSense. Here is an example:

    [screenshot: imap.png]

    That is my WAN. Here is a sniff on the LAN side, showing it sending to the IP on the inside, and my machine sending back a RST:

    [screenshot: rst.png]

    After I set up a port forward:

    [screenshot: portforward.png]

    Everything you need to troubleshoot port forwarding is here:
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html

    Just use can you see me . org to send traffic from the outside.



  • When I check for open LAN ports on 192.168.1.200 (my mail server IP, running in Docker) I get the expected output.
    [screenshot]

    When I check for open ports on " https://www.yougetsignal.com/tools/open-ports/ " the IMAP and SMTP ports are all reachable.

    And there is another weird thing. I have my mail set up on my phone. I do get notifications from my email app when I get a new mail (the title and part of the message are readable in the notification), but when I open the app the email is not there and it throws an IMAP connection error.


  • LAYER 8 Global Moderator

    Dude I can not help you if you can not provide the simple info that would take you 10 seconds to provide.

    Do a sniff on pfsense wan... Not go to can you see me . org.. put in 143 - do you see the packets on pfsense? If so,

    Then sniff on the LAN side and repeat the process. If you see traffic going to your IMAP server's RFC1918 IP, then pfSense has done its job. Whatever other issues you might be having have nothing to do with the simple act of forwarding a port.

    I just hit the IP you used to connect to the forum and it answers via 143:

    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE XLIST LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.


  • Yes I know, when I do a packet capture on my WAN I get an empty log:
    [screenshot]

    I know that the IMAP responds, but I can't reach it with an e-mail client.


  • LAYER 8 Global Moderator

    Well then you're not sniffing on the right interface, or the correct port?

    Are you using PPPoE for your connection?

    Or maybe there is something in front of your device answering for these ports? If what you're saying is that pfSense never sees the traffic, then you have something in front of pfSense answering?

    If you're not seeing loads of traffic when you sniff on your WAN, then you're sniffing on the wrong interface or you have something wrong with your packet capture. Do a simple tcpdump from the pfSense console.



  • I used these settings:
    [screenshot]

    pfSense is hooked up straight to my ISP modem; my LAN interface goes to a layer 2 Cisco switch, and the mail server is attached to the switch.


  • LAYER 8 Global Moderator

    Well do it without 143, do you see lots of traffic?

    If you see lots of normal traffic, and nothing on 143 - then something in front of pfsense is answering for 143..



  • When I do not specify a port I see loads of traffic, HTTPS traffic


  • LAYER 8 Global Moderator

    Well then 143 is not getting to pfSense, but something answers on your IP (the one you connected to the forum with).

    Maybe your ISP intercepts this traffic... But if pfSense never sees traffic to 143, how could it ever forward it?

    This is why step one in any sort of this troubleshooting is to actually VALIDATE traffic is getting to pfSense. pfSense cannot do anything with something it never sees.

    You sure the pfSense WAN is a public address? It's not an RFC1918 address?



  • @johnpoz said in Mail servers imap behind pfsense not reachable:

    This is why step one in any sort of this troubleshooting, is to actually VALIDATE traffic is getting to pfsense.

    Mentioned about eight times in this thread, but still seems to be ignored.



  • The mail server is on my current IP, but with my previous router (non-pfSense) it worked fine.
    And yes, I am 1000% sure my pfSense WAN IP is my public IP, because all of my websites running from this network are up and reachable.


  • LAYER 8 Global Moderator

    Well something is answering on the IP he is connecting to the forum with, which I would assume is his IP... But from his packet capture, nothing is getting to pfSense.

    pfSense cannot forward what it does not see. This is basic 101 stuff here.

    edit: I do not know what to tell you. This is basic 101 stuff here; if you cannot show us pfSense seeing the traffic on its WAN, how could it ever do anything with it? All I can tell you is something answers on 143 when I hit the IP you connected to the forum from.



  • @daan said in Mail servers imap behind pfsense not reachable:

    When I do not specify a port I see loads of traffic, HTTPS traffic

    You can also limit the capture to multiple ports by entering "143|587|993", for instance, to take all IMAP ports.



  • @daan
    You can check your real public IP on web services like https://whatismyipaddress.com

    The IP you get displayed there must match your pfSense WAN IP, otherwise there is a router in front of pfSense.



  • @viragomann I know it is the same IP as the pfSense WAN interface IP



  • @johnpoz This is my capture with 143|465|587|993 as ports:
    [screenshot, 2020-09-25]


  • LAYER 8 Global Moderator

    Do a simple sniff on 143 then.

    Then go to can you see me . org and put in 143.

    You should see this traffic. Clearly sniffing is working, but I don't see any traffic for 143.

    To be honest, it sure looks to be working to me. Whatever issues you might be having with IMAP have nothing to do with pfSense. I get a connection to 143, and it sure seems to be whatever server you're running behind pfSense: it reports Dovecot (Debian), which is what your Poste.io server uses for IMAP.

    btw I see 993 there in your sniff, which would be IMAP over TLS. Maybe your client is just not using 143 when you tested, which is why you didn't see it on the sniff. Do can you see me . org so you know exactly what port is being sent.



  • @daan said in Mail servers imap behind pfsense not reachable:

    this is my capture with 143|465|587|993 as ports

    There is obviously a communication on 993. Possibly your client switches automatically to 993 (SSL)?

    However, the traffic may be outbound as well. You're the only one who knows the destination IP; we cannot see it.



  • @viragomann said in Mail servers imap behind pfsense not reachable:

    There is obviously a communication on 993. Possibly your client switches automatically to 993 (SSL)?

    Hummm: 993 was already mentioned above.
    Check if the mail server "IMAPS" is listening on port 993 on the IMAP server before you NAT that port (TCP).



  • @johnpoz These are my client settings; the settings worked fine with my previous router.
    [screenshot, 2020-09-25]

    And yes, I am using poste.io



  • @viragomann My public IP shows up in inbound as well as outbound traffic on port 993


  • LAYER 8 Global Moderator

    Well your client is not set to use 143 in that setup. So why would you think you would see traffic on 143?

    Not sure what to tell you... pfSense's only job in this is sending the traffic on to where you tell it to send it. Clearly from your sniff that is happening on 993. So whatever issues you have with IMAP have nothing to do with pfSense. It's a dumb doorman in the big picture: it sees traffic on port X and sends it on to where you told it to send it, and then sends the answer back. It has nothing to do with the workings of the conversation, nor does it care.



  • @Gertjan Yes I did, I uploaded a screenshot of it:
    [screenshot]



  • [screenshot]

    STARTTLS seems strange when using 993, as there can't be a TLS negotiation - it will be a direct SSL/TLS connection, like your 465 = SMTPS outgoing mail connection.



  • @johnpoz Same story when I use port 143: it does not connect.
    Yes, I know what pfSense does, but why did it work fine on my previous router and not on my pfSense router?



  • @Gertjan My mail server does TLS over port 993
    [screenshot]
    (POP, HTTP and HTTPS are not forwarded)


  • LAYER 8 Global Moderator

    @daan said in Mail servers imap behind pfsense not reachable:

    Same story when I use port 143, it does not connect.

    It does connect. I have connected via 143:

    [screenshot: connect.png]



  • Since we cannot see any unencrypted connection attempts, I think it's a legitimate question whether there is a valid SSL certificate installed on the IMAP server.
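
A small checker for the two client-side questions this thread ends on: whether a profile of "port 993 with STARTTLS" can ever work (it cannot, 993 is TLS from the first byte) and whether the server's certificate actually validates. This is an added example, not code from the thread or from pfSense or Poste.io; the offline sample is the Dovecot greeting quoted above, `probe()` needs a real host name and network access, and `mail.example.invalid` is a placeholder.

```python
from __future__ import annotations
import imaplib
import re
import ssl

# Dovecot greeting quoted earlier in the thread, used here as an offline sample.
SAMPLE_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE XLIST "
    "LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready."
)


def parse_capabilities(greeting: str) -> set[str]:
    """Return the CAPABILITY tokens from an untagged IMAP OK greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def check_client_profile(port: int, mode: str, caps: set[str]) -> str:
    """Say whether a client profile (port plus 'starttls', 'ssl' or 'none')
    can work against a server that advertises the given capabilities."""
    if port == 993:
        # 993 is TLS from the first byte: no plaintext greeting, so no STARTTLS.
        return "ok" if mode == "ssl" else "port 993 needs implicit SSL/TLS, not STARTTLS"
    if port == 143:
        if mode == "ssl":
            return "port 143 starts in plaintext; an implicit TLS handshake fails"
        if mode == "starttls":
            return "ok" if "STARTTLS" in caps else "server does not offer STARTTLS on 143"
        if "LOGINDISABLED" in caps:
            return "server refuses plaintext login on 143 (LOGINDISABLED); use STARTTLS"
        return "ok"
    return f"unexpected IMAP port {port}"


def probe(host: str, port: int, mode: str, timeout: float = 10.0) -> str:
    """Live check: connect, upgrade to TLS as the profile demands, verify the
    certificate against the system trust store, and return the greeting."""
    ctx = ssl.create_default_context()  # hostname and chain verification on
    if mode == "ssl":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    else:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        if mode == "starttls":
            conn.starttls(ctx)  # raises ssl.SSLError on a certificate that does not validate
    greeting = conn.welcome.decode(errors="replace")
    conn.logout()
    return greeting
```

`probe("mail.example.invalid", 993, "ssl")` or `probe("mail.example.invalid", 143, "starttls")` against your own server answers the certificate question directly; a self-signed or mismatched certificate surfaces as `ssl.SSLCertVerificationError`.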

