Mail servers imap behind pfsense not reachable
-
@viragomann Yes there is, I am using Let's encrypt mail certificates.
-
@daan
Let's Encrypt is no surety for validation. Possibly the update job failed. -
@daan said in Mail servers imap behind pfsense not reachable:
@johnpoz What the hell, when I do the same it returns
Is your client trying to connect from inside your LAN or outside? This could be a NAT reflection issue. Unless you have split DNS set up so that internal clients get routed straight to the mail server's internal IP and not out the WAN, then they can't connect unless you configure that ugly beast, NAT reflection.
That might be why @johnpoz can connect, but you can't. He is outside of your LAN. The standard port forward setup is going to port forward only traffic coming from the Internet into your WAN connection. It won't port forward traffic coming from your LAN side. Your previous router may have automatically configured NAT reflection when you configured a port forward. pfSense does not automatically configure NAT reflection for you.
Your screenshot of the email client shows that you have configured the mail server with its hostname of "mail.xxxx.xxx", so your client will ask DNS for the corresponding IP. Since I'm betting you have your MX record in DNS pointing to your WAN IP, then your internal client will try to connect to the IMAP server using your WAN's external public IP. That's where the NAT reflection would come in. Without it, that traffic does not find your internal mail host. To see if I am correct, instead of the mail server's hostname, put its actual internal IP address in the mail client's setup and see if it works then.
-
^exactly.
To be honest this comes up pretty much every single day.. Which is why I suggested canyouseeme.org... You have to validate traffic is getting to you from the public internet.
If you're sitting on some box on your local network, and hitting your wan IP.. It's only going to work if you have nat reflection setup, and that is actually working. depending on the protocol, and how you set it up, or where your client is exactly compared to you, same vlan or different..
And it's just plain an abomination to all things holy about networking in the first place.
Maybe your setup worked how you were testing it before with your old router because it was doing nat reflection. Which pfsense doesn't do without you actually setting it up.
If it was up to me - the whole nat reflection nonsense wouldn't even be an option.. Because it's a hack, always has been a hack.. And really should never be used on any sort of real network.. It's fine for billy the user and his soho router that doesn't understand dns, doesn't really understand IPs anyway... And thinks he should just be able to put in his ddns address into his browser and hit xyz that is running on his own freaking box, or the Raspberry Pi he clicked go on for some service.
But if you're to the point where you're running something like pfsense, and working with email servers and the like.. Time to leave the hacky let's make it work for billy bob the user because he doesn't know how to actually setup a real network anyway toys away.
-
@bmeeks Thanks for the explanation, When I use my IP as IMAP and SMTP it can't connect either.
-
@daan said in Mail servers imap behind pfsense not reachable:
When I use my IP as IMAP and SMTP it can't connect either.
What IP?? Again you need to be OUTSIDE YOUR NETWORK!! If you're going to do it from inside, you need to setup nat reflection. Or just use your internal IP.
I can connect to your IP just fine from outside..
Just tested again, and pops right in...
-
Yes I understand, chill bro. I got it working; I did not know that I had to setup NAT reflection, like I said earlier I am new to pfsense.
Thanks for the help and detailed explanations, have a good day! -
Then what was the point of this
When I use my IP as IMAP and SMTP it can't connect either.
If you have it working?
-
@daan said in Mail servers imap behind pfsense not reachable:
@johnpoz this is my capture with 143|465|587|993 as ports
It looks to me like you are closer than you think - you're simply using all encrypted ports. I see traffic on port 993, which is imap over SSL. I also see port 465, which is SMTP over SSL.
Furthermore, the traffic is actually flowing in both directions. You can see port 993 going from left to right in the first line, and you can see the reply coming back on the second line. The conversation is taking place with ports 993 and 7256. (Original connection on port 993 with reply requested on 7256). Later down you see the same thing happening with port 465.
It looks like everything is working. I'm wondering why you don't see IMAP mail in your mail client, because the connection is there.
Incidentally, the way I would test something like this is to put a laptop directly on the WAN side of the firewall - you can use it in place of your cable modem and use the same IP address on the laptop as the gateway. Or plug it in in parallel with the internet but give yourself a public IP in the same subnet as the WAN IP address. Then test to the pfSense IP while running Wireshark to see if your mail client is even sending port 143.
-
-
@PhxAzCraig It is working now I had to setup NAT reflection, Thanks!
-
@johnpoz In my home setup, I can "test port" my own email server on my public IP. I also can connect my XMPP client to my XMPP server. I have not set up any NAT reflection in my pfsense or rules.
-
@daan said in Mail servers imap behind pfsense not reachable:
@daan, when we say from "inside the LAN" we meant put in the actual internal RFC1918 address of your mail server. So maybe something like 192.168.1.xxx or whatever -- NOT your DNS entry IP (in other words, not the public IP). If using the actual internal non-NAT IP of the mail server didn't work, then a firewall rule must have been blocking. Is that mail server on a separate interface perhaps such as some kind of DMZ?
Glad you got it working with NAT reflection, but the preferred way of doing this is with a split-DNS arrangement such that clients on your LAN connect directly to the mail server using its local non-NAT IP address. For users out on the Internet, they would get the WAN public IP when asking for the mail server. You can research split-DNS to see how this works and why it is the preferred solution over NAT reflection.
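As an added example (not code from the thread or from pfSense), a small Python check that reproduces the diagnosis above: it classifies what DNS returned for the mail hostname (RFC1918, CGNAT 100.64/10, or public) and says whether a LAN client is on a split-DNS path, needs NAT reflection, or is hairpinning at the ISP. The hostname, addresses and LAN subnet used at the bottom are constructed placeholders.

```python
import ipaddress
import socket

# Address ranges a client could get back for "mail.xxxx.xxx"; only a
# public address is reachable from the Internet via the WAN port forward.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598, e.g. 100.65.x.x


def classify(ip: str) -> str:
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918_NETS):
        return "rfc1918"
    if addr in CGNAT_NET:
        return "cgnat"
    return "public"


def diagnose(resolved_ip: str, client_on_lan: bool, lan_net: str) -> str:
    """Describe the path a mail client takes, given what DNS returned for
    the mail hostname and whether the client sits on the LAN."""
    if not client_on_lan:
        return "direct: the WAN port forward handles this client"
    kind = classify(resolved_ip)
    addr = ipaddress.ip_address(resolved_ip)
    if kind == "rfc1918" and addr in ipaddress.ip_network(lan_net):
        return "split-dns: client reaches the server on its LAN address"
    if kind == "rfc1918":
        return "routed: server is on another internal interface (DMZ?); check firewall rules"
    if kind == "cgnat":
        return "cgnat: the hairpin happens at the ISP, not on pfSense"
    return "nat-reflection-required: LAN client is aimed at the public IP"


def tcp_check(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a plain TCP connect to host:port succeeds (no TLS handshake)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed answers for the mail hostname as seen from a 192.168.1.0/24 LAN
    for ip in ("203.0.113.10", "192.168.1.25", "10.10.0.5", "100.65.3.4"):
        print(ip, classify(ip), diagnose(ip, True, "192.168.1.0/24"))
```

Run `tcp_check(host, 993)` (and 465) from a host outside your network to confirm the forward itself, which is the same check the canyouseeme.org suggestion makes.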
-
@bmeeks Ah okay, I'll take a look at that. Thanks for the tip!
-
@Bob-Dig, then it's set up without your knowledge or understanding that you did it.
You cannot hit your public IP from your lan side to be reflected back in without nat reflection being enabled.
-
@johnpoz My ISP is doing 1:1-NAT, maybe that is why this works? How to test for that easily, if of any interest?
One reason I don't use split-DNS on everything is to get easily notified of "hosting" problems, like not having ports reachable, which sometimes is happening with my ISP after an IP change.
-
@Bob-Dig said in Mail servers imap behind pfsense not reachable:
My ISP is doing 1:1-NAT
Huh? You mean you have an RFC1918 address on pfsense wan, and they do a 1:1 nat with a public IP upstream?
-
@johnpoz It is a CG-NAT-address (100.65..), but yes.
-
Well nat reflection isn't done on your end then, it's done on their end..
edit: To be honest that is almost worse than local nat reflection. Since not only do you have the hairpin on pfsense. But you also have to deal with all the added latency and hairpin on their system ;)
Whereas if you used split dns and just pointed to the local IP, you just go through your local network to get to your server when you're on the local network..
-
@johnpoz said in [Mail servers imap behind pfsense not
edit: To be honest that is almost worse than local nat reflection. Since not only do you have the hairpin on pfsense. But you also have to deal with all the added latency and hairpin on their system ;)
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 14ms, Maximum = 18ms, Average = 15ms PS C:\WINDOWS\system32>
It is ok for some messages I guess.
Suricata thinks I got attacked..
SERVER-OTHER MRLG fastping echo reply memory corruption attempt
Then this mystery is solved and I will not mention it anymore, because I am special.