How to configure mail server behind pfsense router
-
I'm running a mail server on a Synology NAS behind my pfsense router. I have a public IP address and let the router handle the SSL certificates.
Before I started to use the pfsense router I port forwarded all traffic to the NAS and let it handle the SSL certificates. I assume this situation is quite common but I don't understand how I should configure it to work. I would like to use the SSL ports for the mail server (143, 465, 587 and 993).
I'm using haproxy for a couple of other services that I run on my NAS. For those I run the ssl parts on the router and without ssl internally in my network.
Anyone who can point me in the right direction?
-
@nikla said in How to configure mail server behind pfsense router:
143, 465, 587 and 993
NAT these ports - all TCP - to the IP of your Syno NAS.
But, question : your email clients like Thunderbird, Outlook365 etc can now 'post' mails to be sent away, and retrieve mails from their mail box.
But how do these mail boxes get filled with mails from 'elsewhere' ?
You should open port '25' TCP to your NAS also. You should do the same thing as hosting a web server on one of your LANs : open (= NAT/PAT) port 80 and 443 TCP and done. From a 'pfSense' point of view, there is not much to it.
General info :
You really missed the info from Synology that you should never ever make your Syno reachable from the outside == Internet. That is 'never' like in never.
To make a long story short :
You can't host an email server behind an ISP IP. The big ones, like Google, Microsoft, Yahoo, etc etc have these mails listed and won't send mails to these IPs.
Also : Do you control the reverse host name of your WAN IP? This is a requirement. Yes, I know, you can install a mail server or even a web server on your Syno.
It could probably even make you coffee. But this doesn't mean you should actually do it.
You can try it, of course. After some tests you'll run into issues, and you'll decide not to host the mail server yourself, but where it belongs : on a 'server' type of device, somewhere on the Internet, with your 'real' IPv4 and IPv6 for yourself.
edit : a minimal mail server setup needs :
A domain name - you have to rent one. - Give or take 5 $ a year.
A server, like a VPS, Something like 2$ a month will do.
An IPv4 and a IPv6 for yourself.
And a lot of time. Sending and receiving mails isn't rocket science, but you have to deal with a lot of aspects.
Btw : it's a command-line world only. There is no GUI thing that handles all the SPF/DKIM/DMARC/reverse hostname == DNS handling, certs etc.
-
@gertjan Thanks for taking all that time to answer!
Yes, I did not mention port 25 since that was the one I had managed to handle. My problem was the ports I did mention. I have been running my mail server on a server/NAS at home for 15 years. I do it to motivate myself to learn things.
You might be correct when you advise me not to run a server exposed on the internet at home. I still believe that it is possible to run a server at home using a pfsense router in front of a NAS. I still fail to configure that so my question remains.
edit: I forgot to answer your proposal to NAT the ports to the NAS. Yes, that was my first try but I did not understand how to create the SSL certificates on the NAS then. As I have understood it I need to have port 443 open on the same server as the one running the service. Now I use the pfsense router to be responsible for 443. If there is a way to create SSL certificates from Let's Encrypt for both pfsense and my NAS it would be perfect. I don't know how though.
Regards,
Niklas
-
@nikla You don't need haproxy for an email server, do you?
-
@bob-dig You are probably right but my knowledge is too low to understand how to configure the ports that need an SSL certificate without haproxy.
I know how to NAT port 25 but I don't know how to NAT e.g. 993, which needs an SSL certificate. Please help me understand.
-
@nikla You just do portforwards to your NAS. There you have to create the TLS certificates.
-
@nikla
Port forwarding doesn't care about TLS.
Simply forward all needed ports to the mail server as you do with e.g. 25 or 443. You can also put all ports into an alias and forward them with a single rule using the alias at destination and target.
BTW: without having the SSL certs on the mail server, STARTTLS will not work.
-
@viragomann Ok, that sounds easy. I agree with the solution but there is still one thing that I don't understand. How do I create a certificate on the NAS when my router takes care of port 443? As I have understood it Let's Encrypt requires that port 443 is open to the server which is requesting the certificate. Have I misunderstood something here?
-
@nikla
If you have different subdomains for the web server and mail server you can simply forward the mail server's one in HAProxy without TLS offloading. Another possibility would be to let pfSense do the LE stuff and pull the certs from it via SCP with a script.
There are threads here in this forum discussing this topic.
-
@nikla said in How to configure mail server behind pfsense router:
I have been running my mail server on a server/NAS at home since 15 years. I do it to motivate myself to learn things.
You might be correct when advise me not to run a server exposed on internet at home.
I still believe that it is possible to run a server at home using a pfSense router in front of a NAS. I still fail to configure that so my question remains.
I just wanted to warn you that using a 'mail server at home, behind an ISP type WAN IP' is cumbersome.
It's excellent for the "how to do so" and "learn" practices, I agree. But as soon as you get the hang of it, you want an always-on solution, which means : no bad ISP land line problems, no DNS issues, no power issues, no drive-went-bad issues : you don't want to bother with all the hardware details. You want to be reachable (by mail) at all times, even when you go off to the beach for a couple of days.
That's why I advise the "2$ / month solution". For me, my Synology devices are just used for what they are meant to be : backing up local devices.
Btw :
NATting port 25 TCP to an internal device
is like
NATting port 143 TCP to an internal device
is like
NATting port 110 TCP to an internal device
is like
NATting port 993 TCP to an internal device
etc etc. Just that one number changes.
About the certs (from Letsencrypt) : The pfSense package 'acme.sh' handles the renewal.
Every 60 days or so, when I get a mail that informs me that the cert "*.mydomain.tld" has been renewed, I export the two new 'cert' files, and import them in my Synos.
True, this is a manual operation and I have one month (after renewal) to do so.
I actually do not really need 'known' certs on my Syno; self signed or over-time certs will get flagged by my browser (if I didn't create an exception for my internal 'LAN-based' devices, as I do trust them anyway). You can probably also have the Syno ask for 'letsencrypt' certs.
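Two points in this thread can be verified with one script: viragomann's remark that STARTTLS only works if the certificate lives on the mail server itself, and gertjan's routine of re-importing the renewed cert into the Syno within a month. The following is an added example, not code from the thread or from pfSense/Synology: it connects to each NAT-forwarded mail port, checks that the NAS terminates TLS (STARTTLS on 25/143/587, implicit TLS on 465/993), and warns when the presented certificate expires within MIN_DAYS. The hostname mail.example.com, the port list and MIN_DAYS are assumptions; the only dependency is openssl.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Assumes `openssl` is installed.
# MAIL_HOST is a placeholder hostname; MIN_DAYS is the expiry warning threshold
# (gertjan has about a month after each acme.sh renewal to re-import the cert).
MAIL_HOST="${MAIL_HOST:-mail.example.com}"
MIN_DAYS="${MIN_DAYS:-30}"

# Print the openssl s_client options a mail port needs. 465/993/995 speak TLS
# from the first byte; 25/110/143/587 start in plaintext and upgrade with STARTTLS.
tls_args_for_port() {
  case "$1" in
    25|587)      echo "-starttls smtp" ;;
    143)         echo "-starttls imap" ;;
    110)         echo "-starttls pop3" ;;
    465|993|995) echo "" ;;
    *)           return 1 ;;
  esac
}

# Succeed if the PEM certificate on stdin is still valid $1 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Connect to host:port, capture the handshake, report chain verification
# and remaining lifetime. Returns 0 only when both are acceptable.
check_port() {
  host="$1"; port="$2"
  args="$(tls_args_for_port "$port")" || { echo "$port: unknown service"; return 2; }
  # $args is intentionally unquoted so "-starttls smtp" splits into two words.
  out="$(openssl s_client -connect "$host:$port" -servername "$host" $args \
         </dev/null 2>/dev/null)" || { echo "$port: TLS handshake failed"; return 1; }
  pem="$(printf '%s\n' "$out" | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')"
  [ -n "$pem" ] || { echo "$port: no certificate presented"; return 1; }
  verify="$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1)"
  if printf '%s\n' "$pem" | cert_valid_for_days "$MIN_DAYS"; then
    expiry="ok"
  else
    expiry="expires within $MIN_DAYS days"
  fi
  echo "$port: verify=$verify expiry=$expiry"
  [ "${verify%% *}" = "0" ] && [ "$expiry" = "ok" ]
}

# Usage: sh check_mail_tls.sh check   (e.g. from cron after each renewal)
if [ "${1:-}" = "check" ]; then
  for p in 25 143 465 587 993; do check_port "$MAIL_HOST" "$p"; done
fi
```

Run it from a machine outside your LAN so the connection actually traverses the pfSense NAT rules; a "TLS handshake failed" on 143 or 587 with a working 465/993 is the symptom viragomann describes of a server that has no certificate for STARTTLS.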