Netgate Discussion Forum
Mail server rejecting connections

General pfSense Questions
16 Posts 6 Posters 1.3k Views
    lewis (posted Dec 7, 2022, 10:33 PM; last edited Dec 7, 2022, 10:37 PM)

    I had to move a mail server from a public IP to a private one.
    I set up a virtual IP on pfSense but I suspect that one of the problems is that outgoing connections are taking the firewall's main IP.

    Being in a panic, I can't seem to find how I can add a rule to ensure that the email server is always using its public IP for outgoing.

    The config is set for hybrid outbound. I added this and the blurred part is the incoming virtual IP.

    [screenshot: mail.png]

    Can anyone shed some light so I can at least fix this part of the problem?

      rcoleman-netgate (Netgate) @lewis (posted Dec 7, 2022, 10:36 PM)

      @lewis The general process:

      1. Create a Virtual IP
      2. Make a 1:1 NAT of Virtual IP to internal IP
      3. Add rule in VIP's parent interface opening the ports you need on the destination IP of the internal IP address.

      Save, apply, test.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

          lewis (posted Dec 7, 2022, 11:07 PM; last edited Dec 7, 2022, 11:08 PM)

          Really frustrating. I cannot seem to edit or delete at will, the site keeps telling me I can't. Finally did.

          Hi, sorry, I was still updating my post above. Can you take a peek?

          I have the virtual IP.
          I have a 1:1 rule.
          I have a rule.

          I'll upload images shortly to show.

          Right now, I'm always seeing:

          Dec 7 15:45:50 mx postfix/error[21811]: B0BF5AE7F3: to=support@aaa.com, orig_to=<postmaster>, relay=none, delay=2183, delays=2056/127/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.aaa.com[1.2.3.4]:7025: Connection timed out)

            SteveITS (Galactic Empire) @lewis (posted Dec 7, 2022, 11:24 PM)

            @lewis 1:1 NAT automatically handles outbound NAT.
            "All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration."

            Why do you think the timeout is a NAT issue?
            On the mail server try "wget http://checkip.dyndns.com" and see what IP it downloads (it downloads to index.html by default).
            From a different PC on LAN can you telnet to the MX, port 25?
            Many ISPs block outbound port 25 on residential and sometimes business connections.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

              lewis (posted Dec 7, 2022, 11:25 PM)

              I wasn't sure what the issue was really so was looking for leads.
              I finally found it, it was split DNS. The server was moved from a public IP to a private one behind the pfsense firewall but the DNS resolv was not updated. All is working now.

              Thank you for your help!

                Derelict (LAYER 8, Netgate) @lewis (posted Dec 7, 2022, 11:30 PM)

                @lewis If you only have one IP address you almost never want to use a 1:1 NAT. It's too big a hammer.

                Make an outbound NAT rule like you have there. Match the source address of the mail server, probably protocol TCP and a destination port of 25.

                The log you pasted has destination port 7025. No global mail server is going to be listening on TCP/7025. If you know that one is, that's fine.

                Almost all ISPs block connections to port TCP/25 unless it's business class service and even in that case you might have to ask to be excluded from such filtering.

                Note also that outbound NAT does not route traffic. It only sets what NAT occurs if traffic is routed out that interface. If you have multiple WANs and want to specify which WAN to send SMTP out of you need to policy route it out that way.

                This rule is on a DMZ interface with a mail server. There are three WANs. Only this VDSL allows outbound TCP/25. smtp_senders is an alias containing the addresses of the local hosts that should be allowed to send outbound SMTP.

                [screenshot of the outbound NAT rule: 9109b3b6-e0aa-43eb-b4ba-367c21c6dcf0-image.png]

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  lewis (posted Dec 7, 2022, 11:38 PM)

                  I don't know where that port 7025 is/was coming from. Never seen that until now and certainly not something I set up.

                  Seems incoming is working now but outgoing is still using the firewall IP so the mail is bouncing.

                  I'm trying to find a way to post screen caps of the settings but having a hard time with the PC I'm on now. I'll do it asap.

                  I did create a 1:1 so I should remove it then? Sorry, really stressed here, trying to maintain calm.

                    lewis (posted Dec 7, 2022, 11:40 PM)

                    The firewall has over a dozen virtual IPs and one of those is now for the mail server and only for the mail server.

                    All is coming in fine but outgoing is bouncing as it's showing the firewall IP. This server only has two interfaces and no way to add another for DMZ etc.

                    I just need to make sure that outgoing from the mail server is showing its virtual public IP.

                      SteveITS (Galactic Empire) @lewis (posted Dec 7, 2022, 11:44 PM)

                      @lewis 1:1 forwards all ports to the private IP. If you have 1:1 set up, and outbound isn't using that IP, then double check the mail server has the expected IP...? Does it have two IPs configured maybe?

                      Your image shows 10.0.0.100/32 mapped to the WAN address. Is that your mail server private IP?


                        lewis (posted Dec 7, 2022, 11:53 PM; last edited Dec 7, 2022, 11:54 PM)

                        I removed the 1:1 and updated my outbound and it seems to be working now.

                        [screenshot: mail-04.png]

                        I thought I did enter port 25 but don't see that once saved or editing after. I guess clicking on Static port means all ports.

                          johnpoz (LAYER 8, Global Moderator) @lewis (posted Dec 8, 2022, 4:25 AM; last edited Dec 8, 2022, 4:27 AM)

                          @lewis said in Mail server rejecting connections:

                          I guess clicking on Static port means all ports.

                          No - it means use the same source port as the original traffic. Which sure isn't needed for an outbound connection to some other SMTP server, etc. Which can be problematic when you have multiple devices behind the same public IP you're NATing to. That should really be dynamic unless you specifically have some service where it expects a specific source port.

                          https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                            stephenw10 (Netgate Administrator) (posted Dec 8, 2022, 5:38 PM)

                            Yes, you probably don't need the second rule at all. Since you're using hybrid outbound NAT mode there will already be an auto rule for 10.0.0.0/24 via WAN. You would only need that rule if you required static outbound ports for all connections from that subnet as the auto rules do not set that. But you almost certainly don't need that.

                            Steve

                              johnpoz (LAYER 8, Global Moderator) @stephenw10 (posted Dec 8, 2022, 5:53 PM; last edited Dec 8, 2022, 5:55 PM)

                              @stephenw10 do you happen to know what exactly would happen if, say, 2 machines tried to use the same source port when set static like that?

                              So you have

                              PC1, running say Firefox, makes a connection with static port:

                              192.168.1.100:55400 ---> google:443 (pfsense) publicIP:55400 --> google:443

                              PC2 just by chance uses the same source port:

                              192.168.1.200:55400 ---> yahoo:443 (pfsense) publicIP:55400 --> yahoo:443

                              I would assume that the PC2 connection would just fail, and it would need to try again with, say, source port 55401?


                                stephenw10 (Netgate Administrator) (posted Dec 8, 2022, 6:05 PM)

                                Outbound NAT will fail if a state for that port already exists. But it would have to have the same destination IP address too. So multiple VoIP phones all using port 5060 as source and trying to register against the same external PBX is a common example. Traffic just leaves the WAN untranslated and obviously fails.

                                  lewis (posted Dec 9, 2022, 5:05 PM)
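The rule matching Derelict describes (match the mail server's source address, TCP/25, translate to the VIP) and the static-port collision stephenw10 explains, as one added Python model. This is example code, not pfSense's own implementation; the addresses, the random dynamic-port choice and the 1000-try limit are constructed assumptions.

```python
# Added model of pfSense-style outbound NAT (not pfSense code): first matching rule wins.
import random
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple
@dataclass
class Rule:
    source: str            # source network the rule matches, e.g. "10.0.0.0/24"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any
    nat_to: str            # public address to translate to (WAN IP or VIP)
    static_port: bool = False   # keep the client's source port instead of picking one
@dataclass
class NatTable:
    rules: List[Rule]
    states: Set[Tuple] = field(default_factory=set)  # (nat_ip, nat_port, proto, dst_ip, dport)

    def match(self, src_ip: str, proto: str, dport: int) -> Optional[Rule]:
        for r in self.rules:                 # rules are ordered; first match wins
            if (ip_address(src_ip) in ip_network(r.source)
                    and r.proto in ("any", proto) and r.dport in (None, dport)):
                return r
        return None

    def translate(self, src_ip, sport, proto, dst_ip, dport):
        """Return (public_ip, public_port) for a new flow, or None if no state can be made."""
        rule = self.match(src_ip, proto, dport)
        if rule is None:
            return None                      # no rule: packet leaves untranslated
        if rule.static_port:
            key = (rule.nat_to, sport, proto, dst_ip, dport)
            if key in self.states:
                return None                  # same port AND same destination: collision
            self.states.add(key)
            return rule.nat_to, sport
        for _ in range(1000):                # dynamic: pick any free ephemeral port
            port = random.randint(1024, 65535)
            key = (rule.nat_to, port, proto, dst_ip, dport)
            if key not in self.states:
                self.states.add(key)
                return rule.nat_to, port
        return None
def mail_demo():
    """Constructed rules: 10.0.0.100 -> VIP 203.0.113.25 for SMTP; rest of 10.0.0.0/24 -> WAN."""
    nat = NatTable([Rule("10.0.0.100/32", "tcp", 25, "203.0.113.25"),
                    Rule("10.0.0.0/24", "any", None, "203.0.113.1")])
    smtp = nat.translate("10.0.0.100", 40000, "tcp", "198.51.100.9", 25)
    https = nat.translate("10.0.0.100", 40001, "tcp", "198.51.100.9", 443)
    return smtp, https
```

With a static-port rule, two hosts reusing source port 55400 toward different destinations both get states, but a second flow to the same destination and port gets None, matching the VoIP example above.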

                                  The SIP server is on the same LAN as the phones. It used to be external but it's local now.

                                  Different lines use different ports, 5060, 5061, 5062, 5064 on 4 line phones for example but there's also just one phone.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.