Email Client times out trying to reach mailserver in lan
-
Hi everybody, I am trying to reach my mail server with a client in Windows Server and it times out.
My setup:
Proxmox with pfSense, mailcow and Windows Server. All in LAN 192.168.21.0/24. All nodes are running fine. I can reach mailcow from outside my LAN through NAT at my mail domain from any client, but not from my Windows Server mail client. What ports for Windows do I still have to open? Thanks for some help!
-
@TomNick said in Email Client times out trying to reach mailserver in lan:
Proxmox with pfsense, mailcow and Windows Server. All in lan 192.168.21.0/24.
So I don't expect the access even to pass pfSense.
Maybe a TLS problem? Does your mailcow provide TLS (STARTTLS)? Maybe the Windows client doesn't trust it.
-
@TomNick said in Email Client times out trying to reach mailserver in lan:
All in lan 192.168.21.0/24.
You mean the cow, the mail server and the client are all in that same network?
Then none of the traffic flows through pfSense. Better: the traffic never reaches pfSense. So, it's a VM-network setup issue.
Your pfSense rules, for when the traffic reaches the LAN interface because it has to leave the LAN network:
The first line (disregard the anti-lockout rule) will pass/accept all IPv4 traffic.
The next line will do the same thing for the IPv6 traffic - but there was none.
The third line will pass IPv4 traffic (remember it was already accepted two lines above) and it must also be TCP, and have a destination that matches the alias and matches destination port 25.
But all these extra conditions are a big don't care.
Your first rule already took care of this traffic. Btw: remember: rules are applied / tested from TOP to BOTTOM.
And the hidden last rule is: "block everything".
-
@viragomann said in Email Client times out trying to reach mailserver in lan:
Maybe a TLS problem? Does your mailcow provide TLS (STARTTLS)? Maybe the Windows client doesn't trust it.
It is SSL/TLS 993 and 465. I tried with 2 clients (Windows), Thunderbird and Outlook. None of them worked. I even set the mail up from scratch and it did not work. So what I found out now is that the client is getting the pfSense cert and not the mail server cert. How can that be?
-
@Gertjan The pfSense has vmbr0 WAN and vmbr1 LAN (192.168.21.0). So all the VMs are behind the pfSense. The mailcow is reachable by the pfSense's WAN, routed to the LAN, e.g. 192.168.21.7. This configuration is running like a charm outside the LAN.
-
@TomNick said in Email Client times out trying to reach mailserver in lan:
So what I found out now is that the client is getting the pfsense cert and not the mailserver cert. How can that be?
I don't expect this, since no packet from the client to the server should go to pfSense.
Maybe we get closer, however, if you give some details about your network.
-
@TomNick said in Email Client times out trying to reach mailserver in lan:
It is SSl/TLS 993 and 465. I tried with 2 clients (Windows) Thunderbird and Outlook. None of them worked.
They connect to what IP ?
The one of the mail server? Where are your clients? On the pfSense WAN? Show your NAT rule(s) and related firewall rules.
-
@Gertjan said in Email Client times out trying to reach mailserver in lan:
They connect to what IP ?
The one of the mail server? Where are your clients? On the pfSense WAN? Show your NAT rule(s) and related firewall rules.
@viragomann said in Email Client times out trying to reach mailserver in lan:
Maybe we get closer, however, if you give some details about your network.
Ok, WAN IP 37.27.xx.xx.xxx, which is mail.mydomain, goes to pfSense.
NAT is:
The aliases are:
The Windows Server is 192.168.21.103 and not able to connect via a client on that Windows Server.
pfSense is 192.168.21.100.
-
@TomNick
What gives us concerns is that client and server are within the same subnet. So access from client to server should not pass pfSense at all. But I just got an idea. I guess your client uses your public FQDN?
This would explain why packets go to pfSense. If so, you should add a host override for the FQDN to your local DNS. Assuming you're using DNS Resolver on pfSense.
Otherwise you can enable NAT reflection in the port forwarding rule.
-
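A way to check both parts of the explanation above (what the name resolves to on this client, and whose certificate the client is actually shown) from the Windows Server itself. This is an added diagnostic, not code from the thread, from pfSense or from mailcow; it assumes the mail host name is mail.mydomain, that mailcow's LAN address is 192.168.21.7 as given earlier in the thread, and that the ports are 993 and 465. Get-TlsCertSubject is a hypothetical helper written for this example.

```powershell
# Added diagnostic (not from the thread). Assumed values: mail.mydomain is the
# mail host name, 192.168.21.7 is mailcow's LAN address, ports 993/465 as used
# by the poster. Run in PowerShell on the Windows Server client.
$Fqdn  = 'mail.mydomain'   # hypothetical name, replace with the real one
$LanIp = '192.168.21.7'    # LAN address of the mail server
$Ports = 993, 465          # IMAPS and SMTPS

# Step 1: drop any cached (public) answer, then see what the name resolves to.
Clear-DnsClientCache
$records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
foreach ($r in $records) {
    if ($r.IPAddress -eq $LanIp) {
        Write-Host "OK: $Fqdn resolves to $($r.IPAddress) (LAN address; host override is in effect)"
    } else {
        Write-Host "PROBLEM: $Fqdn resolves to $($r.IPAddress); the client will send to pfSense's WAN side"
    }
}

# Step 2: open a TLS session and report who presented the certificate.
# Hypothetical helper written for this example. Validation is deliberately
# skipped: we want to see the wrong certificate, not be stopped by it.
function Get-TlsCertSubject {
    param([string]$HostName, [int]$Port, [string]$Sni)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A 5 s limit reproduces the "times out" symptom instead of hanging.
        if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) {
            throw "connect to ${HostName}:$Port timed out after 5 s"
        }
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Sni)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Target  = "${HostName}:$Port"
            Subject = $cert.Subject
            Issuer  = $cert.Issuer
            Expires = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{
            Target  = "${HostName}:$Port"
            Subject = "FAILED: $($_.Exception.Message)"
            Issuer  = ''
            Expires = $null
        }
    } finally {
        $client.Dispose()
    }
}

# By name (what Thunderbird/Outlook see) and by LAN address (what the server itself presents).
$results = foreach ($p in $Ports) {
    Get-TlsCertSubject -HostName $Fqdn  -Port $p -Sni $Fqdn
    Get-TlsCertSubject -HostName $LanIp -Port $p -Sni $Fqdn
}
$results | Format-Table -AutoSize
```

If the name still resolves to the public address while the connection to 192.168.21.7 shows the Let's Encrypt certificate, the host override (or NAT reflection) is not taking effect for this client; the rows by name and by LAN address should show the same Subject and Issuer once it is.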
@viragomann said in Email Client times out trying to reach mailserver in lan:
If so, you should add an host override for the FQDN to your local DNS. Assuming, you're using DNS Resolver on pfSense.
Otherwise you can enable NAT reflection in the port forwarding rule.
I tried all but no success. Maybe I did something wrong with the host override, here it is:
-
@TomNick
Possibly the public IP is still present in the client's DNS cache.
Try to flush it (ipconfig /flushdns) or reboot the machine.
-
The NAT rules.
I still like to see the WAN firewall rules.
The (WAN) firewall rules contain packet counters, like these: so you can see right away if there was traffic from the Internet coming into the WAN interface that matches one of your WAN pass rules - these rules can be part of a NAT rule - as my third WAN firewall rule, as it NATs to a port on my Syno disk-station, which is a pfSense LAN device.
So, again: your firewall rules?
The port alias contains:
25, 465, etc.
So your first NAT rule 'NATs' port 25.
Your third rule isn't needed and should be removed.
-
@Gertjan said in Email Client times out trying to reach mailserver in lan:
So, again : your firewall rules ?
@Gertjan said in Email Client times out trying to reach mailserver in lan:
So your the first NAT rules 'NATs' port 25.
Your third rule isn't needed and should be removed.
Done!
Ok, what I found out is that if you call mail.mydomain from inside the Windows client you get the pfSense cert. If you call mail.mydomain from outside you will get the Let's Encrypt cert, which is correct.
-
@TomNick
The only possible reason for this is that your client resolves the host name to the public FQDN, as already mentioned yesterday. If you're not able to get your local DNS to work properly, edit the port forwarding rule for the mail server ports and enable NAT reflection.
-
@viragomann said in Email Client times out trying to reach mailserver in lan:
If you're not able to get your local DNS to work properly, edit the port forwarding rule for the mailserver ports and enable NAT reflection.
It is already enabled, I guess. The NAT reflection gives me 4 options:
default, NAT+Proxy, Pure NAT, Disable
Mine is on default, still not working.
-
@viragomann It is working by setting "host override". Thanks a lot for your trouble and have a good weekend.
-
@TomNick said in Email Client times out trying to reach mailserver in lan:
Mine is on default, still not working
"default" means "System default". If this is set in the NAT rule, the setting in System > Advanced > Firewall & NAT > NAT Reflection mode for port forwards is used.