Problems with mail server



  • I'm running pfSense 2.0rc1 within a VMware ESXi 4 host.

    I have created a second VM Guest and installed Ubuntu 10.04-LTS & Zimbra to run as my mail server.

    I can access the VM Guest no problem with the IP address.  However, when I try to access my EXTERNAL IP (ISP provided) via domain name or IP address it does not NAT to the Zimbra box correctly.  Instead, it automatically redirects to my pfSense port (under the same domain name or IP).  I'm not sure why it is automatically redirecting like this.

    External IP:
    Internal IP of VM Guest:  192.168.2.50
    Domain name:  mail.redcarpetfinancial.ca (points to external IP)

    Error Message:  Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname.

    Can someone tell me what is going wrong?



  • My guess is that 206.248.167.232 is the IP address of your pfSense WAN interface and you haven't set things up correctly so that the corresponding access gets forwarded to your server, so your access attempt winds up at the pfSense web server, which is reporting that it is not expecting to be asked to serve pages for mail.redcarpetfinancial.ca.

    My pfSense box WAN interface is connected to an ADSL modem. I have a publicly accessible web server on an OPTx network connected to my pfSense box. I use DNS forwarder on pfSense. I have a DNS override in DNS forwarder so local (to my network) attempts to access the web server by public name get mapped to the web server's private IP address.  (e.g., in your case, a DNS override for mail.redcarpetfinancial.ca to 192.168.2.50.) For public access to the web server I have a Firewall -> NAT port forward rule to forward TCP port 80 accesses coming to the WAN interface to port 80 on the web server's private IP address.

    I use wireless broadband to test server access from Internet.
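The reply above says the request "winds up at the pfSense web server", which then refuses to serve pages for a name that is not its own. The Python model below is added here as an illustration of that kind of Host-header check; it is not pfSense's own code. The LAN and WAN addresses are the ones given in the thread, while the system hostname (`pfsense.localdomain`) and the empty alternate-hostname list are assumptions.

```python
import ipaddress

# Constructed model of a DNS-rebinding Host-header check (not pfSense code).
# Interface addresses come from the thread; hostname and alternate names are assumed.
ROUTER_INTERFACE_IPS = {"192.168.1.1", "206.248.167.232"}   # LAN and WAN addresses
ROUTER_HOSTNAMES = {"pfsense.localdomain"}                  # assumed system hostname
ALTERNATE_HOSTNAMES = set()                                 # "Alternate Hostnames" box, assumed empty

REBIND_MESSAGE = ("Potential DNS Rebind attack detected, see "
                  "http://en.wikipedia.org/wiki/DNS_rebinding\n"
                  "Try accessing the router by IP address instead of by hostname.")


def host_from_header(value):
    """Strip an optional :port from a Host header ("host:port" or "[v6addr]:port")."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                 # exactly one colon means host:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def names_the_router(host, own_ips, own_names):
    """True when the Host header points at the firewall itself, by IP or by name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in {n.lower().rstrip(".") for n in own_names}
    return any(ip == ipaddress.ip_address(i) for i in own_ips)


def check_request(host_header, own_ips=None, own_names=None, rebind_checks=True):
    """Decide whether the web GUI would serve a request carrying this Host header.

    Returns (allowed, message).  A request that reaches the GUI under a name that
    is not the router's own (here mail.redcarpetfinancial.ca, because no port
    forward matched the packet) is refused with the rebinding message.
    """
    own_ips = ROUTER_INTERFACE_IPS if own_ips is None else own_ips
    own_names = (ROUTER_HOSTNAMES | ALTERNATE_HOSTNAMES) if own_names is None else own_names
    if not rebind_checks:                    # "Disable DNS Rebinding Checks" ticked
        return True, "ok (rebinding checks disabled)"
    if names_the_router(host_from_header(host_header), own_ips, own_names):
        return True, "ok"
    return False, REBIND_MESSAGE


if __name__ == "__main__":
    for hdr in ("mail.redcarpetfinancial.ca", "mail.redcarpetfinancial.ca:443",
                "192.168.1.1", "206.248.167.232:80"):
        allowed, _ = check_request(hdr)
        print(f"{hdr:32} -> {'served' if allowed else 'refused'}")
```

The check exists so that a browser cannot be steered into talking to the firewall's GUI under an attacker-controlled name; the remedy in this thread is therefore not to switch the check off but to keep the mail hostname from landing on the firewall at all (the port forward for outside clients, the DNS override for inside ones).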



  • I have the following NAT Port Forwards setup:

    
    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports   NAT IP        NAT ports     Description
    WAN  TCP    *          *           WAN address  80 (HTTP)     192.168.2.50  80 (HTTP)     Webmail
    WAN  TCP    *          *           WAN address  25 (SMTP)     192.168.2.50  25 (SMTP)     Mail SMTP
    WAN  TCP    *          *           WAN address  995 (POP3/S)  192.168.2.50  995 (POP3/S)  Mail POP3S
    WAN  TCP    *          *           WAN address  53 (DNS)      192.168.2.50  53 (DNS)      DNS
    
    

    I have the following Firewall Rules setup:

    
    Proto  Source  Port  Destination   Port          Gateway  Queue  Schedule  Description
    TCP    *       *     192.168.2.50  80 (HTTP)     *        none             NAT Webmail
    TCP    *       *     192.168.2.50  25 (SMTP)     *        none             NAT Mail SMTP
    TCP    *       *     192.168.2.50  995 (POP3/S)  *        none             NAT Mail POP3S
    TCP    *       *     192.168.2.50  53 (DNS)      *        none             NAT DNS
    
    


  • @jim.thornton:

    I have the following NAT Port Forwards setup:

    
    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports   NAT IP        NAT ports     Description
    WAN  TCP    *          *           WAN address  80 (HTTP)     192.168.2.50  80 (HTTP)     Webmail
    WAN  TCP    *          *           WAN address  25 (SMTP)     192.168.2.50  25 (SMTP)     Mail SMTP
    WAN  TCP    *          *           WAN address  995 (POP3/S)  192.168.2.50  995 (POP3/S)  Mail POP3S
    WAN  TCP    *          *           WAN address  53 (DNS)      192.168.2.50  53 (DNS)      DNS
    
    

    I don't have enough information about what you are doing. Suppose you are attempting a web access to mail.redcarpetfinancial.ca from a system on your pfSense LAN interface and whatever DNS you are using translates mail.redcarpetfinancial.ca to your external IP. Your system sends that access attempt to pfSense where it arrives on the LAN interface where it doesn't match the port forwards you have setup (because it didn't arrive on the WAN interface) but it does match a pfSense IP address so it goes to the pfSense web server.

    Suppose you have setup the port forwards but not reset the firewall states. An access attempt from the internet might not match the port forwards because the firewall states haven't been reset. See Diagnostics -> States, click on Reset States tab for more information.



  • I haven't recently set those rules…  They have been running for quite some time and I have rebooted the box since setting up those rules.

    I don't know a whole lot about networking, so please excuse my ignorance.

    I have set up an internal DNS server on 192.168.2.50 so that the Zimbra install will work.  None of my other computers on the LAN use this as the DNS server.

    This error message comes up whether I go to the domain from my laptop within the network or via wireless broadband tethering to my cell phone (wifi turned off).

    Not really sure how to troubleshoot this so if you can dumb it down a bit and let me know where to go from start to finish, that would be great!



  • @jim.thornton:

    Not really sure how to troubleshoot this so if you can dumb it down a bit and let me know where to go from start to finish, that would be great!

    Dumbing down is not as easy as it might seem, but let's try.

    Let's start with the access from your laptop through the pfSense LAN interface. What is the laptop's gateway and name server? And what OS does it run?



  • My laptop is running Windows 7 (32-bit)
    ip: 192.168.1.3 (DHCP)
    gateway:  192.168.1.1
    DNS:  192.168.1.1

    ** If it is easier for you to look rather than post on the boards, I can set you up with access.



  • OK, so the pfSense LAN interface has IP address 192.168.1.1, and you have DNS forwarder enabled on pfSense? And does ping mail.redcarpetfinancial.ca on the laptop say it is going to 206.248.167.232?



  • Using dig and other tools, mail.redcarpetfinancial.com is pointing to the external IP address:  206.248.167.232



  • @jim.thornton:

    Using dig and other tools, mail.redcarpetfinancial.com is pointing to the external IP address:  206.248.167.232

    Looks like I dumbed down too much technically but not enough in attention span - you answered only one of my last three questions.  :)



  • Sorry…  DNS Forwarder is ENABLED and the other two boxes are UNCHECKED.

    I don't know how to check the pfSense LAN interface (I don't think).  I went into the SSH shell for pfSense and there are 6 interfaces.  The LAN interface is 192.168.1.1 if that is what you are asking.



  • OK, so you should add a DNS forwarder override for mail.redcarpetfinancial.com so that from your private network you access it via its private IP address:

    Go to Services -> DNS Forwarder, scroll down to the table with headings Host Domain IP Description click on the "+" button on the right and add an override entry for host mail on domain redcarpetfinancial.com with IP address 192.168.2.50 and some useful (to you) description. Click on the save button.

    Then go back to your Windows laptop and attempt to ping mail.redcarpetfinancial.com. If the IP address is not the private IP address wait a few seconds (for the laptop's DNS cache entry to time out) and repeat if necessary (it shouldn't be necessary to repeat this more than a few times). Then try your web access by hostname.
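The earlier reply explained why a LAN client that resolves the name to the external IP lands on the pfSense web server (the packet arrives on LAN, so the WAN port forwards don't match), and the steps above add the DNS forwarder override that fixes it. The Python model below is added here to trace both paths; it is not pfSense code. The addresses and the port forward table are the ones posted in the thread; the LAN subnet (192.168.1.0/24, inferred from the laptop's 192.168.1.3 / gateway 192.168.1.1) and the internet client address 198.51.100.7 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's topology (not pfSense code): the DNS forwarder
# override, the posted port forwards, and the rule that a port forward only matches
# traffic arriving on the interface it is bound to.
WAN_IP = "206.248.167.232"
LAN_IP = "192.168.1.1"
ZIMBRA = "192.168.2.50"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # assumed from laptop 192.168.1.3 / gw 192.168.1.1
PUBLIC_DNS = {"mail.redcarpetfinancial.ca": WAN_IP}   # what the public zone answers


@dataclass(frozen=True)
class PortForward:
    interface: str      # the port forward only matches traffic arriving on this interface
    proto: str
    dst_port: int
    target: str
    target_port: int


PORT_FORWARDS = [                                     # Firewall -> NAT table from the thread
    PortForward("WAN", "tcp", 80, ZIMBRA, 80),
    PortForward("WAN", "tcp", 25, ZIMBRA, 25),
    PortForward("WAN", "tcp", 995, ZIMBRA, 995),
    PortForward("WAN", "tcp", 53, ZIMBRA, 53),
]


def ingress_interface(client_ip):
    """Which pfSense interface a packet from client_ip arrives on."""
    return "LAN" if ipaddress.ip_address(client_ip) in LAN_NET else "WAN"


def resolve(name, client_ip, overrides):
    """LAN clients ask the pfSense DNS forwarder, which answers from its host
    overrides before forwarding; internet clients only ever see the public record."""
    if ingress_interface(client_ip) == "LAN" and name in overrides:
        return overrides[name]
    return PUBLIC_DNS[name]


def deliver(client_ip, dst_ip, dst_port, proto="tcp"):
    """Where a connection from client_ip to dst_ip:dst_port ends up."""
    if dst_ip not in (WAN_IP, LAN_IP):            # not a firewall address: plain routing
        return f"routed to {dst_ip}:{dst_port}"
    iface = ingress_interface(client_ip)
    for pf in PORT_FORWARDS:                       # "WAN address" destination == WAN_IP
        if (pf.interface == iface and pf.proto == proto
                and dst_ip == WAN_IP and pf.dst_port == dst_port):
            return f"port forward -> {pf.target}:{pf.target_port}"
    if iface == "WAN":
        return "blocked (no WAN pass rule)"        # nothing opens the firewall's own ports on WAN
    return "pfSense webConfigurator"               # LAN allow rule lets it reach the firewall itself


def web_access(name, client_ip, overrides):
    """Resolve the name the way that client would, then follow the packet to port 80."""
    ip = resolve(name, client_ip, overrides)
    return ip, deliver(client_ip, ip, 80)


if __name__ == "__main__":
    before = {}
    after = {"mail.redcarpetfinancial.ca": ZIMBRA}    # Services -> DNS Forwarder host override
    for label, client, ov in (("LAN, no override", "192.168.1.3", before),
                              ("LAN, with override", "192.168.1.3", after),
                              ("internet client", "198.51.100.7", after)):
        print(f"{label:20} -> {web_access('mail.redcarpetfinancial.ca', client, ov)}")
```

The "pfSense webConfigurator" outcome is the one that then trips the rebinding check, since the Host header carries the mail hostname rather than a router address. With the override in place the LAN client resolves the name to 192.168.2.50 and never touches the firewall's own addresses, while an internet client still reaches Zimbra through the WAN port forward.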



  • I did as you suggested and when I went to ping redcarpetfinancial.ca it worked but when I pinged mail.redcarpetfinancial.ca it still went to the external IP.



  • I spoke too soon.  It now resolves to 192.168.2.50



  • OK, so your access from LAN now works OK?

    Let's try access from the internet. With your laptop disconnected from the LAN (to force access over wireless broadband) what IP address is accessed if you ping mail.redcarpetfinancial.ca? What happens with a web access to mail.redcarpetfinancial.ca?



  • Okay…  I turned off my NIC and tethered my phone to my laptop forcing wireless broadband.

    I tried pinging mail.redcarpetfinancial.ca and it was trying to resolve to my external IP address but it timed out.

    I then tried in my normal (Firefox) browser to go to mail.redcarpetfinancial.ca and it automatically redirected to the pfSense PORT (mail.redcarpetfinancial.ca:PORT) and it gave me the re-binding attack error message again.

    I wasn't sure if this was Firefox, for some reason, redirecting, so I tried in IE as well.  It took a while but connected to my Zimbra machine.



  • AWESOME!  I just cleared my Firefox cache and it worked there as well.

    Thank you!!!

