1:1 NAT entry for email servers



  • Yesterday I had an issue with my email server. It's working now but I'm trying to understand what happened.

    I'm running PF 2.0.1.
    I came into work yesterday and was told email was down. I RDP'd into the server and it looked normal. Then I tried to open a web page and nothing. Page not found.

    It felt like a DNS issue. For hours I dug into the DNS; nothing worked. I then set the email server to DHCP and bam, I got internet. Crazy. Back to static IP and no internet.

    This all started at 9am. At 1pm I started to look at pfSense. I had not touched it in a month, since I installed the country block.
    I disabled that, nothing.

    I started toying with rules, nothing. I then deleted ALL the entries, including the 1:1 NAT. At that time I noticed a pattern. When the 1:1 NAT entry was deleted, Internet worked.

    So I deleted ALL the rules, recreated them except the 1:1 NAT entry, and everything is working. Email flows in and out.

    I thought inbound email would fail without the 1:1 NAT but everything is working. Can anyone shed some light on this?
    Thank you


  • Rebel Alliance Global Moderator

    Why did you think you needed a 1:1?

    Your email server needs 25 sent to it, and any other possible protocols you want to allow like pop or imap, etc.

    Do you have multiple public IPs on the WAN of pfSense, and you want to make sure your email server is associated with a specific one of those?

    As long as port 25 is forwarded to your email server, then inbound email should work just fine.

    Did your WAN IP change? You say it worked when you put the email server on DHCP; well, that would have removed it from the 1:1 NAT.



  • Yes, I have multiple IPs; the WAN IP is static, and one of the IPs is assigned to the email server. I thought I needed a 1:1 NAT for an email server with an assigned IP, which is why I created the 1:1 entry.


  • Rebel Alliance Global Moderator

    yeah, if you're going to want to have traffic from this server come from one of your specific IPs.. Does it send mail?  Then sure, 1:1 would do that.  But as far as 25 to it, that has nothing to do with a 1:1 – 1:1 would be for outbound traffic from 1 of your IPs when coming from that inside box.  Or sending ALL traffic from a specific IP to a specific inside IP, etc.

    Not really required to run a mail server to be honest..  As long as mail is sent to one of your public IPs and you forward it to your mail server, that would work for inbound.  And for outbound, as long as your IP is not listed as dynamic and you have a PTR for it, it should be able to send email; no reason to specifically lock it down to 1 of your public IPs to be honest.
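    To make the distinction the moderator draws concrete, here is an added illustration in pf.conf syntax, the packet filter language pfSense generates behind its NAT pages. It is not configuration from this thread or from the pfSense project; the interface name, the inside address 192.168.1.25 and the public addresses are constructed placeholders. It shows that inbound SMTP only needs a port forward (rdr), while the 1:1 entry (binat) is the separate, optional piece that rewrites ALL of the server's traffic in both directions.

```pf
# Added illustration in pf.conf syntax; every name and address below is a
# constructed placeholder, not a value from the thread.
ext_if   = "em0"                # WAN interface (assumed)
lan_net  = "192.168.1.0/24"     # inside network (constructed)
mail_lan = "192.168.1.25"       # inside mail server (constructed)
mail_wan = "203.0.113.11"       # extra public IP carried as a WAN virtual IP (constructed)

# 1:1 NAT ("binat"): the optional line this thread is about. It pairs
# mail_wan with mail_lan for ALL protocols in both directions, so the
# server's own outbound connections (SMTP delivery, DNS, web browsing)
# leave with mail_wan as their source. Because it rewrites every packet
# the inside address sends, mail_wan must be a live, routable address on
# the WAN; a host that is not covered by this rule (for example one that
# picked up a different address from DHCP) is unaffected by it.
binat on $ext_if from $mail_lan to any -> $mail_wan

# General outbound NAT: everything else on the LAN leaves via the
# interface's primary address. Nothing here ties the mail server to mail_wan.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward ("rdr"): this is all inbound SMTP needs. Traffic aimed at
# mail_wan on 25/tcp is delivered to the inside box. Add 110/143/587/993
# the same way only for services you actually expose.
rdr on $ext_if inet proto tcp from any to $mail_wan port 25 -> $mail_lan port 25

# Filter rule to admit the forwarded connection. Translation runs before
# filtering in this pf version, so the rule matches the translated
# (inside) destination. Forwarding without a pass rule drops the traffic.
pass in on $ext_if inet proto tcp from any to $mail_lan port 25 flags S/SA keep state
```

    Reading it this way also explains the moderator's point about DHCP: the binat keys on the inside address, so a server that obtains a different lease simply falls outside the 1:1 mapping and uses the general outbound NAT like every other LAN host. When a 1:1 entry is kept for outbound source-address reasons (matching the PTR record the moderator mentions), the practical check is that the mapped public address is configured as a virtual IP on the WAN and answers from the outside; if it does not, the mapped host loses outbound connectivity while the rest of the LAN keeps working.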



  • @johnpoz:

    yeah, if you're going to want to have traffic from this server come from one of your specific IPs.. Does it send mail?  Then sure, 1:1 would do that.  But as far as 25 to it, that has nothing to do with a 1:1 – 1:1 would be for outbound traffic from 1 of your IPs when coming from that inside box.  Or sending ALL traffic from a specific IP to a specific inside IP, etc.

    Not really required to run a mail server to be honest..  As long as mail is sent to one of your public IPs and you forward it to your mail server, that would work for inbound.  And for outbound, as long as your IP is not listed as dynamic and you have a PTR for it, it should be able to send email; no reason to specifically lock it down to 1 of your public IPs to be honest.

    Well, everything is working now since I deleted the 1:1 mapping. I just don't know why everything came to a halt suddenly when nothing on my end was changed. I had the 1:1 mapping working for months.

    Thank you for your input.

    Enjoy the weekend.

