Mail problems caused by firewall?

  • I have a strange situation with my mailservers. Most of the mails get delivered without any problems. There are two exceptions:

    *Problem one (Both mail servers are in the same network but route over the internet [they don't know internal adresses])

    If a customer with its own mail server (getting official IP adresses from a /27 network) tries to send a mail to another mailserver with an IP from the same network it gets a timeout error. Example (using private IP adresses, not the real ones):

    Mail Server A:
    Mail Server B:

    The network is

    Both mail servers host completely different domains and have completely different internal networks. Mapping between official and internal IPs is made with NAT. Each server gets a timeout error, when it sends mail to a domain hosted on the other server.

    • problem two (all mail servers deliver with the WAN IP as sender)
      My pfSense box has one WAN and ONE LAN interface. Traffic is routed through NAT. It seems like all mail sent out, (no matter from which mail server they are sent) have the same source address, the one of the LAN interface. This seems to cause problems on some mail servers, since the reverse lookup of a mail domain returns a different IP adress than the WAN interface is assigned to. I think for these cases I need someting like an outbound NAT that resolves to the correct IP adress. Example:

    Default Gateway has
    WAN Port      
    Mail Server    

    The receiving Mail server (lets say gmail) sees as sender of When it does a reverse lookup it finds the official IP adress of mail server ( which is correct but different from the sender IP. This seems to cause problems with only a few mail servers.

    I think I need some additional configuration either on pfSense or on postfix. Can anybody give me a hint where to research further?

    Many thanks


  • Rebel Alliance Developer Netgate

    #1 can be solved with NAT reflection or split DNS.

    #2 is outbound NAT or 1:1 - make sure the mail servers are set to use the same IPs outbound as they are inbound (or use 1:1 NAT instead of port forwards)

Log in to reply