Mail problems caused by firewall?
-
I have a strange situation with my mailservers. Most of the mails get delivered without any problems. There are two exceptions:
- Problem one (both mail servers are in the same network but route over the internet [they don't know internal addresses])
If a customer with its own mail server (getting official IP addresses from a /27 network) tries to send a mail to another mail server with an IP from the same network it gets a timeout error. Example (using private IP addresses, not the real ones):
Mail Server A: 172.15.15.167
Mail Server B: 172.15.15.175
The network is 172.15.15.160/27
Both mail servers host completely different domains and have completely different internal networks. Mapping between official and internal IPs is made with NAT. Each server gets a timeout error when it sends mail to a domain hosted on the other server.
- Problem two (all mail servers deliver with the WAN IP as sender)
My pfSense box has one WAN and ONE LAN interface. Traffic is routed through NAT. It seems like all mail sent out (no matter from which mail server it is sent) has the same source address, the one of the LAN interface. This seems to cause problems on some mail servers, since the reverse lookup of a mail domain returns a different IP address than the WAN interface is assigned to. I think for these cases I need something like an outbound NAT that resolves to the correct IP address. Example:
Default Gateway has xxx.xxx.xxx.161
WAN Port xxx.xxx.xxx.162
Mail Server xxx.xxx.xxx.175
The receiving mail server (let's say gmail) sees xxx.xxx.xxx.162 as sender of mailserver.mydomain.com. When it does a reverse lookup it finds the official IP address of the mail server (xxx.xxx.xxx.175) which is correct but different from the sender IP. This seems to cause problems with only a few mail servers.
I think I need some additional configuration either on pfSense or on postfix. Can anybody give me a hint where to research further?
Many thanks
Rumpi
-
#1 can be solved with NAT reflection or split DNS.
#2 is outbound NAT or 1:1 - make sure the mail servers are set to use the same IPs outbound as they are inbound (or use 1:1 NAT instead of port forwards)
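pfSense drives pf underneath, so the two fixes from the reply are shown here as the equivalent pf.conf rules (an added example, not from the post; in pfSense these correspond to a 1:1 NAT entry and enabling NAT reflection). Interface names, the 192.168.1.0/24 LAN and the 203.0.113.x public addresses are constructed placeholders.

```pf
# Constructed example values (assumed, not the poster's real addresses)
ext_if   = "em0"              # WAN interface
int_if   = "em1"              # LAN interface
lan_net  = "192.168.1.0/24"   # internal network behind pfSense
mail_int = "192.168.1.25"     # internal address of mail server B
mail_pub = "203.0.113.175"    # public address of mail server B (the ".175" in the post)

# Problem two: a plain outbound NAT on the WAN sources every host from the WAN address.
# Replace it (for the mail server) with 1:1 NAT, so inbound AND outbound SMTP use
# the same public IP and the receiving side's reverse lookup matches the sender IP.
binat on $ext_if from $mail_int to any -> $mail_pub

# Problem one: a LAN host sending to $mail_pub hits the firewall's own public side
# and times out. NAT reflection (hairpin) redirects it back to the internal host,
# then re-sources it from the LAN interface so the reply returns via the firewall.
rdr on $int_if proto tcp from $lan_net to $mail_pub port 25 -> $mail_int port 25
nat on $int_if proto tcp from $lan_net to $mail_int port 25 -> ($int_if)

# Still needed: a filter rule permitting SMTP to the internal host
pass in quick on $int_if proto tcp from $lan_net to $mail_int port 25 keep state
```

Split DNS (resolving mailserver.mydomain.com to 192.168.1.25 for LAN clients) avoids the hairpin entirely; the 1:1 rule is still required so outbound mail leaves with the ".175" source that the PTR record points to.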