Problem with Mailserver because reverse lookup failes



  • Hey all together,
    I installed pfSense on a wrap board to replace an old server that serves as a firewall and as DNS for the local networks.

    I have three interfaces: The WAN interface with a fixed external IP (and two additional virtual IPs which do not work currently as well)
    A local 192.168.0.0 net which is the main LAN (LAN) and another segment which is 192.168.1.0. (LAN1) which contains the mail and webserver. I configured portforwarding for the two external IPs for smtp and http. I activated the DNS forwarder function and added the hostnames of the mail and webserver that they are resolved with their private IP because they are not accessible with their public IP from LAN.

    When I connect to the webserver from LAN erverything works fine, when I try to send or receive Mail everything is extremely slow and after five minutes I get the error message that sendmail cannot resolve the domain of the senderadress. I think that this is because the reverse lookup on the local adress from LAN1 is not succesfull.

    As far as I know dnsmasq is not capable to provide reverse lookups and if I would use an external DNS server I would get the external IP within the LAN.
    Is there any chance to get this constellation working without changes on the existing structure?

    My alternative idea was to replace LAN1 with a DMZ in bridged mode with the WAN interface and external IPs for the mail and webserver but I dont want to change to much on the configuration of the server because Im not that familiar with its configuration.

    I hope its possible to follow my descrition and would be glad about helpful comments…

    Thanks in advance

    Arne



  • Not sure how pfsense uses dnsmasq, but dnsmasq does have the option -h, –no-hosts which does not read the /etc/hosts file, there is also -H which can read an alternate hosts file.
    So you can set host descriptions interanlly this way using dnsmasq.
    You can also use dnsmasq as a MX look up intercept, where by any MX look up is intercepted and you can set your mail server as the default mail server for the LAN interface.
    I personally, set a NAT that intercepts all outbound mail from the LAN and redirect it to  the mail server in my DMZ.  This way no matter what they enter as mail server it hits my server in the DMZ.
    rdr on xl1 inet proto tcp from <emailserver>to any port = smtp -> 192.168.0.50
    <emailserver>is a table of internal hosts that should be intercepted, there are a few hosts I did not want to intercept.
    Remember to install spamd and help everyone.</emailserver></emailserver>



  • Some things to try (though I'm pretty tired atm so if I talk nonsense please forgive me):

    • enable nat reflection at system>advanced. This way your server should be accessable even by it's WAN IP
    • enable "Register DHCP leases in DNS forwarder" at services>dns forwarder. this way your dhcp clients should be resolvable via their hostname
    • add forwarding DNS-Servers for your clientsdomain if you are running another dns server for these clients at services>dns forwarder

Locked