Exchange Behind PFSense



  • Hello,

    I have installed Microsoft Exchange 2013 behind PFSense 2.1.3. The infrastructure is being described below:

    Infrastructure Details:

    • I have a pool of public IP's, 2 of which are being used in this deployment.We will use "PIP-1" and "PIP-2" as their aliases.

    • I configured the 3 interfaces in PFSense firewall. Namely WAN, LAN and Opt1

    • A WAN connection is being terminated at the firewall i.e. WAN interface with using "PIP-1 as the IP.

    • The PIP-2 is being used in NAT to route all traffic coming from the internet towards the DAG (Mail Exchange Connector) IP i.e. 192.168.8.174

    • Two connections from LAN and OPT1 interfaces of PFSense are being terminated into a single switch

    • The EXCH-1, EXCH-2 and the DAG servers are also connected to that switch.

    • EXCH-1 and EXCH-2 are connected to each other directly, to facilitate synchronization.

    The Problem:

    I can use the Microsoft Exchange OWA via HTTP to connect to my mailbox and I can conveniently connect to the remote administration for PFSense via web. My outlook clients can email people within the network and they are also able to POP emails from the web, when they have Outlook clients configured. But, when I try to send emails using Outlook clients to outside addresses, I get the "Unable to Relay" message from the email server. I have tried everything but, it's not working. I've checked the exchange as well and it's fine.

    The Request:
    If someone has any idea about what I did wrong in all this scenario, kindly help because I'm too stressed and currently in a fix. I can't send emails to outside domains via Outlook client. The server says that it is unable to relay SMTP messages. It's probably because I did something wrong. Kindly help.

    Thanks.



  • That is an Exchange specific question, so it is better to be asked in an Exchange forum.

    Sorry, I'm not familiar with Exchange 2013, only with elder versions.
    However, you have to allow relaying in SMTP settings for authenticated users or just another user-group you want. But don't allow it for everyone!

    If you want to access Exchange from outside over MAPI with Outlook you have to forward port 443 to the Exchange and change the port for pfSense webconfigurator to another one or better forbid access to it from WAN.



  • Couple of questions:

    1. Why do you have two interfaces on the same subnet, going to the same switch?
    2. Why are you using POP? Open 443 and use RPC over HTTPS.


  • I am new to networking. I have a small separate switch and I figured, both of them will work when I connect them to that single switch.

    POP is a requirement. (Weird I know!)



  • Either put everything off the LAN or change the subnet on the OPT. The way you have it setup now is going to cause problems.