Blocked SMTP port 25

Hi everyone,
I'm a newbie trying to set up my internal mail server using the SMTP port.
At the beginning, port 25 was blocked in the router, so when I tried "telnet gmail-smtp-in.l.google.com 25" I got this:

telnet gmail-smtp-in.l.google.com 25
Trying 74.125.133.27...
Trying 2a00:1450:400c:c0c::1b...
telnet: Unable to connect to remote host: Network is unreachable

To get rid of this I put the rules below:

/ip firewall address-list
add list=smtp_server address=192.168.1.4
/ip firewall filter
# dst-port is only accepted together with protocol
add chain=forward action=accept protocol=tcp dst-port=25 src-address-list=smtp_server comment="outbound SMTP from the mail server"
add chain=forward action=drop protocol=tcp dst-port=25 comment="drop all other outbound SMTP"

But when telnetting to gmail-smtp-in.l.google.com 25 I got this:


telnet gmail-smtp-in.l.google.com 25
Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.

The rule seems to be working, but the "220 mx.google.com ESMTP blahblahblah" is missing.
I have already installed postfix on my server and tried to send a mail to my gmail account, but I got this error:

Oct 12 13:09:13 mail postfix/smtp[8850]: A70562201F3: to=<xxxxxx@gmail.com>, relay=alt4.gmail-smtp-in.l.google.com[74.125.28.27]:25, delay=1693, delays=191/0.08/1502/0, dsn=4.4.2, status=deferred (conversation with alt4.gmail-smtp-in.l.google.com[74.125.28.27] timed out while receiving the initial server greeting)

Two things:

  1. Apart from the firewall filter rules you showed, do you have anything else in the firewall config which might interfere? Any other NAT (SRC or DST) rules (if yes, please post all of them; they might be set in a way that interferes, but in a way not obvious to you) or filter rules blocking it?
  2. Are you sure your ISP is not blocking outgoing SMTP connections as an attempt to reduce spam traffic? Perhaps forwarding it to some SMTP/SSL (it behaves just like you observed if the SMTP server expects an SSL handshake).
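The two telnet results in this thread are different failure modes: the first run got "Network is unreachable" (no route to the destination), while after the rule change the TCP handshake completes but no 220 greeting ever arrives, which is exactly what postfix logs as timing out on the initial server greeting. The probe below is an added example, not something posted in the thread: it opens a TCP connection, waits for the banner and names the outcome, so the cases can be told apart from a script instead of by watching telnet. fake_smtp_server is a constructed local stand-in for a mail exchanger so the example runs offline; the Google MX host name in the closing comment is the one from the thread and needs network access.

```python
import errno
import socket
import threading
import time


def smtp_banner_probe(host, port=25, timeout=5.0):
    """Connect to host:port and wait for the SMTP greeting; classify the outcome.

    "unreachable"         - no route or name resolution failure ("Network is
                            unreachable", as in the first telnet in the thread)
    "filtered"            - the SYN is never answered: something silently drops it
    "refused"             - RST from the host: reachable, but nothing listens
    "connected-no-banner" - handshake completes but no greeting arrives before
                            the timeout (postfix: "timed out while receiving the
                            initial server greeting")
    "connected-closed"    - the peer closed without sending a greeting
    "banner:<first line>" - a greeting was received; a real MX answers 220
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "unreachable"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except (socket.timeout, TimeoutError):
            # Same symptom for a transparent proxy on the ISP path, a tarpit, or a
            # listener expecting TLS first (implicit TLS, as on 465): none of them
            # says anything until the client does.
            return "connected-no-banner"
    if not data:
        return "connected-closed"
    return "banner:" + data.decode("ascii", "replace").splitlines()[0]


def fake_smtp_server(behaviour, hold=2.0):
    """Constructed stand-in for a remote MX so the probe can run offline.

    behaviour: "greet"   - sends a 220 banner
               "silent"  - accepts, then says nothing for `hold` seconds
               "close"   - accepts and closes without a greeting
               "refused" - no listener at all on the returned port
    Returns (host, port) on 127.0.0.1.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    host, port = srv.getsockname()
    if behaviour == "refused":
        srv.close()
        return host, port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "greet":
                conn.sendall(b"220 mx.example.test ESMTP ready\r\n")
            elif behaviour == "silent":
                time.sleep(hold)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    for behaviour in ("greet", "silent", "close", "refused"):
        host, port = fake_smtp_server(behaviour, hold=1.0)
        print(f"{behaviour:8s} -> {smtp_banner_probe(host, port, timeout=0.5)}")
    # Against the MX from the thread (needs network access):
    # print(smtp_banner_probe("gmail-smtp-in.l.google.com", 25))
```

A "connected-no-banner" result on port 25 cannot by itself separate an interposed box on the ISP path from a listener that expects TLS first, because neither speaks until the client does. Running the same probe from a host outside the ISP, and against 587 or 465 of a server you control, is the quickest way to split those cases.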

I just have 3 rules about port 25 in the filter: LogChain, action=accept and action=drop.
But in NAT I have other rules for my webserver:

/ip firewall nat
add chain=dstnat dst-address=IP_public protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.5 to-ports=80
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.5 protocol=tcp dst-port=80 out-interface=LAN action=masquerade

I am sure that the ISP is not blocking outgoing SMTP connections because I have already talked with them and they said that the filter rule I put in should work.

What about the rest of the filter rules? As I wrote, they might be interfering without it being obvious to you (and we might spot the problem because we don't have our minds set on what the rules are meant to be doing). So if you want to get some solid advice (instead of guesswork), you should post your complete firewall configuration (obfuscate public IP addresses).

BTW, I'm sure you have reasons to flush the default firewall setup, but the default firewall setup doesn't filter any outgoing traffic in chain=forward nor in chain=output. It would be beneficial to the debugging process if you could try SMTP either using the default firewall or with the firewall (temporarily) disabled. This way you would be entirely sure it's not something outside the router interfering (and no, ISP tech guys telling you that it should work is not proof; with larger ISPs most of the techs don't know the whole setup well enough to give definitive answers).

rags, is there any rule that is actively blocking SMTP traffic (either way)?

Otherwise, is your ISP allowing SMTP traffic (inbound and / or outbound)?

For an email / SMTP server, you should allow traffic towards that server, normally from everywhere. Depending on your configuration, in a simple dstnat rule, this should be something like this (of course, you can spice it up with other config elements: more / different ports, dst-address if needed, in-interface, hairpin NAT etc.):


/ip firewall nat
# add dst-address=<public IP> if the router holds more than one public address
add action=dst-nat chain=dstnat comment="SMTP inbound" dst-port=25,465,587 protocol=tcp to-addresses=192.168.x.y

Also, a good practice is to allow outbound SMTP traffic only from and / or to devices / destinations that require this type of traffic, and drop all others, thus having a simple but pretty effective setup.

Something like this (allowing traffic from local MTA servers, allowing traffic from LAN only to specific outside SMTP servers, and drop everything else towards TCP 25):


/ip firewall filter
# the address lists inside-to-out-SMTP-allowed and ext-SMTP-allow must be
# populated under /ip firewall address-list before these rules do anything
# outbound SMTP allowed from local servers
add action=accept chain=forward comment="outbound SMTP allowed from local servers" dst-port=25 protocol=tcp src-address-list=inside-to-out-SMTP-allowed
# external specific SMTP servers - ACCEPT
add action=accept chain=forward comment="external specific SMTP servers - ACCEPT" dst-address-list=ext-SMTP-allow dst-port=25 protocol=tcp src-address=192.168.x.0/24
# Outbound SMTP from LAN - DROP
add action=drop chain=forward comment="Outbound SMTP from LAN - DROP" dst-port=25 protocol=tcp src-address=192.168.x.0/24

Waiting for your update.

Sorry for the delay, but I used the rules which tyby wrote above and the result was the same.
I also checked what mkx said and disabled all the filter rules in my router, but the result was always the same.
Is there a way that I can use SMTP with another port, like just using 587 and 465? Or is there a solution if I put another router under the MikroTik router?

How about you post your config, not snippets, to get a proper view.
/export hide-sensitive file=anynameyouwish

rags, can you post an export of your config here?


/export compact hide-sensitive

Copy all and put result here. It’s hard to guess what is happening there.

OR, don't post your config and the folks before me will continue to guess; I am assuming they thrive on, or perhaps get off on, trying to attempt assistance without getting the full story.
Never ceases to amaze me. :stuck_out_tongue_winking_eye: Must be something in the MT certification process, thou shalt be a masochist :-PPPP ( another reason MTUNA is a preferred accreditation by sane folks )

Here is my configuration


/interface bridge
add admin-mac=mac arp=proxy-arp auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
add name=lo
/interface ethernet
set [ find default-name=ether1 ] name=ether1_MAINFO speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] arp=proxy-arp name=ether3_LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Management speed=100Mbps
set [ find default-name=ether11 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add disabled=no interface=ether1_MAINFO keepalive-timeout=60 max-mru=1480 \
    max-mtu=1480 name=pppoe-out1 user=fo.omnisdg@moov.mg
/interface ipip
add local-address=IPPUBLIC name=ipip-to-Andraharo remote-address=\
    X.Y.49.168
add local-address=IPPUBLIC name=ipip-to-Mangasoavina remote-address=\
    X.Y.49.176
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] disable-pmkid=yes supplicant-identity=\
    RTR-OMNIS-AMBOHIJATOVO
/ip dhcp-server option
add code=43 name=unifi value=0x0104C0A8030A
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.200
add name=l2tp-pool ranges=192.168.2.10-192.168.2.250
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    disabled=no interface=bridge1 lease-time=6h name=dhcp1
/ppp profile
add name=profile1
/snmp community
set [ find default=yes ] addresses=\
    196.192.32.242/32,X.Y.35.92/32,X.Y.35.93/32 name=dts-customer
/system logging action
set 1 disk-lines-per-file=100
set 3 bsd-syslog=yes remote=10.200.200.32 syslog-facility=local0
add bsd-syslog=yes name=ISPSyslogAuth remote=X.Y.17.5 remote-port=51466 \
    target=remote
add bsd-syslog=yes name=ISPSyslogFW remote=X.Y.17.5 remote-port=51467 \
    target=remote
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether3_LAN
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose tcp-syncookies=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=ether1_MAINFO list=discover
add interface=ether2 list=discover
add interface=bridge1 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10_Management list=discover
add interface=ether11 list=discover
/interface pptp-server server
set default-profile=default enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether10_Management network=192.168.88.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=IPPUBLIC interface=lo network=IPPUBLIC
add address=10.10.10.1/30 interface=ipip-to-Andraharo network=10.10.10.0
add address=10.10.11.1/30 interface=ipip-to-Mangasoavina network=10.10.11.0
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dhcp-option=unifi dns-server=\
    192.168.1.250,196.192.32.5,X.Y.9.130 gateway=192.168.1.1
/ip dns
set cache-max-ttl=2d servers=196.192.32.5,X.Y.9.130
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=0.0.0.0/8 comment="Factory Rules by ISP: Block RFC6890" list=\
    not_from_internet
add address=172.16.0.0/12 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=192.168.0.0/16 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=10.0.0.0/8 comment="Factory Rules by ISP: Block RFC6890" list=\
    not_from_internet
add address=169.254.0.0/16 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=127.0.0.0/8 comment="Factory Rules by ISP: Block RFC6890" list=\
    not_from_internet
add address=224.0.0.0/4 comment=\
    "Factory Rules by ISP: Block Multicast from Internet" list=\
    not_from_internet
add address=198.18.0.0/15 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=192.0.0.0/24 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=192.0.2.0/24 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=198.51.100.0/24 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=203.0.113.0/24 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=100.64.0.0/10 comment="Factory Rules by ISP: Block RFC6890" \
    list=not_from_internet
add address=240.0.0.0/4 comment="Factory Rules by ISP: Block RFC6890" list=\
    not_from_internet
add address=192.88.99.0/24 comment=\
    "Factory Rules by ISP: 6to4 relay Anycast [RFC 3068]" list=\
    not_from_internet
add address=8.8.8.8 comment="Factory Rules by ISP: Google DNS Servers" \
    list=Google_DNS
add address=8.8.4.4 comment="Factory Rules by ISP: Google DNS Servers" \
    list=Google_DNS
add address=X.Y.35.92 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=41.207.37.254 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=196.192.32.187 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=196.192.32.242 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=41.207.32.82 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=X.Y.35.93 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=X.Y.35.92 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=41.207.37.254 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=196.192.32.187 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=196.192.32.242 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=41.207.32.82 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=X.Y.35.93 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=X.Y.0.0/18 comment="Factory Rules by ISP: " list=as37054
add address=41.207.32.0/19 comment="Factory Rules by ISP: " list=as37054
add address=196.192.32.0/20 comment="Factory Rules by ISP: " list=as37054
add address=197.149.0.0/18 comment="Factory Rules by ISP: " list=as37054
add address=154.126.0.0/17 comment="Factory Rules by ISP: " list=as37054
add address=196.192.32.5 comment="Factory Rules by ISP: " list=ISP_DNS
add address=185.228.168.168 comment="Factory Rules by ISP: ClearBrowsing" \
    list=ISP_DNS
add address=185.228.169.168 comment="Factory Rules by ISP: ClearBrowsing" \
    list=ISP_DNS
add address=X.Y.9.130 comment="Factory Rules by ISP: " list=ISP_DNS
add address=X.Y.33.6 comment="Factory Rules by ISP: " list=ISP_NTP
add address=ntp.dts.mg comment="Factory Rules by ISP: " list=ISP_NTP
add address=time.euro.apple.com comment="Factory Rules by ISP: " list=\
    ISP_NTP
add address=time.asia.apple.com comment="Factory Rules by ISP: " list=\
    ISP_NTP
add address=time.apple.com comment="Factory Rules by ISP: " list=ISP_NTP
add address=time.windows.com comment="Factory Rules by ISP: " list=\
    ISP_NTP
add address=pool.ntp.org comment="Factory Rules by ISP: " list=ISP_NTP
add address=51.140.127.197 comment="Factory Rules by ISP: " list=ISP_NTP
add address=192.168.1.0/24 comment="Factory Rules by ISP: " list=Local_LAN
add address=192.168.88.0/24 comment="Factory Rules by ISP: " list=Local_LAN
add address=192.168.0.0/16 comment="Factory Rules by ISP: " list=Local_LAN
add address=154.126.74.0/24 comment="Factory Rules by ISP: CDN Servers" \
    list=Whitelist
add address=197.149.58.0/24 comment="Factory Rules by ISP: CDN Servers" \
    list=Whitelist
add address=216.239.32.0/19 comment="Factory Rules by ISP: " list=Whitelist
add address=172.217.0.0/16 comment="Factory Rules by ISP: " list=Whitelist
add address=172.253.0.0/16 comment="Factory Rules by ISP: " list=Whitelist
add address=173.194.0.0/16 comment="Factory Rules by ISP: " list=Whitelist
add address=216.73.80.0/20 comment="Factory Rules by ISP: " list=Whitelist
add address=216.58.192.0/19 comment="Factory Rules by ISP: " list=Whitelist
add address=74.125.0.0/16 comment="Factory Rules by ISP: " list=Whitelist
add address=dl.google.com comment="Factory Rules by ISP: " list=Whitelist
add address=www.google.com comment="Factory Rules by ISP: " list=Whitelist
add address=docs.google.com comment="Factory Rules by ISP: " list=Whitelist
add address=map.google.com comment="Factory Rules by ISP: " list=Whitelist
add address=www.yahoo.com comment="Factory Rules by ISP: " list=Whitelist
add address=www.yahoo.fr comment="Factory Rules by ISP: " list=Whitelist
add address=104.244.14.252 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=104.42.225.122 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=148.81.111.121 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=178.162.217.107 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=184.105.192.2 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=192.42.116.41 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=192.42.119.41 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=212.227.20.93 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.134.27 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.135.134 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.145.156 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.153.251 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.163.2 comment="Factory Rules by ISP: C&C BotNet Servers" \
    list=BotNet
add address=38.229.175.132 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.175.194 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=38.229.182.117 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=5.79.71.205 comment="Factory Rules by ISP: C&C BotNet Servers" \
    list=BotNet
add address=5.79.71.225 comment="Factory Rules by ISP: C&C BotNet Servers" \
    list=BotNet
add address=85.17.31.122 comment="Factory Rules by ISP: C&C BotNet Servers" \
    list=BotNet
add address=85.17.31.82 comment="Factory Rules by ISP: C&C BotNet Servers" \
    list=BotNet
add address=87.106.190.153 comment=\
    "Factory Rules by ISP: C&C BotNet Servers" list=BotNet
add address=X.Y.49.168 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=X.Y.49.176 comment="Factory Rules by ISP: " list=\
    ISP_Orchestrator
add address=X.Y.49.168 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=X.Y.49.176 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=192.168.0.0/16 comment="Factory Rules by ISP: " list=\
    WinBOX_Whitelist
add address=192.168.1.4 list=SMTP_server
/ip firewall filter
add action=accept chain=forward comment=\
    "outbound SMTP allowed from local servers" dst-port=25 protocol=tcp \
    src-address=192.168.1.4
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop SMTP port - Use 465 or 587 instead" \
    dst-port=25 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.3 dst-port=8006 \
    protocol=tcp
add action=accept chain=input comment="OPEN PORT vpn 1723" disabled=yes \
    dst-address=192.168.1.37 dst-port=1723 protocol=tcp
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP Orchestrator" src-address=41.207.37.254
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP Orchestrator" src-address=X.Y.35.92
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP Orchestrator" src-address=X.Y.35.93
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP SNMP Server" dst-port=161 protocol=udp \
    src-address=196.192.32.242
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP SNMP Server" dst-port=161 protocol=tcp \
    src-address=196.192.32.242
add action=accept chain=input comment=\
    "Custom Rules: Failsafe - ISP Orchestrator list" src-address-list=\
    ISP_Orchestrator
add action=accept chain=forward comment=\
    "Custom Rules: Failsafe - DNS Requests" dst-address=196.192.32.5 dst-port=\
    53 protocol=udp
add action=accept chain=forward comment=\
    "Custom Rules: Failsafe - DNS Requests" dst-address=X.Y.9.130 dst-port=\
    53 protocol=udp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop invalid packets on forward chain" \
    connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment=\
    "Factory Rules by ISP: drop invalid packets on input chain" \
    connection-state=invalid in-interface=pppoe-out1
add action=accept chain=input comment=\
    "Factory Rules by ISP: Allow identified SNMP Servers" dst-port=161 \
    protocol=udp src-address-list=SNMP_Server
add action=accept chain=input comment=\
    "Factory Rules by ISP: Allow identified SNMP Servers" dst-port=161 \
    protocol=tcp src-address-list=SNMP_Server
add action=drop chain=input comment=\
    "Factory Rules by ISP: Drop SNMP from outside" dst-port=161 \
    in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment=\
    "Factory Rules by ISP: Drop SNMP from outside" dst-port=161 \
    in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment=\
    "Factory Rules by ISP: BTest Allowed only from ISP - BTest Server" \
    dst-port=2000 protocol=tcp src-address-list=!ISP_Orchestrator
add action=accept chain=input comment=\
    "Factory Rules by ISP: allow all established and related traffic" \
    connection-state=established,related
add action=accept chain=input comment="Factory Rules by ISP: " \
    src-address-list=ISP_Orchestrator
add action=drop chain=forward comment=\
    "Factory Rules by ISP: Log BotNet activity" log=yes log-prefix=BotNet: \
    src-address-list=BotNet
add action=add-src-to-address-list address-list=Infected_LAN \
    address-list-timeout=2h chain=forward comment=\
    "Factory Rules by ISP: Log Infected LAN" dst-port=\
    135-139,445,2323,6789,8866,23231 log-prefix=Infected_LAN: out-interface=\
    pppoe-out1 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: Block outbound scan from Infected machines" \
    dst-port=135-139,445,2323,6789,8866,23231 log-prefix=Infected_LAN: \
    out-interface=pppoe-out1 protocol=tcp src-address-list=Infected_LAN
add action=drop chain=forward comment=\
    "Factory Rules by ISP: Block DDOS on SOAPoverUDP" port=3702 protocol=\
    tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: Block DDOS on SOAPoverUDP" port=3702 protocol=\
    udp
add action=drop chain=input comment="Factory Rules by ISP: RFC6890 Should no\
    t be found coming from Internet" disabled=yes in-interface=pppoe-out1 \
    src-address-list=not_from_internet
add action=drop chain=forward comment="Factory Rules by ISP: RFC6890 Should \
    not be found coming from Internet" disabled=yes in-interface=pppoe-out1 \
    src-address-list=not_from_internet
add action=drop chain=forward comment="Factory Rules by ISP: drop port-scan \
    address list to our infrastructure on forward chain" src-address-list=\
    PortScan
add action=drop chain=input comment="Factory Rules by ISP: drop port-scan ad\
    dress list to our infrastructure on input chain" src-address-list=\
    PortScan
add action=accept chain=input comment="Factory Rules by ISP: " dst-port=21 \
    protocol=tcp src-address-list=FTP_allow
add action=accept chain=input comment="Factory Rules by ISP: " dst-port=22 \
    protocol=tcp src-address-list=SSH_allow
add action=accept chain=input comment="Factory Rules by ISP: " dst-port=\
    8291 protocol=tcp src-address-list=Local_LAN
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - FTP" dst-port=21 \
    in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - SSH" dst-port=22 \
    in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - TELNET" dst-port=\
    23 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - DNS Server" \
    dst-port=53 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=udp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - NTP Server" \
    dst-port=123 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=udp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Blaster Worm" dst-port=135-139 in-interface=\
    pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Messenger Worm" dst-port=135-139 in-interface=\
    pppoe-out1 limit=2/1m,4:packet protocol=udp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Blaster Worm" dst-port=445 in-interface=\
    pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Blaster Worm" dst-port=445 in-interface=\
    pppoe-out1 limit=2/1m,4:packet protocol=udp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Conficker" dst-port=539 in-interface=pppoe-out1 \
    limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Mirai bots" dst-port=\
    2323,6789,23231 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - NodeJS" dst-port=\
    3000 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - Open SQUID Proxy" \
    dst-port=3129 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - TR069" dst-port=\
    7547 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - TR069" dst-port=\
    30005 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users" dst-port=8000 \
    in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - WINBOX" dst-port=\
    8291 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp \
    src-address-list=!WinBOX_Whitelist
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - OpenProxy" \
    dst-port=8080 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users - Mikrotik API" \
    dst-port=8728-8729 in-interface=pppoe-out1 limit=2/1m,4:packet protocol=\
    tcp
add action=drop chain=forward comment="Factory Rules by ISP: " dst-port=\
    8728-8729 protocol=tcp src-address-list=!as37054
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Beagle.B virus" dst-port=8866 in-interface=\
    pppoe-out1 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop TELNET port" dst-port=23 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop TR069 port" dst-port=7547 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop TR069 port" dst-port=30005 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: block all DNS sessions not going to ISP" \
    dst-address-list=!ISP_DNS dst-port=53 protocol=udp
add action=drop chain=forward comment="Factory Rules by ISP: " \
    dst-address-list=!ISP_NTP dst-port=123 protocol=udp
add action=fasttrack-connection chain=forward comment=\
    "Factory Rules by ISP: FastTrack" connection-bytes=10000-0 \
    connection-mark=!ipsec
add action=accept chain=forward comment="Factory Rules by ISP: FastTrack" \
    connection-bytes=10000-0 connection-mark=!ipsec
add action=accept chain=forward comment="Factory Rules by ISP: " \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Factory Rules by ISP: Android Market" connection-state=new dst-port=\
    5222,5228 out-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment=\
    "Factory Rules by ISP: Android Market" connection-state=new dst-port=\
    5222,5228 out-interface=pppoe-out1 protocol=udp
add action=log chain=forward comment=\
    "Factory Rules by ISP: Log BotNet activity" dst-address-list=BotNet \
    log=yes log-prefix=BotNet:
add action=add-src-to-address-list address-list=PortScanAS37054 \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users" dst-port=23 \
    in-interface=pppoe-out1 log=yes log-prefix=as37054scan: protocol=tcp \
    src-address-list=as37054
add action=add-src-to-address-list address-list=PortScanAS37054 \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Trap External Abusive Users" dst-port=7547 \
    in-interface=pppoe-out1 log=yes log-prefix=as37054scan: protocol=tcp \
    src-address-list=as37054
add action=add-src-to-address-list address-list=PortScanLAN \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: Block LAN Abusive Attempts" dst-port=23 protocol=\
    tcp src-address-list=Local_LAN
add action=jump chain=input comment="Factory Rules by ISP: " jump-target=\
    LogChain src-address-list=PortScan
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=22 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=23 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=25 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=123 \
    protocol=udp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=445 \
    protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    3389 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    2323 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    3129 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    8080 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    5900 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    6789 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    23231 protocol=tcp
add action=log chain=LogChain comment="Factory Rules by ISP: " dst-port=\
    37777 protocol=tcp
add action=drop chain=LogChain comment="Factory Rules by ISP: " \
    src-address-list=PortScan
add action=drop chain=input comment="Factory Rules by ISP: " dst-port=21 \
    protocol=tcp
add action=drop chain=input comment="Factory Rules by ISP: " dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="Factory Rules by ISP: " dst-port=8291 \
    protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: drop windows ports" port=135-139 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: block Mirai bot" dst-port=2323 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: block Mirai bot" dst-port=6789 protocol=tcp
add action=drop chain=forward comment=\
    "Factory Rules by ISP: block Mirai bot" dst-port=23231 protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: SYN/FIN scan" protocol=tcp src-address-list=\
    !Local_LAN tcp-flags=fin,syn
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: SYN/RST scan" protocol=tcp src-address-list=\
    !Local_LAN tcp-flags=syn,rst
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=input comment=\
    "Factory Rules by ISP: FIN/PSH/URG scan" protocol=tcp src-address-list=\
    !Local_LAN tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=accept chain=output comment=\
    "Factory Rules by ISP: Detect failed FTP login attemps" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=PortScan \
    address-list-timeout=2h chain=output comment="Factory Rules by ISP: Send\
    \_IP to PortScan after failed FTP Login attemps detected" content=\
    "530 Login incorrect" protocol=tcp
add action=add-src-to-address-list address-list=PortScan \
    address-list-timeout=8w4d chain=input comment="Factory Rules by ISP: TCP\
    \_- Bruteforce detectors - PPTP Server - Final stage" connection-state=\
    new dst-port=500,1723 in-interface=pppoe-out1 log=yes log-prefix=\
    Bruteforce: protocol=udp src-address-list=bruteforce_stage5
add action=add-src-to-address-list address-list=bruteforce_stage5 \
    address-list-timeout=10m chain=input comment="Factory Rules by ISP: TCP \
    - Bruteforce detectors - PPTP Server - Stage 5" connection-state=new \
    dst-port=500,1723 in-interface=pppoe-out1 protocol=udp src-address-list=\
    bruteforce_stage4
add action=add-src-to-address-list address-list=bruteforce_stage4 \
    address-list-timeout=10m chain=input comment="Factory Rules by ISP: TCP \
    - Bruteforce detectors - PPTP Server - Stage 4" connection-state=new \
    dst-port=500,1723 in-interface=pppoe-out1 protocol=udp src-address-list=\
    bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 \
    address-list-timeout=10m chain=input comment="Factory Rules by ISP: TCP \
    - Bruteforce detectors - PPTP Server - Stage 2" connection-state=new \
    dst-port=500,1723 in-interface=pppoe-out1 protocol=udp src-address-list=\
    bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 \
    address-list-timeout=30m chain=input comment="Factory Rules by ISP: TCP \
    - Bruteforce detectors - PPTP Server - Stage 1" connection-state=new \
    dst-port=500,1723 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment=\
    "Factory Rules by ISP: PPTP control path" dst-port=1723 protocol=tcp
add action=accept chain=input comment=\
    "Factory Rules by ISP: PPTP datal path" protocol=gre
add action=accept chain=input comment=\
    "Factory Rules by ISP: L2TP control/data path" dst-port=1701 protocol=\
    udp
add action=accept chain=input comment=\
    "Factory Rules by ISP: IPSec data path" protocol=ipsec-esp
add action=accept chain=input comment=\
    "Factory Rules by ISP: IPSec control path" dst-port=500,4500 protocol=\
    udp
add action=drop chain=input comment=\
    "Factory Rules by ISP: Drop all not explicitly allowed" in-interface=\
    pppoe-out1 log-prefix=DropAll:
/ip firewall mangle
add action=mark-connection chain=forward comment="Factory Rules by ISP: mark\
    \_ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Factory Rules by ISP: mark\
    \_ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat dst-address=149.255.59.17 out-interface=\
    pppoe-out1
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
    IPPUBLIC
add action=dst-nat chain=dstnat dst-address=IPPUBLIC dst-port=80,443 \
    protocol=tcp to-addresses=192.168.1.5
add action=masquerade chain=srcnat dst-address=192.168.1.5 dst-port=80,443 \
    protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=IPPUBLIC dst-port=25,465,587 \
    protocol=tcp to-addresses=192.168.1.4
add action=dst-nat chain=dstnat comment="Factory Rules by ISP: " \
    dst-address-list=Google_DNS to-addresses=196.192.32.5
/ip firewall raw
add action=accept chain=prerouting comment=\
    "Factory Rules by ISP: Whitelist traffic" src-address-list=Whitelist
add action=accept chain=prerouting comment=\
    "Factory Rules by ISP: Orchestrator traffic" src-address-list=\
    ISP_Orchestrator
add action=accept chain=prerouting comment=\
    "Factory Rules by ISP: Allow WinBOX authorized hosts" src-address-list=\
    WinBOX_Whitelist
add action=drop chain=prerouting comment=\
    "Factory Rules by ISP: Drop Mirai scanning to specified ports" \
    dst-port=32,2222,2323,3702,6789,19058,23231,37215,37777,52869 protocol=\
    tcp src-address-list=Local_LAN
add action=drop chain=prerouting comment=\
    "Factory Rules by ISP: Drop Mirai scanning to specified ports" \
    dst-port=32,2222,2323,3702,6789,19058,23231,37215,37777,52869 protocol=\
    udp src-address-list=Local_LAN
add action=drop chain=prerouting comment="Factory Rules by ISP: All new TCP \
    connections from IPs in PortScan to specified ports" dst-address-list=\
    !Local_LAN dst-port=21-23,135-139,445,1723,3389,8291 protocol=tcp \
    src-address-list=PortScan
add action=accept chain=prerouting comment=\
    "Factory Rules by ISP: Whitelist traffic Local_LAN" src-address-list=\
    Local_LAN
add action=drop chain=prerouting comment=\
    "Factory Rules by ISP: Drop All BotNet IPs" src-address-list=BotNet
add action=drop chain=prerouting comment=\
    "Factory Rules by ISP: Drop All Banned IPs" src-address-list=PortScan
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip service
set [service name lost in export] address=X.Y.35.92/32,X.Y.35.93/32 disabled=yes
set www disabled=yes
set ssh address=X.Y.35.92/32,X.Y.35.93/32 disabled=yes
set api address="X.Y.35.92/32,41.207.37.254/32,196.192.32.187/32,41.207.32.\
    82/32,X.Y.35.93/32" disabled=yes
set winbox address=\
    IPPUBLIC/32,X.Y.49.176/32,X.Y.49.168/32,192.168.0.0/16
set api-ssl address="X.Y.35.92/32,41.207.37.254/32,196.192.32.187/32,41.207\
    .32.82/32,X.Y.35.93/32" disabled=yes
/ip ssh
set strong-crypto=yes
/ppp l2tp-secret
add
/ppp secret
add local-address=192.168.2.133 name=AngeloAmb remote-address=192.168.2.134
add local-address=192.168.2.25 name=andr12Tojo24ninAND remote-address=\
    192.168.2.26
add disabled=yes local-address=192.168.2.124 name=test remote-address=\
    192.168.2.125
add local-address=192.168.2.135 name=Olivier remote-address=192.168.2.136
/radius
add address=X.Y.35.124 service=login
/snmp
set contact=OMNIS enabled=yes location=Ambohijatovo
/system clock
set time-zone-name=Indian/Antananarivo
/system identity
set name=45aa02a58c0fd94d5b
/system logging
add action=ISPSyslogFW topics=firewall,!info,!web-proxy,!hotspot
add action=ISPSyslogAuth topics=account,!web-proxy,!hotspot
/system note
set note="Telecom Malagasy, ISP - Authorized administrators only. Access is \
    monitored."
/system ntp client
set enabled=yes primary-ntp=196.192.32.7 secondary-ntp=196.192.32.7 \
    server-dns-names=ntp.dts.mg
/system package update
set channel=long-term
/system scheduler
add comment=8.4.3 interval=1m name=IPLoginUpdate on-event=\
    UpdateAlfred-IPLogin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2008 start-time=06:00:00
add comment=8.4.3 interval=4w name=AutoUpgrade on-event=AutoUpgrade policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2008 start-time=05:27:33
add comment=8.4.3 interval=4w name=RegistrationUpdate on-event=\
    UpdateRegistrationInfo policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2008 start-time=06:27:33
/system script
add comment=8.4.3 dont-require-permissions=yes name=AutoUpgrade owner=\
    AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 15s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }"
add comment=8.4.3 dont-require-permissions=yes name=UpdateAlfred-IPLogin \
    owner=AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global pppoeClient [/interface pppoe-client get [find name~\"pppoe-out1\" \
    ] name];\r\
    \n:global pppoeLogin [/interface pppoe-client get [find name=\$pppoeClient\
    ] user];\r\
    \n\r\
    \n:global pppoeIP ([/ip address get [find interface=\$pppoeClient] address\
    ]);\r\
    \n:set pppoeIP [:pick \$pppoeIP 0 [:find \$pppoeIP \"/\"]];\r\
    \n\r\
    \n:global currentIP;\r\
    \n\r\
    \n:if (\$currentIP != \$pppoeIP) do={\r\
    \n    :put \"ip address \$currentIP changed to \$pppoeIP\";\r\
    \n    :set currentIP \$pppoeIP;\r\
    \n/system script run UpdateIPLogin;\r\
    \n};\r\
    \n\r\
    \n"
add comment=8.4.3 dont-require-permissions=yes name=UpdateIPLogin owner=\
    AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    do {/system script environment remove [find name=identityINFO];} on-error=\
    {};\r\
    \n:global serialNUMBER ([/system routerboard get serial-number]);\r\
    \n:global modelNUMBER ([/system routerboard get model]);\r\
    \n:global boardINFO ([/system resource get board-name]);\r\
    \n:global versionNUMBER ([/system resource get version]);\r\
    \n:global E1macADDRESS ([/interface ethernet get 0 mac-address]);\r\
    \n:global pppoeClient \"\"\r\
    \n:global pppoeLogin \"\"\r\
    \n:global pppoeIP \"\"\r\
    \n:global clouddnsNAME \"\"\r\
    \n:global identityINFO \"\"\r\
    \n:global clouddnsNAMECLEANED \"\"\r\
    \n:global scriptVERSION \"\"\r\
    \n\r\
    \n:do {\r\
    \n\t:global scriptVERSION ([/file get scriptVERSION.txt value-name=content\
    s]);\r\
    \n\t} on-error={\r\
    \n\t:global scriptVERSION \"No ver.\";\r\
    \n}\r\
    \n\r\
    \n:if ([:len [:tostr \$scriptVERSION]] >10) do={\r\
    \n\t:set \$scriptVERSION \"8.4.3 - Erreur\";\r\
    \n}\r\
    \n\r\
    \n:do {\r\
    \n\t:set \$pppoeClient [/interface pppoe-client get [find name~\"pppoe-out\
    1\"] name];\r\
    \n\t:set \$pppoeLogin [/interface pppoe-client get [find name=\$pppoeClien\
    t] user];\r\
    \n\t:set \$pppoeIP ([/ip address get [find interface=\$pppoeClient] addres\
    s]);\r\
    \n\t:set \$pppoeIP [:pick \$pppoeIP 0 [:find \$pppoeIP \"/\"]];\r\
    \n\t} on-error={};\r\
    \n\r\
    \n:do {\r\
    \n\t/ip cloud force-update\r\
    \n\t} on-error={};\r\
    \n\t\r\
    \n:do {:set \$clouddnsNAME ([/ip cloud get dns-name]);\r\
    \n\t:set \$clouddnsNAMECLEANED ([:pick \$clouddnsNAME 0 [:find \$clouddnsN\
    AME \".sn.mynetname.net\"]]);\r\
    \n\t} on-error={};\r\
    \n\r\
    \n\r\
    \n:if ([:len \$pppoeLogin] > 1 ) do={\r\
    \n\t\t/tool fetch http-method=post mode=https url=\"https://alfred.ISP.n\
    et/inventory/ip_update\" http-header-field=\"X-Auth-Key:eb9637592913c1d750\
    8edb6d75bcb60f2cc7324f9f5515b84e4f8d43252f16d260056cb68f232834e29196b8eabf\
    da1c,content-type:application/json\" output=none http-data=\"{\\\"pppoelog\
    in\\\":\\\"\$pppoeLogin\\\",\\\"ippublic\\\":\\\"\$pppoeIP\\\",\\\"version\
    \\\":\\\"\$versionNUMBER\\\",\\\"script\\\":\\\"\$scriptVERSION\\\"}\"\r\
    \n    } else={\r\
    \n    :set \$pppoeIP \"\"\r\
    \n\t:set \$pppoeIP ([/ip cloud get public-address]);\r\
    \n\t:set \$pppoeLogin \"\"\r\
    \n\t:set \$pppoeLogin \$clouddnsNAMECLEANED;\r\
    \n\t/tool fetch http-method=post mode=https url=\"https://alfred.ISP.net\
    /inventory/ip_update\" http-header-field=\"X-Auth-Key:eb9637592913c1d7508e\
    db6d75bcb60f2cc7324f9f5515b84e4f8d43252f16d260056cb68f232834e29196b8eabfda\
    1c,content-type:application/json\" output=none http-data=\"{\\\"pppoelogin\
    \\\":\\\"\$pppoeLogin\\\",\\\"ippublic\\\":\\\"\$pppoeIP\\\",\\\"version\\\
    \":\\\"\$versionNUMBER\\\",\\\"script\\\":\\\"\$scriptVERSION\\\"}\"\r\
    \n};\r\
    \n"
add comment=8.4.3 dont-require-permissions=yes name=\
    RegisterRouterBoard2Alfred owner=AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    do {/system script environment remove [find name=identityINFO];} on-error=\
    {};\r\
    \n:global serialNUMBER ([/system routerboard get serial-number]);\r\
    \n:global modelNUMBER ([/system routerboard get model]);\r\
    \n:global boardINFO ([/system resource get board-name]);\r\
    \n:global versionNUMBER ([/system resource get version]);\r\
    \n:global E1macADDRESS ([/interface ethernet get 0 mac-address]);\r\
    \n:global pppoeClient \"\"\r\
    \n:global pppoeLogin \"\"\r\
    \n:global clouddnsNAME \"\"\r\
    \n:global identityINFO \"\"\r\
    \n:global clouddnsNAMECLEANED \"\"\r\
    \n:do {:set \$pppoeClient [/interface pppoe-client get [find name~\"pppoe-\
    out1\"] name];} on-error={};\r\
    \n:do {:set \$pppoeLogin [/interface pppoe-client get [find name=\$pppoeCl\
    ient] user];} on-error={};\r\
    \n:do {:set \$clouddnsNAME ([/ip cloud get dns-name]);} on-error={};\r\
    \n:do {:set \$clouddnsNAMECLEANED ([:pick \$clouddnsNAME 0 [:find \$cloudd\
    nsNAME \".sn.mynetname.net\"]]);} on-error={};\r\
    \n\r\
    \n\r\
    \n\r\
    \n:if ([:len \$pppoeLogin] > 1 ) do={\r\
    \n:set identityINFO (\$pppoeLogin);\r\
    \n/tool fetch http-method=post mode=https url=\"https://alfred.ISP.net/i\
    nventory/\" http-header-field=\"X-Auth-Key:eb9637592913c1d7508edb6d75bcb60\
    f2cc7324f9f5515b84e4f8d43252f16d260056cb68f232834e29196b8eabfda1c,content-\
    type:application/json\" as-value output=user http-data=\"{\\\"identity\\\"\
    :\\\"\$identityINFO\\\",\\\"serial\\\":\\\"\$serialNUMBER\\\",\\\"model\\\
    \":\\\"\$modelNUMBER\\\",\\\"board-name\\\":\\\"\$boardINFO\\\",\\\"versio\
    n\\\":\\\"\$versionNUMBER\\\",\\\"mac-address\\\":\\\"\$E1macADDRESS\\\",\
    \\\"ddnsname\\\":\\\"\$clouddnsNAME\\\"}\"\r\
    \n    } else={\r\
    \n:set identityINFO (\$clouddnsNAMECLEANED);\r\
    \n/tool fetch http-method=post mode=https url=\"https://alfred.ISP.net/i\
    nventory/\" http-header-field=\"X-Auth-Key:eb9637592913c1d7508edb6d75bcb60\
    f2cc7324f9f5515b84e4f8d43252f16d260056cb68f232834e29196b8eabfda1c,content-\
    type:application/json\" as-value output=user http-data=\"{\\\"identity\\\"\
    :\\\"\$identityINFO\\\",\\\"serial\\\":\\\"\$serialNUMBER\\\",\\\"model\\\
    \":\\\"\$modelNUMBER\\\",\\\"board-name\\\":\\\"\$boardINFO\\\",\\\"versio\
    n\\\":\\\"\$versionNUMBER\\\",\\\"mac-address\\\":\\\"\$E1macADDRESS\\\",\
    \\\"ddnsname\\\":\\\"\$clouddnsNAME\\\"}\"\r\
    \n    };\r\
    \n"
add comment=8.4.3 dont-require-permissions=yes name=UpdateRegistrationInfo \
    owner=AlfredBot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global versionNUMBER ([/system resource get version]);\r\
    \n:global setDEBUG 0;\r\
    \n:global fileNAME firmwareVersion.txt;\r\
    \n\r\
    \n:if (:len [/file print count-only where name=\$fileNAME] >= 1) do={ \r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"File found, updating content...\"\r\
    \n    };\r\
    \n\r\
    \n    /file set \$fileNAME contents=\$versionNUMBER;\r\
    \n    :delay 2s;\r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"Content updated, setting global variable...\"\r\
    \n    };\r\
    \n\r\
    \n    :global versionFile [/file get \$fileNAME contents];\r\
    \n     };\r\
    \n\r\
    \n:if (:len [/file print count-only where name=\$fileNAME] = 0) do={ \r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"File creation...\"\r\
    \n    };\r\
    \n    \r\
    \n    /file print file=\$fileNAME;\r\
    \n    :delay 1s;\r\
    \n    /file set \$fileNAME contents=\"\";\r\
    \n    \r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"File initialisation...\"\r\
    \n    };\r\
    \n\r\
    \n    :delay 2s;\r\
    \n    /file set \$fileNAME contents=\$versionNUMBER;\r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"Setting file content...\"\r\
    \n    };\r\
    \n\r\
    \n    :delay 2s;\r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"Content updated, setting global variable...\"\r\
    \n    };\r\
    \n\r\
    \n    :global versionFile [/file get \$fileNAME contents];};\r\
    \n\r\
    \n\r\
    \n:if (\$versionNUMBER != versionFile) do={\r\
    \n\r\
    \n    :if (\$setDEBUG = 1) do={\r\
    \n    :log info message=\"Running registration prcess...\"\r\
    \n    };\r\
    \n\r\
    \n    /system script run RegisterRouterBoard2Alfred;\r\
    \n};\r\
    \n"
/tool bandwidth-server
set enabled=no
/tool romon port
add
/tool sniffer
set filter-stream=yes
/tool traffic-monitor
add interface=ether3_LAN name=tmon1 on-event="log info \"dox=wload\"" \
    threshold=3000000 traffic=received trigger=always
add interface=ether3_LAN name=tmon2 threshold=0 trigger=always
/user aaa
set accounting=no default-group=full use-radius=yes


Sorry it took so long to be able to respond due to the weekend.
The SMTP rules are on line 262.

I cannot help.
My advice is to reset back to default rules and get rid of all the bloatware.
Then focus on SMTP as needed, get it working, and expand your requirements to any other ACTUAL services, port forwardings etc… from there with a clean setup.
Then add the garbage after the fact if you think you need it. (I don't mean the scripts, if they are providing Needed Functionality and not unnecessary faux protection rules.)

Also you seem to have an additional address defined that is incomplete 192.168.88.1 etc… (no pool, no dhcp etc…)

I’m with @anav: firewall is bloated. You should simplify it. If you insist on current settings, then become a network expert who knows what the goal of this firewall is.

Default on SOHO devices (I’m not sure if your device falls into this category) is pretty sane and one of the first rules in chain=forward is

add chain=forward action=accept connection-state=established,related

or something like this. It makes sure that all connections, accepted by other rules, actually do work even if other rules are not entirely complete.

Really, really hard to follow the export (for future use, try to expand the Winbox terminal window and make it as wide as possible, in order to have the output as below):

/ip firewall nat 
add action=masquerade chain=srcnat dst-address=149.255.59.17 out-interface=pppoe-out1 
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=IPPUBLIC

instead of


/ip firewall nat
add action=masquerade chain=srcnat dst-address=149.255.59.17 out-interface=\
    pppoe-out1
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
    IPPUBLIC

Then: (above) you have both masquerading and src-nat for the same, I do not see the final outcome. Masquerading should be enough (as it is easier with a pppoe out interface).

Then: try to shortly disable ALL filter rules, and check your dst-port 25 connection. Best start is to try it from router terminal, something like this:


/system telnet alt1.aspmx.l.google.com 25

Finally, from what I could see, try to get rid of the “block this, block that, block also that”, block, block etc in firewall rules. Just allow what you really need, and block everything else (check this example from wiki: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall)


/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

etc etc …

You also have a lot of scripting, which is pretty hard to follow. Disable those as well, at least for testing.

Anyhow, I would go with anav’s advice above: start clean and focus only on what you need.

Waiting for test results …
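Several replies come down to the same check: does the TCP connect succeed, and does a 220 greeting actually arrive before Postfix gives up. Here is an added example, not from the thread or from MikroTik, that does that check from any host and classifies the outcome; it includes a constructed local stand-in for an MX so the "connected but silent" case can be reproduced without touching Google's servers (host names and banners in it are made up).

```python
import socket
import threading

GREETING_TIMEOUT = 5.0  # seconds to wait for the 220 banner once TCP is up


def check_smtp_greeting(host, port=25, timeout=GREETING_TIMEOUT):
    """Connect and report what the peer does before we send anything.

    Returns (status, detail); status is one of:
      "unreachable"  TCP connect failed (no route, refused, or timed out)
      "no-greeting"  connected, but nothing arrived within `timeout`: the symptom
                     in the thread (silent drop after the handshake, or a box on
                     the path waiting for a TLS ClientHello instead of talking)
      "greeting"     a 220 banner arrived (detail is the banner line)
      "smtp-error"   an SMTP reply arrived whose code is not 220 (e.g. 421)
      "not-smtp"     bytes arrived that do not form an SMTP reply line
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(512)
            except socket.timeout:
                return "no-greeting", "connected, no banner within %.1fs" % timeout
            except ConnectionError as e:
                return "no-greeting", "connected, then reset before a banner: %s" % e
    except OSError as e:
        return "unreachable", str(e)
    if not data:
        return "no-greeting", "connected, peer closed without sending a banner"
    line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    # An SMTP reply line is a 3-digit code followed by a space or a '-'
    if len(line) >= 4 and line[:3].isdigit() and line[3] in " -":
        return ("greeting" if line.startswith("220") else "smtp-error"), line
    return "not-smtp", line


def fake_mx(banner):
    """Constructed local stand-in for an MX (test helper). banner=None accepts
    the connection and then stays silent, exactly what the poster's telnet
    showed. Returns (host, port) for check_smtp_greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                try:
                    conn.recv(1)  # block until the client gives up and closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 smtp_banner_check.py <mx-host> [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25
    else:  # no arguments: demonstrate against the silent local stand-in
        host, port = fake_mx(None)
    status, detail = check_smtp_greeting(host, port, timeout=2)
    print("%s:%d -> %s: %s" % (host, port, status, detail))
```

Run it from the mail server itself against the MX host, then again from a machine outside the router: "no-greeting" on one side and "greeting" on the other points at the router or the ISP path rather than at Postfix.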