Please Add SMTP Authentication and Custom Port Support

Unless I am missing something, you cannot use SMTP authentication or alternate port numbers to send to mail servers. We enforce SMTP authentication to prevent spammers from using our mail servers without an account, even though we have relay disabled. The reason is most spyware doesn't utilize SMTP authentication, YET, and so it is stopped. Also, using an alternate port would allow special servers to hide on those ports for sending email. Now I could just make the from address something else; however, our mail server does a reverse lookup to verify the sender is a legit account, and if it is a local account it isn't allowed without SMTP auth. The other issue is that if I make it originate from, say, a hotmail account, it would then ask hotmail's DNS if the SPF allowed hotmail emails to come from that IP, which it most certainly would not, and then be blocked.

If I allow a bypass for the Mikrotik's IP, then every NAT customer behind it could freely send email through our servers, meaning their spyware would then freeflow the outbound stuff.
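
The acceptance policy described in the post above, modelled as an added example (it is not part of the thread or any participant's configuration). The domain names, addresses and SPF table are constructed, and the order of the checks is an assumption.

```python
import ipaddress

# All values below are constructed for illustration.
LOCAL_DOMAINS = {"isp.example"}   # domains hosted on the mail server
ROUTER_NAT_IP = "203.0.113.10"    # public address shared by the router and its NAT clients
# Stand-in for published SPF records: domain -> networks allowed to send for it
SPF = {"hotmail.com": [ipaddress.ip_network("198.51.100.0/24")]}


def decide(client_ip, mail_from, authenticated, bypass_ips=frozenset()):
    """Return (accepted, reason) for one message under the modelled policy."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if authenticated:
        return True, "authenticated"
    if str(ip) in bypass_ips:
        # The server only sees the source address, so this branch cannot tell
        # the router apart from any host NATed behind it.
        return True, "ip bypass"
    if domain in LOCAL_DOMAINS:
        return False, "local sender requires SMTP AUTH"
    if any(ip in net for net in SPF.get(domain, [])):
        return True, "spf pass"
    return False, "spf fail"


def scenarios():
    """Run the four cases raised in the thread, all arriving from the NAT address."""
    return {
        "router, local From, no auth": decide(ROUTER_NAT_IP, "router@isp.example", False),
        "router, hotmail From, no auth": decide(ROUTER_NAT_IP, "alerts@hotmail.com", False),
        "NAT client, no auth, bypass on": decide(
            ROUTER_NAT_IP, "anyone@isp.example", False, bypass_ips={ROUTER_NAT_IP}),
        "router, local From, with auth": decide(ROUTER_NAT_IP, "router@isp.example", True),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}: {reason}")
```
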

I second that.

Have you tried using SRC-NAT to change from port 25 to the alternate port? Never tried, but that should also work for changing the outbound port at least. SMTP AUTH would be a very nice addition though.

Sam

Yes I had, but once again all email coming from NATed customers inside uses that address going outbound and they get converted, so the solution doesn't work for what I need.

Can you src-nat on the outbound chain? That would just grab anything generated on the local MT, not the forward traffic… just a thought. Without looking at it directly I can't remember if that's doable.

Sam

SMTP Authentication will be great! :slight_smile:

We have been needing this feature for a few years now. Come on Mikrotik, can’t you put your Dude developers on this for just a week? :laughing:

Just put a drop rule in the forward table for the customer IP range to the IP of the server!!! Etc.. for Port 25 Traffic

Lee

That would mean any spyware-infected user could relay through our server. No thank you, been there, done that, got the sleepless nights to prove it.

OK, being dumb or something, but all you are doing is a dst-nat + src-nat??? Correct… Then just set up auth on the SMTP server for the src IP of the MT interface.. That way you just give your customer the details for login..

Real world IPs are valuable. I would need to waste 1 extra IP per box or ALLOW all clients behind NAT to then be able to relay. That isn't a problem until they get infected or spyware on their system, relay then through the server as they would be an allowed IP address, which then gets our mail servers on spam lists, no thanks.

Right now my solution is an extra IP per box so that the NAT (clients) send from a different IP and MUST use SMTP authentication, the mikrotik itself now sends from a different IP and is allowed. This however is wasting 1 Real World IP per Mikrotik just for the ability to send email, where if Mikrotik would add SMTP authentication support I could save those IPs, not to mention some of them are wasting more because I use small 4 IP subnets (2 usable IPs), but with 2 IPs needed per mikrotik, plus the link IP, I end up wasting a 6 IP subnet (4 usable).

I made this post as a request to save the IPs/hassle of customizing a mail server for a feature available in every email client (including linux) in the past 5 years.

I had an idea to see if a script could telnet into something and issue commands based on text returned so I could custom write my SMTP authentication routing, with little luck so far. I don't see the ability to telnet in scripting.

+1
agree

So do I!