SMTP Port Forwarding: Missing emails with large headers

Greetings!

I have a strange email problem that seems to be related to the routing or port forwarding that is occurring in my Mikrotik router. Certain inbound messages to my email server are timing out, with the sender first receiving an auto-reply message stating there is a delay in delivery, and finally a few days later receiving another auto-reply message stating the message delivery failed due to retry timeout. The vast majority of inbound email messages are being received; the only messages that are being lost appear to have in common a very large email header. For instance, messages that are sent to lots of recipients, like meeting invitations. It is difficult for me to know what messages are being lost, because troubleshooting data requires the senders to forward to me the bounce messages they receive days after the original messages are sent.

My spam filtering is handled by a 3rd party company, and the message timeouts are occurring when the spam filter forwards the message to my in-house exchange email server. I have no spam filtering set on the in-house email server.

I’ve currently spent 3 weeks troubleshooting this issue. I’ve gone through my email server very thoroughly, and I cannot find anything to account for why only certain messages are lost. I also double checked my DNS, and worked with my spam filter tech support, but I was unable to identify the cause of the timeouts.

I considered that the issue might be my existing Mikrotik gateway, so I pulled another Mikrotik router off the shelf, attached it to a new public IP, and made it the primary gateway for all inbound and outbound email to my network. None of my troubleshooting steps have had any effect on the original issue.

I do not know if the problem is in my email server, or in my Mikrotik router, but on the chance it is in the router, I’m posting here for help. I wonder if somehow the port forwarding in the Mikrotik might somehow be dropping certain email packets.

The only forum post I found online that has a similar issue to mine is here: https://www.experts-exchange.com/questions/26375915/Problems-with-timeouts-on-incoming-mail-Exchange-2010.html
In this post, a Cisco router had some sort of SMTP filter that had to be turned off before certain messages were allowed through the firewall. This post is why I’m focusing on my Mikrotik router for the solution.

Below are my Mikrotik mail gateway firewall configurations. X.X.78.59 is my newly setup mail gateway public IP. 10.1.0.35 is my Exchange server IP.

My Nat rules are as follows:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Exchange incoming SMTP, SSL, Outlook Anywhere" dst-address=X.X.78.59 \
    dst-port=25,443,6001-6004 protocol=tcp to-addresses=10.1.0.35
add action=masquerade chain=srcnat out-interface=ether1-gateway

My Firewall Filter Rules on the forward chain are:

/ip firewall filter
add action=accept chain=forward comment="Allow Established Connections" connection-state=established
add action=accept chain=forward comment="Allow Related Connections" connection-state=related
add action=accept chain=forward comment="Allow incoming email" dst-port=25 protocol=tcp
add action=accept chain=forward comment="Allow incoming email" dst-port=443 protocol=tcp
add action=accept chain=forward comment="Allow incoming email" dst-port=6001-6004 protocol=tcp
add action=accept chain=forward comment="email filter IP range to allow for mail Forward Rule" src-address=Y.Y.182.0/24
add action=accept chain=forward comment="email filter IP range to allow for mail Forward Rule" src-address=Z.Z.231.128/26
add action=accept chain=forward comment="Allow access from local network" src-address=10.0.0.0/8
add action=drop chain=forward comment="Drop Invalid Packets" connection-state=invalid
add action=log chain=forward comment="Log all remaining traffic" log-prefix=filter:
add action=drop chain=forward comment="Drop all other forwarding packets"

I did try leaving the invalid packet rule and the drop all other forwarding packet rules off for 24 hours, but it did not help my issue.

Does anyone have some insight into my issue? An obvious solution I’ve missed would be great. In lieu of that, I would appreciate some recommendations on how I could troubleshoot further, maybe by finding and logging the failing inbound SMTP connections. My best guess at the moment is that my Exchange server is not receiving the packets of the failed inbound messages.

Thank you very much.

There’s no SMTP filter in RouterOS, I can tell you that. It’s highly unlikely that the router has anything to do with it; incoming e-mails are just another TCP connection and the router couldn’t care less about what’s inside.

If it was my problem, I’d try to find a way to reliably reproduce it, i.e. since it seems to affect messages with large headers, I’d send some with enormous headers and see if they fail. If you’re lucky and can make it fail reliably, it would be something to work with further.
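A script that implements the reproduction approach suggested above, added here as a worked example (it is not code from this thread or from MikroTik). It builds test messages whose header block is padded to a chosen size, delivers each one to the target MX with a timeout, and reports per size whether the session completed, stalled, or was refused. The host, port and addresses in the `__main__` block are placeholders; run it from the side of the path you suspect (for this thread, from outside the network, as the spam filter would), so the probe traverses the same ISP link and port forward as real inbound mail.

```python
import smtplib
import socket
from email.message import EmailMessage
from email.policy import SMTP as SMTP_POLICY
from email.utils import formatdate, make_msgid

# Each padding header on the wire is "X-Test-Padding-NNNN: " (21 bytes) + 50 bytes of value + CRLF.
PAD_NAME_FMT = "X-Test-Padding-{:04d}"
PAD_VALUE = "x" * 50
PAD_LINE_BYTES = len("X-Test-Padding-0000: ") + len(PAD_VALUE) + 2


def header_size(msg):
    """Size in bytes of the header block as it is sent over SMTP (CRLF line endings)."""
    raw = msg.as_bytes(policy=SMTP_POLICY)
    return raw.index(b"\r\n\r\n") + 4


def build_test_message(sender, recipient, header_kib):
    """Build a message whose header block is at least header_kib KiB.

    The bulk is added as many short X-Test-Padding headers rather than as a long
    recipient list, so the envelope still carries a single RCPT TO and the probe
    does not deliver copies to hundreds of mailboxes; the receiving side still has
    to read and buffer a header block as large as a big meeting invite's.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Large-header probe ({} KiB)".format(header_kib)
    msg["Date"] = formatdate(localtime=True)
    # Fixed domain avoids a DNS lookup of the local host name when generating the id.
    msg["Message-ID"] = make_msgid(domain="probe.invalid")
    msg.set_content("Probe body. If this arrives, a header block of this size passes.\n")
    missing = header_kib * 1024 - header_size(msg)
    n_pad = max(0, -(-missing // PAD_LINE_BYTES))  # ceiling division
    for i in range(n_pad):
        msg[PAD_NAME_FMT.format(i)] = PAD_VALUE
    return msg


def probe(host, port, sender, recipient, sizes_kib, timeout=60):
    """Attempt one delivery per header size and return {kib: outcome}.

    "accepted" means the server answered 250 after DATA, so the whole header block
    made it through the path. A timeout during the session (rather than a 5xx
    refusal) is the symptom described in the thread.
    """
    results = {}
    for kib in sizes_kib:
        msg = build_test_message(sender, recipient, kib)
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as conn:
                conn.send_message(msg, from_addr=sender, to_addrs=[recipient])
            results[kib] = "accepted"
        except (socket.timeout, TimeoutError):
            results[kib] = "timeout"
        except smtplib.SMTPException as exc:
            results[kib] = "rejected: {}".format(exc)
        except OSError as exc:
            results[kib] = "connection error: {}".format(exc)
    return results


if __name__ == "__main__":
    # Placeholder target and addresses; replace with your MX / forwarded public IP
    # and a mailbox you control.
    outcome = probe("mail.example.invalid", 25, "probe@example.invalid",
                    "postmaster@example.invalid", [1, 16, 32, 64, 128])
    for kib in sorted(outcome):
        print("{:>4} KiB header: {}".format(kib, outcome[kib]))
```

If the small sizes are accepted and every size above some threshold times out, you have a reliable reproducer and a number to quote to whoever owns the next hop; comparing the result from inside the LAN (pointed straight at 10.1.0.35) with the result from outside tells you whether the stall happens before or after the router.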

Thank you, Sob.

Good suggestion, I’ll see if I can find an email design that always fails.

I finally solved this issue. My ISP was unknowingly blocking these messages, using a Cisco device, just like in the forum post I found.

Tell them to use Mikrotik :)

I would not be surprised if certain MikroTik users had the same problem… after all, we regularly see naive firewall rules to “block facebook”, “block youtube”, etc. They trigger on such a string in the packets, and when it occurs somewhere in the headers it would be blocked as well… (the creators of those rules always boast how effective they are for them in blocking the unwanted traffic, but they rarely consider the chance of falsely blocking something else)