SMTP server outgoing mail problem

bovi · January 20, 2021, 11:51pm

Hello,

I’m trying to get my internal SMTP server working.

My SMTP server has address 192.168.2.7 and it can receive emails but can not send emails.

My `ip firewall filter’ configuration:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept 
      connection-state=established,related,untracked 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 
 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 
10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN

and `ip firewall nat’ configuration:

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 
 1    ;;; ssh
      chain=dstnat action=dst-nat to-addresses=192.168.2.7 protocol=tcp 
      src-address=!192.168.2.0/24 dst-port=22 log=no log-prefix="" 
 2    ;;; email
      chain=dstnat action=dst-nat to-addresses=192.168.2.7 protocol=tcp 
      dst-port=25,465

Am I missing something?

ak4020 · January 21, 2021, 12:29pm

you lack the firewall rule:
/ip firewall add action=accept chain=forward comment=mailserver dst-address=192.168.2.7 dst-port=25,465 protocol=tcp

nescafe2002 · January 21, 2021, 1:02pm

No need to add another filter rule. Your nat rule is dstnatting both incoming and outgoing connections. Limit the nat rule instead (e.g. dst-address-type=local and dst-address=!192.168.0.0/16).

Note that you already made this effort on the first nat rule (ssh) with src-address=!192.168.2.0/24.

To properly post config, better use /firewall export to export configuration to terminal.

bovi · January 21, 2021, 5:11pm

I’m not network specialist, so please bear with me.

My understanding that this rule affects only incoming connections
and it basically forwards them to my smtp server:

add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7

If I limit this rule as you suggest
``(e.g. dst-address-type=local and dst-address=!192.168.0.0/16)‘’,
how would it resolve my outgoing connections?

Would it be possible that you write exactly how this nat rule should look like?

nescafe2002 · January 21, 2021, 5:28pm

This rule translates all connections with a destination port of 25, 465.

add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7

So, even outgoing connections will be rewritten to destination ip 192.168.2.7. If this is the desired behavior, you should also apply hairpin nat to rewrite the source address and it will work (both outgoing and incoming connection will go to your internal mail server). But that’s not what you want.

The correct rule would be:

add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7 dst-address-type=local dst-address=!192.168.0.0/16

dst-address-type=local makes sure only connections directed to the router itself (either wan or lan) will be rewritten to destination address 192.168.2.7
dst-address=!192.168.0.0/16 makes sure only connections to the wan address will be rewritten to destination address 192.168.2.7

(in-interface-list=WAN is also an possibility, but would not apply to LAN-initiated connections to WAN address)

bovi · January 21, 2021, 7:17pm

Thank you so much for your help and all the explanations. It works now.