SMTP SSL - Port forwarding

I have a problem setting up my firewall. I need to configure my local mail system.

Queue message: connect to mail.domainX.com[213.222.33.44]:465 Connection time out

ip firewall nat add chain=dstnat protocol=tcp dst-port=465 action=dst-nat to-addresses=192.168.22.2 to-ports=465

where:
213.222.33.44 - is my external address (fake IP)
192.168.22.2 - is my local mail server address

Please help me configure a NAT rule for my outgoing messages.

I don’t have any problems with my incoming messages :wink:

> Please help me configure a NAT rule for my outgoing messages.
>
> I don’t have any problems with my incoming messages :wink:

Outgoing and incoming messages from where?

If you mean another email server is having trouble delivering email to your server, you must use port 25 for that. Port 465 is how email clients like Outlook and Thunderbird connect to an email server.

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.22.2 to-ports=25

edit: Ensure you have opened ports 25 and 465 on the email server’s own firewall. That is one thing normally overlooked.

Outgoing messages from my mail server at LAN IP 192.168.22.2.
Regarding port 25, I also have the same forwarding rule in MikroTik for this port, and the same for the others (POP3 SSL - 995, IMAP SSL - 993).
I also have forward/accept rules for ports 465 and 25.

The mail server at 192.168.22.2 still can’t send out e-mails.

You are asking about “outgoing mail” (LAN to WAN), so disable those rules and all will be fine (only if you have outgoing filtering rules do you have to add an allow rule).

If you also have incoming mail to handle, fix your rules: dst-nat’ing all connections to your private IP will break outgoing connections (specify the incoming interface, !lan or similar).

If you are having trouble with outgoing mail from your email server, then it is probably due to the dstnat rule for port 25. It may be redirecting your outgoing packets back to your server. You must add an in-interface (or dst-address) to that rule to prevent that.

/ip firewall nat
add chain=dstnat protocol=tcp in-interface=ether1 dst-port=25 action=dst-nat to-addresses=192.168.22.2 to-ports=25

If ether1 is not the WAN interface, change that.

ether1 is WAN interface.

Then adding the “in-interface=ether1” to the nat rule should allow your email server to send mail to another email server without being redirected back to your email server. Have you tried it?

I ran the connections from outside my home through a 3G connection, and the mail server works properly.
The problem is when I try to send email while connected to my LAN.

My current configuration is :

  1. My external address: 213.222.33.44 (fake)
  2. Then after my edge fiber router: 192.168.11.1
  3. Then my mikrotik router:
    WAN eth1 interface 192.168.11.250
    LAN eth3 interface 192.168.22.250
  4. mail server: 192.168.22.2

When I add mail.mydomain.pl - 192.168.22.2 to the hosts file, everything works OK, but for me this is the wrong solution, because when I go outside I must change the hosts file.

How do I configure the firewall and NAT to have access from the LAN to my mail server using my domain name mail.domainx.pl - 213.222.33.44 (fake)?

What does this mean?

> The problem is when I try to send email while connected to my LAN.

Send email with what program? To where?

There are two ways email servers “send and receive” email.

  1. Email client (Outlook and Thunderbird) to and from the email server (Sendmail or Postfix).
  2. Email server (Sendmail or Postfix) to and from another email server (Sendmail or Postfix).

Email clients communicate with the email server for POP3/IMAP (receive email from server) and SMTP (send email to server).
POP3 uses port 110 or 995
IMAP uses port 143 or 993
SMTP uses port 25 or 465

Email servers communicate with other email servers using port 25.

Which of those are failing?

All of these ports (995, 465, 993, 25) I have forwarded, and this works from outside my network, e.g. from a 3G connection.
But when I try to connect via Outlook (Windows) or Thunderbird (Ubuntu) from laptops located in my LAN, the mail clients don’t have access to the mail server and I can’t send or receive any e-mails.

Then you should either:

  1. use the localnet private IP of the email server on your localnet computers rather than the domain name.
    or
  2. use the router’s localnet gateway for your DNS and set a static DNS entry for the server in the router.
    or
  3. use a hairpin NAT.

Yeeeeeeeeeeeeeeeees You are The Best !
http://wiki.mikrotik.com/wiki/Hairpin_NAT works in this case.

I also have another small problem. I have forwarded port 443 from WAN to LAN (192.168.22.88) and this connection works properly from outside :wink:
One important inconvenience is that when I browse any other HTTPS page (port 443) from the LAN, I always end up at this forwarded address 192.168.22.

Then you need to add the “in-interface=ether1” to that port 443 dstnat rule. That way it will route only port 443 to that localnet address if the request comes in on ether1.
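A complete rule set that pulls the three answers together: the `in-interface` restriction on the port forwards (the port 25 fix above and the same fix for port 443), the hairpin NAT from the wiki link, and the forward-chain filter rules the forwarded connections still need. This is an added example, not configuration posted in the thread or taken from the MikroTik wiki. It assumes the topology the original poster described (ether1 = WAN 192.168.11.250, ether3 = LAN 192.168.22.0/24, mail server 192.168.22.2, HTTPS host 192.168.22.88, public address 213.222.33.44, which the poster says is fake); the `comment=` strings and the rule order are mine.

```routeros
# Added example, not from the thread. Topology and addresses are the OP's
# (public 213.222.33.44 is stated to be fake); comments and order are assumptions.

/ip firewall nat

# 1) WRONG (the rule the OP started with): it matches ANY tcp/25 that passes the
#    router, including the mail server's own outbound deliveries, and bends them
#    back to 192.168.22.2 -> "Connection timed out" in the queue.
# add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.22.2 to-ports=25

# 2) Port forwards restricted to packets that arrive on the WAN interface.
#    Outbound mail from 192.168.22.2 enters on ether3, so it no longer matches.
#    to-ports is omitted: the destination port is kept as-is for the whole list.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25,465,993,995 \
    action=dst-nat to-addresses=192.168.22.2 comment="mail from Internet"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.22.88 comment="https from Internet"

# 3) Hairpin NAT: a LAN client that resolves mail.domainx.pl to the public
#    address gets the same forward, but only when the packet comes in on the
#    LAN interface AND is addressed to that public IP. Any other HTTPS site
#    the client visits has a different dst-address and is left alone, which is
#    exactly the port 443 complaint above.
add chain=dstnat in-interface=ether3 dst-address=213.222.33.44 protocol=tcp \
    dst-port=25,465,993,995 action=dst-nat to-addresses=192.168.22.2 comment="mail hairpin"
add chain=dstnat in-interface=ether3 dst-address=213.222.33.44 protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.22.88 comment="https hairpin"

# 4) Source NAT for the hairpinned flows. Without this the server answers the
#    client directly on the LAN, the client sees a reply from 192.168.22.2
#    instead of 213.222.33.44 and drops it. Matching src AND dst on the LAN
#    subnet keeps this rule away from ordinary Internet traffic.
add chain=srcnat src-address=192.168.22.0/24 dst-address=192.168.22.0/24 \
    action=masquerade comment="hairpin srcnat"

# 5) Normal Internet masquerade for the LAN.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

/ip firewall filter
# The forwarded connections still have to pass the forward chain. Accept only
# what was dst-nat'ed plus established/related traffic; drop other new
# connections coming from the WAN side.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat connection-state=new action=accept \
    comment="allow the forwarded ports"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop everything else from WAN"
```

Two practical caveats. First, the hairpin srcnat in rule 4 makes every LAN client look like the router (192.168.22.250) to the mail server, so Postfix/Dovecot logs, per-IP rate limits and any fail2ban-style blocking no longer see the real client; one laptop with a wrong password can get the router address banned for the whole LAN. The second option in the reply above, split DNS, avoids that entirely (`/ip dns static add name=mail.domainx.pl address=192.168.22.2` on the MikroTik, with LAN clients using the router as their resolver). Second, because the fibre router sits in front of the MikroTik, the `dst-address` in the hairpin rules must be whatever the LAN clients actually dial, i.e. what `mail.domainx.pl` resolves to for them; check with `/ip firewall connection print` from a LAN client's attempt if the rule counters stay at zero.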