TLS and SSL connections to specific host break, how to find why

Hi all.

I’ve got a very obscure problem. First, please take a look at my LANs:


So here is how it goes in words:

  • There is a ~50-PC LAN (I call it LAN1), connected to the 3rd NIC of an old Windows box, which is connected to the Internet via NIC1. The box runs wipfw and squid (for filtering, logging and restrictions), and it also does NAT. This Windows box also carries an L2TP/PPTP server.
    This box has 3 NICs, two of which (NIC1 and NIC2) are connected to the same unmanaged switch, but have different addresses. NIC1 has a public (“white”) address with the provider’s gateway, NIC2 has 172.22.2.1.
  • This unmanaged switch is connected to the provider,
    and we’ve got a connection to the same provider from another location via a MikroTik RB951G-2HnD. The provider knows that and charges us to let us pass up to 100 MBps of our LAN traffic via his infrastructure. The MikroTik keeps up its VPN to the Windows box, via which all routing between the LANs occurs (no NAT, manual routes on both sides).
    Behind the MikroTik there is LAN2.
  • There is another LAN, LAN3, connected to the same unmanaged switch (on the Windows box side) via a pair of dirt-cheap TP-Links (something like TL-WR720N), which do NAT. It has an IP-based “allow” permission on the Windows box, but does not have a VPN.

Everything worked fine (almost), until recently I added some rules (something like «deny from any to me in via eth5» after all the “allow” rules) to wipfw.conf on the Windows box, and LAN2 lost access to Yandex’s SMTP and POP3 (smtp.yandex.ru, pop.yandex.ru). This is very weird, because everything still works for LAN1 and LAN3, and LAN2 even retained full access to {smtp,imap}.googlemail.com.

Trouble looks like this:

Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => Assigned $opt{} key/value: tls => yes
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => Connecting to smtp.yandex.ru:587
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => My IP address is: 192.168.2.47
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 smtp1j.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: SUCCESS => Received:         220 smtp1j.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: INFO => Sending:     EHLO srv1s
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 250-smtp1j.mail.yandex.net, 250-8BITMIME, 250-PIPELINING, 250-SIZE 42991616, 250-STARTTLS, 250-AUTH LOGIN PLAIN XOAUTH2, 250-DSN, 250 ENHANCEDSTATUSCODES
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: SUCCESS => Received:         250-smtp1j.mail.yandex.net, 250-8BITMIME, 250-PIPELINING, 250-SIZE 42991616, 250-STARTTLS, 250-AUTH LOGIN PLAIN XOAUTH2, 250-DSN, 250 ENHANCEDSTATUSCODES
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => The remote SMTP server supports TLS :)
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => Starting TLS
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: INFO => Sending:     STARTTLS
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Checking for SMTP success or error status in the message: 220 Go ahead
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Dec 06 20:08:39 srv1s sendEmail.exe[6268]: SUCCESS => Received:         220 Go ahead
**<process hangs here>**

POP/IMAP via SSL does not finish the handshake either (the connection hangs too). Same from different machines on LAN2 and with different MUAs, including Thunderbird.
For now I have worked around the problem by installing stunnel on the Windows gateway and setting up mail for LAN2 via it.

When I found out about the problems, I restored the old .conf from backup, but it didn’t help (though I checked that the old rules were definitely applied).

What else I found is that the MikroTik itself can send email (using the same settings): imgur.com/8C3EpLb

So PCs behind the MikroTik cannot, and the MikroTik can. This is why I ended up on this forum at all :)
Please help me figure out what’s going wrong. This is definitely not some firewall rules, see imgur.com/f6gBvVu (other tabs are mostly empty/have default values).

A little clarification:

  1. There are some other hosts, aside from Yandex, that are affected, but most are not.
  2. Neither SSL nor TLS can finish the handshake with these hosts, via any protocol (SMTP? | POP? | IMAP? | HTTPS). But everything works fine via forwarded ports and squid on the Windows box (but then I have to reconfigure the applications).
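As an added diagnostic (not from the original post), this Python probe walks the same dialogue that sendEmail logged above, banner, EHLO, STARTTLS, then the TLS handshake, and reports the last stage that completed, so a hang can be pinned to the plaintext SMTP exchange or to the TLS handshake itself. The `ScriptedSock` stand-in and its trimmed replies are constructed from the log so the probe can be exercised offline; the `probe` EHLO name and the hostnames passed in are assumptions.

```python
import socket, ssl

def read_reply(sock, want):
    """Read one SMTP reply (following '250-' continuation lines); require status `want`."""
    buf, lines = b"", []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii", "replace"))
            if len(lines[-1]) < 4 or lines[-1][3] == " ":  # "250 " ends it, "250-" continues
                if int(lines[-1][:3]) != want:
                    raise ConnectionError(f"expected {want}, got {lines[-1]!r}")
                return lines

def probe_starttls(sock, host, handshake=lambda s, h:
                   ssl.create_default_context().wrap_socket(s, server_hostname=h)):
    """Run banner -> EHLO -> STARTTLS -> TLS on a connected socket that has a timeout set.
    Returns (last_stage_completed, error); on a stall the stage shows where packets stopped."""
    stage = "connect"
    try:
        read_reply(sock, 220)
        stage = "banner"
        sock.sendall(b"EHLO probe\r\n")
        if not any(l[4:].startswith("STARTTLS") for l in read_reply(sock, 250)):
            raise ConnectionError("server does not offer STARTTLS")
        stage = "ehlo"
        sock.sendall(b"STARTTLS\r\n")
        read_reply(sock, 220)
        stage = "starttls"
        # The certificate chain is the first full-size packet of the session: small replies
        # passing while this step stalls points at the tunnel's path MTU rather than at SMTP.
        tls = handshake(sock, host)
        stage = "tls"
        tls.sendall(b"QUIT\r\n")
        return stage, None
    except (socket.timeout, OSError) as e:
        return stage, f"{type(e).__name__}: {e}"

class ScriptedSock:
    """Constructed stand-in replaying the replies seen in the log above; not a real server."""
    def __init__(self, replies): self.replies = list(replies)
    def sendall(self, data): pass
    def recv(self, n): return self.replies.pop(0) if self.replies else b""
    def handshake(self, host): raise socket.timeout("timed out")  # the hang after "220 Go ahead"
LOG_REPLIES = [b"220 smtp1j.mail.yandex.net ESMTP\r\n",
               b"250-smtp1j.mail.yandex.net\r\n250-STARTTLS\r\n250 DSN\r\n", b"220 Go ahead\r\n"]
```

For a live check, pass `socket.create_connection(("smtp.yandex.ru", 587), timeout=10)` as the socket and leave `handshake` at its default; a result of `("starttls", "TimeoutError: ...")` reproduces the hang in the log, and because the small plaintext replies got through while the first full-size packets did not, that pattern is the classic signature of a path-MTU problem on a tunnel rather than of a firewall block, whereas `("tls", None)` means the path carries full-size packets fine.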