Unable to connect to SMTP service port on WAN IP.

Hi Guru,

I am trying to set up an email server behind the MikroTik L009UiGS router. However, I am not able to connect to the SMTP service at the public IP (WAN). I checked in Wireshark: the RST is sent after the SYN packet. I am not sure what might be wrong with my settings. Below are the current environment and the firewall/nat and firewall/filter settings. What might be wrong in my settings?

WAN IP(ISP): 50.1.1.1 (fake)
Email server: 192.168.88.50 (for example)

  • SMTP port: 25
  • POP3 port: 110
  • IMAP port: 143

firewall/filter:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="Tomtom" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="troubleshoot" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

firewall/nat:
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    ;;; Email server forwarding
      chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=25 protocol=tcp dst-address-type="" src-address-list="" dst-address-list="" connection-type="" in-interface=ether1 
      dst-port=25 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=110 protocol=tcp in-interface=ether1 packet-mark="" dst-port=110 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=143 protocol=tcp in-interface=ether1 dst-port=143 log=no log-prefix=""

Regards,
Tom

SMTP is often blocked at the ISP level.
You likely need to jump through at least a few hoops before you can use it as a mail server.

Using an unencrypted mail system/server is asking to get hacked.

Hi All,

Thank you all. Just validated after changing the port 25 to 2525. The dst-nat works. Like you indicated, the ports (25, 587, 465) are blocked by the ISP. Need to find a way to detour it.
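
The outcome of the thread (the rules were fine, the block was upstream) can be checked against the posted rule set. The following is an added example, not part of the thread and not MikroTik code: a simplified first-match model that traces a new inbound SYN through the posted dstnat, forward and input rules. The names `simulate`, `matches` and `parse` are hypothetical, and it assumes ether1 is a member of the WAN interface list.

```python
# Simplified first-match model of the RouterOS rules posted above (log=/empty props dropped).
# Assumption: ether1 is a member of the WAN interface list (defconf default).
NAT = [f"chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports={p} "
       f"protocol=tcp in-interface=ether1 dst-port={p}" for p in (25, 110, 143)]
INPUT = [  # filter rules 1-5 on the page
    "chain=input action=accept connection-state=established,related,untracked",
    "chain=input action=drop connection-state=invalid",
    "chain=input action=accept protocol=icmp",
    "chain=input action=accept dst-address=127.0.0.1",
    "chain=input action=drop in-interface-list=!LAN",
]
FORWARD = [  # filter rules 6-11 on the page
    "chain=forward action=accept ipsec-policy=in,ipsec",
    "chain=forward action=accept ipsec-policy=out,ipsec",
    "chain=forward action=fasttrack-connection connection-state=established,related",
    "chain=forward action=accept connection-state=established,related,untracked",
    "chain=forward action=drop connection-state=invalid",
    "chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN",
]
SKIP = {"chain", "action", "to-addresses", "to-ports"}  # properties that are not matchers

def parse(rule):
    return dict(kv.split("=", 1) for kv in rule.split())

def matches(rule, pkt):
    for key in rule.keys() - SKIP:
        negate, want = rule[key].startswith("!"), rule[key].lstrip("!")
        allowed = [want] if key == "ipsec-policy" else want.split(",")
        if (pkt.get(key, "") in allowed) == negate:
            return False
    return True

def simulate(dst_port):
    """Trace a new TCP SYN arriving on ether1 for the WAN IP; return (action, rule no., new dst)."""
    pkt = {"protocol": "tcp", "dst-port": str(dst_port), "dst-address": "50.1.1.1",
           "in-interface": "ether1", "in-interface-list": "WAN",
           "connection-state": "new", "connection-nat-state": "", "ipsec-policy": "in,none"}
    nat = next((r for r in map(parse, NAT) if matches(r, pkt)), None)
    if nat:  # destination rewritten, so the packet is routed through the forward chain
        pkt["connection-nat-state"] = "dstnat"
        chain, first, dst = FORWARD, 6, f'{nat["to-addresses"]}:{nat["to-ports"]}'
    else:    # still addressed to the router itself, so the input chain applies
        chain, first, dst = INPUT, 1, None
    for number, rule in enumerate(map(parse, chain), start=first):
        if matches(rule, pkt):
            return rule["action"], number, dst
    return "accept", None, dst  # no rule matched: the chain's default is accept

if __name__ == "__main__":
    print({port: simulate(port) for port in (25, 110, 143, 80)})
```

In this model the forwarded ports pass the forward chain without hitting rule 11, while an unforwarded port such as 80 is dropped by input rule 5, so a failure on port 25 points outside this rule set.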