bovi
just joined
Topic Author
Posts: 3
Joined: Wed Jan 20, 2021 11:30 pm

SMTP server outgoing mail problem

Thu Jan 21, 2021 1:51 am

Hello,

I'm trying to get my internal SMTP server working.

My SMTP server has address 192.168.2.7 and it can receive emails but can not send emails.

My `ip firewall filter' configuration:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept 
      connection-state=established,related,untracked 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 
 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 
10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 
11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN 
and `ip firewall nat' configuration:
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 
 1    ;;; ssh
      chain=dstnat action=dst-nat to-addresses=192.168.2.7 protocol=tcp 
      src-address=!192.168.2.0/24 dst-port=22 log=no log-prefix="" 
 2    ;;; email
      chain=dstnat action=dst-nat to-addresses=192.168.2.7 protocol=tcp 
      dst-port=25,465 

Am I missing something?
 
ak4020
newbie
Posts: 32
Joined: Mon Mar 23, 2020 11:35 am

Re: SMTP server outgoing mail problem

Thu Jan 21, 2021 2:29 pm

You lack the firewall rule:
/ip firewall filter add action=accept chain=forward comment=mailserver dst-address=192.168.2.7 dst-port=25,465 protocol=tcp
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: SMTP server outgoing mail problem

Thu Jan 21, 2021 3:02 pm

No need to add another filter rule. Your nat rule is dstnatting both incoming and outgoing connections. Limit the nat rule instead (e.g. dst-address-type=local and dst-address=!192.168.0.0/16).

Note that you already made this effort on the first nat rule (ssh) with src-address=!192.168.2.0/24.

To post config properly, it's better to use /ip firewall export to export the configuration to the terminal.
 
bovi
just joined
Topic Author
Posts: 3
Joined: Wed Jan 20, 2021 11:30 pm

Re: SMTP server outgoing mail problem

Thu Jan 21, 2021 7:11 pm

I'm not a network specialist, so please bear with me.

My understanding is that this rule affects only incoming connections
and it basically forwards them to my smtp server:
add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7

If I limit this rule as you suggest
``(e.g. dst-address-type=local and dst-address=!192.168.0.0/16)'',
how would it resolve my outgoing connections?

Would it be possible for you to write exactly what this NAT rule should look like?
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: SMTP server outgoing mail problem  [SOLVED]

Thu Jan 21, 2021 7:28 pm

This rule translates all connections with a destination port of 25, 465.

add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7

So, even outgoing connections will be rewritten to destination IP 192.168.2.7. If this is the desired behavior, you should also apply hairpin NAT to rewrite the source address and it will work (both outgoing and incoming connections will go to your internal mail server). But that's not what you want.

The correct rule would be:

add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \
    to-addresses=192.168.2.7 dst-address-type=local dst-address=!192.168.0.0/16

dst-address-type=local makes sure only connections directed to the router itself (either wan or lan) will be rewritten to destination address 192.168.2.7
dst-address=!192.168.0.0/16 makes sure only connections to the wan address will be rewritten to destination address 192.168.2.7

(in-interface-list=WAN is also a possibility, but would not apply to LAN-initiated connections to the WAN address)
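
A small model of the dstnat matching described in the answer above, added here as an illustration (it is not code from the thread or from RouterOS): it evaluates the original rule, the corrected rule and the in-interface-list=WAN variant against four connections. The router's WAN and LAN addresses and the remote MX address are constructed placeholders, and only the matchers used in the thread are modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders (not from the thread): router WAN and LAN addresses.
ROUTER_LOCAL = {ip_address("203.0.113.10"), ip_address("192.168.2.1")}
MAIL = "192.168.2.7"  # internal SMTP server, as given in the thread

def matches(rule, conn):
    """True if the connection satisfies every matcher set on the dstnat rule."""
    dst = ip_address(conn["dst"])
    if conn["dport"] not in rule["dst_port"]:
        return False
    # dst-address-type=local: destination must be one of the router's own addresses
    if rule.get("dst_address_type") == "local" and dst not in ROUTER_LOCAL:
        return False
    # dst-address=!net: destination must NOT be inside the given network
    if "dst_address_not" in rule and dst in ip_network(rule["dst_address_not"]):
        return False
    if "in_interface_list" in rule and conn["in_list"] != rule["in_interface_list"]:
        return False
    return True

def dstnat(rule, conn):
    """Destination address the connection has after the dstnat chain."""
    return rule["to"] if matches(rule, conn) else conn["dst"]

BROAD = {"dst_port": {25, 465}, "to": MAIL}                      # original rule
SCOPED = {**BROAD, "dst_address_type": "local",
          "dst_address_not": "192.168.0.0/16"}                   # corrected rule
WAN_ONLY = {**BROAD, "in_interface_list": "WAN"}                 # alternative

# Constructed sample connections
CONNS = {
    "internet -> WAN address": {"dst": "203.0.113.10", "dport": 25, "in_list": "WAN"},
    "mail server -> remote MX": {"dst": "198.51.100.25", "dport": 25, "in_list": "LAN"},
    "LAN client -> WAN address": {"dst": "203.0.113.10", "dport": 465, "in_list": "LAN"},
    "LAN client -> router LAN address": {"dst": "192.168.2.1", "dport": 25, "in_list": "LAN"},
}

def table(rule):
    """Map each sample connection to its destination after dstnat."""
    return {name: dstnat(rule, conn) for name, conn in CONNS.items()}

if __name__ == "__main__":
    for label, rule in (("broad", BROAD), ("scoped", SCOPED), ("wan-only", WAN_ONLY)):
        print(label)
        for name, dst in table(rule).items():
            print(f"  {name:34} -> {dst}")
```

With the original rule the mail server's own outbound connection to the remote MX is redirected back to 192.168.2.7, which is why it could receive but not send.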
 
bovi
just joined
Topic Author
Posts: 3
Joined: Wed Jan 20, 2021 11:30 pm

Re: SMTP server outgoing mail problem

Thu Jan 21, 2021 9:17 pm

Thank you so much for your help and all the explanations. It works now.
