Hello, i have RouterOS with x86 pc

for the past few days my customers cannot send any emails through outlook or any other windows based programs. To be more specific, i get error: 0x800CCC0B in outlook express.

My current smtp doesn't need to authenticate.
I have tried to add the smtp in white list so users can access it without even log in.
i have also tried to redirect all port 25 traffic through that specific smtp.

i cannot figure why is blocked.

anyone to help ??

best
Markos

are you sure this is related to RouterOS? they need to apply hotfix according to MS:
http://support.microsoft.com/kb/827349

i know about the hotfix. now i get different messages. i can telnet the smtp through the wifi system but i cannot reach it. i will post the message later that i get now.

unfortunately the patch is not supported on my system. anyway it is not only on my laptop but on my customer's too.

you need to post your firewall and nat configuration, so we can see what could be causing problems. are there any other problems with websites, or just the SMTP doesn't work? is it the same for all customers, or only for some ?

My firewall rules
0 and 25 i've put them afterwoods for testing and forwarding smtp.

-->> 0 X chain=dstnat action=dst-nat to-addresses=217.27.32.193 to-ports=25 protocol=tcp dst-port=25
1 chain=hs-unauth action=accept dst-address=46.21.53.182
2 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
3 I chain=hotspot action=jump jump-target=pre-hotspot
4 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
5 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
6 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
7 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
8 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
9 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
10 D ;;; www.about-pissouri.com
chain=hs-unauth action=return dst-address=147.202.120.120
11 D ;;; radius.pissourinet.net
chain=hs-unauth action=return dst-address=46.21.53.182
-->> 12 X chain=hotspot action=dst-nat to-ports=25 protocol=tcp src-address=10.5.7.0/24 src-port=25 dst-port=25
13 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
14 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
15 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
16 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
17 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
18 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
19 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
20 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
21 ;;; masquerade clients
chain=srcnat action=masquerade src-address=10.5.7.0/24
22 X ;;; webproxy enable/dissable
chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address=10.5.7.0/24 dst-port=80
23 X chain=dstnat action=accept protocol=tcp src-address=10.5.7.0/24 dst-port=80

and filter:
0 chain=hs-unauth-to action=return dst-address=46.21.53.182
1 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
2 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
3 D chain=input action=jump jump-target=hs-input hotspot=from-client
4 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
5 I chain=hs-input action=jump jump-target=pre-hs-input
6 D chain=hs-input action=accept protocol=udp dst-port=64872
7 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
8 D ;;; www.about-pissouri.com
chain=hs-unauth action=return dst-address=147.202.120.120
9 D ;;; radius.pissourinet.net
chain=hs-unauth action=return dst-address=46.21.53.182
10 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
11 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
12 D ;;; www.about-pissouri.com
chain=hs-unauth-to action=return src-address=147.202.120.120
13 D ;;; radius.pissourinet.net
chain=hs-unauth-to action=return src-address=46.21.53.182
14 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
15 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
16 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
17 X chain=forward action=drop p2p=all-p2p
18 chain=input action=accept protocol=tcp src-address=217.27.32.193 dst-address=10.5.7.34 src-port=25

rule 18 is for testing the smtp with a destination address (my laptop)

But if you are using the hotspot, does the end user need to authenticate against their server to send out messages? You can try having them turn off authentication on their machines and see if it works.

If your users need to authenticate themselves against their server to be able to send out messages, then you have a couple of choices:
1.) Anyone that needs to send out e-mails needs to turn off authentication if not already done. (Generates tech support calls)
2.) Depending on your relay server, you might be able to hack it to accept any and all user names and passwords. I managed to do it with Postfix, SASL, and FreeRadius. It required a fair amount of tinkering to get it going though and much trial and error. You'll also want to be sure that your server will only accept connections from known IP addresses (i.e. your hotspots) or you will become an open relay with that method.
3.) Turn off the SMTP option on the MikroTik so they use their own servers to send out e-mails (Can general support calls due to peoples relay servers not accepting connections from outside their network and can get your location black listed from a user sending spam)

Do you redirect your client's email to a local server for delivery? If not, that is probably the problem.

SMTP is tricky. It is a 2-part challenge.

1) Most email servers will not relay email for an untrusted ip or domain. So because of this reason, I use the smtp-server setting in the hotspot profile to redirect smtp to my email server for delivery. That way if my customer does not have secure email, they can send email.

2) Some clients have secure email. This requires the client to go directly to his email server to send email with the client's current setting. But because of the smtp redirect setting above, they can't do that. I set up a second hotspot on a VAP for that.

Maybe someone else has a better solution for both of us.

Hello again. When i connect my laptop directly to my fiber connection with a real ip all the messages go through. When my laptop is connected to the hotspot i get a variety of error messages. so the problem must be from the hotspot configuration.

btw i get same error as this: http://forum.mikrotik.com/viewtopic.php?f=7&t=45868 it is exactly the same issue in my firewall. i don't know if it matters or not.

My isp's smtp doesn't want any authentication.

thank you !

Do you redirect your client's email to a local server for delivery? If not, that is probably the problem.

SMTP is tricky. It is a 2-part challenge.

1) Most email servers will not relay email for an untrusted ip or domain. So because of this reason, I use the smtp-server setting in the hotspot profile to redirect smtp to my email server for delivery. That way if my customer does not have secure email, they can send email.

2) Some clients have secure email. This requires the client to go directly to his email server to send email with the client's current setting. But because of the smtp redirect setting above, they can't do that. I set up a second hotspot on a VAP for that.

Maybe someone else has a better solution for both of us.

It is possible to set up your relay server to accept all usernames and passwords so an end user can send their "secured" mail, it is tricky though. It works with the PLAN and LOGIN mechanisms, but the others don't appear to work right with this method. It's enough however that we rarely see a call about it now.

Basically I have Postfix set to used SASL auth if the end user asks for authentication, and it set to use PAM as the method. PAM is then set to use Radius to authenticate the request. The FreeRadius server is hard coded to accept everything (running on the local machine and only accepts connections from localhost). This way no matter what the end user has for their username or password it is accepted and they can relay their e-mail.

Hello Feklar,

Could you tell us more in detail about hardcode freeradius to accept all authentication request ?
Which part in the configuration file of freeradius need to be added or removed due to this purpose ?

Regards

Rieky

@Feklar: It is not the user/password I have trouble with. It is the secure email that has a "key" that does not match my email server secure key. How did you correct that?

http://www.sendmail.org/~ca/email/starttls.html

ADD: I can't remember exactly verbatim what it shows, but in the sendmail log shows something like this:
send failed: domain key mismatch.

I think it is the receiving email server misconfiguration. Most SSL/TTLS servers use a port other than 25, like gmail does. That causes no problem at all. They use port 587. It is not redirected like port 25.

Edit /etc/freeradius/users and place this near the top.
Then it will just accept anything you feed it for a user name and password. The tricky part is getting your mail server to use Radius in the first place, hard coding it to accept is easy .

@SurferTim, like you said, this doesn't work for everything. However if they have a more secured system they usually use a different port, or must connect to a VPN to send/receive e-mails. In those cases it's out of your control and usually isn't a problem. This setup doesn't cover every case, in fact it only works for the PLAN and LOGIN mechanisms if I remember correctly, but it increases the number of clients you can support without them having to make setting changes to their e-mail clients.