Community discussions

MUM Europe 2020
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

SMTP SSL - Port forwarding

Thu Oct 23, 2014 1:21 am

I have problem to setup my firewall. I need to configure my local mail system.

Queue message: connect to mail.domainX.com[213.222.33.44]:465 Connection time out

ip firewall nat add chain=dstnat protocol=tcp dst-port=465 action=dst-nat to-addresses=192.168.22.2 to-ports=465

where:
213.222.33.44 - is my external address (fake IP)
192.168.22.2 - is my local mail server address

Please help to configure NAT Rule to run my outcomming messages.

I don't have any problems with my incoming messages ;-)
Last edited by MikroTikFan on Fri Oct 24, 2014 12:20 am, edited 1 time in total.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 2:56 am

Please help to configure NAT Rule to run my outcomming messages.

I don't have any problems with my incoming messages ;-)
Outgoing and incoming messages from where?

If you mean another email server is having trouble delivering email to your server, you must use port 25 for that. Port 465 is how email clients like Outlook and Thunderbird connect to an email server.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.22.2 to-ports=25
edit: Insure you have opened ports 25 and 465 on the email server firewall. That is one thing normally overlooked.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 7:42 am

Outgoing messages from my mail server in LAN IP 192.168.22.2
Regarding port 25 I have also same forwarding rule in mikrotik for this port and same for others (POP3SSL-995, IMAPSSL-993).
I have also forward/accept rule for 465 and 25 port.

Mail server stil from 192.168.22.2 cant send out e-mails.
 
User avatar
bajodel
Long time Member
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 9:27 am

you claim for "outgoing mail" (lan to wan)..so disable those rulles and all will be fine (only if you have outgoing filtering rules you have to allow .. ..)

if you have also incoming mails to handle, fix you rules ..dst-nat all connections to your private ip it will brake outgoing conns (specify incoming interface !lan or similar..)
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 2:51 pm

If you are having trouble with outgoing mail from your email server, then it is probably due to the dstnat rule for port 25. It may be redirecting your outgoing packets back to your server. You must add an in-interface (or dst-address) to that rule to prevent that.
/ip firewall nat
add chain=dstnat protocol=tcp in-interface=ether1 dst-port=25 action=dst-nat to-addresses=192.168.22.2 to-ports=25
If ether1 is not the WAN interface, change that.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 8:31 pm

ether1 is WAN interface.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Thu Oct 23, 2014 9:01 pm

Then adding the "in-interface=ether1" to the nat rule should allow your email server to send mail to another email server without being redirected back to your email server. Have you tried it?
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 12:18 am

I did run the connections from outside my home thru 3G connections, and mail server works properly.
The problem is when I tried to send email being connected to my LAN.

My current configuration is :

1. My external address: 213.222.33.44 (fake)
2. Then after my edge fiber router: 192.168.11.1
3. Then my mikrotik router:
WAN eth1 interface 192:168.11.250
LAN eth3 interface 192:168.22.250
4. mail server: 192.168.22.2

When I will add in host file: mail.mydomain.pl - 192.168.22.2 everything works ok, but this is for me wrong solution, because when I go outside I must change host file.

How to configure firewall and NAT to have access from LAN to my mail server using my domain name mail.domainx.pl - 213.222.33.44 (fake).
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 12:36 am

What does this mean?
The problem is when I tried to send email being connected to my LAN.
Send email with what program? To where?

There are two ways email servers "send and receive" email.
1) Email client (Outlook and Thunderbird) to and from the email server (Sendmail or Postfix).
2) Email server (Sendmail or Postfix) to and from another email server (Sendmail or Postfix).

Email clients communicate with the email server for POP3/IMAP (receive email from server) and SMTP (send email to server).
POP3 uses port 110 or 995
IMAP uses port 143 or 993
SMTP uses port 25 or 465

Email servers communicate with other email servers using port 25.

Which of those are failing?
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 1:09 am

All of this ports (995, 465, 993, 25) I have forwarded and this works from outside my network f.e. from 3G connection.
But when I tried to connect via Outlook(Windows) or Thunderbird(Ubuntu) from laptops located in my LAN mail clients don't have access to mail server and I can't send or receive any e-mails.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 1:23 am

Then you should either:
1) use the localnet private ip of the email server on your localnet computers rather than domain name.
or
2) use the router localnet gateway for your dns and set a static dns for the server in the router.
or
3) use a hairpin nat.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 1:34 am

Yeeeeeeeeeeeeeeeees You are The Best !
http://wiki.mikrotik.com/wiki/Hairpin_NAT works in this case.

I have also small other problem. I have forwarded port 443 from WAN to LAN (192.168.22.88) and this connection works properly from outside ;-)
One important inconvenience is when I will browse other https page file (port 443) from LAN I allways go to this forwarded addres 192.168.22.
Last edited by MikroTikFan on Fri Oct 24, 2014 2:07 am, edited 2 times in total.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: SMTP SSL - Port forwarding

Fri Oct 24, 2014 2:05 am

I have also small other problem. I have forwarded port 443 from WAN to LAN (192.168.22.88) and this connection works properly from outside ;-)
One important inconvenience is when I will browse other https page file (port 443) from LAN I allways go to this forwarded addres 192.168.22.
Then you need to add the "in-interface=ether1" to that port 443 dstnat rule. That way it will route only port 443 to that localnet address if the request comes in on ether1.

Who is online

Users browsing this forum: No registered users and 74 guests