cjmara

Incoming Mail through a firewall

I'm a little stumped on this one.  I have a mail server that was multi-homed, and used the external interface for the virtual smtp server.

I have finally installed a new firewall, and have been able to get RPC over HTTP through the firewall, as well as OWA.  I created rules for SMTP and HTTPS, and forwarded the traffic to the internal interface, as well as changed the Virtual SMTP server to use the internal interface.

As I mentioned, OWA and RPC over HTTPS both work; but I have NO incoming email.  I am also running GFI MailEssentials and MailSecurity; but in both cases they are directed at the Virtual SMTP Server.  I did verify that the incoming mail stopped as it was not even hitting the MailEssentials.

Any suggestions?

As soon as I re-enabled the external interface and disabled the virtual IP on the firewall as well as the rules, I started receiving incoming emails.

Sidenote: the firewall is pfSense.

Thanks,
debuggerau

Do you have the MX record pointing to both public IPs, or just to the external interface?
cjmara

ASKER

The MX record is pointing to the external interface, but we set that up on the firewall (after it was disabled on the mail server) as a virtual ip and then added the rules for forwarding.

Thanks
What rules have you for the virtual IP in the firewall?

Sounds like the rule for SMTP is not quite right.
Can you telnet to port 25 externally to test?

cjmara

ASKER

Sorry I should have added that.  We were able to telnet to port 25 on the appropriate address (once I remembered to change the Virtual SMTP server).

I am including a picture of the rules that we have since disabled.

Thanks,
pfSense-rules.png
ASKER CERTIFIED SOLUTION
debuggerau
This solution is only available to members.
cjmara

ASKER

Well,

I wasn't able to get things working properly from home last night so I left it until this morning.  I switched everything on the mail server, and then the firewall; and then connected to the mail server.  Yesterday we only went as far as connecting to the mail server, so this morning we completed the process by sending a mail as you had suggested.  It worked, and when I went and looked at my logs, mail did not stop coming in today.

Not sure what has changed as I followed the same steps that I did yesterday (and rechecked yesterday) but today it is working.  At the same point, doesn't really matter much as long as it is working.

Thanks for the suggestion, as going back to it made the difference.