E-mail server behind NAT

I have a GW server with pf, e-mail service, NAT etc. on it. GW has 3 interfaces. One of the interfaces has a white IP/registered DNS name. I want to move the e-mail service behind GW to IP 192.168.0.1/24. Is it possible?
 
Yes. Just redirect (rdr) external_if:25 -> internal_if:25 and add a pass rule for it, and NAT will take care of the rest.
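A worked pf.conf fragment for the redirect described in the reply above. This is an added example, not configuration from the original post; the interface names em0/em1 and the mail host address 192.168.0.1 are assumptions (the gateway's third interface is not involved, so it is left out):

```pf
# Added example (not from the thread). Assumptions: em0 = external interface
# with the public IP, em1 = internal interface, mail host = 192.168.0.1.
ext_if  = "em0"
int_if  = "em1"
mailhost = "192.168.0.1"

# Outbound NAT for the internal network: the mail host's outgoing SMTP
# connections will appear to come from the gateway's public IP.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect inbound SMTP arriving on the public IP to the internal mail host.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mailhost port 25

# rdr only translates; a pass rule is still needed. Filtering happens after
# translation, so the destination to match is the internal address.
pass in on $ext_if proto tcp from any to $mailhost port 25 flags S/SA keep state
pass out on $int_if proto tcp from any to $mailhost port 25 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the translation rules with `pfctl -sn` afterwards. Only port 25 is redirected and passed here; do not widen the rule to the whole host.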
 
But what about the HELO/EHLO request on the mail server? I think other mail servers will reject mails from my server.
 
Mail from a server without an MX record is normally dropped. You should register an MX record for your NAT (external IP, obviously).
 
As far as HELO/EHLO goes: if you can't force your mailserver to use your official ('external') hostname in HELO/EHLO, at least make sure it's an FQDN, like server.domain.local, but preferably something that has a forward and reverse DNS record. Most mailservers use 'suspect' HELO/EHLO records (like IP addresses instead of hostnames, or non-FQDNs) for spam scoring only, not for downright rejecting the connection attempt. There's always the possibility to use your ISP's relay, no doubt.
 
My MX sits behind my router on a 10.0.0.0/8 network, with no problems. Since the outgoing connection "appears" to come from the router (with external IP and FQDN, reverse DNS, et al.), mail flows through without problem.
 
Sure, but EHLO/HELO doesn't know about NAT, only about the local hostname. Not a lot of sites filter EHLO/HELO, but there should be an FQDN in there.
 
kamikaze said:
Mail from a server without an MX record is normally dropped.

Since when? My domain has no MX; rejects only come from postgrey services. Much more important is that your HELO domain name is resolvable, and that the IP address it points to is resolvable.

I haven't seen a single reject in 2+ years of having this configuration and two other domains, based on absent MX record.
 
I should note that the FQDN is mail.mydomain, which externally resolves to the external IP, but internally resolves to the local (natted) IP. So HELO is mail.mydomain, which resolves back to the proper IP.
 
@Mel_Flynn

Does your domain have an A record? Most MTAs will allow domains without MX records as long as they have an A record. If a domain has neither, my MTA will reject the mail ('domain doesn't exist/resolve').
 
DutchDaemon said:
@Mel_Flynn

Does your domain have an A record? Most MTAs will allow domains without MX records as long as they have an A record. If a domain has neither, my MTA will reject the mail ('domain doesn't exist/resolve').

Naturally. Domain has A, HELO is FQDN and resolves and the IP resolves to the domain of the HELO FQDN.

There might be people rejecting mail based on absence of an MX record as an overly paranoid anti-spam solution, but calling it 'normal', nope.
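The checks the thread converges on (HELO must be an FQDN, should resolve to the connecting IP, the IP should have a PTR that resolves back, and the sender domain needs an MX or at least an A record) as a receiving-side scoring routine. This is an added example, not code from the thread or from any MTA; the DNS tables are constructed inline (documentation addresses in 203.0.113.0/24 and 198.51.100.0/24) so it runs offline, and the score weights are an illustrative assumption.

```python
import re

# Constructed DNS data (assumption: example zones, not real lookups).
# Forward (A) records: the external HELO name and the domain both point at
# the gateway's public IP; the PTR name is what the ISP published in reverse.
FORWARD_A = {
    "mail.example.org": "203.0.113.10",
    "gw.example.org": "203.0.113.10",
    "example.org": "203.0.113.10",      # domain with an A record but no MX
}
REVERSE_PTR = {
    "203.0.113.10": "gw.example.org",   # 198.51.100.7 deliberately has no PTR
}
MX = {
    "mxonly.example": ["mail.example.org"],  # MX but no A record of its own
}

HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_fqdn(name):
    """At least two valid hostname labels; trailing dot tolerated."""
    if len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(HOST_LABEL.match(l) for l in labels)


def helo_score(helo, peer_ip, forward=FORWARD_A, reverse=REVERSE_PTR):
    """Spam score for a HELO/EHLO argument seen from peer_ip.

    Returns (score, reasons). 0 means the HELO is an FQDN that resolves to
    the connecting IP and the IP has forward-confirmed reverse DNS. As in the
    thread, this is scoring input, not a reason to reject by itself.
    """
    score, reasons = 0, []
    name = helo.strip().lower()
    if (name.startswith("[") and name.endswith("]")) or IPV4.match(name):
        score += 4
        reasons.append("helo_address_literal")      # IP instead of a hostname
    elif not is_fqdn(name):
        score += 3
        reasons.append("helo_not_fqdn")             # bare "mailserver"
    else:
        addr = forward.get(name.rstrip("."))
        if addr is None:
            score += 3
            reasons.append("helo_unresolvable")     # e.g. server.domain.local
        elif addr != peer_ip:
            score += 2
            reasons.append("helo_ip_mismatch")      # name resolves elsewhere
    # Forward-confirmed reverse DNS on the connecting IP: PTR exists and
    # the name it gives resolves back to the same IP.
    ptr = reverse.get(peer_ip)
    if ptr is None or forward.get(ptr) != peer_ip:
        score += 1
        reasons.append("no_fcrdns")
    return score, reasons


def sender_domain_acceptable(domain, forward=FORWARD_A, mx=MX):
    """Accept a MAIL FROM domain if it has an MX or an A record; reject if neither."""
    d = domain.strip().lower().rstrip(".")
    return d in mx or d in forward


if __name__ == "__main__":
    peer = "203.0.113.10"
    for helo in ("mail.example.org", "server.domain.local", "mailserver", "[192.168.0.1]"):
        print(helo, "->", helo_score(helo, peer))
    for domain in ("example.org", "mxonly.example", "nowhere.example"):
        print(domain, "->", sender_domain_acceptable(domain))
```

The mismatch branch is the NAT case from the thread: a HELO of the internal hostname, or a name that resolves only inside the LAN, scores as unresolvable or mismatched even though the connection itself arrives from a public IP with good reverse DNS.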
 