OPNsense Forum

English Forums => General Discussion => Topic started by: bdario on November 25, 2019, 09:58:56 am

Title: firewall rule how permit smtp.gmail.com [SOLVED]
Post by: bdario on November 25, 2019, 09:58:56 am
Hello to all,
OPNsense 19
I'm experiencing an issue that is driving me nuts:
I would like to send emails from a NAS behind the firewall
The NAS is correctly configured to use smtp.gmail.com:587 and works fine only if I put a rule on the server interface like this one:
- source address: <NAS.IP.ADDR.ESS/32>
- source port: <ANY>
- destination address: <ANY>
- destination port: <ANY>
Now I would like to shrink the rule specifying "destination address" and "destination port" but the firewall doesn't accept "smtp.gmail.com".
I tried to use the IP address that smtp.gmail.com resolves to, but it doesn't work.
Is there a way to use the name instead of the IP in the field "destination address" of the rule?
Thanks so much for your kind help
Best regards
Dario
Title: Re: firewall rule how permit smtp.gmail.com
Post by: chemlud on November 25, 2019, 10:39:33 am
You can try an Alias with the smtp server, which you can use in your FW rules.

But even more important than the server, in my opinion, is to limit the PORT the NAS can connect to.

I would get a little raspberry pi (1b or 2b is sufficient) and set up a local email server, just for receiving status emails from NAS, etc. Why should/would you hand over the details of your network to Google?
Title: Re: firewall rule how permit smtp.gmail.com
Post by: bdario on November 25, 2019, 11:09:19 am
Hi chemlud,
alias doesn't solve the issue
Dario
Title: Re: firewall rule how permit smtp.gmail.com
Post by: chemlud on November 25, 2019, 11:18:08 am
Hmmm, why? :-)

Did you check that your Alias gets resolved? ..see pftables.
Title: Re: firewall rule how permit smtp.gmail.com
Post by: bdario on November 25, 2019, 01:06:02 pm
I created and enabled an alias as follows:
- name: gmail
- type: Host(s)
- Description: smtp.gmail.com
- Content: smtp.gmail.com
I tested the alias in: Firewall / Diagnostics / pfTables
It resolves 64.233.184.109
I modified the rule as follows:
- source address: <NAS.IP.ADDR.ESS/32>
- source port: <ANY>
- destination address: gmail
- destination port: <ANY>
or
- destination port: 587
but it doesn't permit the NAS to send email
Title: Re: firewall rule how permit smtp.gmail.com
Post by: chemlud on November 25, 2019, 02:28:08 pm
Again: It's more important to limit the destination port than the destination ip.

I see no reason (besides google messing up DNS) why your rule should not work.
Title: Re: firewall rule how permit smtp.gmail.com
Post by: bdario on November 26, 2019, 07:29:16 am
So must I assume the firewall doesn't work properly?
Hey folks, any suggestion?
Thanks
Title: Re: firewall rule how permit smtp.gmail.com
Post by: bdario on November 26, 2019, 08:43:16 am
It seems to be solved.
Tracing the firewall logs, I found an IP responding on tcp 587.
A whois query for it replied "google".
Adding this IP to the alias rule solved the issue.
Thanks
Dario
Title: Re: firewall rule how permit smtp.gmail.com [SOLVED]
Post by: chemlud on November 26, 2019, 10:48:59 am
And you hardcoded the IP into your firewall rule now?

I would not bet that the IP resolves to this SMTP server (and the other way around) in a month/year...
Title: Re: firewall rule how permit smtp.gmail.com [SOLVED]
Post by: siga75 on November 27, 2019, 05:35:16 pm
alias with smtp.gmail.com and rule for port 587 works like a charm for me

I would investigate deeper
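
The check that resolved this thread, comparing the destinations the NAS was blocked on for tcp/587 with the addresses held in the alias table, can be scripted. This is an added example, not code from any poster or from OPNsense: the log layout is a simplified constructed format (not the real filterlog layout), the NAS address and the 203.0.113.x / 198.51.100.x addresses are constructed, and `uncovered_destinations` is a hypothetical helper.

```python
import ipaddress
from collections import Counter

# Constructed sample data. Layout: action,proto,src,sport,dst,dport
# (a simplified stand-in, NOT OPNsense's real filterlog format).
NAS_IP = "192.168.1.50"            # assumed NAS address
ALIAS_TABLE = ["64.233.184.109"]   # the single address the thread saw in pfTables
SAMPLE_LOG = """\
block,tcp,192.168.1.50,50112,203.0.113.25,587
block,tcp,192.168.1.50,50113,203.0.113.25,587
pass,tcp,192.168.1.50,50114,64.233.184.109,587
block,udp,192.168.1.50,50115,198.51.100.7,123
block,tcp,192.168.1.77,50116,203.0.113.99,587
"""


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    action, proto, src, sport, dst, dport = line.strip().split(",")
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def uncovered_destinations(log_text, alias_entries, src_ip, proto="tcp", dport=587):
    """Count blocked destinations from src_ip on proto/dport that no alias entry covers.

    alias_entries may mix single hosts and CIDR networks, as an alias table can.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in alias_entries]
    src = ipaddress.ip_address(src_ip)
    misses = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["action"], rec["proto"], rec["dport"]) != ("block", proto, dport):
            continue  # only blocked traffic to the port of interest
        if rec["src"] != src:
            continue  # only traffic originating from the NAS
        if not any(rec["dst"] in net for net in nets):
            misses[str(rec["dst"])] += 1
    return dict(misses)


if __name__ == "__main__":
    for dst, hits in uncovered_destinations(SAMPLE_LOG, ALIAS_TABLE, NAS_IP).items():
        print(f"{dst}: blocked {hits}x on tcp/587, not in alias table")
```

A non-empty result means the NAS is reaching for an address the alias table does not currently contain, which is the mismatch found in the firewall logs above.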