OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: fbeye on November 25, 2024, 01:41:11 AM

Title: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 01:41:11 AM
Hello, I had a successful configuration thanks to the help of some of you people. I had the 1:1 NAT explained to me and some of the Port Forwarding.

I was curious what was the best way to allow only those 2 Ports to be open to my LAN 192.168.1.0. I ask because I tried Port Forward but to no avail. I can send pics of what I currently have. The 192.168.1.0 has Internet access on its correct WAN so it's definitely available.
Title: Re: Opening 993 and 25 for Email Ports
Post by: bartjsmit on November 25, 2024, 07:46:06 AM
Would this be for a self-hosted email server? I would urge caution with these if you want to use this as more than a learning opportunity. If you use it in anger it will become a lesson in frustration.

So many recipients are behind overzealous spam filters that the presence of a home range IP address alone is enough to sink your messages without trace.

If you do want to host a mail server, I would start with setting up a VPN. OpenVPN, Wireguard, Tailscale, Zerotier will all give you more benefit than email alone and will simplify your networking and security no end.

I moved to Proton mail for my domain and never looked back. (other vendors are available)

Bart...
Title: Re: Opening 993 and 25 for Email Ports
Post by: Amodin on November 25, 2024, 03:19:57 PM
I run my own mail server at my house, and utilize Proxmox Mail Gateway in an LXC container, and Axigen mail server in another LXC.

I use aliases for this to help keep this clean and organized. I have one inbound rule (Firewall / Rules / WAN) for port 25 that says from Any - to the mail gateway, and a linked NAT rule for it. You shouldn't need anything set up for outbound unless you modified your any rule outbound; nothing is blocked by default outbound.

My outbound mail port 25 is blocked by my ISP. So, I use an SMTP relay host (SMTP2GO) that allows 1000/mo for free. I have a template in the mail gateway that allows me to utilize outbound mail through the mail gateway using an authenticated smarthost. This also helps with your mail reputation for your domain. My mail server is set up to send all mail through the mail gateway. Inbound, everything is sent to the mail gateway first, then it passes it along to the mail server once it has been scored.

None of this kind of hosting is as hard as everyone makes it out to be - if you have the free time to set it up and monitor it, I encourage anyone to at least try it. I think a lot of people just don't have the time to stay on top of people trying to relay, but using things like a mail gateway that utilizes spamhaus and other checks can help out a lot, along with using things like Crowdsec and such on OPN.

Other alias rules I have in place that you are going to want at the top of your list (they are applied in an order from top to bottom) are blocking ASNs and blocking IPs, because you will have bad actors trying to relay off you. OPN allows you to block by ASN number, which can be fantastic to use, but it may also block some services you want to access and cannot. This takes just a few seconds of adding an ASN number or an IP to the alias list and applying. I only bother with the morons that are trying to ping my mail every minute - the small few checks every now and then I don't worry about and are already listed in an RBL 99.9% of the time.
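As an added example (not code from the thread or from OPNsense), this script tallies Postfix "Relay access denied" rejects per source IP from a maillog so the noisy sources can be copied into a host alias as described above. The log lines are constructed samples; the threshold is an assumption, and note that a single reject can come from a legitimate client (as happened later in this thread), so only repeat offenders are listed.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd's reject format (not from the thread's server).
SAMPLE_LOG = """\
Nov 25 21:02:11 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<scanner>
Nov 25 21:02:12 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <other@example.net>: Relay access denied; from=<spam@example.org> to=<other@example.net> proto=ESMTP helo=<scanner>
Nov 25 21:02:13 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <third@example.net>: Relay access denied; from=<spam@example.org> to=<third@example.net> proto=ESMTP helo=<scanner>
Nov 25 21:05:40 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <x@example.net>: Relay access denied; from=<me@example.com> to=<x@example.net> proto=ESMTP helo=<smtpclient.apple>
Nov 25 21:06:01 mx postfix/smtpd[4130]: connect from mail.example.com[192.0.2.10]
"""

# Matches the "NOQUEUE: reject: RCPT from host[ip]: 554 5.7.1 ... Relay access denied" shape.
RELAY_DENIED = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F:.]+)\]: "
    r"554 5\.7\.1 .*?Relay access denied"
)


def relay_denied_counts(log_text):
    """Count relay-denied rejects per client IP; other log lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def alias_candidates(log_text, threshold=3):
    """IPs with at least `threshold` rejects (assumed cutoff), one per line for a host alias."""
    counts = relay_denied_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in relay_denied_counts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} relay-denied rejects")
    print("\n".join(alias_candidates(SAMPLE_LOG)))
```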
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 04:39:35 PM
I thank you both for your responses. I apologize for not explaining further and making it sound like an inquiry of wanting to create email servers anew.
Currently I am running my Internet through a Cisco ISR1000 with a nice ACL/NAT setup, which connects to/through a Cisco FPR1010 NGFW for more protection and then connects to a Cisco SG350XG. I have 100% incoming and outgoing blocked aside from my WireGuard VM VPN and then NGINX w/ general access for like plex/readarr etc... My goal was to start shutting some equipment off and moving to a VM of OPNsense; I tried doing the access for OPN like it was on Cisco but to no avail. I have my postfix/Dovecot set to use 993 and 587 (don't quote me) but still it seemed I needed 25 open. My meaning is I have 2 email servers currently up and running and have had no issues the last 3 years of hosting them. Of course I'll look into the suggestions of tightening security and so on; also, currently these email accounts were both in DMZ fashion with no access to my regular LAN, and they themselves only hosted the email servers on Slackware boxes.

My main question was what was the legitimate solution for allowing access to the email ports? Would it be a 1:1 NAT or a Port Forward? Can I have the 1:1 for specific ports even with my outbound NATs?
Title: Re: Opening 993 and 25 for Email Ports
Post by: viragomann on November 25, 2024, 05:38:43 PM
Quote from: fbeye on November 25, 2024, 04:39:35 PM
I have my postfix/Dovecot set to use 993 and 587 (don't quote me) but still it seemed I needed 25 open.
25 is the default port for SMTP communication. If you run an SMTP server you might need to open this port.

Quote from: fbeye on November 25, 2024, 04:39:35 PM
My main question was what was the legitimate solution for allowing access to the email ports? Would it be a 1:1 NAT or a Port Forward? Can I have the 1:1 for specific ports even with my outbound NATs?

Depends on your needs.
1:1 maps a public IP to a local one and vice versa. But it cannot be configured for a certain port.
If you only want to map outbound traffic to a certain port to specific IP, you have to go with outbound NAT.
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 07:37:28 PM
As I said, I will absolutely go through all the advice and implement it for security reasons, but I figure instead of going all out and it not working, I would never know what made it not work, so for now I just want to get it working, then build upon security. Naturally of all things, TODAY my letsencrypt certificate expired and so I cannot test anything email... I try to renew it as I always do, but Port 80 is not allowing access. I have tried various combinations of Port forward+Rules but to no avail.
I want my x.x.x.180 Static IP to accept connections to HTTP[80] for LAN 192.168.1.180 for Certbot. These are my two current sets of rules which I clearly have wrong. Any ideas?

Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 25, 2024, 07:48:43 PM
You do not need firewall rules, just a NAT port forward rule.

Source: any
Destination: one address of the multiple IPs you have on WAN - best create an alias for that
Destination port: 80
Redirect target IP: your internal server
Filter rule association: pass

That's it. Same for SMTP and everything else.

In case of port 80 best move the OPNsense UI to a port other than 443 and disable the HTTP --> HTTPS redirect. With the latter active you cannot use port 80 inbound.

HTH,
Patrick
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 08:14:01 PM
Thank you. Unless I am dyslexic and have something backwards, I cannot get it to work.

Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 25, 2024, 08:24:44 PM
Filter rule association: pass is set?

No additional (leftover) firewall rule on WAN that might interfere?

It's how it does work here and how it is supposed to work. Does not look like anything the wrong way round.

Try tcpdump on WAN, then on the DMZ interface to observe how the packets are flowing, if they arrive on WAN at all and if they are sent out the DMZ to the server. Check if the server answers.

One common cause of problems: does the server in the DMZ have a proper default gateway configured? I.e. the OPNsense DMZ interface address?
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 08:34:49 PM
Verified absolutely no WAN rules [at all]. The Filter rule on all 3 is set to PASS.
In this particular setup, there is no DMZ.
192.168.1.180 is connected to an SG350XG which has a DHCP server; that SG350XG has a static route 0.0.0.0 172.16.2.1 [OPNsense firewall address]. It has always been this way when it was being used with the Cisco firewall. So nothing physical has changed.

Not sure what else.
Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 25, 2024, 08:50:30 PM
So 192.168.1.180 has a default gateway to that SG350XG?

And OPNsense has a System > Gateways entry with the IP address of that SG350XG?

And a static route for 192.168.1.0/24 (probably) towards that gateway?
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 09:15:25 PM
Well F me.

I got so focused on NAT/Portforward and Rules [that I did not need] I totally forgot about the OPNsense static route for the 192.168.1.0 Network... I had only done the default 192.168.5.0 [home LAN] network.
Seems I cannot use the email... From my Yahoo I can send and it receives, but what is weird is when I try to send out it gets rejected:

NOQUEUE: reject: RCPT from unknown[108.147.186.99]: 554 5.7.1 <***@yahoo.com>: Relay access denied; from=<fbeye@***.org> to=<***@yahoo.com> proto=ESMTP helo=<smtpclient.apple>

My Email server has been the same setup for 3 years it has never been a relay, I have had that all disabled etc. Is there any setting in opnsense that would cause it to appear as such? As far as email server goes, I literally am just going from 1 router to another, no settings have been changed.

UPDATE: So I hooked everything back up to the Cisco setup [was just a swap of cables] and outgoing email works. I looked at settings on Cisco and really it is the same as far as NAT, so I am unsure why I get relay access denied through OPNsense.
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 11:13:16 PM
Literally stopped working on it, then came back; now incoming and outgoing work. No idea.

Thank you for your help ya steered me right.
Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 25, 2024, 11:33:26 PM
You need to get your internal routing right.

Don't assign a gateway to any internal interfaces. Add your l3-switch/router as a GW in Systems > Gateways and then add routes via System > Routes.

No interface but WAN should have a gateway set in the Interfaces menu.

When that is in order, inbound port forwarding really is dead easy.

For outbound you need to switch to hybrid (I prefer manual for everything) and add NAT rules on WAN for the networks behind that internal router.

That's essentially "it". Works. Really :)
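As an added example (not code from the thread or from OPNsense), this small longest-prefix-match simulation shows why the port forward in this thread failed until the static route for 192.168.1.0/24 via the SG350XG (172.16.2.2) was added: after the NAT rewrites the destination to the internal server, OPNsense still has to find a route to it. The route table, the WAN next hop 203.0.113.1 and the interface names are constructed assumptions.

```python
import ipaddress

# Constructed values modelled on the thread: OPNsense LAN is 172.16.2.0/24, the
# SG350XG layer-3 switch sits at 172.16.2.2, and the WAN default gateway is a placeholder.
WAN_GW = "203.0.113.1"
SWITCH_GW = "172.16.2.2"


def build_routes(static_nets):
    """Routing table as (network, next_hop, interface); next_hop None = directly connected."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), WAN_GW, "wan"),
        (ipaddress.ip_network("172.16.2.0/24"), None, "lan"),
    ]
    # System > Routes entries pointing at the System > Gateways entry for the switch.
    for net in static_nets:
        routes.append((ipaddress.ip_network(net), SWITCH_GW, "lan"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, as in a real FIB."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    return best


def forwarded_port_path(routes, redirect_target):
    """Where the firewall sends a packet once the port forward has rewritten its
    destination to the redirect target. Returns (next_hop, interface)."""
    _net, hop, iface = lookup(routes, redirect_target)
    return (hop or redirect_target, iface)


if __name__ == "__main__":
    target = "192.168.1.180"
    # Missing route: the forwarded packet follows the default route back out WAN and is lost.
    print("without static route:", forwarded_port_path(build_routes([]), target))
    # With the route: it is handed to the switch on LAN, which delivers it to the server.
    print("with static route:   ", forwarded_port_path(build_routes(["192.168.1.0/24"]), target))
```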
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 25, 2024, 11:39:48 PM
I think that is how it is set... My LAN Interface only has its 172.16.2.1 IP. I created a Gateway 172.16.2.2 (SG350XG) and then use the 6 static routes to find the 6 Networks through the 172.16.2.2 Gateway... There is no Gateway other than that and the WAN. I believe this is what you mean.
I have Outbound NAT for the 6 Networks to associate with their respective WAN IPs.

As of now everything worked as you suggest, I just had missed 1 thing here or there. But everything works as it should so far, everything using their correct WAN and LAN IPs.

Next I want to look into the Netdata plugin and WireGuard Service. I currently am running WG on an inside client and works fine, but curious how or if I should even move it to the OPNSense router instead. I'm sure that is simply user preference anyway.

I thank you, and yes after all my little mess ups and corrections, works like butter.
Title: Re: Opening 993 and 25 for Email Ports
Post by: Bob.Dig on November 26, 2024, 11:24:49 AM
Quote from: Amodin on November 25, 2024, 03:19:57 PM
and Axigen mail server in another LXC.
How good is it? Can you send email with anything before the @ without hassle (catch-all)? How much RAM does the LXC consume?
Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 26, 2024, 11:27:23 AM
Axigen is one of the nicest commercial offers I have used in my DC so far.
We were forced to cancel the subscription when they discontinued FreeBSD support :(

Yes, arbitrary sender addresses as long as you authenticate with one proper account is a configurable option. Catch all for receiving also works.
Title: Re: Opening 993 and 25 for Email Ports
Post by: Bob.Dig on November 26, 2024, 12:46:16 PM
Quote from: Patrick M. Hausen on November 26, 2024, 11:27:23 AM
Yes, arbitrary sender addresses as long as you authenticate with one proper account is a configurable option. Catch all for receiving also works.
Thanks Patrick. I hope this is also true for the free version. I haven't switched yet from something running on Windows. It should be light on resources and very easy to use, that's how I roll. ;)
Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 26, 2024, 01:01:18 PM
The free version is limited in the number of mailboxes. 5 IIRC which was just too few even for my private family network. 10 would have been sufficient.

But even their entry level commercial license is prohibitively priced for private use.
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 27, 2024, 11:06:57 PM
Hello

So, everything seems to be working fine but was curious, can I use 587 submission solely and disable 25 or does 25 need to be enabled in some fashion for the server to work?
Title: Re: Opening 993 and 25 for Email Ports
Post by: Patrick M. Hausen on November 27, 2024, 11:12:28 PM
Do you intend to receive inbound mail destined for the domains that server hosts?

That's port 25 - server to server. 587 or 465 is for MUA to MTA only.
Title: Re: Opening 993 and 25 for Email Ports
Post by: fbeye on November 27, 2024, 11:21:11 PM
Ah, I did not realize that. Interesting, ty.