firewall rule how permit smtp.gmail.com [SOLVED]

Started by bdario, November 25, 2019, 09:58:56 AM

November 25, 2019, 09:58:56 AM Last Edit: November 26, 2019, 08:43:35 AM by bdario
Hello to all,
Opnsense 19
I'm experiencing an issue that is driving me nuts:
I would like to send emails from a NAS behind the firewall
The NAS is correctly configured to use smtp.gmail.com:587 and works fine only if I put a rule on the server interface like this one:
- source address: <NAS.IP.ADDR.ESS/32>
- source port: <ANY>
- destination address: <ANY>
- destination port: <ANY>
Now I would like to shrink the rule specifying "destination address" and "destination port" but the firewall doesn't accept "smtp.gmail.com".
I tried to use the IP address that smtp.gmail.com resolves to, but it doesn't work.
Is there a way to use the name instead of the IP in the field "destination address" of the rule?
Thanks so much for your kind help
best regards
Dario

You can try an Alias with the smtp server, which you can use in your FW rules.

But even more important than the server is in my opinion to limit the PORT the NAS can connect to.

I would get a little raspberry pi (1b or 2b is sufficient) and set up a local email server, just for receiving status emails from NAS, etc. Why should/would you hand over the details of your network to Google?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hi chemlud,
alias doesn't solve the issue
Dario

Hmmm, why? :-)

Did you check that your Alias gets resolved? See pfTables.
kind regards
chemlud

November 25, 2019, 01:06:02 PM #4 Last Edit: November 25, 2019, 01:43:06 PM by bdario
I created and enabled an alias as follows:
- name: gmail
- type: Host(s)
- Description: smtp.gmail.com
- Content: smtp.gmail.com
I tested the alias in: Firewall / Diagnostics / pfTables
It resolves 64.233.184.109
I modified the rule as follows:
- source address: <NAS.IP.ADDR.ESS/32>
- source port: <ANY>
- destination address: gmail
- destination port: <ANY>
or
- destination port: 587
but it doesn't permit the NAS to send email

Again: It's more important to limit the destination port than the destination ip.

I see no reason (besides google messing up DNS) why your rule should not work.
kind regards
chemlud

So must I assume the firewall doesn't work properly?
Hey folks, any suggestion?
Thanks

It seems to be solved.
Tracing the firewall logs I found an IP responding on TCP 587;
a whois query for it replied "google".
Adding this IP to the alias solved the issue.
thanks
Dario

And you hardcoded the IP into your firewall rule now?

I would not bet that the IP resolves to this SMTP server (and other way around) in a month/year...
kind regards
chemlud
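A check for the failure mode this thread runs into (the alias table holding one address for smtp.gmail.com while the NAS connects to another), added here as an example and not code from the thread or from OPNsense: it compares a dump of the alias table, in the format `pfctl -t gmail -T show` prints on a pf firewall, with the addresses the NAS resolved, and lists the ones a rule restricted to the alias would block. Both the table dump and the NAS-side addresses are constructed sample values, and the live resolver helper assumes network access.

```python
import ipaddress
import socket

# Constructed sample of `pfctl -t gmail -T show` output for an alias named
# "gmail" that contains the hostname smtp.gmail.com. The first entry is the
# one quoted in the thread; the second is a documentation-range placeholder.
PFTABLE_OUTPUT = """\
   64.233.184.109
   2001:db8::1
"""

# Constructed sample of what the NAS got back when it resolved smtp.gmail.com.
# 192.0.2.10 is a documentation-range placeholder standing in for an address
# the firewall's own resolver never saw (the situation described in the thread).
RESOLVED_BY_NAS = ["64.233.184.109", "192.0.2.10", "2001:db8::1"]


def parse_pftable(output):
    """Return the set of addresses listed in a `pfctl -t <alias> -T show` dump."""
    addrs = set()
    for line in output.splitlines():
        line = line.strip()
        if line:
            addrs.add(ipaddress.ip_address(line))
    return addrs


def missing_from_table(output, resolved):
    """Addresses the client resolved that the alias table does not contain.

    A rule that only permits the alias (on port 587) would block a connection
    to any address returned here, even though the hostname is 'allowed'.
    """
    table = parse_pftable(output)
    candidates = (ipaddress.ip_address(r) for r in resolved)
    return sorted(str(a) for a in candidates if a not in table)


def resolve_live(hostname, port=587):
    """Resolve hostname from this machine (run it on the NAS side).
    Needs network access; the embedded sample above does not use it."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    gap = missing_from_table(PFTABLE_OUTPUT, RESOLVED_BY_NAS)
    print("resolved by the NAS but absent from the alias table:", gap)
```

Run the same comparison periodically against a fresh `pfctl` dump and a fresh `resolve_live("smtp.gmail.com")` result to see how often the two sides disagree before deciding to pin an address in the alias.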

An alias with smtp.gmail.com and a rule for port 587 works like a charm for me.

I would investigate deeper.
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet