OPNsense Forum » Archive » 21.1 Legacy Series » email smtp port 25 and 587 firewall rule/port forward protection
RamSense, July 24, 2021, 09:14:53 am:
Dear community,
I have a mail server running behind OPNsense. The mail server is working and has port forward rules for the ports used (25, 587, etc.).
Now I was thinking: is there a way to configure OPNsense to protect the mail server so that only the local IP range and the VPN range can log in to the mail server and send email? Using an alias?
But so that the mail server can still receive emails sent to it from anybody?
Sounds like a solid option, but I don't know if this is possible while the mail server must be able to communicate with the world.
I hope my question makes sense and that somebody with knowledge of running mail servers and OPNsense has a best practice for how to set up secure port forwards/aliases etc.
fabian (OPNsense Contributor: Language, VPN, Proxy, etc.), Reply #1, July 24, 2021, 10:32:28 am:
Just open port 587 internally only. Foreign servers will always send mail to port 25.
RamSense, Reply #2, July 25, 2021, 09:17:48 am:
Thanks Fabian,
I will change this right away!
RamSense, Reply #3, July 25, 2021, 11:45:14 am:
@Fabian
I changed port 587 in the firewall on the mail server to only allow internal access.
In OPNsense I still have:
Firewall->NAT->Port Forward-> rule:
Interface (WAN) - Protocol (TCP) - Source Address (*) - Ports (*) - Destination Address (WAN address) - Ports (587) - NAT IP (local IP mailserver) - Ports (587)
and the auto-added rule Firewall->Rules->WAN-> rule:
Protocol (IPv4 TCP) - Source (*) Port (*) - Destination (local IP mailserver) - Port (587) - Gateway (*) - Schedule (*)
How do I change this to "open port 587 only internally"?
Thanks in advance for your explanation!
(Last edit: July 25, 2021, 11:52:56 am by RamSense)
fabian, Reply #4, July 25, 2021, 12:04:52 pm:
Source IP is just all LAN addresses you want to allow in the firewall rule.
RamSense, Reply #5, July 25, 2021, 12:23:07 pm:
@Fabian, thank you for your reply.
So I change this in the NAT port forward so that it also gets changed in Firewall->Rules->WAN?
See attached pictures. Or should I leave the NAT port forward untouched and only change Firewall->Rules->WAN?
(Last edit: July 25, 2021, 12:26:14 pm by RamSense)
RamSense, Reply #6, July 25, 2021, 06:48:02 pm:
Somehow the LAN address used above did not work for my iPhone on 4G (with VPN to OPNsense).
Then I thought: what if I make an alias with the IP ranges from LAN and VPN and use that as the source IP...
I changed it, and this works!
I do not understand what is different between the LAN address and this alias, but that has to do with my learning of how OPNsense / firewalls work. Or should Source IP - LAN address also have worked? What did I do wrong then?
fabian, Reply #7, July 25, 2021, 09:08:18 pm:
LAN Address - the OPNsense IP address on the LAN interface
LAN Network - the network which is directly attached to the LAN interface (so this includes the hosts) <- you usually need this one
This Firewall - any IP address assigned to this firewall
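As an added example (not from the thread and not OPNsense's own code), the Python below models the WAN port forward of reply #3 with the three source choices the thread tried: "LAN address", "LAN net" (the GUI label for what reply #7 calls LAN Network) and an alias of LAN net plus the VPN network, as in reply #6. It evaluates a few constructed connections against each variant to show why the distinction matters: "LAN address" is the single IP of the firewall itself, so neither a LAN workstation nor a VPN client matches it. Every address except 10.8.0.0/24 is a placeholder chosen for the example, and matching is reduced to source and destination port; state tracking, NAT reflection and the mail server's own firewall are left out. Note also that the thread keeps a WAN port forward for 587 with a restricted source; reply #1 can equally be read as not forwarding 587 on WAN at all and pointing LAN and VPN clients at the mail server's internal address, which needs no forward.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for this example (only 10.8.0.0/24 is from the thread).
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")   # placeholder public IP
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")    # GUI "LAN address": the firewall itself
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # GUI "LAN net": every host on LAN
VPN_NET = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN tunnel network from the thread
MAILSERVER = ipaddress.ip_address("192.168.1.25")    # NAT IP of the port forward (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")              # GUI "*"

# A firewall alias (reply #6): one name that expands to several networks.
ALIASES = {"Mail_Submission_Sources": [LAN_NET, VPN_NET]}


def expand_sources(*entries):
    """Turn GUI-style source entries (alias name, single host, network) into networks."""
    nets = []
    for entry in entries:
        if isinstance(entry, str) and entry in ALIASES:
            nets.extend(ALIASES[entry])
        elif isinstance(entry, ipaddress.IPv4Address):
            nets.append(ipaddress.ip_network(f"{entry}/32"))  # a single host
        elif isinstance(entry, ipaddress.IPv4Network):
            nets.append(entry)
        else:
            nets.append(ipaddress.ip_network(entry))
    return tuple(nets)


@dataclass(frozen=True)
class PortForward:
    """A WAN port forward plus its auto-generated pass rule, reduced to the fields used here."""
    name: str
    dst_port: int
    sources: tuple                  # networks allowed as source
    nat_ip: ipaddress.IPv4Address
    nat_port: int


def evaluate(rules, src, dst, dst_port):
    """First matching rule wins: ('pass', rule name, 'nat_ip:nat_port') or ('block', None, None)."""
    src_ip = ipaddress.ip_address(src)
    if ipaddress.ip_address(dst) != WAN_ADDRESS:
        return ("block", None, None)   # these rules only match the WAN address as destination
    for rule in rules:
        if rule.dst_port == dst_port and any(src_ip in net for net in rule.sources):
            return ("pass", rule.name, f"{rule.nat_ip}:{rule.nat_port}")
    return ("block", None, None)


SMTP_FROM_ANYWHERE = PortForward("SMTP 25 from any", 25, (ANY,), MAILSERVER, 25)

# The three variants of the 587 rule, in the order the thread tried them.
RULES_LAN_ADDRESS = [SMTP_FROM_ANYWHERE,
                     PortForward("587 from LAN address", 587, expand_sources(LAN_ADDRESS), MAILSERVER, 587)]
RULES_LAN_NET = [SMTP_FROM_ANYWHERE,
                 PortForward("587 from LAN net", 587, expand_sources(LAN_NET), MAILSERVER, 587)]
RULES_ALIAS = [SMTP_FROM_ANYWHERE,
               PortForward("587 from alias", 587, expand_sources("Mail_Submission_Sources"), MAILSERVER, 587)]

# Constructed sample connections: an internet MTA, a LAN workstation, the phone on the VPN.
SAMPLES = {
    "internet mta 25": ("198.51.100.7", 25),
    "internet mta 587": ("198.51.100.7", 587),
    "lan host 587": ("192.168.1.50", 587),
    "vpn phone 587": ("10.8.0.2", 587),
}


def verdicts(rules):
    """Map each sample connection to 'pass' or 'block' under the given rule set."""
    return {name: evaluate(rules, src, str(WAN_ADDRESS), port)[0]
            for name, (src, port) in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in [("LAN address", RULES_LAN_ADDRESS), ("LAN net", RULES_LAN_NET), ("alias", RULES_ALIAS)]:
        print(f"{label:12s} {verdicts(rules)}")
```

With "LAN address" as source, only port 25 passes; "LAN net" admits the workstation but still blocks 10.8.0.2; the alias admits both while port 587 stays blocked for the internet host.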
RamSense, Reply #8, July 25, 2021, 09:51:40 pm:
Ah great! Now I understand. Thanks for that. Learned something again today.
And problem solved :-)
RamSense, Reply #9, July 29, 2021, 10:07:29 pm:
Hmm...
I still must be doing something wrong.
When choosing LAN Network or just the IP range of the VPN, 10.8.0.0/24,
port 587 gets blocked by OPNsense.
My iPhone on 4G connected to OPNsense with VPN has the virtual IP 10.8.0.2, but OPNsense blocks it. Have I got something wrong in the port forward, or is this something I have done wrong in the VPN setup? With Redirect Gateway enabled....
In the firewall log I see the real IP of the iPhone getting blocked, and not the virtual IP 10.8.0.2 being handled...
p.s. this happened after updating to OPNsense 21.7
(Last edit: July 30, 2021, 08:17:07 am by RamSense)
RamSense, Reply #10, July 30, 2021, 08:45:04 am:
Testing with WireGuard VPN -> it works, and the connection to email (587) works.
Testing with OpenVPN -> gets blocked.
I am convinced OpenVPN was also working before OPNsense 21.7. But I can't figure out why it is not working now, whether it has to do with the upgrade to 21.7, while WireGuard works like it should... I am obviously missing something.
chemlud, Reply #11, July 30, 2021, 09:24:15 am:
Is your OpenVPN tunnel otherwise functional? Correct FW rules?
What is the error message you get?
Do a packet capture on OpenVPN/LAN to see where the packets are blocked...
RamSense, Reply #12, July 30, 2021, 09:50:16 am:
Dear chemlud,
Thank you for your reply.
Yes, OpenVPN is working in all other respects. I can connect, browse the internet and connect to services/devices available on the LAN.
When I look at the firewall live view I see that my iPhone's real IP gets blocked, while I have a NAT port forward with an alias for 10.8.0.0/24 as well as the local LAN and WireGuard. The last 2 are working; only the VPN/10.8.0.0/24 does not.
The real IP gets blocked instead of the virtual IP/VPN IP getting through.
I have attached 2 pictures.
RamSense, Reply #13, August 01, 2021, 10:04:24 pm:
Maybe this is happening?
https://forum.opnsense.org/index.php?topic=24183.0
RamSense, Reply #14, August 02, 2021, 09:24:05 am:
Looks like it was a missing NAT outbound rule(?)
When I add a NAT - Outbound rule:
Interface (LAN) - Source (any) - Source port (*) - Destination (*) - Destination port (*) - NAT Address (interface address) - NAT port (*) - Static port (NO)
it works.......
Now I have to figure out how to narrow it down, I think.
(I'm still a fairly new user of OPNsense)
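As an added example (not from the thread and not OPNsense's own code), the Python below models the outbound NAT rule of reply #14 and a narrowed form of it, under an assumption the thread suggests but never confirms: that the mail server's own firewall (reply #3) accepts port 587 only from the LAN subnet, so a VPN client at 10.8.0.2 is refused unless its source is rewritten to the firewall's LAN interface address. Why the firewall log showed the phone's real IP in reply #9 is not explained by this model. The comparison also shows the cost of the rule as posted: with source "any", every connection leaving through the LAN interface is masqueraded, including mail arriving on port 25 from the internet, so the mail server's logs, rate limits and IP-based spam checks see only the firewall's address. The narrowed rule rewrites only VPN clients, only to the mail server, only on 587. All addresses except 10.8.0.0/24 are placeholders chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (only 10.8.0.0/24 and the rule fields come from the thread).
LAN_IF_ADDRESS = ipaddress.ip_address("192.168.1.1")   # "Interface address" on LAN
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")           # OpenVPN tunnel from the thread
MAILSERVER = ipaddress.ip_network("192.168.1.25/32")    # the forwarded mail server (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")                 # GUI "any" / "*"


@dataclass(frozen=True)
class OutboundNat:
    """An outbound NAT rule on the LAN interface, reduced to the fields used here."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    dst_port: Optional[int]               # None stands for "*"
    nat_address: ipaddress.IPv4Address

    def matches(self, src, dst, dst_port):
        return (src in self.source and dst in self.destination
                and (self.dst_port is None or self.dst_port == dst_port))


def translate_source(rules, src, dst, dst_port):
    """Apply the first matching outbound NAT rule; unmatched traffic keeps its source."""
    for rule in rules:
        if rule.matches(src, dst, dst_port):
            return rule.nat_address
    return src


def mailserver_accepts(src, dst_port):
    """Assumed host firewall on the mail server (reply #3): 25 from anywhere, 587 only from LAN."""
    if dst_port == 25:
        return True
    if dst_port == 587:
        return src in LAN_NET
    return False


def connection_outcome(rules, src, dst_port):
    """(client address the mail server sees, whether its host firewall accepts the connection)."""
    seen = translate_source(rules, ipaddress.ip_address(src), MAILSERVER.network_address, dst_port)
    return (str(seen), mailserver_accepts(seen, dst_port))


# Reply #14 as posted: Interface LAN, Source any, Destination *, port *, NAT address = interface address.
BROAD_NAT = [OutboundNat(ANY, ANY, None, LAN_IF_ADDRESS)]
# Narrowed: only VPN clients, only towards the mail server, only port 587.
NARROW_NAT = [OutboundNat(VPN_NET, MAILSERVER, 587, LAN_IF_ADDRESS)]

# Constructed sample connections: the phone on the VPN, and an internet MTA delivering mail.
SAMPLES = [("vpn phone", "10.8.0.2", 587), ("internet mta", "198.51.100.7", 25)]


def compare():
    """Outcome of each sample under no outbound NAT, the broad rule, and the narrowed rule."""
    return {label: {name: connection_outcome(rules, src, port) for name, src, port in SAMPLES}
            for label, rules in [("no outbound NAT", []), ("broad", BROAD_NAT), ("narrow", NARROW_NAT)]}


if __name__ == "__main__":
    for label, outcomes in compare().items():
        print(f"{label:16s} {outcomes}")
```

Without outbound NAT the VPN client reaches the mail server as 10.8.0.2 and is refused; the broad rule admits it but also hides the internet sender behind 192.168.1.1; the narrowed rule admits the VPN client and leaves the internet sender's address intact.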