SMTP Outbound

Started by spetrillo, December 12, 2024, 05:46:11 PM

Hello all,

I have a server that needs to send outbound SMTP mail. It can be over port 25 or 587. Do I need to explicitly open those ports with a firewall rule?

Thanks,
Steve

This entirely depends on the rules already existing on the interface that server is connected to.

If it is LAN and if the factory preset "allow all" rule is still in place, then no.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Patrick,

Yes, it's the default rule still in place, but that rule is an inbound rule. Don't I need an outbound rule to send mail from this LAN segment?

I did try a port forward from the LAN segment, on default port 25, but that didn't seem to do the trick.

Thanks,
Steve

No, you don't. Inbound or outbound as seen from the OPNsense device. So when your server on LAN opens an SMTP connection to some system on the Internet, that first packet is coming IN your LAN interface. Right?

So inbound allow all takes care of any Internet directed traffic any system on your LAN might want to do, including of course SMTP.

I thought when the device on the LAN side opens up a connection to the outside, the first packet is going out to the Internet, correct? Then the connection is established and they chat among themselves?

A bit more information on this. When I port probe from the Interfaces section, with a host name and port of 25 it succeeds. If I add a LAN IP and same port it fails with a connection timeout. With that info I would assume port 25 is not open on the LAN segment in question?

Picture yourself sitting inside your OPNsense device. The first packet from any system on LAN directed towards the Internet is coming IN through OPNsense's LAN interface, undergoes the firewall rules, and if there is a matching "allow" rule in place then goes OUT the WAN interface towards your ISP and finally the destination.

So that INbound rule is all it takes to allow any system on your LAN to contact any system on the Internet on any port.
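A simplified model of the packet flow described in the last reply, added here as an illustration and not posted by anyone in the thread. The `Rule` and `Firewall` classes, the addresses, and the permissive "out" rule on WAN are assumptions of the model, not OPNsense's implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out", as seen from the firewall
    iface: str                   # interface the packet crosses
    dport: Optional[int] = None  # None matches any destination port

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()

    def check(self, direction, iface, pkt):
        src, sport, dst, dport = pkt
        # State is tracked per interface; both directions of a flow share one key.
        key = (iface, frozenset({(src, sport), (dst, dport)}))
        if key in self.states:        # packet belongs to a known connection
            return True
        for r in self.rules:          # first matching rule wins
            if (r.direction, r.iface) == (direction, iface) and r.dport in (None, dport):
                if r.action == "pass":
                    self.states.add(key)
                return r.action == "pass"
        return False                  # nothing matched: default deny

    def forward(self, in_iface, out_iface, pkt):
        # A routed packet comes IN one interface, then goes OUT another.
        return self.check("in", in_iface, pkt) and self.check("out", out_iface, pkt)

LAN_ALLOW_ALL = Rule("pass", "in", "lan")  # the default LAN rule from the thread
WAN_OUT = Rule("pass", "out", "wan")       # assumption: traffic may leave via WAN
SERVER, MX = "192.168.1.10", "203.0.113.25"  # constructed sample addresses

def demo(rules):
    fw = Firewall(rules)
    return {
        # Mail server on LAN opens an SMTP connection to a remote MX.
        "server_to_mx": fw.forward("lan", "wan", (SERVER, 40000, MX, 25)),
        # The MX answers: allowed by state, no WAN "in" rule needed.
        "mx_reply": fw.forward("wan", "lan", (MX, 25, SERVER, 40000)),
        # A new connection from the Internet to the server has no state and no rule.
        "unsolicited_inbound": fw.forward("wan", "lan", (MX, 50000, SERVER, 25)),
    }

if __name__ == "__main__":
    print(demo([LAN_ALLOW_ALL, WAN_OUT]))
    print(demo([WAN_OUT]))  # without the LAN "in" rule the first packet is dropped
```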