Help with NAT for email so mail server "sees" the originating IP address of the sender/receiver

Hi

With my existing NAT rules my mail server is working fine. However, it is seeing all connections as coming from my internal network (192.168.0). The issue with that is the mail server cannot stop naughty people trying to connect to my server to send spam - the server is set up to limit people sending outbound emails to 192.168.0.1 - 192.168.1.254. But since it is seeing all connections as coming from 192.168.0.1 (which is the Green NIC address on the UTM)

The email clients are set up to use the FQDN of the mail server (i.e. mail.mycompany.com) rather than the internal IP address of the mail server

I see that my NAT rules are doing this. How can I change or all rules, so that I can achieve what I want?

Thanks



  • Like it is said above here, change your Full NAT rules to DNAT rules, that's all you should need to successfully get outside connections into your mailserver.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thank you. You are quite right, but I still have problems. I have now changed my full NAT to DNATs like so

    Any -> SMTP -> External WAN (www.xyz.com). DNAT -> mail.xyz.com

    and ditto with SMTP SSL

     

    For some reason I still need the Full NAT on POP3 otherwise I can't receive email. I wonder if that is because I am MASQing my Green and Orange interfaces to External WAN (www.xyz.com) ?? Any ideas?

     

    With the DNATs above, my web server (which is on the same physical machine and the same IP address) canNOT send out e-mails using the FQDN of the mail server (eg. mail.xyz.com). But it can send e-mail if I simply use the IP address of the server (eg: 192.168.1.11). Any idea why?

  • Mike Huggins said:

    With the DNATs above, my web server (which is on the same physical machine and the same IP address) canNOT send out e-mails using the FQDN of the mail server (eg. mail.xyz.com). But it can send e-mail if I simply use the IP address of the server (eg: 192.168.1.11). Any idea why?

     

    Yes,

    For this you do need a Full NAT since you cannot connect from the inside through the outside address back in using only DNAT. Two other possibilities would be 1. Use a HOSTS file on the webserver pointing mail.xyz.com to 192.168.1.11 or 2. do the same using internal DNS

    Your full nat would look like:

    From: Internal (Network) (the network where your web server is located)
    To: External (WAN) Address
    Service: SMTP

    Change source to: Internal Address
    Change destination to: internal IP-address of mail server


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thank you. Yes that makes sense. I'll just set the web server up to use the IP address rather than the FQDN as it's quicker and easier

     

    Any thoughts why I need the Full NAT on the POP3? I presume for the exact same reason as the above?

  • Yes, exact same reason. When you want to access inside resources from inside by connecting to the public (outside) IP-address, you will need a Full NAT.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks. By changing to DNATs I now have a new unwanted problem. It seems the outgoing emails are leaving us on the External WAN Network interface address, which is a dynamic address owned by the ISP, rather than leaving us on the External WAN (www.mycompany.com) fixed IP address. This is making our outgoing emails appear as spam to receiving clients

     

    I have a MASQ rule that both Green and Orange (DMZ) go out on the External www.mycompany.com address, but that doesn't seem to work for email

     

    Is there a way to change this so the receiving clients see the my.company.com IP address (which is a fixed address, e.g. 217.1.2.3)? When I had the Full NAT the receiving clients did see the fixed IP address as the sender

  • /friendlygripe Mike, we try not to ask new questions in a thread - especially when the new question could belong in a completely different forum.  It defeats the purpose of the Community - building an easily-searchable "library" of solutions that let people find answers without having to ask the same question already answered elsewhere. /friendlygripe

    Masquerading rules are now in an ordered list, so put your "special" rules at the top. Before that was possible, this problem was, and still could be, solved by a NAT rule like: 'SNAT : Any -> SMTP -> Internet : from External [www.mycompany.com] (Address)'. (I'm assuming, perhaps incorrectly, that your fixed IP is on a unique ISP connection and that you don't have multiple external connections.)

    Now, if your mail server is relaying off the UTM's SMTP Proxy, this question belongs in that forum and should be asked there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
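    The three NAT effects discussed in this thread (a Full NAT hiding the external client behind the Green address so the mail server's relay range check passes, the hairpin Full NAT described above for the web server, and the ordering of an SMTP-specific SNAT against the general masquerade from Bob's reply), as a small Python model added here; it is not Sophos code, and the addresses, rule tuple layout and "first matching rule wins" evaluation are constructed assumptions.

```python
"""Toy model of the NAT stages discussed in this thread (added example, not
Sophos code): rules are evaluated in order and the first match wins."""
import ipaddress
# Constructed addresses from documentation ranges, not the poster's real ones.
FIXED_WAN = "203.0.113.10"     # External (WAN) Address: the static IP mail should use
ISP_DYNAMIC = "198.51.100.77"  # dynamic address the ISP gives the router interface
UTM_GREEN = "192.168.0.1"      # UTM Green (LAN) interface address
MAIL_SERVER = "192.168.1.11"   # internal mail/web server (same host in the thread)
INTERNAL_NET = "192.168.0.0/23"

def relay_allowed(src):
    """Mail server's relay policy from the question: 192.168.0.1 - 192.168.1.254 may send out."""
    a = int(ipaddress.ip_address(src))
    return int(ipaddress.ip_address("192.168.0.1")) <= a <= int(ipaddress.ip_address("192.168.1.254"))

def apply_nat(pkt, rules):
    """Rule = (kind, src_net, dst_ip, dport, new_src, new_dst); None matches anything.
    FULL rewrites both addresses, DNAT only the destination, SNAT/MASQ only the source."""
    for kind, src_net, dst_ip, dport, new_src, new_dst in rules:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
            continue
        if dst_ip is not None and pkt["dst"] != dst_ip:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        out = dict(pkt)
        if kind in ("DNAT", "FULL"):
            out["dst"] = new_dst
        if kind in ("SNAT", "MASQ", "FULL"):
            out["src"] = new_src
        return out
    return dict(pkt)  # no rule matched: packet passes untranslated

# Inbound SMTP: the original Full NAT versus the DNAT suggested in the thread.
FULL_NAT_IN = [("FULL", "0.0.0.0/0", FIXED_WAN, 25, UTM_GREEN, MAIL_SERVER)]
DNAT_IN = [("DNAT", "0.0.0.0/0", FIXED_WAN, 25, None, MAIL_SERVER)]
# Hairpin Full NAT for the web server reaching the mail FQDN via the public address.
HAIRPIN_FULL = [("FULL", INTERNAL_NET, FIXED_WAN, 25, UTM_GREEN, MAIL_SERVER)]
# Outbound: general masquerade versus the SMTP-specific SNAT to the fixed address.
MASQ = ("MASQ", INTERNAL_NET, None, None, ISP_DYNAMIC, None)
SNAT_SMTP = ("SNAT", INTERNAL_NET, None, 25, FIXED_WAN, None)

def mail_server_sees_src(rules, client_src):  # source the mail server sees for an external client
    return apply_nat({"src": client_src, "dst": FIXED_WAN, "dport": 25}, rules)["src"]

def hairpin_src(rules):  # source the mail server sees when the web server uses the public address
    return apply_nat({"src": MAIL_SERVER, "dst": FIXED_WAN, "dport": 25}, rules)["src"]

def remote_mx_sees_src(rules):  # source a receiving MX (constructed 192.0.2.25) sees for outbound mail
    return apply_nat({"src": MAIL_SERVER, "dst": "192.0.2.25", "dport": 25}, rules)["src"]
```

    With DNAT only, the hairpin packet keeps the web server's own address as its source, so the mail server's reply never crosses the UTM and the connection cannot be un-NATed; that is why the Full NAT is still needed for the inside-to-public-address case.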
  • Hi Bob

    Thanks. Yes I do understand your gripe, and my original question - I think - was in the right place but I've gone off on a tangent

    I have changed the Full NATs to DNATs and my email server is now seeing the originating IP address of the sender, but an unwanted thing has now happened. The recipients of outgoing e-mails are now seeing the ISP's dynamic IP address (that they give to the router) as the source IP, instead of the (fixed) External WAN (www.mycompany.com). This means the majority of our emails are coming back as from a blacklisted IP

    I currently have

    Any -> SMTP -> External (WAN) [www.mycompany.com] (Address) -DNAT-> mail.mycompany.com

    and ditto for SMTP SSL

  • I'm totally frustrated now. I think either I'm completely stupid or I have missed something, somewhere

    I was reading other forum posts about the mail going out on a different IP

    I can see when I had the Full NATs setup in December, gmail was seeing my email as coming from my fixed IP (eg 217.x.y.x) (which is External WAN my.company.com)

    I had kept those Full NATs exactly as they were, and just turned them off

    As a test, I disabled the new DNATs, and re-enabled the old Full NATs. I sent gmail a message and - this is where I am lost/stupid/frustrated - it still shows the email originating from the ISP's dynamic range

  • Relief. I was being stupid

    It now works as expected. So the receiver sees my IP as my external IP address *for my mail server* (not the ISP's dynamic address), and I presume because I have the DNATs that my server will see inbound requests as coming from their receiver address rather than the UTM's (I hope)

  • You're indeed there, Mike!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA