Help setting up incoming traffic using pfSense

Ubuntu Server
#1

Hello everyone, I decided to make an account since I’ve been running into a few issues with setting up my email server.

I followed https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot .
This allows me to send out emails so I think my ports are setup correctly.
However I can’t connect an email client to my email server and I also can’t receive any emails.

What should I post to help figure this out? I’ve traced my traffic and my server sees any checks on the ports and allows traffic through all the way up to the email server, I think there’s something wrong with my email server handling incoming traffic.

#2

This is an expansive question. Lots of moving parts.

I had to research:
“pfsense cloudflare certificate dns api” - this allowed me to setup the cert process in pfsense
“haproxy reverse proxy pfsense” for a tutorial. HAPROXY is a thing on its own…

I’ll try to help you a bit… but I might miss something but this should get you moving with other crossreferencing…

  1. You need a FQDN. Use cloudflare to manage your domains, its nicee.

  2. You’ll need a certificate for the email server itself, set it to auto renew. The iredmail tutorial on linuxbabe should do that.

  3. Use the pfsense built in cert manager and make a cert for the email server/vm, this will be applied below. THIS is a big process. The best way is to link a cloudflare account to pfsense using an API key. This creates a DNS challege each time you want to make a cert, and it will save you time and energy in the future.

  4. Use the HAPROXY package in pfsense to make a “reverse proxy” for port 443 to connect your FQDN to the email server. Apply the cert you made w cert manager to the “frontend”. You’ll have to make a proper backed, etc. Find that tutorial I mentioned at the beginning.

  5. You should be able to reach your email server by is FQDN in a browser. If you can, proceed. If not, research, research, research.

  6. You have to forward ports to the server proper from pfsense by selecting on the pfsense menu: Firewall>NAT.

Below are the ports to forward. Close up the ones you’re not using AFTER everything works.

If your ISP closed off port 25, youll need mailgun, that’s another tutorial…

|Interface|Protocol|Source Address|Source Ports|Dest. Address|Dest. Ports|NAT IP|NAT Ports|

|WAN |TCP |* |* |* |25 (SMTP) |your server ip|25 (SMTP) |
|WAN |TCP |* |* |* |110 (POP3) |your server ip|110 (POP3) |
|WAN |TCP |* |* |* |143 (IMAP) |your server ip|143 (IMAP) |
|WAN |TCP |* |* |* |465 (SMTP/S) |your server ip|465 (SMTP/S) |
|WAN |TCP |* |* |* |587 (SUBMISSION) |your server ip|587 (SUBMISSION) |
|WAN |TCP |* |* |* |993 (IMAP/S) |your server ip|993 (IMAP/S) |
|WAN |TCP |* |* |* |995 (POP3/S) |your server ip|995 (POP3/S) |

I can answer a few rounds of questions IF you can get the heavy lifting done, like having your domains managed at cloudflare and connecting the API to pfsense. That’s probably the hardest part. The rest is patience, persistence, and plenty of time.

#3

even after all of that, you’ll need to do all the anti spam stuffs that are on here, like DKIM, SPF, etc…

#4

I managed to get it to work, the problem was the DNS Resolver in pfSense.
In pfSense under Services > DNS Resolver > Host Overrides, I added an entry for my FQDN pointing to my internal email server’s IP address. This allowed me to complete the missing link that was needed when adding my email to a client.

Additionally I have all the ports you listed open in nat forwarding.

I do not use HAproxy due to issues with my nextcloud instance.

Currently everything is working past this point. My new issue(s) requires a new thread.

1 Like
#5

WOW! You really cut the tape… I’m no network engineer, but your solution made me research what you did. Nice indeed!