# E-mail server behind NAT



## icer (Feb 25, 2009)

I have a GW server with pf, e-mail service, NAT etc. on it. The GW has 3 interfaces. One of the interfaces has a white (public) IP / registered DNS name. I want to move the e-mail service behind the GW into the 192.168.0.1/24 network. Is it possible?


----------



## DutchDaemon (Feb 25, 2009)

Yes. Just redirect (rdr) external_if:25 -> internal_if:25 and add a pass rule for it, and NAT will take care of the rest.
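The rdr + pass setup described above, written out as an added pf.conf fragment (this is not from the thread; the interface names em0/em1 and the internal mail server address 192.168.0.10 are assumptions):

```pf
# Assumed names (not from the thread): em0 = external interface with the
# public IP, em1 = LAN interface, 192.168.0.10 = the MX on 192.168.0.0/24.
ext_if   = "em0"
int_if   = "em1"
mail_srv = "192.168.0.10"

# Outbound NAT: the MX's own connections leave with the GW's public address,
# i.e. the one the MX record and reverse DNS point at.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect inbound SMTP arriving on the public interface to the internal MX.
rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> $mail_srv port smtp

# Default-deny on the public side; the rdr'd SMTP traffic is the exception.
block in on $ext_if

# After rdr the packet is already addressed to $mail_srv, so the pass rule
# matches on the translated (internal) destination, not the public IP.
pass in  on $ext_if proto tcp from any to $mail_srv port smtp flags S/SA keep state
pass out on $int_if proto tcp from any to $mail_srv port smtp keep state

# Outbound SMTP from the MX to other mail servers (after NAT the source is
# the public address).
pass out on $ext_if proto tcp from ($ext_if) to any port smtp keep state
```

Note that an rdr on $ext_if only catches connections arriving on the external interface; LAN hosts connecting to the public IP are not redirected, which is one reason to resolve the MX hostname to the internal address from inside, as cajunman4life describes later in the thread.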


----------



## icer (Feb 26, 2009)

But what about the HELO/EHLO request on the mail server? I think that other mail servers will reject mail from my server.


----------



## kamikaze (Feb 26, 2009)

Mail from a server without an MX record is normally dropped. You should register an MX record for your NAT (external IP, obviously).


----------



## DutchDaemon (Feb 26, 2009)

As far as HELO/EHLO goes: if you can't force your mailserver to use your official ('external') hostname in HELO/EHLO, at least make sure it's an FQDN, like server.domain.local, but preferably something that has a forward and reverse DNS record. Most mailservers use 'suspect' HELO/EHLO records (like IP addresses instead of hostnames, or non-FQDNs) for spam scoring only, not for downright rejecting the connection attempt. There's always the possibility to use your ISP's relay, no doubt.


----------



## cajunman4life (Feb 26, 2009)

My MX sits behind my router on a 10.0.0.0/8 network, with no problems. Since the outgoing connection "appears" to come from the router (with external IP and FQDN, reverse DNS, et al.), mail flows through without problem.


----------



## DutchDaemon (Feb 26, 2009)

Sure, but EHLO/HELO doesn't know about NAT, only about the local hostname. Not a lot of sites filter EHLO/HELO, but there should be an FQDN in there.


----------



## icer (Feb 26, 2009)

OK, thanks a lot, I will try.


----------



## Mel_Flynn (Feb 26, 2009)

kamikaze said:

> Mail from a server without an MX record is normally dropped.



Since when? My domain has no MX; rejects only come from postgrey services. Much more important is that your HELO domain name is resolvable, and that the IP address it points to is resolvable.

I haven't seen a single reject in 2+ years of having this configuration and two other domains, based on absent MX record.


----------



## cajunman4life (Feb 27, 2009)

I should note that the FQDN is mail.mydomain, which externally resolves to the external IP, but internally resolves to the local (natted) IP. So HELO is mail.mydomain, which resolves back to the proper IP.


----------



## DutchDaemon (Feb 27, 2009)

@Mel_Flynn

Does your domain have an A record? Most MTAs will allow domains without MX records as long as they have an A record. If a domain has neither, my MTA will reject the mail ('domain doesn't exist/resolve').


----------



## DutchDaemon (Feb 27, 2009)

@cajunman4life

That'll do.


----------



## Mel_Flynn (Feb 27, 2009)

DutchDaemon said:

> @Mel_Flynn
> 
> Does your domain have an A record? Most MTAs will allow domains without MX records as long as they have an A record. If a domain has neither, my MTA will reject the mail ('domain doesn't exist/resolve').



Naturally. Domain has A, HELO is FQDN and resolves and the IP resolves to the domain of the HELO FQDN.

There might be people rejecting mail based on absence of an MX record as an overly paranoid anti-spam solution, but calling it 'normal', nope.


----------

