MX records?

Depending on how your mail server is configured, 587 is the default SMTP port for STARTTLS rather than 25.

But the reason you can’t connect to your mail server on your local network is that you need a local DNS that resolves your domain to your local server address and not the public IP. I wouldn’t rely on NAT reflection for this, as a lot of DNS checks are done by the mail server. You can also add an MX record in pfSense, but you have to do it with the advanced box.

You can email me if you like and I can tell you what my logs say and we can see if your mail is being sent and then rejected or what’s going on.

You can send it to [email protected]

You’ll want to watch your log as well to make sure your mail server is actually sending it.

Thanks guys, but I’m signing off for tonight… you all helped a lot and I have pretty much figured out my issue, I think. Tomorrow I will message back here as to whether I fixed it or not. I figured out now that I can sign in from outside my network unencrypted and incoming mail works… just not outgoing, so I am thinking it’s a NAT issue. We will see. Thanks again and peace out till tomorrow.

I doubt it’s a NAT issue; more likely your ISP is blocking it, or the mail server of the recipient is configured to reject mail from servers that don’t meet whatever requirements. This is because anyone can set up a mail server for sending mail and send out spam all day, so there are certain things that mail servers will check for, and they just drop the connection if those aren’t met.

@SynapseAptics

Ok it’s checklist time:

  1. Connect locally via IP with Outlook using ports 25 and 143. :white_check_mark:

  2. Connect locally via domain name using ports 25 and 143. :x:

  3. Ports 25 and 143 are forwarded on the router. :white_check_mark:

  4. Can send/receive mail locally. :x:

  5. Connect from WAN using ports 25 and 143. :white_check_mark:

  6. Send/receive mail from WAN. :white_check_mark: :x:

  7. Connect locally via TLS :x:

  8. Ports 645 and 993 are forwarded on the router. :white_check_mark:

  9. Send/receive mail via TLS :x:


2. Connect Locally via domain name.

What is the stdout of `host 2xmedia.com` and `host mail.2xmedia.com`? If you’re getting nothing back, then either enable hairpin NAT, put entries in your hosts file* (for now), or work on connecting via WAN.

* Since your domain and mail server share the same public IP, the MX record isn’t actually necessary (pretty sure), so you don’t need to worry about it in the hosts file.


5. Connect from WAN

What does the hosts file look like on the mail server? It might need to be able to resolve the FQDN in order to send mail. This could be fixed with hairpin NAT, but you don’t want to rely on that. The server’s domain name should always be in the hosts file in case something happens with the DNS.

On the mail server, `host mail.2xmedia.com` should return 192.168.2.101 even if it has no network connection.


Don’t open 7000 or 9000.

Okay, so I think I have figured it out, but I am not sure. First of all, I can now sign in locally using the domain name. I configured my pfSense firewall to handle the domain internally and return the correct internal IP. I have only tried with Outlook, but it only works right now with no encryption internally. Externally it works just fine with STARTTLS (AKA TLS/SSL) and it can receive messages… So it’s receiving incoming mail fine, and externally I can sign in with encryption on and using the domain names. I cannot send mail out, or at least it’s not being accepted by my Gmail account. My suspicion is that it’s because I am using the default SSL certificates, and since they are self-signed and no public certificate authority knows them, Google and other public mail servers are denying it because the messages are coming from a secure but self-signed domain. I wish I had a non-public mail server to try and send something to… That would tell me for sure… but I am gonna try and use Let’s Encrypt and get accepted SSL certificates. What does everyone here think? Also, here are the details from a public mail server tester… It seems to be working fine, and then it talks about self-signed issues and failing to get mail From

This is correct.

Are you able to send mail without encryption?

Yes, do that. I’ve never seen it used for mail (just HTTPS), but I don’t see why it wouldn’t work.

Tbh I am busy as hell in the lab today at work. I won’t have any more time to test it and see if I can send encrypted messages, but I will check soon and let everyone know what happened, or if it does not work lol. I will message back tomorrow. Have a great day y’all (yes, I am in Texas) and thanks for the input again.


Let’s Encrypt will work, but you will need a webserver to verify the domain, and then you can use the cert you get for the mail server.

That error looks more like the self-signed cert doesn’t verify the domain name, rather than it just being an issue of a self-signed cert. You need to make sure that the cert is for your mail server’s domain name, otherwise it will be rejected.
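The two diagnostics the thread keeps coming back to, the hosts-file/split-horizon check from the checklist post and the certificate-name check from the last reply, as a script. This is an added example, not code from anyone in the thread. It uses the thread's names (mail.2xmedia.com, 192.168.2.101), the hosts-file text and SAN list inside main() are constructed sample input, and the live checks assume OpenSSL 1.1.1 or newer (for `-verify_hostname` and `-ext subjectAltName`) and that port 587 is the submission port.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the two checks discussed above.
#  1. Does the mail server's own hostname resolve to its LAN address, not the WAN one?
#  2. Does the certificate it presents actually name the host clients connect to?
# Host names and the LAN address are the thread's; the hosts-file text and SAN list
# in main() are constructed sample input. Live checks need OpenSSL 1.1.1 or newer.

# hosts_lookup FILE NAME
# Print the address a hosts file gives NAME (first matching line wins, as the
# resolver does). Comments are ignored. Prints nothing and returns 1 if absent.
hosts_lookup() {
    addr=$(sed 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# cert_covers_name SAN_LIST NAME
# SAN_LIST is the "DNS:a, DNS:b" text that `openssl x509 -noout -ext subjectAltName`
# prints. Returns 0 when NAME is listed exactly or covered by a one-label wildcard
# (*.2xmedia.com covers mail.2xmedia.com but not a.b.2xmedia.com).
cert_covers_name() (
    name=$2
    IFS=','
    for entry in $1; do
        entry=${entry#"${entry%%[![:space:]]*}"}   # trim leading whitespace
        entry=${entry#DNS:}
        case $entry in
            "$name") exit 0 ;;
            \*.*)
                suffix=${entry#\*}            # ".2xmedia.com"
                label=${name%"$suffix"}       # "mail" if the suffix matched
                if [ "$label" != "$name" ] && [ -n "$label" ] \
                   && [ "${label#*.}" = "$label" ]; then
                    exit 0
                fi ;;
        esac
    done
    exit 1
)

# check_local_resolution NAME EXPECTED_LAN_IP
# Resolve NAME the way the mail server will (hosts file, then DNS). Getting the
# public address back means you are depending on hairpin NAT.
check_local_resolution() {
    got=$(getent hosts "$1" | awk '{ print $1; exit }')
    if [ "$got" = "$2" ]; then
        echo "ok: $1 -> $got"
    else
        echo "FAIL: $1 -> ${got:-nothing}; want $2 (hosts file or pfSense host override)"
        return 1
    fi
}

# check_smtp_tls HOST PORT
# STARTTLS on the submission port and make OpenSSL verify both the chain and the
# hostname; a self-signed or wrongly named cert fails here, before any mail is sent.
check_smtp_tls() {
    out=$(openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" \
              -verify_hostname "$1" -verify_return_error </dev/null 2>&1)
    echo "$out" | grep -E 'subject=|verify error|Verify return code' | head -n 5
    echo "$out" | grep -q 'Verify return code: 0 (ok)' && return 0
    echo "FAIL: TLS verification against $1:$2 failed"
    return 1
}

main() {
    # Constructed hosts file: the entry the server should carry even with no network.
    tmp=$(mktemp)
    printf '127.0.0.1 localhost\n192.168.2.101 mail.2xmedia.com 2xmedia.com # LAN\n' > "$tmp"
    echo "hosts file says: $(hosts_lookup "$tmp" mail.2xmedia.com)"
    rm -f "$tmp"

    # Constructed SAN list: a cert for the bare domain does not cover the mail host.
    if cert_covers_name 'DNS:2xmedia.com' mail.2xmedia.com; then
        echo "cert covers mail.2xmedia.com"
    else
        echo "cert does NOT cover mail.2xmedia.com; reissue with that name in the SAN"
    fi

    check_local_resolution mail.2xmedia.com 192.168.2.101 || true
    check_smtp_tls mail.2xmedia.com 587 || true
}

# Run the live checks only on request, so the helpers can be sourced or tested offline.
if [ "${RUN_MAIL_CHECKS:-0}" = "1" ]; then
    main
fi
```

Run it on the mail server itself with `RUN_MAIL_CHECKS=1 sh mailcheck.sh`: the resolution check should print the LAN address, and the TLS check should end with `Verify return code: 0 (ok)` once the Let's Encrypt cert (issued for mail.2xmedia.com, not just 2xmedia.com) is in place. To feed a live certificate's names into `cert_covers_name`, pipe `openssl s_client ... </dev/null | openssl x509 -noout -ext subjectAltName` and pass the `DNS:` line.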