Port forwarding SMTP

Hello,

I need confirmation for my understanding. Suppose I have the router in 192.168.1.1 and a mail server in 192.168.1.2, with port forwarding SMTP traffic from 192.168.1.1 to 192.168.1.2. Now if the mail server is configured to accept and relay SMTP input without authentication from the local domain, and authentication set on the other domains, is this mail server seen as an open relay from the Internet?

Internet SMTP traffic comes with IP 12.34.56.78 on the WAN, but the port forwarding translates it as coming from 192.168.1.1, and the mail server considers it as coming from the local domain and accepts it without authentication...

Is it correct?

This wouldn't work, same side of the router.

Only if you Port Forwarded from WAN to LAN.

No, what you described will not do that.

If you're trying to get SMTP traffic from WAN and have it seen by the server as 192.168.1.1, you'll need to mangle the packet.

Or SNAT.

with port forwarding SMTP traffic from 192.168.1.1 to 192.168.1.2

This wouldn't work, same side of the router.

You're right. I meant from the WAN (the Internet IP of the router) to the LAN.

If you're trying to get SMTP traffic from WAN and have it seen by the server as 192.168.1.1, you'll need to mangle the packet.

In fact, I want to prevent my internal mail server from being seen as an open relay from the Internet. So my understanding is correct that the internal mail server can appear as an open relay on the Internet if port forwarding is enabled.

To prevent it, I must configure the mail server either to enforce authentication even on the local domain, or to accept traffic from the local domain without authentication but enforce it when it comes from the router IP 192.168.1.1.

it's usually a setting within the mail server, if the port isn't open, you'll never receive any emails, relay or not, doesn't matter.

it's usually a setting within the mail server, if the port isn't open, you'll never receive any emails, relay or not, doesn't matter.

Let me give more context. The mail server needs to be able to accept mail from the Internet (on email delivery port 587), for instance when someone uses a mobile phone. The phone email client can be configured to provide authentication.
On the local network (LAN), computers must be able to send emails to that server too, and they can be configured to authenticate too.

So the port must be open on the mail server, and I must have a way to get the internal mail server seen from the Internet, the reason for using port forwarding.

But if that mail server accepts email without authenticating, it becomes an open relay. That seems to be the case on my exim4 server, which accepts emails from hosts on the local domain without authenticating... I just need to find how to enforce authentication on Exim, whatever the origin of the email.

it'll be tricky to receive external emails, if you'd require authentication, but that might be the intention...

Port forward only changes the destination IP, i.e. from 12.34.56.78 to 192.168.1.2. The mail server will still require authentication as the source IP is not local.
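To make the point of the reply above concrete, here is an added illustration written for this thread (not code from Exim, from any router, or from anyone posting here): a small Python model of the router's NAT step and of an Exim-style RCPT ACL, run against the exim4 setup the original poster describes. The addresses 12.34.56.78, 192.168.1.1 and 192.168.1.2 come from the thread; the router's WAN address 203.0.113.10, the use of 192.168.1.0/24 as the no-auth relay list, the domain example.org and all function names are assumptions. It also shows the one case where the server really would see 192.168.1.1: when the router additionally SNATs (masquerades) the forwarded packet.

```python
"""Model: router port forwarding (DNAT, optionally plus SNAT) followed by
an Exim-style relay decision on the mail server.  Added example for this
thread; not Exim's code and not any router's code."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Addresses from the thread; the router's WAN address is not given there,
# so 203.0.113.10 (a documentation range) is assumed.
WAN_IP = ip_address("203.0.113.10")
ROUTER_LAN = ip_address("192.168.1.1")
MAIL_SERVER = ip_address("192.168.1.2")
SMTP_PORTS = (25, 587)

# Assumed server policy, in the spirit of Exim's relay_from_hosts and
# local_domains: the LAN may relay without auth, example.org is "ours".
RELAY_FROM_HOSTS = [ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.org"}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def from_wan(src: str, dport: int = 25) -> Packet:
    """A TCP connection arriving on the router's WAN interface."""
    return Packet(ip_address(src), WAN_IP, dport)


def from_lan(src: str, dport: int = 25) -> Packet:
    """A LAN host talking to the mail server directly (never via the router)."""
    return Packet(ip_address(src), MAIL_SERVER, dport)


def port_forward(pkt: Packet, masquerade: bool = False) -> Packet:
    """What the router does.  Plain port forwarding is DNAT: only the
    destination is rewritten and the Internet source address survives.
    masquerade=True additionally SNATs the source to the router's LAN
    address, which is what a hairpin-NAT or 'masquerade LAN' rule does."""
    if pkt.dst != WAN_IP or pkt.dport not in SMTP_PORTS:
        return pkt
    out = replace(pkt, dst=MAIL_SERVER)
    if masquerade:
        out = replace(out, src=ROUTER_LAN)
    return out


def relay_decision(src, rcpt_domain, authenticated, relay_from_hosts=None):
    """Exim-style RCPT ACL, evaluated top to bottom:
         accept domains = +local_domains
         accept hosts = +relay_from_hosts
         accept authenticated = *
         deny   message = relay not permitted
    Pass relay_from_hosts=[] to require authentication for every relay."""
    nets = RELAY_FROM_HOSTS if relay_from_hosts is None else relay_from_hosts
    if rcpt_domain in LOCAL_DOMAINS:
        return ("accept", "local domain")
    if any(src in net for net in nets):
        return ("accept", "relay_from_hosts")
    if authenticated:
        return ("accept", "authenticated")
    return ("deny", "relay not permitted")


def deliver(pkt, rcpt_domain, authenticated=False, masquerade=False,
            relay_from_hosts=None):
    """Run a packet through the router, then through the server's ACL
    using the source address the server actually sees."""
    seen = port_forward(pkt, masquerade)
    return relay_decision(seen.src, rcpt_domain, authenticated, relay_from_hosts)


if __name__ == "__main__":
    internet = from_wan("12.34.56.78")
    print("DNAT only, no auth, foreign rcpt:  ", deliver(internet, "other.test"))
    print("DNAT + SNAT, no auth, foreign rcpt:", deliver(internet, "other.test", masquerade=True))
    print("DNAT only, inbound mail for us:    ", deliver(internet, "example.org"))
    print("LAN host, no auth, foreign rcpt:   ", deliver(from_lan("192.168.1.50"), "other.test"))
    print("same, every relay needs auth:      ",
          deliver(from_lan("192.168.1.50"), "other.test", relay_from_hosts=[]))
```

With plain DNAT the server sees 12.34.56.78, which is in no relay network, so an unauthenticated relay attempt from the Internet is denied while inbound mail for example.org and authenticated submission still get through. Only the masquerade variant turns the server into an open relay, because the source then becomes 192.168.1.1. Emptying the no-auth relay list is the "enforce authentication whatever the origin" option from the thread: LAN clients then have to authenticate like the phone does.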
