A couple of years ago I installed OpenWrt and was able to set up port forwards to allow mail on port 25 to be delivered to my mail servers from my spam company's networks. I didn't have a problem at all and everything worked.
I just decided to go back to OpenWrt and for some reason I cannot make this work. I have a public static and I want to forward port 25 to an internal mail server from 4 subnets. There have definitely been some changes to the firewall, so could someone help me set this up? Thanks!
Port 25 is blocked by most ISPs because of the fact that it is easy for this to be abused. Are you certain that your ISP actually allows port 25? And even if they do, you should really be using a modern mail server with encryption enabled.
I don't have any ports blocked on my fiber 1G/1G line. I have had mail servers for decades. I have always set it up so the spam service delivers clean mail directly to my servers and have never had a problem, since I only allow delivery from their subnets. That is what I'm trying to set up, but there is a big change to the firewall since I last used OpenWrt.
Ok. Still, port 25 is a bad idea since it’s not encrypted. But that being said:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
After trying a myriad of things, I found out the "drop invalid packets" was the problem. I didn't check the box originally so I didn't think it would be causing the issue. All is well!
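A firewall configuration for the setup described in this thread, written here as an added example rather than copied from any post above. It assumes the stock fw4 firewall (OpenWrt 22.03 or later) with the default wan and lan zones, an internal mail server at 192.168.1.25, and four placeholder sender networks (192.0.2.0/25, 192.0.2.128/25, 198.51.100.0/24, 203.0.113.0/24) standing in for the filtering service's published relay ranges; substitute the real values for all of these.

```uci
# /etc/config/firewall (fw4) - added example, not from the thread.
# Assumptions: the default 'wan' and 'lan' zones already exist; the
# internal MTA is 192.168.1.25; the four src_ip networks are placeholders
# for the spam filtering service's outbound relay ranges.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'
	# This is the "Drop invalid packets" checkbox in LuCI. Leave it at '0'
	# while troubleshooting a forward that silently fails, then set it back
	# to '1' once the forward is confirmed working.
	option drop_invalid '0'

# One DNAT redirect per permitted source network. Only these sources are
# forwarded; any other host connecting to wan:25 falls through to the wan
# zone's input policy and is refused, so the MTA never sees it.
config redirect
	option name 'SMTP-relay-1'
	option src 'wan'
	option src_ip '192.0.2.0/25'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.25'
	option dest_port '25'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'SMTP-relay-2'
	option src 'wan'
	option src_ip '192.0.2.128/25'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.25'
	option dest_port '25'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'SMTP-relay-3'
	option src 'wan'
	option src_ip '198.51.100.0/24'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.25'
	option dest_port '25'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'SMTP-relay-4'
	option src 'wan'
	option src_ip '203.0.113.0/24'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.25'
	option dest_port '25'
	option proto 'tcp'
	option target 'DNAT'
```

Apply it with `service firewall restart`, then check that fw4 actually emitted the four rules with `fw4 print | grep -i smtp-relay` (fw4 carries the rule name into the generated nftables comments). A separate redirect per network is used deliberately: it is the form every fw4 release accepts, and it keeps each source range visible as its own rule when you later audit the ruleset. The real test is a connection from a host inside one of the listed ranges versus one from outside; the outside host should be refused at the router, which is the property the mail server's own IP allow-list is relying on. Note that this still exposes plain 25/tcp, since whether the sending MTA upgrades to TLS with STARTTLS is its choice, not the receiver's.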
Just to be clear - to receive email, public SMTP servers must run and open their firewall to 25/tcp - as you don't have a choice whether the sending MTA will initiate an encrypted session or not.
This is why it is so easy for ISPs to implement inbound/outbound blocks to stop email according to BCP 30 (RFC 2505). In order to encrypt an email, S/MIME is generally used. S/MIME generally requires a software email client - not many webmail clients support it.
In the most basic scenario, a Public CA just needs to issue you a Client PKI Cert, after installing it into your email client, you're ready to send encrypted email.
@lleachii Thanks for the backup. I have used this structure for many, many years and it has been great! In order to comply, I have hardened the servers to ONLY use the spam service's sending IP addresses. They deliver the clean mail directly to my servers. No one else is allowed to connect on port 25, so if OpenWrt would not have allowed this setup, I would have had to look elsewhere. BTW - the servers have certs issued by public CAs, so the email is encrypted between the machine and the clients. I would recommend this setup to anyone since I have never had a breach using this method.
On another note - this is for any OpenWrt developer that is interested. The "drop invalid packets" option on the firewall was checked somehow (I may have done it, but I don't think so). This did not allow the port forwards to work - which should have taken precedence. When I unchecked the box, the forwards worked AND rechecking the box allowed them to continue. It seems that the system suddenly realized that those packets were not invalid and let them through. I don't know if this is a help to anyone, but I thought I would report it.