Saturday, April 9, 2016

Configuring a Mikrotik router to allow traffic to and from a mail server running on the LAN

It is common to run a mail server inside the LAN when you have a reliable power supply, and it also helps the security of the server: it sits behind the router on a private address, so only the ports you explicitly forward are reachable from the Internet. This how-to explains how to configure a Mikrotik router to pass traffic to and from a mail server running on the LAN.

This how-to assumes the following:

  • X.X.X.X is your public IP,
  • mail.jarasyola.co.tz is the hostname your domain's MX record points to, and
  • 192.168.1.200 is the IP address of the mail server.

The setup has only three simple steps, as below.


Step 1
Create NAT (port-forwarding) rules that pass inbound TCP traffic from any IP address to these ports on the server:

22 (SSH, only if you need to administer the server remotely; otherwise leave that rule out)
25 (SMTP)
110 (POP3)
143 (IMAP)
443 (HTTPS)
465 (SMTPS)
587 (Submission)
993 (IMAPS)
995 (POP3S)

I assume here that webmail and any other web access to the server is done over port 443 (HTTPS), because port 80 is used by the Mikrotik's own web interface. Better still, restrict the router's web management to LAN addresses so that it is not exposed on the public IP at all.

On a default RouterOS configuration the forward chain already accepts connections that have been dst-nat'ed (the "drop all from WAN not DSTNATed" rule), so the NAT rules below are enough on their own; if you run a stricter forward filter you must also add accept rules for these ports.

Copy the following into Notepad, change the mail server IP (192.168.1.200) and the Mikrotik public IP (X.X.X.X) to your own, then paste the rules into the Mikrotik terminal.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Email server port forwarding: SMTP" \
    dst-address=X.X.X.X dst-port=25 protocol=tcp to-addresses=192.168.1.200 to-ports=25
add action=dst-nat chain=dstnat comment="Email server: SSH (remote administration; leave out if not needed)" \
    dst-address=X.X.X.X dst-port=22 protocol=tcp to-addresses=192.168.1.200 to-ports=22
add action=dst-nat chain=dstnat comment="Email server: POP3" \
    dst-address=X.X.X.X dst-port=110 protocol=tcp to-addresses=192.168.1.200 to-ports=110
add action=dst-nat chain=dstnat comment="Email server: IMAP" \
    dst-address=X.X.X.X dst-port=143 protocol=tcp to-addresses=192.168.1.200 to-ports=143
add action=dst-nat chain=dstnat comment="Email server: HTTPS (webmail)" \
    dst-address=X.X.X.X dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat comment="Email server: SMTPS" \
    dst-address=X.X.X.X dst-port=465 protocol=tcp to-addresses=192.168.1.200 to-ports=465
add action=dst-nat chain=dstnat comment="Email server: Submission" \
    dst-address=X.X.X.X dst-port=587 protocol=tcp to-addresses=192.168.1.200 to-ports=587
add action=dst-nat chain=dstnat comment="Email server: IMAPS" \
    dst-address=X.X.X.X dst-port=993 protocol=tcp to-addresses=192.168.1.200 to-ports=993
add action=dst-nat chain=dstnat comment="Email server: POP3S" \
    dst-address=X.X.X.X dst-port=995 protocol=tcp to-addresses=192.168.1.200 to-ports=995

Step 2
Create a DNS redirect so that the router answers all DNS queries from the LAN; this is what makes the static DNS entry for the server (Step 3) take effect for local access.

Copy and paste the following into the terminal.
/ip firewall nat
add action=redirect chain=dstnat comment="Dns redirect (UDP): LAN queries are answered by the router" \
    dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Dns redirect (TCP)" dst-port=53 protocol=tcp to-ports=53
The rules above force every DNS query leaving the LAN to be answered by the router's own DNS cache, which forwards whatever it cannot answer itself to your provider's DNS servers; a client cannot bypass the static entry by pointing at an external resolver. For this to work the router must be allowed to answer remote DNS requests (Allow Remote Requests under IP > DNS), and once that is enabled you should make sure the firewall input chain drops DNS arriving on the WAN interface, otherwise the router becomes an open resolver on the Internet.

Step 3
Create a static DNS entry for the mail server hostname (the name your MX record points to), so that clients inside the LAN are not sent to the public IP but connect directly to the server's local IP.
Copy and paste the following into the Mikrotik terminal, changing only the mail server IP and hostname to match your own.
/ip dns static
add address=192.168.1.200 name=mail.jarasyola.co.tz
That's all; the server will now work from inside your LAN as well as from the Internet. To avoid being blacklisted because of spam generated by other hosts on your network, you should also block outbound port 25 from every LAN computer other than the mail server, so that nobody else can send unauthorized email; that how-to is found here.
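The three steps above combined into one RouterOS script, as an added example that is not part of the original post, with the tightening a practitioner would want: the port forwards are collapsed into one rule bound to the WAN interface, SSH is forwarded only from a single admin address, the forward chain accepts only dst-nat'ed connections to the listed ports, outbound SMTP is limited to the mail server, the DNS redirect is limited to the LAN subnet and DNS from the WAN is dropped so the router is not an open resolver, and the router's own management services are limited to the LAN. The WAN interface name ether1, the LAN subnet 192.168.1.0/24 and the admin address 203.0.113.10 are assumptions (placeholders); X.X.X.X and 192.168.1.200 are the values used throughout the post.

```routeros
# Added example, not from the original post.
# Assumptions: WAN interface is ether1, LAN is 192.168.1.0/24, public IP is X.X.X.X,
# mail server is 192.168.1.200, admin workstation allowed to SSH is 203.0.113.10 (placeholder).

# --- Step 1: forward only the mail/webmail ports from the public IP to the server.
# One rule with a port list; without to-ports the destination port is left unchanged.
/ip firewall nat
add chain=dstnat action=dst-nat comment="mail server: forward mail and webmail ports" \
    in-interface=ether1 dst-address=X.X.X.X protocol=tcp \
    dst-port=25,110,143,443,465,587,993,995 to-addresses=192.168.1.200
# Optional SSH forward, restricted to the admin address instead of the whole Internet.
add chain=dstnat action=dst-nat comment="mail server: SSH from the admin host only" \
    in-interface=ether1 dst-address=X.X.X.X src-address=203.0.113.10 \
    protocol=tcp dst-port=22 to-addresses=192.168.1.200

# Forward filter: only dst-nat'ed connections to those ports may reach the server,
# and only the mail server may open outbound SMTP (stops other LAN hosts spamming).
# Rule order matters: these must sit above any general LAN-to-WAN accept rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="forward: replies for existing connections"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 \
    protocol=tcp dst-address=192.168.1.200 dst-port=22,25,110,143,443,465,587,993,995 \
    comment="forward: only the forwarded mail ports may reach the server"
add chain=forward action=drop out-interface=ether1 protocol=tcp dst-port=25 \
    src-address=!192.168.1.200 comment="forward: only the mail server may send SMTP out"
add chain=forward action=drop in-interface=ether1 connection-state=new \
    comment="forward: no other new connections from the WAN"

# --- Step 2: router answers LAN DNS; redirect limited to the LAN subnet so the
# redirect itself cannot be triggered from the WAN side.
/ip dns set allow-remote-requests=yes
/ip firewall nat
add chain=dstnat action=redirect src-address=192.168.1.0/24 protocol=udp dst-port=53 \
    to-ports=53 comment="dns: LAN queries answered by the router (UDP)"
add chain=dstnat action=redirect src-address=192.168.1.0/24 protocol=tcp dst-port=53 \
    to-ports=53 comment="dns: LAN queries answered by the router (TCP)"
# allow-remote-requests=yes also answers the WAN unless the input chain stops it;
# these drops must come before any rule that accepts input on ether1.
/ip firewall filter
add chain=input action=drop in-interface=ether1 protocol=udp dst-port=53 \
    comment="input: no DNS from the WAN (do not be an open resolver)"
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=53 \
    comment="input: no DNS from the WAN (TCP)"

# Router management (port 80 WebFig, WinBox, SSH) reachable from the LAN only.
/ip service
set www address=192.168.1.0/24
set winbox address=192.168.1.0/24
set ssh address=192.168.1.0/24

# --- Step 3: LAN clients resolve the MX hostname to the server's private address
# and connect directly, no hairpin through the public IP.
/ip dns static
add name=mail.jarasyola.co.tz address=192.168.1.200 \
    comment="LAN clients go straight to the mail server"
```

To check the result from a LAN client, resolve mail.jarasyola.co.tz and confirm the answer is 192.168.1.200; from outside, confirm the same name resolves to X.X.X.X and that TCP 53 on X.X.X.X does not answer.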


6 comments:

  1. Thank you!! Works like a charm! Except I can't reach the mail server locally... on LTE from my smartphone it works perfectly, btw!

    Replies
    1. Happy to hear that. For local reachability make sure the server is assigned the correct IP and is able to ping the local gateway.
  2. Thanks so much for sharing.

    I am hoping to configure the same setup (Mail Server on LAN), but I have one issue with your setup.

    My external IP is dynamic (Comcast), any thoughts on working around that?

  3. Hello,
    as far as I know, a mail server works with a static public IP and DNS records which point to that static public IP, unless your server is only for testing.
  4. There is no question that static IP is a best practice for a mail server.

    Yet, I have been running this one on a dynamic IP for decades. It really is pretty static, unless the MAC address of the connected device changes or there is a power outage. Still, the next time this happens, my server will be broken as I have configured it above as you describe...

    Again, thanks so much for posting this!

  5. If they bind it to a MAC address, that means it is actually static, so you may use it and modify it when they change it, which will be a very rare case.