Saturday, April 9, 2016

Configuring Mikrotik router to allow traffic from mail server running on LAN

It is common to run a mail server inside the LAN if you have a reliable power supply, and it is also a sound security posture: the server sits behind the router, which forwards only the ports you explicitly allow. This how-to explains how to configure a MikroTik router to pass traffic to and from a mail server running in the LAN.

This how-to assumes the following:

  • X.X.X.X is your public IP,
  • mail.jarasyola.co.tz is the hostname your domain's MX record points to, and
  • 192.168.1.200 is the IP address of the mail server.

The setup will have only three simple steps as below.


Step 1
Create destination NAT (port forwarding) rules so that inbound TCP traffic from any IP address, arriving at the public IP on the following ports, is forwarded to the server. Note that these are NAT rules, not filter rules: the forward chain of /ip firewall filter must also accept the forwarded connections. The default configuration of recent RouterOS versions drops new connections from the WAN unless they are dst-nat'ed, so it works as is; a custom filter needs an equivalent accept rule (match on connection-nat-state=dstnat).

25 (SMTP)
110 (POP3)
143 (IMAP)
443 (HTTPS)
465 (SMTPS)
587 (Submission)
993 (IMAPS)
995 (POP3S)

I assume here that webmail and any other web access to the server is done on port 443 (HTTPS), because port 80 on the public IP is taken by the MikroTik's own web interface. Better still, restrict the router's management services to the LAN (/ip service set www address=192.168.1.0/24, and likewise for winbox and ssh) so they are not reachable from the Internet at all. Ports 110 and 143 carry plaintext logins unless the server enforces STARTTLS; if your clients only use 993 and 995, leave those two rules out. The rules below also forward port 22 (SSH), which is not in the list above; remove that rule, or limit it with src-address= to the addresses you administer from.

Copy the following into Notepad, change the mail server IP (192.168.1.200) and the MikroTik public IP (X.X.X.X) to match your setup, and paste the resulting rules into the MikroTik terminal.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Email server port forwarding" \
    dst-address=X.X.X.X dst-port=25 protocol=tcp to-addresses=\
    192.168.1.200 to-ports=25
add action=dst-nat chain=dstnat comment="SSH: remove, or restrict with src-address" \
    dst-address=X.X.X.X dst-port=22 protocol=tcp to-addresses=192.168.1.200 \
    to-ports=22
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=110 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=110
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=143 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=143
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=443 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=465 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=465
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=587 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=993 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=993
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=995 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=995

Step 2
Create a DNS redirect so that the static DNS entry for the server (created in the next step) is used for local access even by clients that are configured with an external DNS server.

Copy and paste the following into the terminal.
/ip firewall nat
add action=redirect chain=dstnat comment="Dns redirect" dst-port=53 protocol=\
    udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
The rules above intercept every DNS query passing through the router (on any interface, UDP and TCP) and hand it to the router's own resolver, which answers from its static entries and cache and forwards everything else to the provider's DNS server. For this to work, remote requests must be enabled (/ip dns set allow-remote-requests=yes). Two caveats: the redirect rules carry no in-interface, so add in-interface= with your LAN interface to limit them to LAN traffic, and block UDP and TCP port 53 from the WAN in the input chain; otherwise the router becomes an open resolver on the public IP.

Step 3
Create the static entry for the mail server hostname, so that clients inside the LAN resolve it to the server's local IP and connect directly instead of going to the public IP. Connecting to the public IP from inside the LAN would fail without an additional hairpin NAT rule, because the server would reply straight to the client and bypass the router.
Copy and paste the following into the MikroTik terminal, changing only the mail server IP and hostname to match your server.
/ip dns static
add address=192.168.1.200 name=mail.jarasyola.co.tz
That's all. The server is now reachable from the Internet and from inside your LAN. To avoid having your public IP blacklisted because of spam generated by other machines on the network, you should also block port 25 so that only the mail server can send outbound SMTP; the how-to for that is found here.
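The three steps above, written as one consolidated RouterOS script that also adds the checks the text mentions: a forward-chain accept for the dst-nat'ed connections, an outbound-SMTP block for everything except the mail server, and a DNS redirect limited to the LAN side with the router closed as a resolver on the WAN. This is an added example, not the original post's configuration. It assumes the WAN interface is ether1 and the LAN interface is bridge (both assumed names), with the server IP and hostname from the post.

```routeros
# Added example, not from the original post. Assumptions: WAN interface is
# ether1, LAN interface is bridge, mail server is 192.168.1.200 and its
# hostname is mail.jarasyola.co.tz. Adjust the names before pasting.

# 1. Port forwarding. Matching on in-interface instead of dst-address keeps
#    the rule valid if the public IP changes. Port 22 is deliberately absent.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=25,110,143,443,465,587,993,995 \
    action=dst-nat to-addresses=192.168.1.200 \
    comment="Mail server port forwarding"

# 2. The forward chain must accept what the NAT rule maps; with a strict
#    filter and no such rule the forwarded connections are silently dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="Accept dst-nat'ed connections from the WAN"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="Drop everything else arriving from the WAN"

# 3. Only the mail server may talk SMTP to the Internet. Other LAN hosts
#    that try (malware, misconfigured clients) are dropped instead of
#    getting the public IP blacklisted.
/ip firewall filter
add chain=forward out-interface=ether1 protocol=tcp dst-port=25 \
    src-address=!192.168.1.200 action=drop \
    comment="Block outbound SMTP from everything except the mail server"

# 4. Split-horizon DNS: LAN clients resolve the MX hostname to the LAN IP
#    and connect directly, so no hairpin NAT is needed.
/ip dns set allow-remote-requests=yes
/ip dns static add name=mail.jarasyola.co.tz address=192.168.1.200

# Intercept DNS from the LAN only. The post's rules match any interface;
# limiting them to the LAN side, plus the input drops below, keeps the
# router from becoming an open resolver on the public IP.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS to router"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="Do not answer DNS queries from the Internet"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
```

Rule order matters in /ip firewall filter: new rules are appended, so on a router that already has a blanket drop in the forward chain, move the dst-nat accept above it (check with /ip firewall filter print). To verify the result, run nslookup mail.jarasyola.co.tz from a LAN host and expect 192.168.1.200, then from outside the LAN expect the public IP, a banner on port 25 and no answer on port 22; /ip firewall nat print stats shows whether the forwarding rule is actually matching.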