Author Topic: Outward SMTP  (Read 478 times)
Lectrician
« on: May 28, 2010, 11:23:53 am »

Is it possible for any clients on the LAN side of pfsense to send SMTP email, but have pfsense recognise the port 25 traffic and re-direct it to my ISP's SMTP server?

Sorry if that sounds like a mouthful, I know what I mean!

Thanks!
Cry Havok
« Reply #1 on: May 28, 2010, 03:48:50 pm »

Yes - create a port forwarding rule on the LAN interface forwarding traffic to any IP on 25/TCP to your ISP.

If you're not in full control of all clients this may cause a few surprises for people - do ensure that you tell them in that case.

If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.
jimp
« Reply #2 on: May 28, 2010, 05:17:38 pm »

> Yes - create a port forwarding rule on the LAN interface forwarding traffic to any IP on 25/TCP to your ISP.
>
> If you're not in full control of all clients this may cause a few surprises for people - do ensure that you tell them in that case.

If you leave port 587 unmolested, that seems fair. Many places outright block 25 from clients these days, but allow 587 (submission port).
Co-Author of pfSense: The Definitive Guide.

Need help fast? Try Commercial Support.

Also check the Doc Wiki for additional information.
Lectrician
« Reply #3 on: May 29, 2010, 03:05:53 am »

How should I set it up for use as a public access WiFi?

Many places you go to say not to change your SMTP server settings on your computer as the WiFi service will re-route it to their SMTP server.

I thought mail went out on port 25. Now I wonder.

cheers.
Cry Havok
« Reply #4 on: May 29, 2010, 04:08:57 am »

Server to server email does, but then there's also 587/TCP (mail client submission) and 465/TCP (SMTPS, SMTP over SSL).  There's also the issue that many SMTP servers speak TLS (SSL) and if you intercept the email then the client may generate (confusing) errors because certificates don't match.

Finally, with the likes of DKIM and SPF, people require their email to route via their own mail servers; intercepting it means their email will be rejected by recipients.

Personally I'd suggest simply blocking port 25/TCP outbound to anything other than the ISP mail server and providing a notification on the captive portal page.
danswartz
« Reply #5 on: May 30, 2010, 03:53:44 pm »

Unless you really know what you are doing, I would be leery of re-routing users' SMTP without telling them - even so, some clients may not be able to work in your redirected environment.  I would just block port 25 outbound and tell them (on the captive portal?) how to connect.
unromeo27
« Reply #6 on: July 06, 2010, 07:35:35 am »

Hi guys...
Sorry for reopening this (not so old) thread.

I am in the same situation, my ISP is constantly threatening me that he is going to block port 25 if I don't make something to stop SPAM going out from my location.

One very important thing you should know: my location = business hotel with hundreds of customers a week, a few laptops a day with different configurations and different owners who don't even know what a "mail server" is.

One of the suggestions the ISP gave me was to redirect all traffic on port 25 to his SMTP server (then they will filter spam).

This is my configuration:

WAN : xx.xx.xx.11/32
LAN : 192.168.0.0/24 (staff network)
OPT1: 192.168.1.0/24 (hotel clients network)

Please excuse my poor English, and please try to be as explicit as possible, because I am a total NEWBIE.

Thanks !
jimp
« Reply #7 on: July 06, 2010, 08:42:18 am »

> I am in the same situation, my ISP is constantly threatening me that he is going to block port 25 if I don't make something to stop SPAM going out from my location.

If you read this thread, you'd see that redirecting SMTP is a bad thing. Don't do it. Just block outbound port 25, and direct the users to use their ISP's secure mail ports, as Cry Havok mentioned: 587/TCP (mail client submission) and 465/TCP (SMTPS, SMTP over SSL).

This is a very common situation now, and travelers should be getting used to needing this.
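An added example, not from the thread or the pfSense project: the pf ruleset equivalent of the advice above (block outbound 25 except to the ISP relay, leave 587 and 465 alone), written for the OPT1 hotel-client subnet unromeo27 posted. Interface names and the ISP relay address are placeholders; in the pfSense GUI the same thing is expressed as firewall rules on the OPT1 interface.

```pf
# Added example (not the thread's or pfSense's own config). Assumed values:
opt1_if   = "em2"             # OPT1 interface carrying the hotel client network
hotel_net = "192.168.1.0/24"  # OPT1 subnet as posted in the thread
isp_smtp  = "203.0.113.25"    # PLACEHOLDER: the ISP's SMTP relay address

# What the thread advises against: a transparent redirect such as the rdr
# below silently rewrites every port-25 destination to the ISP relay, which
# breaks TLS certificate checks, SPF and DKIM as Cry Havok describes.
# rdr on $opt1_if proto tcp from $hotel_net to any port 25 -> $isp_smtp port 25

# The ISP relay itself stays reachable on port 25 (the ISP filters spam there).
pass quick on $opt1_if proto tcp from $hotel_net to $isp_smtp port 25

# Reject outbound SMTP from hotel clients to any other server. "return" sends a
# TCP RST so mail clients fail fast instead of hanging; "log" records each
# attempt so a guest machine that keeps trying to relay can be identified.
block return log quick on $opt1_if proto tcp from $hotel_net to ! $isp_smtp port 25

# Leave authenticated submission (587) and SMTPS (465) untouched so guests
# with correctly configured mail clients keep working.
pass quick on $opt1_if proto tcp from $hotel_net to any port { 587, 465 }
```

To verify from a client on OPT1, a connection attempt to an outside host on port 25 should be refused immediately while the same host on 587 connects, and the refused attempt should appear in the firewall log.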
unromeo27
« Reply #8 on: July 06, 2010, 09:19:38 am »

Thanks for the answer, but isn't there any other option?
Tell me who is going to deal with the tens of customers asking why they can't send e-mails from their laptop. As I said, most of them don't even know what an SMTP or just a simple "mail server" is. I am trying to keep the customers happy, but at the same time to stop my IP from getting blacklisted over and over again.

jimp
« Reply #9 on: July 06, 2010, 09:21:45 am »

Most of them are using webmail now anyhow, at least in this region. And the ones that do need SMTP, a lot of ISPs will not take port 25 from clients for relay from off-network now anyhow. (At least around here)

If an ISP supports SMTP auth, they probably already support using the submission port (587).

I don't think it will be the big issue you think it will, but the only way to know is to shut it down and try.
kpa
« Reply #10 on: July 06, 2010, 09:29:01 am »

In my opinion you have no choice but to bluntly deny outbound TCP port 25; there is no excuse for allowing SPAM email to originate from a network operated by YOU.

danswartz
« Reply #11 on: July 06, 2010, 11:18:41 am »

KPA, +1.
