pfSense + Postfix via Port Forward/NAT

Hello from Japan.

I have been running a Postfix server behind a firewall with a private IP via port forward without any problems. But one issue that I have been researching how to fix is how I can know the client IP on the SMTP side.

My mail log only captures my pfSense box's interface IP and not the client (source) IP.
The MTA captures 10.0.0.1 in its log for all incoming mails via port forward and/or 1:1 NAT.

[ISP] - [WAN: 219.xxx.xxx.xxx global IP] pfsense box [LAN(DMZ): 10.0.0.1] - MTA [LAN: 10.0.0.2]

I am trying to use RBLs and Rspamd more efficiently and wonder how I can use pfSense to preserve the client IP for the MTA behind the firewall, or perhaps use the proxy protocol.

Other than that, the mail server has been working great with no troubles, and I assume Rspamd is also working fine despite the history showing only 10.0.0.1 as the sender IP, but not the RBL, I wonder.

I am using HAProxy for all other HTTP traffic to a number of web servers with X-Forwarded-For and it is great.

I have been trying to find some info on this in Japanese, but not so many people in Japan use pfSense, since unnumbered is popular in Japan for connections with multiple global IPs.

If I can set unnumbered in pfSense, I can get 8 global IPs and assign a global IP to certain servers that require direct access. I cannot find a way to do so either.

Any help or information is greatly appreciated.

Takahisa

Port forwarding in pfSense does not obscure the source IP, so I would look into the settings on your mail server.

1 Like

Hi Tom,

Thank you so much for the advice!

I will check my Postfix server settings one more time. The mail server captures and records the IP address the connection is coming from, which is the pfSense box interface IP, not the source IP. It also shows the router IP in the e-mail header as the received-from IP. I can see the source IP if I watch pfTop. I will check if there is any way to keep the source IP over NAT.

In the log and header: unknown [10.0.0.1] (which is the pfSense box's IP)

[Update]

I was able to sort out the issue. By adding a route on the mail server NIC, I was able to remove Outbound NAT for the traffic, which enables NAT without masquerading. Now the mail server can see the source IP.

The NIC had the pfSense box as its gateway, but that was not enough to send the traffic back to the pfSense box if the traffic came through the port forward without masquerading.

Tom, thank you so much for your advice. It helped me find the best course of action to solve this issue.

1 Like