Monday, July 15, 2013

Postfix behind Iptables masquerade (NAT)


I've been working on a mail server behind iptables masquerade for some days, and it just didn't work, but I found the solution; it may help you.

If you run an SMTP server behind NAT and you get the following errors:
  • mail postfix/smtp[7854]: warning: host gmail-smtp-in.l.google.com[173.194.70.26]:25 greeted me with my own hostname mail.example.com
  • mail for gmail.com loops back to myself
you should check your iptables configuration. A proper port-forward configuration looks like this:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d PUBLICIP --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to MAILSERVERPRIVATEIP:25

(Only forward packets with destination port 25 to port 25 on your mail server's private IP if they arrive on the outside interface, here eth0. Without the -i eth0 match, the DNAT rule also catches the mail server's own outgoing connections to port 25 and redirects them back to itself, which is what produces the loop.)

You can test it from your mail server by telnetting to a foreign SMTP server, for example:

telnet smtp.gmail.com 25

It should show:

Trying 173.194.70.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP r54sm45040303eev.8 - gsmtp

If you see

220- mail.yourdomain.com gsmtp

your config is not good yet.
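The two checks above (a DNAT rule for port 25 that lacks an interface match, and a 220 greeting that names your own host) can be scripted. The following is an added example, not code from the original post: it lints a constructed iptables-save fragment for port-25 DNAT rules without an `-i` match, and classifies a pasted SMTP banner. The rule text, the private IP 10.0.0.5 and the hostname mail.example.com are constructed sample values; the external interface name eth0 is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). The sample rules and banners
# below are constructed for the demonstration; adapt the hostname and
# interface name to your own setup.

# Constructed iptables-save fragment: the first DNAT rule has no "-i" match
# and therefore also redirects the mail server's own outbound port-25
# connections back to itself; the second rule is the corrected form.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.5:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.5:25
COMMIT'

# Print every DNAT rule for port 25 that carries no "-i <iface>" match.
# Argument: iptables-save text (e.g. "$(iptables-save -t nat)").
find_hairpin_dnat() {
    printf '%s\n' "$1" \
        | grep -e '-j DNAT' \
        | grep -e '--dport 25' \
        | grep -v -e ' -i '
}

# Number of hairpin-prone rules found; 0 means the NAT config is safe.
count_hairpin_rules() {
    find_hairpin_dnat "$1" | grep -c .
}

# Return 0 when a 220 greeting names our own host (the loop symptom from
# the post), 1 when it is a genuine remote greeting.
# Arguments: the 220 line from "telnet <remote> 25", our own hostname.
banner_is_self() {
    banner="$1"
    own_host="$2"
    case "$banner" in
        220*"$own_host"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Demonstration on the constructed data.
echo "Hairpin-prone DNAT rules:"
find_hairpin_dnat "$SAMPLE_RULES"
echo "Count: $(count_hairpin_rules "$SAMPLE_RULES")"

OWN_HOST=mail.example.com
for banner in \
    '220 mx.google.com ESMTP r54sm45040303eev.8 - gsmtp' \
    '220- mail.example.com gsmtp'
do
    if banner_is_self "$banner" "$OWN_HOST"; then
        echo "LOOP: greeted by own host: $banner"
    else
        echo "ok:   remote greeting:     $banner"
    fi
done
```

On a real gateway, feed `find_hairpin_dnat "$(iptables-save -t nat)"` instead of the constructed text, and pass the 220 line you get from the post's `telnet smtp.gmail.com 25` test to `banner_is_self` together with your Postfix hostname. A non-zero count from the linter or a "LOOP" result from the banner check points at the missing `-i eth0` on the DNAT rule.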