Monday, July 15, 2013

Postfix behind Iptables masquerade (NAT)

I've been working on a mail server behind iptables masquerade for some days, and it just didn't work, but I found the solution. It may help you.

If you run an SMTP server behind NAT and you get the following errors:
  • mail postfix/smtp[7854]: warning: host[]:25 greeted me with my own hostname
  • mail for loops back to myself
you should check your iptables configuration. A proper port-forward config looks like this:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d PUBLICIP --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to MAILSERVERPRIVATEIP:25

(Only forward packets to port 25 on your mail server's private IP if they arrive on port 25 from the outside, i.e. on the external interface eth0. Without the interface restriction the PREROUTING DNAT rule also rewrites SMTP connections leaving your LAN, so the mail server's own outbound deliveries are sent back to itself, which is exactly what the two errors above describe.)

You can test it from your mail server by telnetting to a foreign SMTP server, for example:

telnet 25

It should show:

Connected to
Escape character is '^]'.
220 ESMTP r54sm45040303eev.8 - gsmtp

If you see

220- gsmtp

your config is not right yet: the "remote" server that answered is your own Postfix, so the DNAT rule is still catching outbound connections.
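The telnet check above can be scripted so it fails loudly when the greeting comes from your own server. This is an added example, not code from the original post; it assumes nc (netcat) and hostname are installed on the mail server and that outbound port 25 is allowed, and the host names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): automate the manual telnet check.
# Connect from the mail server to a foreign SMTP host and decide whether the
# 220 banner we got back is really the remote server's or our own, which is
# the DNAT loop behind "greeted me with my own hostname".
# Assumes: nc (netcat) and hostname are installed; outbound port 25 is allowed.

# check_smtp_banner BANNER MYHOSTNAME
#   returns 0 if BANNER looks like a foreign 220 greeting,
#           1 if BANNER contains our own hostname (NAT loop),
#           2 if BANNER is not a 220 greeting at all or MYHOSTNAME is empty
check_smtp_banner() {
    banner=$1
    myhost=$2
    if [ -z "$myhost" ]; then
        echo "UNEXPECTED: local hostname unknown, cannot compare"
        return 2
    fi
    case "$banner" in
        220*"$myhost"*)
            echo "LOOP: remote greeted us with our own hostname ($myhost)"
            return 1 ;;
        220*)
            echo "OK: foreign greeting: $banner"
            return 0 ;;
        *)
            echo "UNEXPECTED: '$banner'"
            return 2 ;;
    esac
}

# probe_smtp HOST: fetch the first banner line from HOST:25 and check it.
probe_smtp() {
    host=$1
    myhost=$(hostname -f 2>/dev/null || hostname)
    # Send QUIT after a moment so the remote closes the session cleanly.
    banner=$( { sleep 1; printf 'QUIT\r\n'; } | nc -w 5 "$host" 25 2>/dev/null | head -n 1 | tr -d '\r')
    check_smtp_banner "$banner" "$myhost"
}

# Usage: ./smtp_loopcheck.sh mx.example.org   (constructed example host)
if [ $# -ge 1 ]; then
    probe_smtp "$1"
fi
```

Run it from the mail server against a few foreign MX hosts; a LOOP result means the DNAT rule still catches your outbound SMTP.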