Hi again. I finally figured out that my firewall rules might be the reason my connection times out. So when I send an email, it doesn't get past the SYN_SENT stage of the TCP handshake. In addition, it does not leave my NAT device.
I currently have my domain's DNS record pointing to the endpoint, but on the computer itself, it is pointing to the private IP of the address. It sends the private IP out rather than the WAN IP despite adding source NAT rules. I want the traffic to leave the NAT device and go to the endpoint, and then go on its way. My IP is completely whitelisted, so blacklist issues do not exist.

Device information:
  WAN: Debian 10
  NAT device: Debian 10.2 or LMDE4
  Postfix version (installed on NAT): 3.4.14-0+deb10u1
  Auth type: Unix-style

Relevant firewall rules:

  # email-services
  # Filter rules
  :FORWARD ACCEPT [0:0]
  -A ufw-user-input -p tcp -m tcp -m multiport -j ACCEPT --dports 25,143,465,587,993

  # NAT rules
  *nat
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :PREROUTING ACCEPT [0:0]
  # SUBMISSION Outbound
  -A PREROUTING -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.16.101.1:587
  -A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.16.101.1:465
  -A POSTROUTING -p tcp -m tcp -d {private_wg0_ip} --dport 587 -j SNAT --to-source {public_VPS_ip}:587
  -A POSTROUTING -p tcp -m tcp -d {private_wg0_ip} --dport 465 -j SNAT --to-source {public_VPS_ip}:465
  COMMIT

I also enabled IPv4 forwarding under /etc/sysctl.conf. I want traffic to leave my NAT and go to the endpoint device where my internet is delivered. I currently use WireGuard as a NAT and the endpoint is a VPS I rent. I looked at the tcpdump data and it seems my traffic isn't leaving. An SMTP connection is made but it loops back.
tcpdump output:

  tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
  10:09:43.109444 IP (tos 0x0, ttl 64, id 51796, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x2420), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.109445 IP (tos 0x0, ttl 64, id 59342, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x07cc), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.109471 IP (tos 0x0, ttl 64, id 14578, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x4879), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.109486 IP (tos 0x0, ttl 64, id 49212, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55569 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x9d28), seq 259559345, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.156084 IP (tos 0x0, ttl 63, id 51796, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {private_wg0_ip}.submission: Flags [S], cksum 0x77e4 (correct), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.156111 IP (tos 0x0, ttl 63, id 59342, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > {private_wg0_ip}.submission: Flags [S], cksum 0x5b90 (correct), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:43.156121 IP (tos 0x0, ttl 63, id 14578, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {private_wg0_ip}.submission: Flags [S], cksum 0x9c3d (correct), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
  10:09:47.365473 IP (tos 0x0, ttl 64, id 59343, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0xf72b), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.365474 IP (tos 0x0, ttl 64, id 49213, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55569 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x8c88), seq 259559345, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.365505 IP (tos 0x0, ttl 64, id 14579, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x37d9), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.365516 IP (tos 0x0, ttl 64, id 51797, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x1380), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.411464 IP (tos 0x0, ttl 63, id 59343, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > {private_wg0_ip}.submission: Flags [S], cksum 0x4af0 (correct), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.421638 IP (tos 0x0, ttl 63, id 49213, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55569 > {private_wg0_ip}.submission: Flags [S], cksum 0xe04c (correct), seq 259559345, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.422598 IP (tos 0x0, ttl 63, id 14579, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {private_wg0_ip}.submission: Flags [S], cksum 0x8b9d (correct), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:47.422630 IP (tos 0x0, ttl 63, id 51797, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {private_wg0_ip}.submission: Flags [S], cksum 0x6744 (correct), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176268608 ecr 0,nop,wscale 0], length 0
  10:09:55.557468 IP (tos 0x0, ttl 64, id 51798, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0xf380), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.557469 IP (tos 0x0, ttl 64, id 59344, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0xd72c), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.557499 IP (tos 0x0, ttl 64, id 14580, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x17da), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.557518 IP (tos 0x0, ttl 64, id 49214, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55569 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x6c89), seq 259559345, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.602409 IP (tos 0x0, ttl 63, id 51798, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.47019 > {private_wg0_ip}.submission: Flags [S], cksum 0x4745 (correct), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.612559 IP (tos 0x0, ttl 63, id 59344, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.48911 > ledgerlark.krowverse.local.submission: Flags [S], cksum 0x2af1 (correct), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.613126 IP (tos 0x0, ttl 63, id 14580, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55325 > {private_wg0_ip}.submission: Flags [S], cksum 0x6b9e (correct), seq 2239524688, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  10:09:55.613336 IP (tos 0x0, ttl 63, id 49214, offset 0, flags [DF], proto TCP (6), length 60)
      {private_wg0_ip}.55569 > {private_wg0_ip}.submission: Flags [S], cksum 0xc04d (correct), seq 259559345, win 2760, options [mss 1380,sackOK,TS val 3176276799 ecr 0,nop,wscale 0], length 0
  ^C
  23 packets captured
  24 packets received by filter
  1 packet dropped by kernel

###END TCPDUMP OUTPUT###

The output of postconf -n:

  alias_database = hash:/etc/aliases
  alias_maps = hash:/etc/aliases
  command_directory = /usr/sbin
  compatibility_level = 2
  daemon_directory = /usr/lib/postfix/sbin
  data_directory = /var/lib/postfix
  debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
  home_mailbox = Maildir/
  inet_interfaces = $myhostname
  inet_protocols = ipv4
  local_recipient_maps = unix:passwd.byname $alias_maps
  mail_owner = postfix
  mailbox_size_limit = 18253611008
  mailq_path = /usr/bin/mailq
  message_size_limit = 10485760
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
  mydomain = [private]
  myhostname = [private]
  mynetworks = 127.0.0.0/8 [wg0-namespace] [public_vps_ip]
  myorigin = $myhostname
  newaliases_path = /usr/bin/newaliases
  relayhost = [165.22.191.194]:587
  sendmail_path = /usr/sbin/postfix
  setgid_group = postdrop
  smtp_bind_address = [wg0_private_ip]
  smtp_enforce_tls = yes
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  smtp_tcp_port = submission
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtp_tls_wrappermode = yes
  smtp_use_tls = yes
  smtpd_enforce_tls = yes
  smtpd_helo_required = yes
  smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client zen.spamhaus.org, permit
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_local_domain = $myhostname
  smtpd_sasl_path = private/auth
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_service = submission
  smtpd_sasl_type = dovecot
  smtpd_tls_cert_file = [NFS Path on wg0]
  smtpd_tls_key_file = [NFS Path on wg0]
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtpd_use_tls = yes
  tcp_windowsize = 4096
  unknown_local_recipient_reject_code = 550

###END POSTCONF OUTPUT###

Output of postconf -Mf:

  smtp       inet  n       -       -       -       -       smtpd
  submission inet  n       -       -       -       -       smtpd -v
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_tls_wrappermode=yes
      -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain
      -o milter_macro_daemon_name=ORIGINATING
  smtps      inet  n       -       -       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_wrappermode=yes
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain
      -o milter_macro_daemon_name=ORIGINATING
  pickup     unix  n       -       y       60      1       pickup
  cleanup    unix  n       -       y       -       0       cleanup
  qmgr       unix  n       -       n       300     1       qmgr
  tlsmgr     unix  -       -       y       1000?   1       tlsmgr
  rewrite    unix  -       -       y       -       -       trivial-rewrite
  bounce     unix  -       -       y       -       0       bounce
  defer      unix  -       -       y       -       0       bounce
  trace      unix  -       -       y       -       0       bounce
  verify     unix  -       -       y       -       1       verify
  flush      unix  n       -       y       1000?   0       flush
  proxymap   unix  -       -       n       -       -       proxymap
  proxywrite unix  -       -       n       -       1       proxymap
  smtp       unix  -       -       y       -       -       smtp
  relay      unix  -       -       y       -       -       smtp
      -o syslog_name=postfix/$service_name
  showq      unix  n       -       y       -       -       showq
  error      unix  -       -       y       -       -       error
  retry      unix  -       -       y       -       -       error
  discard    unix  -       -       y       -       -       discard
  local      unix  -       n       n       -       -       local
  virtual    unix  -       n       n       -       -       virtual
  lmtp       unix  -       -       y       -       -       lmtp
  anvil      unix  -       -       y       -       1       anvil
  scache     unix  -       -       y       -       1       scache
  postlog    unix-dgram n  -       n       -       1       postlogd
  maildrop   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
  uucp       unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
  ifmail     unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
  bsmtp      unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
  scalemail-backend unix - n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
  mailman    unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} ${extension}

#End postconf output#

I hope the amount of detail I provided helps.
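The capture above has a pattern worth checking mechanically: every SYN sent from the wg0 address toward the VPS reappears on the same interface about 45 ms later with the same IP id and the same sequence number, one TTL hop older, and with its destination rewritten to the wg0 address itself, and no SYN-ACK ever arrives. The following analyzer is an added example, not code from the original post; it reads tcpdump -v output (the two-line-per-packet form), pairs each outbound SYN with any returned copy by (source port, IP id, ISN), and lists source ports that never received a SYN-ACK. The sample capture is constructed for this example: four records are copied from the post (placeholders kept as written) and one healthy SYN/SYN-ACK exchange on port 50000 is made up to show what a normal handshake looks like to the tool.

```python
import re
from typing import Dict, Iterator, List

# One tcpdump -v packet record, after its two printed lines (the IP header
# line and the indented TCP line) have been joined into a single string.
PKT_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<ipid>\d+),.*?\) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?seq (?P<seq>\d+)"
)

# Constructed sample: the first four records are taken from the post's capture,
# the last two (port 50000) are made up to show a completed handshake.
SAMPLE_CAPTURE = """\
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
10:09:43.109444 IP (tos 0x0, ttl 64, id 51796, offset 0, flags [DF], proto TCP (6), length 60)
    {private_wg0_ip}.47019 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x2420), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
10:09:43.109445 IP (tos 0x0, ttl 64, id 59342, offset 0, flags [DF], proto TCP (6), length 60)
    {private_wg0_ip}.48911 > {public_VPS_ip}.submission: Flags [S], cksum 0x761c (incorrect -> 0x07cc), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
10:09:43.156084 IP (tos 0x0, ttl 63, id 51796, offset 0, flags [DF], proto TCP (6), length 60)
    {private_wg0_ip}.47019 > {private_wg0_ip}.submission: Flags [S], cksum 0x77e4 (correct), seq 3402657479, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
10:09:43.156111 IP (tos 0x0, ttl 63, id 59342, offset 0, flags [DF], proto TCP (6), length 60)
    {private_wg0_ip}.48911 > {private_wg0_ip}.submission: Flags [S], cksum 0x5b90 (correct), seq 3288894079, win 2760, options [mss 1380,sackOK,TS val 3176264352 ecr 0,nop,wscale 0], length 0
10:10:01.000000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    {private_wg0_ip}.50000 > {public_VPS_ip}.submission: Flags [S], cksum 0x0000 (correct), seq 1000, win 2760, options [mss 1380,sackOK,TS val 1 ecr 0,nop,wscale 0], length 0
10:10:01.040000 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    {public_VPS_ip}.submission > {private_wg0_ip}.50000: Flags [S.], cksum 0x0000 (correct), seq 2000, ack 1001, win 65535, options [mss 1380,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
"""


def _records(capture: str) -> Iterator[str]:
    """Join tcpdump's indented continuation lines onto their header line."""
    rec = None
    for line in capture.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and rec is not None:
            rec += " " + line.strip()
        else:
            if rec is not None:
                yield rec
            rec = line.strip()
    if rec is not None:
        yield rec


def parse(capture: str) -> List[Dict[str, object]]:
    """Return one dict per TCP packet; non-packet lines (banner, counters) are skipped."""
    pkts = []
    for rec in _records(capture):
        m = PKT_RE.match(rec)
        if not m:
            continue
        d = dict(m.groupdict())
        for k in ("ttl", "ipid", "seq"):
            d[k] = int(d[k])
        pkts.append(d)
    return pkts


def analyze(capture: str, local_ip: str, relay_ip: str) -> Dict[str, object]:
    """Find SYNs toward relay_ip that come back rewritten, and SYNs never answered."""
    sent: Dict[tuple, Dict[str, object]] = {}   # our SYNs toward the relay
    hairpinned: List[Dict[str, object]] = []
    answered = set()
    for p in parse(capture):
        key = (p["sport"], p["ipid"], p["seq"])
        if p["src"] == local_ip and p["flags"] == "S":
            if p["dst"] == relay_ip:
                sent[key] = p
            elif key in sent:
                # Same IP id, same ISN, one hop older: this is our own SYN coming
                # back with its destination rewritten, not a new connection.
                orig = sent[key]
                hairpinned.append({
                    "sport": p["sport"],
                    "sent_to": orig["dst"],
                    "rewritten_to": p["dst"],
                    "hops": orig["ttl"] - p["ttl"],
                })
        elif p["flags"] == "S." and p["src"] == relay_ip and p["dst"] == local_ip:
            answered.add(p["dport"])
    unanswered = sorted({k[0] for k in sent} - answered)
    return {"hairpinned": hairpinned,
            "answered_ports": sorted(answered),
            "unanswered_ports": unanswered}


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE, "{private_wg0_ip}", "{public_VPS_ip}")
    for h in result["hairpinned"]:
        print(f"port {h['sport']}: SYN to {h['sent_to']} returned after {h['hops']} hop(s) "
              f"with destination rewritten to {h['rewritten_to']}")
    print("SYN-ACK received on ports:", result["answered_ports"])
    print("no SYN-ACK on ports:", result["unanswered_ports"])
```

Run it against a real capture with `python3 analyze.py < capture.txt` after replacing SAMPLE_CAPTURE with `sys.stdin.read()` and the two placeholder addresses with the wg0 and VPS addresses. A returned SYN that matches on IP id and ISN cannot be a retransmission (Linux assigns a fresh IP id per packet, as the ids 51796, 51797, 51798 in the post show), so a non-empty hairpinned list means a device one hop away is rewriting the destination of the relay traffic and sending it back down the tunnel, which is the place to look in the DNAT rules.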