
Correct NAT for IMAP Client

Hi community,

currently I am running out of ideas on how to correctly NAT internally connected IMAP clients to our internal mail server.

Following setup:

- IMAP client account with mail.domain.de over port 993 configured
- Masquerading: Internal (Network) -> External
- DNAT: Internet IPv4 -> IMAP SSL -> External (Address) --> internal IP mailserver (mail.internal.local)
- I made sure nothing of the IMAP traffic gets blocked by the firewall
- WLAN internal bridged to AP LAN

Behaviour:

- IMAP connection works if the client connects from outside the internal network (e.g. WLAN at home)
- IMAP connection does NOT work if the client is connected via internal WLAN

tcpdump:

- running tcpdump shows that the client establishes a connection to mail.domain.de but gets answers from mail.internal.local

So I tried to set up SNAT to change the answer from mail.internal.local to mail.domain.de and a DNAT to change the destination of internal requests from mail.domain.de to mail.internal.local.

tcpdump again:

- now it showed requests and answers to and from mail.domain.de

But still, the internally connected IMAP client can't connect to the mail server over 993.

Maybe someone is able to enlighten me here. :)



  • You need to add a full nat rule to allow for internal traffic to go back inside through the external interface.

    Traffic from: Internal network
    Going to: External (Address)
    Map source: Internal (Address)
    Map Destination: Internal IP mailserver


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
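To show why the plain DNAT fails for internal clients and why the Full NAT rule above fixes it, here is a small added simulation (not from this thread or from Sophos; all addresses are constructed RFC 5737/1918 values, and the class and function names are my own). It models the firewall's connection-tracking table, the mail server answering whatever source address it saw, and the LAN delivering replies directly when the destination is on the same subnet, which is exactly the case where the firewall never gets a chance to rewrite the answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# All addresses are constructed for this example.
PUBLIC_IP = "203.0.113.10"       # what mail.domain.de resolves to
FW_INTERNAL_IP = "10.0.0.1"      # the firewall's Internal (Address)
MAIL_INTERNAL_IP = "10.0.0.25"   # mail.internal.local
CLIENT_IP = "10.0.0.77"          # IMAP client on the internal WLAN
IMAPS_PORT = 993
LAN = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The reply a receiver would send back to this packet."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


class Firewall:
    """Stateful NAT box: DNAT for IMAPS to the mail server, with optional
    hairpin SNAT ("Map source: Internal (Address)") for internal clients."""

    def __init__(self, map_source: bool):
        self.map_source = map_source
        # key: 4-tuple the server's reply will carry -> the client's original packet
        self.table: Dict[Tuple[str, int, str, int], Packet] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.dst == PUBLIC_IP and pkt.dport == IMAPS_PORT:
            # DNAT to the internal mail server. With map_source, internal clients
            # are also SNATed to the firewall's internal address so the reply
            # must come back through the firewall.
            src = FW_INTERNAL_IP if (self.map_source and on_lan(pkt.src)) else pkt.src
            out = Packet(src, pkt.sport, MAIL_INTERNAL_IP, pkt.dport)
            self.table[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            # Reverse translation: restore the addresses the client actually used.
            return self.table[key].reply()
        return pkt


def imaps_handshake(map_source: bool) -> Tuple[bool, Packet]:
    """Simulate the first request/reply of an internal client.
    Returns (client_accepted_reply, reply_as_seen_by_client)."""
    fw = Firewall(map_source)
    syn = Packet(CLIENT_IP, 50000, PUBLIC_IP, IMAPS_PORT)

    # The public IP is off-LAN, so the client's default route hands the SYN to the firewall.
    at_server = fw.translate(syn)
    assert at_server.dst == MAIL_INTERNAL_IP

    # The server answers whatever source address it saw.
    reply = at_server.reply()
    if on_lan(reply.dst) and reply.dst != FW_INTERNAL_IP:
        # Same subnet: delivered directly by the switch/AP. The firewall never
        # sees this packet, so no SNAT rule on it can rewrite the answer.
        seen_by_client = reply
    else:
        seen_by_client = fw.translate(reply)

    # A TCP client only accepts a reply that matches the 4-tuple it sent to.
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    got = (seen_by_client.src, seen_by_client.sport, seen_by_client.dst, seen_by_client.dport)
    return got == expected, seen_by_client


if __name__ == "__main__":
    for map_source in (False, True):
        ok, pkt = imaps_handshake(map_source)
        print(f"map_source={map_source}: accepted={ok}, reply from {pkt.src}:{pkt.sport}")
```

Run without `map_source` and the client sees the answer arrive from mail.internal.local, matching the tcpdump in the question; with it, the reply is forced back through the firewall, reverse-translated to the public address, and accepted. If the public address lives on a different interface than External, the "Going to" object simply has to be that address, as the follow-up in this thread notes.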

  • Thank you very much. Although I forgot to mention that our public IP address does not run on the external interface of the SG, your Full NAT suggestion was correct. I just had to change the "going to" to the public IP address.

    Regards
    Philipp
