squintr
newbie
Topic Author
Posts: 28
Joined: Tue Nov 22, 2005 12:39 am

Advanced NAT problem - SMTP

Fri May 05, 2006 7:20 pm

I've got a mail server and a spam server both on our internal subnet. I'm trying to avoid making local DNS entries for each domain I add.

Spam Server External IP 123.123.123.1
Spam Server Internal IP 192.168.0.2
Mail Server Internal IP 192.168.0.3
Gateway 192.168.0.1

Outside connects to our spam server: 123.123.123.1 which in turn DST-NATs to its internal address of 192.168.0.2

Our spam server knows to relay the email, so it does a DNS lookup for the host that it's sending mail to and sees the external IP address, because I don't have an internal DNS zone set up. It sees 123.123.123.1

Our spam server would then route this through our mikrotik router (ver 2.9.x). I'm trying to get it to connect to our mail server: 192.168.0.3. This is where I'm stuck. How do I tell it to redirect traffic going to 123.123.123.1:25 to 192.168.0.3:25 ? I've tried various SRC-NAT and DST-NAT rules but with no luck. Can anyone help??


Sandy
 
n3wwn
just joined
Posts: 22
Joined: Fri Oct 08, 2004 5:39 pm
Location: Greensburg, PA, USA

Re: Advanced NAT problem - SMTP

Fri May 05, 2006 11:58 pm

If your spam server has an IP on your internal network where your mail server is, you don't need to route through the MikroTik. Just have the spam server deliver locally to the mail server.

-Rich
 
squintr
newbie
Topic Author
Posts: 28
Joined: Tue Nov 22, 2005 12:39 am

Sat May 06, 2006 12:58 am

Yes, that would work if I had local DNS set up so the IP that was resolved was a local one, but when we're hosting 50 or so domains I don't want to create internal AND external DNS records for each domain. I had a friend who knows more about mikrotik end up helping me out -- not sure if it's the best solution -- just testing it out now.

First, and shame on me, I was running 2.9.10, so I just upgraded to 2.9.23.

What my friend did was create a srcnat rule where:
src address is 192.168.0.2 (spam)
dst address is 192.168.0.3 (mail)
action = masquerade

then,

created a dstnat rule where:
src address is 192.168.0.2 (spam internal)
dst address is 123.123.123.1 port 25 (ext ip that domain resolves to)
action = netmap to 192.168.0.3 (port 0-65535)

Anyway, so far from my testing this seems to work..
 
n3wwn
just joined
Posts: 22
Joined: Fri Oct 08, 2004 5:39 pm
Location: Greensburg, PA, USA

Mon May 08, 2006 9:36 pm

What my friend did was create a srcnat rule where:
src address is 192.168.0.2 (spam)
dst address is 192.168.0.3 (mail)
action = masquerade

then,

created a dstnat rule where:
src address is 192.168.0.2 (spam internal)
dst address is 123.123.123.1 port 25 (ext ip that domain resolves to)
action = netmap to 192.168.0.3 (port 0-65535)

Anyway, so far from my testing this seems to work..
I understand a little better now :)

How about this: if you're using sendmail on the spam server, you can use mailertable to direct mail for specific domains to specific hosts:
domain1.com           smtp:internal-smtp.mydomain.com
domain2.org           smtp:internal-smtp.mydomain.com
Any domain that is not specified in mailertable will have an MX lookup performed. If the domain is listed in mailertable, it sends the mail to that host without performing MX lookups. This way you only need a single A record in your domain's DNS zone file for all hosted domains (domain1.com, domain2.org, etc).

Regarding the MikroTik configs, I don't believe you need the first src-nat rule.

Also, the dst-nat rule could (should?) be a dst-nat action to port 25. Netmap is generally used for a 1:1 NAT for multiple hosts.

Hope this helps! :D

-Rich
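The rules discussed in this thread written out in RouterOS CLI syntax, as an added example that is not from either poster. The addresses are the ones used in the thread; the interface names "ether1" (WAN) and "ether2" (LAN) are assumed, and the inbound publishing rule is an assumption about how the existing DST-NAT was written. Rule order matters: the hairpin rule must sit above the general inbound rule, otherwise the spam server's own connection to the public IP is translated back to the spam server.

```routeros
# Added example (not from the thread). Constructed addresses from the
# discussion; "ether1"/"ether2" are hypothetical interface names.

/ip firewall nat

# 1. Hairpin: the spam server (192.168.0.2) relays to a hosted domain whose
#    MX resolves to the public IP, so its SYN to 123.123.123.1:25 is sent to
#    the internal mail server instead. This is the friend's "netmap" rule
#    narrowed to TCP/25 with a plain dst-nat action, as Rich suggested.
add chain=dstnat src-address=192.168.0.2 dst-address=123.123.123.1 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.0.3 to-ports=25 \
    comment="Hairpin SMTP: spam filter -> mail server"

# 2. Existing inbound publish (assumed form): Internet -> public IP:25 goes to
#    the spam server. Restricted to the WAN interface so it cannot catch the
#    spam server's own hairpin traffic if the rules are ever reordered.
add chain=dstnat in-interface=ether1 dst-address=123.123.123.1 \
    protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.0.2 to-ports=25 \
    comment="Inbound SMTP: Internet -> spam filter"

# 3. The masquerade rule from the working config. Both servers are on the same
#    subnet, so without it the mail server would answer 192.168.0.2 directly,
#    the reply would bypass the router's connection tracking, and the spam
#    server would see a SYN/ACK from 192.168.0.3 instead of 123.123.123.1 and
#    reset the connection. srcnat is evaluated after the dstnat translation,
#    which is why the match is on the internal mail server address.
add chain=srcnat src-address=192.168.0.2 dst-address=192.168.0.3 \
    protocol=tcp dst-port=25 action=masquerade \
    comment="Hairpin SMTP return path via router"

# Check: after the spam server relays a message, the packet counters on the
# hairpin and masquerade rules should both increase:
/ip firewall nat print stats
# and the translated flow should be visible as 192.168.0.2 -> 192.168.0.3:25:
/ip firewall connection print where dst-address~"192.168.0.3:25"
```

If the hairpin counters stay at zero while the inbound rule's counter climbs, the rule order is wrong and the spam server is being sent back to itself.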
 
squintr
newbie
Topic Author
Posts: 28
Joined: Tue Nov 22, 2005 12:39 am

Tue May 09, 2006 6:47 am

Thanks Rich, that certainly did help (your mailertable suggestion).

:D
