I have a device on my network that needs to send email notifications. Its setup requires access to an SMTP server.

The problem, is the device only allows specification via IP address, not FQDN. (It is an older Cisco phone system). Ideally, I would have an internal SMTP server or relay on a static IP that I could use, but I don't have one. I'd rather not set one up just for this one use.

Can I set up a src-nat rule to forward an IP address to an external FQDN?


My 750 is set up with a single external IP, masqueraded to the internal network 192.168.88.1/24. Pretty standard setup.

I'm thinking I might be able to do the following:

Choose an IP address that would otherwise go to the gateway, but is still a private IP as a Dummy. Like 10.1.1.1.

Then make an src-nat rule that forwards outbound port 25 requests aimed at 10.1.1.1 to smtp.outlook.com

I would set up the device that sends emails to send to 10.1.1.1

Will this work? What would the rule look like? Can I specify a FQDN in a firewall rule?

Do I put the rule before or after the masquerade rule on the src-nat chain?

If that wont work, any suggestions how to accomplish this easily?

Thanks for helping.

You could use a scheduled script to resolve the domain to an IP, then replace an IP in a dstnat rule. Are you ok with that?

If the device doesn't take a FQDN for the SMTP server you might want to check what SMTP settings it supports. Many systems are now requiring secure SMTP transactions so it might be worth checking if it supports port 587 / TLS etc.

Thanks for the replies.

So other than that you cannot put a FQDN in a firewall rule it should work?

But running a script periodically doesn't seem the best idea. When you resolve smtp.outlook.com, it goes to a long ugly Cname, then another long ugly Cname, then a list of 7 or so A name IP addresses with TTL's of 5 minutes. So technically, I would have to run the script every 5 minutes. Holy dynamic, batman. Although I might get away with longer time between lookups, i would never be absolutely certain i hit a working smtp server.

Good point about port 25, though. The old phone system can't speak TLS. smtp.outlook.com allows port 25 if its from a static IP, which this will be, but for a dynamic IP this wont work.

I'm starting to think setting up a little local smtp device might make sense, and have it send mail directly or act as a relay.

Any other clever ideas before I start learning how to configure sendmail on a linux box? Ugh.

There is no problem with resolving smtp.outlook.com. Using the CLI Don't resolve it every 5 minutes. Run it once a day.

If you have the ability and resources, then the best way is to use an email server to relay your email.

... with TTL's of 5 minutes ...

1m30s from today.

Outlook uses that short TTL for load balancing. The resolved ip should be good for much longer than 5 minutes. I show it rotates through the same set of ips over and over. If you keep entering this, you will see. It has been the same set of about a dozen ips for the last 50 minutes.

Or you can set up your own email server.