Advanced NAT problem - SMTP

Posted: Fri May 05, 2006 7:20 pm
by squintr
I've got a mail server and a spam server both on our internal subnet. I'm trying to avoid making local DNS entries for each domain I add.

Spam Server External IP 123.123.123.1
Spam Server Internal IP 192.168.0.2
Mail Server Internal IP 192.168.0.3
Gateway 192.168.0.1

Outside connects to our spam server: 123.123.123.1 which in turn DST-NATs to its internal address of 192.168.0.2

Our spam server knows to relay the email so it does a DNS lookup for the host that it's sending mail to and sees the external IP address because I don't have an internal DNS zone setup. It sees 123.123.123.1

Our spam server would then route this through our MikroTik router (ver 2.9.x). I'm trying to get it to connect to our mail server: 192.168.0.3. This is where I'm stuck. How do I tell it to redirect traffic going to 123.123.123.1:25 to 192.168.0.3:25 ? I've tried various SRC-NAT and DST-NAT rules but with no luck. Can anyone help??


Sandy

Re: Advanced NAT problem - SMTP

Posted: Fri May 05, 2006 11:58 pm
by n3wwn
If your spam server has an IP on your internal network where your mail server is, you don't need to route through the MikroTik. Just have the spam server deliver locally to the mail server.

-Rich

Posted: Sat May 06, 2006 12:58 am
by squintr
Yes, that would work if I had local DNS setup so the IP that was resolved was a local one but when we're hosting 50 or so domains I don't want to create internal AND external DNS records for each domain. I had a friend who knows more about MikroTik end up helping me out -- not sure if it's the best solution -- just testing it out now.

First and shame on me, I was running 2.9.10 so I just upgraded to 2.9.23

What my friend did was create a srcnat rule where:
src address is 192.168.0.2 (spam)
dst address is 192.168.0.3 (mail)
action = masquerade

then,

created a dstnat rule where:
src address is 192.168.0.2 (spam internal)
dst address is 123.123.123.1 port 25 (ext ip that domain resolves to)
action = netmap to 192.168.0.3 (port 0-65535)

Anyway, so far from my testing this seems to work..
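The two rules described in the post above, written out as RouterOS 2.9 commands. This is an added example, not configuration posted by anyone in the thread; it narrows the match to TCP port 25 instead of ports 0-65535 and uses a plain dst-nat instead of netmap. The addresses are the ones given in the thread; the comment strings are assumptions.

```routeros
# Added example: hairpin NAT so the spam relay (192.168.0.2) can reach the
# mail server (192.168.0.3) by connecting to the public MX address 123.123.123.1.

# 1. dstnat (prerouting): only the spam server's SMTP connections to the
#    public IP are redirected, so outside senders are not affected.
/ip firewall nat add chain=dstnat src-address=192.168.0.2 dst-address=123.123.123.1 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.0.3 to-ports=25 comment="spam relay -> public MX IP: redirect to internal mail server"

# 2. srcnat (postrouting): runs after the dstnat rule, which is why it matches
#    dst-address=192.168.0.3 and not 123.123.123.1. Masquerading the source
#    makes the mail server answer to the router (192.168.0.1) instead of
#    straight to 192.168.0.2 on the shared subnet; without it the spam server
#    would see a SYN-ACK from 192.168.0.3 rather than 123.123.123.1 and reset
#    the connection.
/ip firewall nat add chain=srcnat src-address=192.168.0.2 dst-address=192.168.0.3 protocol=tcp dst-port=25 action=masquerade comment="hairpin: return path for the redirected SMTP session"

# Verify: while the spam server connects to 123.123.123.1:25, the tracked
# connection shows both translations (original dst 123.123.123.1, reply
# from 192.168.0.3 via the router).
/ip firewall connection print
```

Check the NAT rules are placed before any broader masquerade rule in the srcnat chain, since RouterOS stops at the first matching NAT rule.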

Posted: Mon May 08, 2006 9:36 pm
by n3wwn
What my friend did was create a srcnat rule where:
src address is 192.168.0.2 (spam)
dst address is 192.168.0.3 (mail)
action = masquerade

then,

created a dstnat rule where:
src address is 192.168.0.2 (spam internal)
dst address is 123.123.123.1 port 25 (ext ip that domain resolves to)
action = netmap to 192.168.0.3 (port 0-65535)

Anyway, so far from my testing this seems to work..
I understand a little better now :)

How about this, if you're using sendmail on the spam server, you can use mailertable to direct mail for specific domains to specific hosts:
domain1.com           smtp:internal-smtp.mydomain.com
domain2.org           smtp:internal-smtp.mydomain.com
Any domain that is not specified in mailertable will have an MX lookup performed. If the domain is listed in mailertable, it sends the mail to that host without performing MX lookups. This way you only need a single A record in your domain's DNS zone file for all hosted domains (domain1.com, domain2.org, etc).

Regarding the MikroTik configs, I don't believe you need the first src-nat rule.

Also, the dst-nat rule could (should?) be a dst-nat action to port 25. Netmap is generally used for a 1:1 NAT for multiple hosts.

Hope this helps! :D

-Rich

Posted: Tue May 09, 2006 6:47 am
by squintr
Thanks Rich that certainly did help (your mailertable suggestion)

:D