pfSense firewall with NethServer as mail server

Hi @Gaetano_Battaglini,

Welcome!

Some fast clues:

  • If you want to use NethServer (as Email Server, WEB Server, …) placed in the DMZ (ORANGE), you will always use the GREEN interface of NethServer.
    (I use NethServer as an Email Server placed in a DMZ (Endian UTM) in this configuration, without issues.)

  • If you want to convert DHCP to a static IP, you must follow these steps:
    Configuration -> Network -> EDIT -> select Static (please see the attached pictures).

  • I don’t use pfSense, but AFAIK it has only two interfaces defined by default: WAN (RED) and LAN (GREEN). If you want to have a DMZ (ORANGE), you must create it manually. In this case, you must also define the firewall rules between interfaces/zones on pfSense. I think your problem comes from here.

Kind regards,
Gabriel

1 Like

Hi,

Does your pfSense instance have more than two Ethernet ports?
1 - If yes, plug the NethServer into it and make a DMZ for it.
2 - If not, can your switch do VLANs?
2-1 In that case you can create two VLANs… one for the 3 PCs and one for the DMZ.
2-2 If you can’t do VLANs… put the NethServer instance in the same LAN as the 3 PCs, give it a static IP, and set up NAT on pfSense to give access from the WAN to the NethServer instance.

A DMZ is an excellent setup, but IMHO it’s trouble waiting to happen for:

  • Backups (if they are on the LAN segment, they will load the firewall a lot)
  • Scaling from mail server to multi-functional server
  • Number of rules through the firewall if scaling to a unified communications server (in any case, it could be a one-time job).

So, the question is: will NethServer be only a mail server in the future?

DMZ is the worst solution you can ever have.
A DMZ is a honey pot for hackers; any newbie will try to experiment with his knowledge on your box.
You have a pfSense and are worried? Just do NAT/port forward and you will always be safe.
Why expose an entire server for just a few ports? I understand that NS7 has a good firewall, but again, I would not expose it entirely to the public internet.
That is my personal opinion, and I would agree should you wish to disagree.

1 Like

The DMZ is good practice; it avoids compromising the entire network in case of a “rebound attack”.

But in this exact case, for ONE service (mail server), I think the NAT solution is acceptable :wink:

Sorry, but I don’t understand.
A DMZ is based on port forwarding, and you said that port forwarding is safe.
So, why is a DMZ not safe?

This is my pfSense configuration:

http://imgur.com/SjVBerQ

As you can see, on my pfSense server I have 2 Ethernet cards, one for the LAN PCs and one for the DMZ (mail server).
My question is:
To put a static IP on NethServer (DMZ on pfSense), is it correct if I edit NethServer in the following way?
192.168.2.111
255.255.255.0
gateway 192.168.2.1
My problem is the gateway: what do I have to put?
192.168.2.1 or 192.168.0.1?
Thanks

According to your pfSense settings, the DMZ zone/network is the 192.168.2.1/24 network segment.
So, your NethServer LAN (GREEN) IP will be from this range (192.168.2.111), with 192.168.2.1 as Gateway.
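
As an added example (my code, not from the thread or from NethServer/pfSense), the answer above can be turned into a small check: a static configuration is only usable when the gateway is an address on the host’s own subnet, which is why the pfSense DMZ address 192.168.2.1 works for 192.168.2.111/24 and 192.168.0.1 does not. The function names are mine; the addresses are the ones from the thread. The third function answers the related question of whether a given destination is reached directly on the link or has to go through the gateway (and therefore through pfSense and its rules).

```python
"""Added example (not from the thread): check a static IP configuration for a
host in a firewall zone, such as NethServer's GREEN interface in the pfSense DMZ.

The decisive check is the one the question turns on: the default gateway must
be on the host's own subnet, i.e. the firewall's DMZ address (192.168.2.1),
not an address belonging to another zone (192.168.0.1).  Nothing here talks
to a network; the sample addresses are the thread's.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def validate_static_ip(ip: str, netmask: str, gateway: str) -> tuple[bool, str]:
    """Return (ok, reason) for a host address / netmask / gateway triple."""
    try:
        host = IPv4Interface(f"{ip}/{netmask}")
        gw = IPv4Address(gateway)
    except ValueError as exc:
        return False, f"unparseable address: {exc}"

    net = host.network
    if net.prefixlen == 32:
        return False, "a /32 leaves no room for a gateway on the link"
    if host.ip in (net.network_address, net.broadcast_address):
        return False, f"{host.ip} is the network or broadcast address of {net}"
    if gw not in net:
        return False, (f"gateway {gw} is not on {net}; the host cannot ARP for it, "
                       "use the firewall's address on this zone instead")
    if gw == host.ip:
        return False, "gateway must not be the host's own address"
    if gw in (net.network_address, net.broadcast_address):
        return False, f"{gw} is the network or broadcast address of {net}"
    return True, f"{host.ip} on {net} via {gw}"


def zone_network(firewall_interface: str) -> IPv4Network:
    """Derive a zone's subnet from the firewall's own interface address,
    e.g. the pfSense DMZ interface 192.168.2.1/24 -> 192.168.2.0/24."""
    return IPv4Interface(firewall_interface).network


def on_link(ip: str, netmask: str, destination: str) -> bool:
    """True when the host delivers to `destination` directly (same subnet),
    i.e. without going through the gateway and the firewall rules behind it."""
    return IPv4Address(destination) in IPv4Interface(f"{ip}/{netmask}").network


if __name__ == "__main__":
    print("pfSense DMZ network:", zone_network("192.168.2.1/24"))
    for gw in ("192.168.2.1", "192.168.0.1"):
        ok, why = validate_static_ip("192.168.2.111", "255.255.255.0", gw)
        print("OK  " if ok else "BAD ", why)
    # A LAN client reaching the DMZ host is routed, so it crosses pfSense:
    print("192.168.1.50 -> 192.168.2.111 on-link?",
          on_link("192.168.1.50", "255.255.255.0", "192.168.2.111"))
```

The on-link test is the practical consequence for the rest of the setup: any flow that is not on-link is subject to the pfSense rules on the interface where it enters, so a LAN client reaching the DMZ host needs a LAN rule, while two hosts sharing a subnet never pass the firewall at all.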

Thanks, I did it!!
Now my mail server (NethServer) has a static IP.
Thanks :slight_smile:
Now the NAT rules on my pfSense firewall: can you check if these rules I wrote are correct?

http://imgur.com/FXpoBEs

Thanks again

1 Like

I am not sure if the first rule (HTTP) is necessary. I think nothing on the Email Server can be reached on port 80.
All the other rules are for the Email Server and must be reachable from the Internet (WAN).
I think you also need the SSH port to be opened.
EDIT: and port 980! (if you want to access the NS GUI from WAN; or another rule from LAN to DMZ for this port).

Also, you must create outbound rules for the DMZ (to WAN): port 80 for NS updates, NTP, DNS (53) and port 25 for communication with other Email Servers.

At this time, I can not think of anything else.

At the moment, if I type the address 192.168.2.111:980 in Mozilla Firefox on a client on my LAN (for example 192.168.1.xxx), I can reach NethServer without problems.
This is the current state of the rules on my pfSense:

WAN Rules:
http://imgur.com/ovC9GOq

DMZ Rules
http://imgur.com/TCkkQvj

LAN Rules
http://imgur.com/RNWdPRY

NAT
http://imgur.com/FXpoBEs

From one of my LAN clients, for example, I have updated NethServer easily without problems, and I have downloaded and installed the following packages on the NethServer machine:

http://imgur.com/4YEjlAW

For building a simple mail server, are the packages correct? Or do I need something else, or do I need to delete some of the downloaded packages?

Now the next and last step :slight_smile:
Have you got a written tutorial or a video tutorial for newbies for the first configuration of NethServer to work only as a mail server?
Thanks in advance

To thank you all, allow me to post the current state of my fabulous NethServer mail server, perfectly functioning and ready to become my personal mail server :yum:

http://imgur.com/Q2Vsm0M

P.S. If I read correctly, I need more RAM :slight_smile:

Waiting for your replies
Gaetano

1 Like

Good job!

For an Email Server, the following packages must be selected to be installed:

  • OpenLDAP
  • Backup
  • Email
  • POP3 Proxy
  • SMTP Proxy
  • WebTop 5 groupware or SOGo groupware

All necessary dependencies will be installed automatically.
(I recommend you to use OpenLDAP as Account Provider for this kind of approach)

You can install other packages as you need.

I recommend using Fail2Ban and Clamscan by Stephane de Labrusse:

https://wiki.nethserver.org/doku.php?id=module:fail2ban
https://wiki.nethserver.org/doku.php?id=clamscan

There are some topics about email servers on this forum.
Try to find them with the search engine.

Enjoy NethServer! You will love it! And this Community too! :slight_smile:

1 Like

There’s already the excellent Roundcube for the mail server

1 Like

I found this interesting and easy guide:

Two questions:
When Enzo Turri says: “Check your public IP”,
how can I check and know my public IP?

The guide, if I understand well, is for SOGo groupware. Are the steps the same for WebTop 5 groupware?

Thanks

With NS7 you can see your public IP in the “diagnostic” menu

1 Like

http://www.ipaddresslocation.org/
Look for My IP

@GG_jr

DMZ is not based on port forwarding. When you put a machine in a DMZ you are exposing its entire Ethernet interface to the public net.
Then, after that, you have to make sure the firewall on that machine is set correctly.
If it is not, then you are inviting curious people to start practicing their skills on that machine.
The first thing you will see is them using your web server and email server; other than that, crypto malware… and you name it.

It is basically like this: Internet ----- your router, which also acts as a stateless firewall (not a real firewall, but a few functions like port forwarding, DDoS…, ACLs…) ---- then your real firewall (interactive, stateful) ---- then your machine(s).

In your case:
Internet ------- router (stateless firewall, but this time it will not look into the traffic you are forwarding to the DMZ) ---- then your DMZ

So your DMZ in this case is responsible for its own protection…

Hi @ghost,

After I wrote “DMZ is based on port forward”, I was sure that you would not agree with that!
It was the short version.
It should be: access to the servers placed in the DMZ is through port forwarding/DNAT, at least in my case.

My case:
Internet x 2 -> Router (BGP, NAT, some protection) -> WAN-Endian UTM:
-> DMZ
-> Guest WiFi
-> LAN

All traffic from the Internet to zones (WAN, DMZ, Guest WiFi, LAN), between zones and from zones to Internet is controlled by Endian UTM through traffic rules (more or less restrictive).
Of course, all servers, placed in DMZ and/or LAN, are protected also by their own firewall rules.

But, with all the above, nothing is safe!
We try to reduce the risks; we cannot cancel them altogether!

BR,
Gabriel

Sorry to dig up an old thread, but for anyone wanting to do this, I use this method. Set up aliases in pfSense/OPNsense: an alias for your mail server and an alias for ports 143, 993, 587, 25, 80 and 443. Now, under NAT, port forward the ports from the firewall as a source to the mail server alias and save. Now you will want to set up fail2ban and clamav on NethServer, since it is essentially acting as a mail server/web server. This way, you can have a mail server, web server, virtual hosts, reverse proxies, etc. all behind pfSense.

I have not forwarded NTP or 53 (DNS), but I haven’t really needed to. I have 3 DNS servers, 1 hardware and 2 redundant, so I don’t think you need to forward DNS if you have a DNS server on the network.

I run OPNsense on my firewall and NethServer in a VM as a web/mail server/WebDAV, with the hope of moving to a hardware box at some point if NethServer supports ARM (ARM is the future of servers IMO). Then the VM can be a redundant server. Anyway, I know a few people would like to have this setup; it works well and I’ve been happy with it.

1 Like

You could further secure this by defining a class B subnet on the computers and servers, but defining rules on class C based subnets. Example:

Workstations: 172.16.0.x/16
Servers: 172.16.1.x/16

You can now define rules in pfSense that allow traffic from 172.16.0.x/24 to wherever and back, but prevent any WAN traffic being allowed to 172.16.1.x/24 unless you expect it (you have defined a rule for it), while they are still in the same network and on the same switch.

1 Like
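
Putting the two rule-related replies together (the earlier list of ports a DMZ mail server needs inbound and outbound, and the later alias-based port-forward approach), here is an added example, my own Python and not pfSense, OPNsense or NethServer code, that models a pfSense-style first-match policy with aliases and audits it against the flows the thread discusses. Alias names (MAILSRV, MAIL_IN, MGMT, LAN_NET, DMZ_NET) and the remote address 203.0.113.25 are mine; the LAN 192.168.1.0/24, DMZ 192.168.2.0/24 and host 192.168.2.111 come from the thread. Two choices are this example’s own rather than the thread’s: SSH and port 980 are reachable only from the LAN, not forwarded from the WAN, and the DMZ gets an explicit block towards the LAN ahead of its outbound allows, which is what contains the “rebound attack” mentioned above.

```python
"""Added example (not from the thread, not pfSense code): a first-match
firewall policy for the setup discussed above, written with aliases the way
the last poster describes, and audited against the flows a DMZ mail server
needs and the flows that must stay closed.

Rules are evaluated on the interface where the packet *enters* the firewall,
with an implicit block at the end of each interface's list, as pfSense does.
NAT itself is not modelled: a WAN port forward is represented by the filter
rule it results in, i.e. the post-translation destination (the DMZ host).
Addresses: LAN 192.168.1.0/24, DMZ 192.168.2.0/24, NethServer 192.168.2.111
(from the thread); 203.0.113.25 is a constructed remote mail server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# pfSense-style aliases; the names are this example's own.
HOSTS = {
    "MAILSRV": ["192.168.2.111"],
    "LAN_NET": ["192.168.1.0/24"],
    "DMZ_NET": ["192.168.2.0/24"],
}
PORTS = {
    "MAIL_IN": {25, 143, 587, 993},   # SMTP, IMAP, submission, IMAPS
    "MGMT":    {22, 980},             # SSH and the NethServer web GUI
}


@dataclass(frozen=True)
class Rule:
    iface: str           # "WAN", "LAN" or "DMZ": where the packet arrives
    action: str          # "pass" or "block"
    proto: str = "any"   # "tcp", "udp" or "any"
    src: str = "any"     # host alias, CIDR/address or "any"
    dst: str = "any"
    dports: str = "any"  # port alias, a single port as a string, or "any"


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    nets = HOSTS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec in PORTS:
        return port in PORTS[spec]
    return port == int(spec)


def decide(rules, iface, proto, src, dst, dport) -> str:
    """First matching rule wins; no match means the interface's default deny."""
    for r in rules:
        if (r.iface == iface
                and r.proto in ("any", proto)
                and _addr_match(r.src, src)
                and _addr_match(r.dst, dst)
                and _port_match(r.dports, dport)):
            return r.action
    return "block"


# Inbound: only mail ports reach the DMZ host; management only from the LAN.
# Outbound from the DMZ: updates (80), SMTP to other servers, DNS, NTP, with
# the LAN blocked first so a compromised DMZ host cannot pivot into it.
POLICY = [
    Rule("WAN", "pass", "tcp", "any", "MAILSRV", "MAIL_IN"),
    Rule("LAN", "pass", "tcp", "LAN_NET", "MAILSRV", "MGMT"),
    Rule("LAN", "pass", "any", "LAN_NET", "any", "any"),
    Rule("DMZ", "block", "any", "DMZ_NET", "LAN_NET", "any"),
    Rule("DMZ", "pass", "tcp", "DMZ_NET", "any", "80"),
    Rule("DMZ", "pass", "tcp", "DMZ_NET", "any", "25"),
    Rule("DMZ", "pass", "any", "DMZ_NET", "any", "53"),
    Rule("DMZ", "pass", "udp", "DMZ_NET", "any", "123"),
]

# (iface, proto, src, dst, dport, expected verdict)
EXPECTED = [
    ("WAN", "tcp", "203.0.113.25", "192.168.2.111", 25,  "pass"),
    ("WAN", "tcp", "203.0.113.25", "192.168.2.111", 993, "pass"),
    ("WAN", "tcp", "203.0.113.25", "192.168.2.111", 80,  "block"),
    ("WAN", "tcp", "203.0.113.25", "192.168.2.111", 980, "block"),
    ("WAN", "tcp", "203.0.113.25", "192.168.2.111", 22,  "block"),
    ("LAN", "tcp", "192.168.1.50", "192.168.2.111", 980, "pass"),
    ("DMZ", "tcp", "192.168.2.111", "203.0.113.25", 25,  "pass"),
    ("DMZ", "udp", "192.168.2.111", "203.0.113.25", 123, "pass"),
    ("DMZ", "tcp", "192.168.2.111", "192.168.1.50", 445, "block"),
    ("DMZ", "tcp", "192.168.2.111", "192.168.1.50", 80,  "block"),
]


def audit(rules, expected):
    """Return (flow, actual verdict) for every flow the policy gets wrong."""
    return [(flow, decide(rules, *flow[:5]))
            for flow in expected if decide(rules, *flow[:5]) != flow[5]]


if __name__ == "__main__":
    bad = audit(POLICY, EXPECTED)
    print("policy OK" if not bad else f"{len(bad)} unexpected verdict(s): {bad}")
```

The audit is the part worth keeping around: when a rule is added later (for example a WAN forward for port 980 to reach the GUI from outside), rerunning it against the list of flows that must stay closed shows immediately which expectation it breaks. Only traffic that crosses the firewall is subject to these rules; two hosts on the same subnet talk to each other directly, so a rule set alone does not separate hosts that share a segment.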