Can't send mail through VPN connection

v7
mail

(Dan) #1

NethServer Version: 7.4
Module: email2

Being away from home for the past couple of weeks and on unsecure WiFi, I’m doing much of my internet usage through a VPN connection. It’s a VPS on Google Compute Engine, built using Streisand. And most everything I need to do, I can do just fine. Except…

I can reach my mail server using Thunderbird, and download and read messages without any problem. However, when I try to send messages, the connection just times out. Per the manual, I’m trying to connect on port 587 using STARTTLS. When I disconnect from the VPN, the message sends just fine.

It’s looking like there’s something that’s blocking this IP address (or maybe the entire 35.0.0.0/8 network) from connecting specifically to the SMTP server, but what would it be? I know I haven’t set up anything like that manually.


(Michael Kicks) #2

What does Thunderbird look for as the SMTP server? Public IP address, VPN address, FQDN?


(Joel Clendineng) #3

Do you have access to your network from the VPN? Probably a dumb question, but when you are setting up a VPN, you can allow or deny access to inter-network traffic.


(Dan) #4

The FQDN.

The VPN server is on a different continent from the Neth server (and both are on a different continent from me at the moment). I can reach any other public service (IMAP, web, ssh) when connected to the VPN, just not SMTP.


(Marc) #5

Check if this information helps:

If you need to send mail through a corporate mail server but are blocked by the port restrictions (…) you can use a VPN to bypass these restrictions. This method requires running a VPN client on your Compute Engine cluster, and a VPN server on your corporate network router. This setup would allow your instance to appear “inside” your corporate firewall, and allow unrestricted access to your corporate mail server.

Source


(Dan) #6

It does indeed, and I didn’t even think to look there. It’s an anti-spam measure, no doubt, but still unfortunate. Also explains why nothing showed up anywhere in the logs on the Neth box. I wonder if AWS does the same…


(Michael Kicks) #7

Which is the routing path of the FQDN lookup?
Also: does NethServer allow connecting on 587? Or is it allowed only on 465 (SMTPS)?


(Dan) #8

?

No, 587 is definitely allowed, as are 465 and 25. But GCE blocks all three. Bottom line is, apparently, you can’t send email from or through a GCE instance.
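The symptom described in this thread (IMAP, web and ssh reach the server through the VPN, but every SMTP port just times out) can be confirmed from the client side with a small TCP probe. The following script is an added example and is not from the thread or from NethServer; it classifies each connection attempt as open, refused or timed out, which is what distinguishes "packets dropped somewhere on the egress path" from "the mail server rejected me". The host name `mail.example.org` is a placeholder; run it once with the VPN up and once with it down and compare the two results.

```python
import socket
import sys

# Ports the thread mentions: SMTP (25), SMTPS (465) and submission with STARTTLS (587).
SMTP_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Verdict strings returned by diagnose(); kept as constants so callers can compare them.
VERDICT_FILTERED = "all SMTP ports time out: traffic is silently dropped on the path (e.g. the egress provider blocks outbound mail)"
VERDICT_REACHABLE = "at least one SMTP port is reachable"
VERDICT_REFUSED = "host reached but no SMTP listener: a server-side issue, not a path filter"
VERDICT_MIXED = "mixed results: check each port individually"


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and classify the outcome.

    Returns "open", "refused", "timeout" or "error:<errno>".
    A timeout means no SYN-ACK and no RST came back: something between the
    client and the server is dropping the packets. A refusal means the host
    answered, so the path is fine and the service itself is not listening.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"


def smtp_reachability(host, timeout=5.0, ports=SMTP_PORTS):
    """Probe every SMTP-related port and return {port: outcome}."""
    return {port: probe(host, port, timeout) for port in ports}


def diagnose(results):
    """Turn the per-port outcomes into one verdict string."""
    outcomes = set(results.values())
    if outcomes == {"timeout"}:
        return VERDICT_FILTERED
    if "open" in outcomes:
        return VERDICT_REACHABLE
    if outcomes == {"refused"}:
        return VERDICT_REFUSED
    return VERDICT_MIXED


def local_demo():
    """Constructed offline check: one listening port and one closed port on loopback.

    Returns the two probe outcomes, expected to be ("open", "refused").
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve and immediately release a second port so we know it is closed.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    # Placeholder host; pass your own mail server's FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    res = smtp_reachability(target)
    for port, name in SMTP_PORTS.items():
        print(f"{name:>10} ({port}): {res[port]}")
    print(diagnose(res))
```

When the VPN egress is the problem, the run with the tunnel up prints `timeout` for all three ports while the run without it prints `open`, and nothing appears in the mail server's logs in either case because the packets never arrive there.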


(Michael Kicks) #9

If I look up an FQDN on a DNS server, it could answer different things…

  • if it’s a public DNS which knows the public IP of the FQDN, it will answer me the public IP, therefore based on the routing table of my computer and gateway.
  • if it’s a forwarder, it could answer what is stored on the DNS server queried by the forwarder.
  • if it’s a LAN DNS server which stores some records and makes some query forwards, it could answer the public IP, the private IP of green or the private IP of the VPN connection.

Therefore, firewall rules of mail acceptance could be different on each interface…
And the answer could change a lot.


(Dan) #10

The VPN server is remote. It isn’t on my home LAN, it isn’t on the same network as my Neth box (which is on my home LAN as an OpenVPN client to my pfSense router at home, but is otherwise quite remote as well). Home is in .us, the VPN server in question is on the other side of .us, the Neth box is in .de, and I’m currently in .kr. But thanks to the magic of the Internet, we can all communicate.

I’m in a hotel in .kr with my laptop on the hotel’s open WiFi. Because I want a reasonably secure connection where all my neighbors can’t sniff my cleartext traffic, I want to use a VPN connection to the Internet. I have two connections configured on my laptop: (1) OpenVPN to my home LAN, and (2) IPSEC to the GCE instance that I’ve set up as a Streisand server. I have no problem at all with (1), but I don’t want to route high-bandwidth stuff through my home LAN if I can help it (bandwidth there isn’t awful, but it’s still limited). That’s why I’d rather use (2) except for cases where I really need to get into my home LAN (like doing stuff on the command line on my FreeNAS box).

I don’t think it could. Once it’s established that I’m trying to send the traffic through GCE, and that GCE blocks virtually all outgoing mail traffic (which I hadn’t known when I started this thread), I think that’s pretty much the end of it, right? I will not be able to send mail using client software through that connection. Sure, I can use webmail. Sure, I can use my other VPN connection. But neither of those really answers my question. Google’s docs do: