SMTP MTA
Firewall rules needed for SMTP MTA.
Port Forwards
The following IPv4 connections from the Internet to the router are forwarded to the mail server.
SMTP Mail Server
Forward SMTP connections to the mail server.
Using the OpenWRT web GUI, go to Network - Firewall - Port Forwards and add a new port forward:
| Name | SMTP Port Forwarding |
| Protocol | TCP |
| Source Zone | wan |
| Source MAC address | |
| Source IP address | any |
| Source port | any |
| External IP address | any |
| External port | 25 |
| Internal zone | lan |
| Internal IP address | 192.0.2.40 |
| Internal port | 25 |
| Enable NAT loopback | checked |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config redirect
	option name 'SMTP Port Forwarding'
	option proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.0.2.40'
	option dest_port '25'
	option target 'DNAT'
Traffic Rules
SMTP to MTA (IPv4)
Allow IPv4 SMTP connections from anywhere to the mail server.
Using the OpenWRT web GUI, go to Network - Firewall - Traffic Rules and add a new forward rule:
| Name | SMTP to MTA (IPv4) |
| Restrict to address family | IPv4 only |
| Protocol | TCP |
| Match ICMP type | any |
| Source zone | Any zone |
| Source MAC address | any |
| Source address | any |
| Source port | any |
| Destination zone | lan |
| Destination address | 192.0.2.40 |
| Destination port | 25 |
| Action | accept |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config rule
	option name 'SMTP to MTA (IPv4)'
	option family 'ipv4'
	option proto 'tcp'
	option src '*'
	option dest 'lan'
	option dest_ip '192.0.2.40'
	option dest_port '25'
	option target 'ACCEPT'
SMTP to MTA (IPv6)
Allow IPv6 SMTP connections from anywhere to the mail server.
Using the OpenWRT web GUI, go to Network - Firewall - Traffic Rules and add a new forward rule:
| Name | SMTP to MTA (IPv6) |
| Restrict to address family | IPv6 only |
| Protocol | TCP |
| Match ICMP type | any |
| Source zone | Any zone |
| Source MAC address | any |
| Source address | any |
| Source port | any |
| Destination zone | lan |
| Destination address | 2001:db8::40 |
| Destination port | 25 |
| Action | accept |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config rule
	option name 'SMTP to MTA (IPv6)'
	option family 'ipv6'
	option proto 'tcp'
	option src '*'
	option dest 'lan'
	option dest_ip '2001:db8::40'
	option dest_port '25'
	option target 'ACCEPT'
SMTP from MTA (IPv4)
Allow IPv4 SMTP connections from the mail server to anywhere.
Using the OpenWRT web GUI, go to Network - Firewall - Traffic Rules and add a new forward rule:
| Name | SMTP from MTA (IPv4) |
| Restrict to address family | IPv4 only |
| Protocol | TCP |
| Match ICMP type | any |
| Source zone | lan |
| Source MAC address | any |
| Source address | 192.0.2.40 |
| Source port | any |
| Destination zone | Any zone (forward) |
| Destination address | any |
| Destination port | 25 |
| Action | accept |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config rule
	option name 'SMTP from MTA (IPv4)'
	option family 'ipv4'
	option proto 'tcp'
	option src 'lan'
	option dest '*'
	option src_ip '192.0.2.40'
	option dest_port '25'
	option target 'ACCEPT'
SMTP from MTA (IPv6)
Allow IPv6 SMTP connections from the mail server to anywhere.
Using the OpenWRT web GUI, go to Network - Firewall - Traffic Rules and add a new forward rule:
| Name | SMTP from MTA (IPv6) |
| Restrict to address family | IPv6 only |
| Protocol | TCP |
| Match ICMP type | any |
| Source zone | lan |
| Source MAC address | any |
| Source address | 2001:db8::40 |
| Source port | any |
| Destination zone | Any zone (forward) |
| Destination address | any |
| Destination port | 25 |
| Action | accept |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config rule
	option name 'SMTP from MTA (IPv6)'
	option family 'ipv6'
	option proto 'tcp'
	option src 'lan'
	option dest '*'
	option src_ip '2001:db8::40'
	option dest_port '25'
	option target 'ACCEPT'
Block all other SMTP
Block all other SMTP connections in and out. This is known as SMTP port management and helps prevent infected personal computers from sending spam.
Using the OpenWRT web GUI, go to Network - Firewall - Traffic Rules and add a new forward rule:
| Name | Block all other SMTP |
| Restrict to address family | IPv4 and IPv6 |
| Protocol | TCP |
| Match ICMP type | any |
| Source zone | Any zone |
| Source MAC address | any |
| Source address | any |
| Source port | any |
| Destination zone | Any zone (forward) |
| Destination address | any |
| Destination port | 25 |
| Action | reject |
| Extra arguments | |
Using the firewall configuration file /etc/config/firewall on the OpenWRT router:
config rule
	option name 'Block all other SMTP'
	option proto 'tcp'
	option src '*'
	option dest '*'
	option dest_port '25'
	option target 'REJECT'
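
The outbound rules above can be checked offline before they are loaded on the router. This is an added example, not part of the original page and not OpenWrt's own firewall code: it parses two of the page's rules (the block rule's name written as `option name`) and evaluates them first-match in file order, which is the model's assumption. `parse_rules`, `verdict` and the client address 192.0.2.50 are constructed for illustration.

```python
import ipaddress
import shlex

# Two rules from this page in file order; only the IPv4 egress case is modelled.
CONFIG = """
config rule
	option name 'SMTP from MTA (IPv4)'
	option family 'ipv4'
	option proto 'tcp'
	option src 'lan'
	option dest '*'
	option src_ip '192.0.2.40'
	option dest_port '25'
	option target 'ACCEPT'
config rule
	option name 'Block all other SMTP'
	option proto 'tcp'
	option src '*'
	option dest '*'
	option dest_port '25'
	option target 'REJECT'
"""

def parse_rules(text):
    """Parse 'config rule' sections into option dicts, preserving file order."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)  # handles the single-quoted UCI values
        if tok[:2] == ["config", "rule"]:
            rules.append({})
        elif len(tok) == 3 and tok[0] == "option" and rules:
            rules[-1][tok[1]] = tok[2]
    return rules

def verdict(rules, src_zone, src_ip, dport, proto="tcp"):
    """Return (target, name) of the first rule matching a forwarded flow.
    Assumes single-address src_ip values; dest zone is '*' in both rules."""
    ip = ipaddress.ip_address(src_ip)
    fam = "ipv%d" % ip.version
    for r in rules:
        if (r.get("proto", proto) == proto
                and r.get("family", fam) == fam
                and r.get("src", "*") in ("*", src_zone)
                and ipaddress.ip_address(r.get("src_ip", src_ip)) == ip
                and r.get("dest_port", str(dport)) == str(dport)):
            return r["target"], r["name"]
    return None  # no SMTP rule matched; the zone forwarding policy decides

RULES = parse_rules(CONFIG)
```

With the order reversed, the REJECT rule matches the mail server's own traffic first, so the accept rules have to stay above the block rule in /etc/config/firewall. An IPv6 flow from the mail server is rejected by these two rules alone, which is why the page carries a separate IPv6 accept rule.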