I am trying to set up MikroTik (RouterOS v6.24) for sending emails.

I have a Google account and I am using an SMTP connection. I know that I need to allow the outbound connection for it to work. But when I try to send an email, the inbound filter blocks the connection and sending the email fails.

    16:37:04 firewall,info input: in:ether1-WAN out:(none), src-mac 00:13:60:16:4f:c6, proto TCP (SYN,ACK), 74.125.128.108:587->x.x.x.x:5462

When I disable the input filter, the email is sent correctly.

Why do I need to allow an input connection for sending an email?

RouterOS settings:

   address: 74.125.128.108
       port: 587
  start-tls: yes
       from: xxxxx@gmail.com
       user: xxxxx
   password: xxxxxxxx
last-status: failed

Command used:

    send to=xxxxx@xxxx.com from="xxxx@gmail.com" subject="test email" body="test body"
techraf
pagep

1 Answer

It appears that you don't allow established/related connections on the Input chain.

In order for the router to communicate with the outside world (be it SMTP or anything else) when you have a firewall on the input chain, you need to allow any established/related connections back in to the router.

Simply add the following rule at the top of your input chain:

    /ip firewall filter add chain=input connection-state=established,related action=accept
Cha0s
  • Thanks, this fixes the issue (or adding an allow for the Google server). But could you please explain? You mentioned _(or anything else)_, but even when we did not have this rule in our firewall and we simply blocked all incoming traffic, we could use the internet on the devices behind the firewall without any problem. I would imagine that without that rule it should not work. – pagep Sep 14 '16 at 11:53
  • Without allowing established/related connections, and without explicitly allowing the remote IPs your router tries to connect to, the replies back from those remote IPs will be dropped. TCP/IP is a bidirectional protocol. You send *and* receive packets, so the router's firewall needs to know which of the reply packets to accept (i.e. established/related) and which to drop. That's where the 'established/related' rule comes into play. For more information on the subject you may look up 'Stateful Firewall' and iptables. – Cha0s Sep 14 '16 at 13:16
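
A toy model of the behaviour described in the answer, added here as an illustration and not code from the original posts or from RouterOS: the router's own SMTP connection creates a tracked flow, and the SYN,ACK from the logged line only passes the input chain when an established rule sits above the drop. `ROUTER_IP` and the probe address are constructed placeholders, and the `Router` class and its rule tuples are hypothetical.

```python
# Added illustration: a toy stateful input chain, not RouterOS code.
from dataclasses import dataclass

ROUTER_IP = "203.0.113.10"    # constructed stand-in for the masked x.x.x.x
SMTP_HOST = "74.125.128.108"  # SMTP server address from the question

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # informational only; the tracker keys on the 4-tuple

class Router:
    def __init__(self, input_rules):
        self.input_rules = input_rules  # ordered (state or None=any, action)
        self.conntrack = set()          # flows the router itself opened

    def send(self, pkt):
        """Router-originated packet: remember the flow it opens."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        """'established' if the packet is the reverse of a tracked flow."""
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if reverse in self.conntrack else "new"

    def receive(self, pkt):
        """Packet addressed to the router: first matching input rule wins."""
        st = self.state(pkt)
        for match_state, action in self.input_rules:
            if match_state is None or match_state == st:
                return action
        return "accept"  # no rule matched

DROP_ALL = [(None, "drop")]                                    # the failing setup
WITH_ESTABLISHED = [("established", "accept"), (None, "drop")]  # after the fix

def smtp_attempt(rules):
    """Return (verdict for the SMTP reply, verdict for an unsolicited SYN)."""
    r = Router(rules)
    r.send(Packet(ROUTER_IP, 5462, SMTP_HOST, 587, "SYN"))
    reply = r.receive(Packet(SMTP_HOST, 587, ROUTER_IP, 5462, "SYN,ACK"))
    probe = r.receive(Packet("198.51.100.7", 40000, ROUTER_IP, 22, "SYN"))
    return reply, probe

if __name__ == "__main__":
    print("drop-all input chain:  ", smtp_attempt(DROP_ALL))
    print("established rule first:", smtp_attempt(WITH_ESTABLISHED))
```

With the established rule in place the reply to the router's own connection is accepted while the unsolicited SYN from the WAN side is still dropped.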