0

my network looks like this:
Internet <-> Gateway router(nat) <-> enp0s3 Linux enp0s8(NAT) <-> SMTP server

Without Linux NAT it works ok, but I need it.

When I try to send mail to another server i get: Network screen and reply from my smtp server: Cannot start TLS: handshake failure
I used these rules in firewalld:

nmcli connection modify enp0s8 connection.zone internal
firewall-cmd --get-active-zone
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --query-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp0s3 -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s8 -o enp0s3 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT

Have you got any ideas?

tater
  • 1,445
  • 2
  • 10
  • 12
Bomzi
  • 1
  • 1
  • This error has nothing to do with using NAT or not. It's is a problem at the application layer and NAT does not make any changes to this. Unfortunately the current information do not help in pinning down the real cause of the problem. It might be a mismatch in supported ciphers or protocol version between this specific client and this specific server, but this is just speculation. – Steffen Ullrich Oct 02 '20 at 21:33
  • Emails sent by users to external servers are cached and are waiting to be sent, or rather TLS authentication, which one time takes place and another time does not. Emails wait a 10-15 minutes before they are sent to the server. Without that NAT server it works great. – Bomzi Oct 02 '20 at 21:37
  • *"Without Linux NAT it works ok, but I need it."* - it might be helpful to provide a packet capture of a working vs. a non-working connection then. Please the full pcap file and not just a screenshot or similar. – Steffen Ullrich Oct 02 '20 at 21:38

0 Answers0