I'm having problems receiving mails from external sources. Sending works flawlessly, 10/10 scores with the mail-tester.
Rough setup: VPS -> iptables DNAT -> WG Tunnel -> OPNSense -> DNAT -> VM/Mailcow
Alternative (for troubleshooting): VPS -> iptables DNAT -> WG Tunnel -> OPNSense -> VM/Mailcow.
The DNS setup points to my VPS where iptables NATs every incoming connection on the Mailcow ports.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 172.16.1.5
This is part of a script that is executed whenever the VPS/WireGuard boots. The destination is the OPNSense endpoint of WireGuard. On OPNSense itself the incoming connections have NAT again (though with my alternative that was skipped), and 172.16.1.5 gets DNATed to my VM IP where Mailcow runs.
With tcpdump on the VM interface I can see the SYN going through every interface (eth0/br-mailcow/vethXXXXX):
ens18 In IP externalIP.47173 > mail.smtp: Flags [S], seq 3589073342, win 64240, options [mss 1460,sackOK,TS val 524804313 ecr 0,nop,wscale 7], length 0
br-mailcow Out IP externalIP.47173 > 172.22.1.253.smtp: Flags [S], seq 3589073342, win 64240, options [mss 1460,sackOK,TS val 524804313 ecr 0,nop,wscale 7], length 0
veth7712c3d Out IP externalIP.47173 > 172.22.1.253.smtp: Flags [S], seq 3589073342, win 64240, options [mss 1460,sackOK,TS val 524804313 ecr 0,nop,wscale 7], length 0
After that, nothing. Mails get returned, timeouts shown. Mailcow shows all systems running, no errors, no logs in Postfix.
No more packets going out, the SYN stays unanswered, Postfix doesn't react to it.
Telnet on port 25 to the mail domain/VPS IP gets a timeout. Using telnet internally from another VM to the Mailcow VM IP works perfectly:
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX
Escape character is '^]'.
220-mail.domain.tld ESMTP Postcow
Tried it without the DNAT/port forwarding on OPNSense, but the results were the same.
The configuration for Mailcow is relatively unchanged, only ACME disabled and bindings/ports for the web interface:
HTTP_PORT=8080
HTTP_BIND=XX.XX.XX.XX
HTTPS_PORT=9443
HTTPS_BIND=XX.XX.XX.XX
I don't know if it's relevant, but outgoing mails are sent through the VPS/WireGuard with PBF. Since the incoming connection establishes a session, this shouldn't apply to answers, though these don't even happen, as shown above.
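As an added example (not part of the post above), this is the full set of VPS-side rules a DNAT-into-WireGuard forwarder usually needs: the PREROUTING DNAT from the post plus the FORWARD accepts for the flow and a POSTROUTING source NAT on the tunnel so the SYN-ACK is routed back through the VPS. Interface names (eth0, wg0), the tunnel endpoint 172.16.1.5 and the port list are assumptions taken from or modelled on the post.

```shell
#!/bin/sh
# Generates (and optionally applies) the VPS-side iptables rules that forward
# a set of TCP ports into a WireGuard tunnel. Interface names, tunnel endpoint
# and ports are example assumptions, not values from a real deployment.
set -eu

# gen_rules WAN_IF WG_IF DEST PORT [PORT...]  -> prints one iptables command per line
gen_rules() {
  wan=$1; wg=$2; dest=$3; shift 3
  for port in "$@"; do
    # Rewrite the destination of inbound connections (the rule the post already has).
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $dest"
    # Allow the DNATed SYN and the rest of the flow across the tunnel; a DROP
    # policy on FORWARD silently eats the SYN right after DNAT.
    echo "iptables -A FORWARD -i $wan -o $wg -p tcp -d $dest --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT onto the tunnel so the SYN-ACK comes back via the VPS even if the
    # far end would otherwise route the public client IP out of its own WAN.
    echo "iptables -t nat -A POSTROUTING -o $wg -p tcp -d $dest --dport $port -j MASQUERADE"
  done
  # Return path for every forwarded flow.
  echo "iptables -A FORWARD -i $wg -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules: same arguments; runs each rule, skipping ones already present
# (-C check) so the script is safe to re-run at every boot.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules "$@" | while IFS= read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    sh -c "$check" 2>/dev/null || sh -c "$rule"
  done
}

# count_rules: number of rule lines emitted (3 per port + 1 shared return rule)
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

case "${1:-}" in
  --apply) shift; apply_rules "$@" ;;
  --print) shift; gen_rules "$@" ;;
esac
```

The MASQUERADE line makes Postfix see the VPS tunnel address instead of the real client IP, which affects its logs and any IP-based checks in Rspamd; if that matters, drop that line and instead make sure OPNsense routes replies to those public client addresses back through the tunnel.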