25-Aug-2013: initial release.
Today there are a lot of devices you can use to access your mail. It is a good idea to make everything so that you use the same settings for fixed internal PC’s and for mobile devices that connect from a public Internet access point or internal LAN. With the setup from the previous articles this is easy to do. You just have to make sure that mail connections to mail.wpl.uk (our example net) connect you to the postfix and dovecot servers no matter where you are. From the public Internet, just forward the ports 25, 587 and 993 to the server which runs postfix and dovecot. At least you should already have port 25 open to receive mail. Port 587 will be used to deliver mail using the SMTP protocol, but to allow to send mail for internal clients they must login and use TLS to crypt the connection. The same is true for port 993, this is the IMAP port on wich the user must use TLS to crypt the connection and authorize with his existing Unix user name and password.
The problem is when a user is inside the network, the name mail.wpl.uk resolves to the external IP address instead of the internal address that the servers are listening on. Not that this is only true for IPv4 connections. IPv6 just works because the IPv6 addresses for the postfix and imap servers are the same for everyone.
In the firewall you must add a rule on the homsrv machine (where the local users are) that translates the external IPv4 address to the internal IPv4 address.
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp -m multiport \ -s 10.126.160.0/21 -d 220.127.116.11 --dports 993,25,587 -j DNAT \ --to-destination 10.126.161.2
If you use Firewall Builder, then enter this under the homsrv firewall, NAT.
All clients are a bit different, but in general it should be this for incoming mail using the IMAP protocol:
Server name: mail.wpl.uk Server port: 993 (imaps). User name: The Unix user name. Connection security: SSL/TLS Auth method: Normal password.
For outgoing mail use the submission port (SMTP with authorization):
Server name: mail.wpl.uk Server port: 587 (submission). User name: The Unix user name. Connection security: STARTTLS Auth method: Normal password.
A note about certificates. In this project we use self signed certificates and the mail clients are forced to use TLS. These client will pop up messages that the servers provide untrusted certificates. To avoid that the root certificate should be installed on the client computers and or in the mail programs. This depends on the client OS and used clients.
As usual, the configuration can be found on the download page.