About SMTP server value in HotSpot Server Profile Properties by Mike Everest

Q: Just wondered if you know what these 2 NAT rules do, and I cannot even change them. The reason I am asking is that after the Internet outage at Site 1 2 weeks ago, some of our users there could not connect to port 25 on any SMTP server, including ours, from either Outlook or a printer. I checked the gateway router and these 2 NAT rules look like they have something to do with port 25.
Rule number 0 and number 13, you can jump into x.x.x.x and have a look if needed. Thanks

A: Those rules are SMTP redirect support for the captive portal (hotspot) application. They are added by default when setting up the hotspot service under IP -> Hotspot -> Setup IF an IP address is entered in response to 'smtp relay server'.

You will notice that the chain is 'hs-auth', which is jumped to by rule #8, which says: when arriving in the 'hotspot' chain and hotspot type is 'authenticated', jump to the 'hs-auth' chain.

The 'hotspot' chain is triggered by rule #1: when hotspot type is 'from client', jump to the 'hotspot' chain.

The rule in your question (rule # zero) has the effect that when the destination port is 25, jump to the 'hs-smtp' chain. There is one rule in the smtp chain, #23, which essentially says "redirect the connection to host x.x.x.x".

So your one question becomes two ;-)

1. what is x.x.x.x, and
2. why is that host defined at all?

Unfortunately I can't answer either of those questions. x.x.x.x seems to reverse lookup to some dynamic host address with no apparent services attached (certainly not mail service at least) and we NEVER define smtp redirect host when we set up default captive portal services.

I can tell you how to disable/change it though! :-) Just go to 'IP -> Hotspot -> Server profiles' and edit the active profile (in this case it is 'hsprof1'). On the 'general tab', set or remove the last field, "SMTP Server".

Should you change it or remove it? The answer depends on what you want to achieve.

The reason it is there is because most unauthenticated mail delivery agents will not accept outbound mail from unknown networks. This is a security measure to prevent unauthorised relay of unsolicited bulk mail (i.e. spam). Therefore, users who normally access mail using some kind of desktop mail client like Windows Mail, Outlook, Thunderbird, etc. via their own internet service will have the outbound mail server set to the SMTP agent of their ISP. The ISP accepts the mail and relays it to the final destination because it recognises the client as one of its own customers. When sending via a hotspot service, though, the client is unknown to that ISP mail server and so it will reject the mail delivery, thus the customer can't deliver mail - end result: customer calls YOU ;-)

The intent of this smtp relay system is to trap the outbound mail connections and route them to a mail relay agent that WILL relay the mail - i.e. your own. Your own smtp relay will recognise the client as coming from inside your own network, and so the client mail program works again without anyone noticing. End result: NO PHONE CALL :-)

BUT this is all well and good for mail clients that send email by unauthenticated SMTP (unless the mail server is set to some non-existent host like you have right now!) - the problem these days is that most mail systems use some form of AUTHENTICATED smtp outbound mail.  Thus the mail client will connect to the ISP mail server and offer it some credentials that identify the client as 'known' and therefore allowed to relay mail through that service.

If you have been clever enough to relay the mail through your own server (to avoid phone calls) then you are caught out because YOUR mail server will not accept the auth credentials offered by the client. Why should it? They are credentials configured on some other mail server! End result: the customer calls you!

So... the dilemma. Do you implement a redirect to avoid getting phone calls from customers who do not use smtp auth, or do you NOT implement it to avoid getting calls from customers who DO use smtp auth? 10 years ago, the decision was easy to go with the former - not many people used smtp auth. About 5 years ago the decision was hard - the auth to non-auth base was about 50/50 - you were caught between a rock and a hard place. Nowadays, the decision is easy again. MOST mail systems implement smtp auth, so you will likely get more calls if you DO redirect than if you don't.

Therefore, I recommend that you leave the smtp relay server field disabled for this reason.

Hope it helps - further questions are welcome!
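
The chain walk described in the answer (dstnat -> hotspot -> hs-auth -> hs-smtp -> redirect) can be checked mechanically when auditing a gateway for an unexpected SMTP redirect. The Python sketch below is an added example, not part of the original article or of RouterOS: the rule lines are a constructed, simplified key=value rendering of the rules described, 192.0.2.25 is a documentation address standing in for the masked x.x.x.x, and all function names are hypothetical.

```python
# Constructed rule set modelled on the chain layout described in the answer.
# 192.0.2.25 is a placeholder for the masked redirect host x.x.x.x.
SAMPLE_NAT = """\
chain=dstnat action=jump jump-target=hotspot hotspot=from-client
chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth
chain=hotspot action=jump jump-target=hs-auth hotspot=auth
chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
chain=hs-smtp action=dst-nat to-addresses=192.0.2.25 protocol=tcp
"""

def parse_rules(text):
    """Turn 'key=value ...' lines into a list of dicts, keeping rule order."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet.
    pkt maps each matcher name to the set of values the packet satisfies."""
    for key in ("protocol", "dst-port", "hotspot"):
        want = rule.get(key)
        if want is None:
            continue
        negate = want.startswith("!")
        if (want.lstrip("!") in pkt.get(key, set())) == negate:
            return False
    return True

def trace(rules, pkt, chain="dstnat", path=None):
    """Follow jumps from `chain`; return (chains visited, dst-nat target or None)."""
    path = (path or []) + [chain]
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump" and rule["jump-target"] not in path:
            sub_path, target = trace(rules, pkt, rule["jump-target"], path)
            if target:
                return sub_path, target
        elif rule["action"] == "dst-nat":
            return path, rule["to-addresses"]
    return path, None  # fell off the end of the chain: no redirect here

def audit_smtp(rules, approved_relays, port="25"):
    """Report where an authenticated hotspot client's mail connection ends up."""
    pkt = {"protocol": {"tcp"}, "dst-port": {port},
           "hotspot": {"from-client", "auth"}}
    path, target = trace(rules, pkt)
    return {"path": path, "target": target,
            "unexpected": target is not None and target not in approved_relays}
```

Calling `audit_smtp(parse_rules(SAMPLE_NAT), approved_relays=set())` reports the redirect host as unexpected, which is the situation in the question: port 25 traffic from authenticated clients is being sent to a host nobody on site recognises.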



Copyright © 2018 DuxTel Online Store