Hey guys,
I need to do a config I have not done before. I did some searching around here, but my scenario seems a tiny bit more complicated, so I wanted to check here before I mess up the client's live mail system.
The Situation:
• client has its own internal mail server
• client has 2 internet connections; WAN1 is very fast but unreliable, WAN2 (PPPoE) is very, very slow but reliable.
• I set up the ERL firmware v1.9 with the wizard for dual WAN in fail-over mode (I love it!)
• I set up 2 DNS MX records; MX priority 10 for the main fast WAN1, MX priority 20 for the backup WAN2
(also see my amazing drawing attached, made in Monodraw for Mac, but I failed to make it work as text in this post lol)
The Goal:
If the main WAN1 goes down, WAN2 kicks in:
• client gets (slow) internet via WAN2 (better something than nothing, right?)
• incoming email gets delivered via MX 20
BUT....
I need to stop the mail server from sending out email via WAN2!
(due to reverse DNS / PTR records limitations for the mail server fully qualified hostname)
So far this is what I think I need to do:
- download backup config file
- create a port group containing ports TCP 25, 465, 587 (I'm not sure about this yet though)
- add a firewall ruleset with default action allow? name it WAN2-OUT
- set interfaces to eth1 (WAN2) and pppoe1, or is pppoe1 sufficient? direction out
- add a rule: action reject, protocol tcp, state new? source LAN IP of mail server, destination the port group created in step 1
I'm not sure about the following though:
- Should port 587 be included or not? If an employee is external, does it not use 587 to "drop" outgoing mail on the mail server to send out? (I should ask this in the Kerio Connect fora really)
- I don't need any other "default rules", right? Like in the standard incoming rulesets.
- The backup line WAN2 is a PPPoE connection; when PPPoE is involved, always select that as the interface, not the eth it's on, right?
- I'm not sure about the states thing (never used these before). I don't want to block outgoing SMTP communication when the server is communicating about new incoming email, or is this not how it works?
Any pointers/corrections, help (or alternatives) what so ever is greatly appreciated!
Regards from Amsterdam!
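The plan in the post, written out as an EdgeOS configuration session. This is an added example, not config from the original post or from Ubiquiti, and it assumes two things the post does not state: the mail server's LAN address is 192.168.1.10 (a constructed value) and WAN2 is PPPoE unit 1 on eth1, which EdgeOS exposes as the interface pppoe1. The port group includes 587 simply because the post lists it; whether to keep it is the open question in the post.

```vyatta
# Added example (not from the original post). Assumptions: mail server is
# 192.168.1.10 (constructed), WAN2 is PPPoE unit 1 on eth1 (interface pppoe1).
configure

# Step 1: port group with the SMTP ports listed in the post (587 included as written)
set firewall group port-group SMTP-OUT description 'Outbound mail ports'
set firewall group port-group SMTP-OUT port 25
set firewall group port-group SMTP-OUT port 465
set firewall group port-group SMTP-OUT port 587

# Step 2: the ruleset; default accept so all other traffic via WAN2 keeps working
set firewall name WAN2-OUT default-action accept
set firewall name WAN2-OUT description 'Stop mail server sending SMTP via backup WAN'

# Step 3: one rule that matches only connections the mail server itself opens.
# 'state new' matches the first packet of a new TCP session; packets belonging
# to sessions that arrived inbound are 'established' and never hit this rule.
set firewall name WAN2-OUT rule 10 action reject
set firewall name WAN2-OUT rule 10 description 'No outbound SMTP from mail server on WAN2'
set firewall name WAN2-OUT rule 10 protocol tcp
set firewall name WAN2-OUT rule 10 state new enable
set firewall name WAN2-OUT rule 10 source address 192.168.1.10
set firewall name WAN2-OUT rule 10 destination group port-group SMTP-OUT
set firewall name WAN2-OUT rule 10 log enable

# Step 4: attach the ruleset to the PPPoE interface, direction out.
# Attaching to the PPPoE unit rather than plain eth1 matches the traffic after
# it is routed into the PPPoE tunnel, which is the path mail would take on fail-over.
set interfaces ethernet eth1 pppoe 1 firewall out name WAN2-OUT

commit
save
exit
```

A few things worth checking after the commit. `show firewall name WAN2-OUT statistics` shows packet and byte counters per rule, so you can confirm rule 10 only starts counting when WAN1 is down and the mail server tries to deliver. Because the rule matches source address plus `state new`, it affects only sessions the mail server initiates outward over WAN2: replies inside an inbound SMTP delivery arriving on MX 20 are part of an established session and pass, and a remote employee submitting mail to the server on 587 is an inbound connection and is not matched either. What the rule does stop is the server's own outbound connections to 25, 465 or 587, so if Kerio relays through an upstream smarthost on 587, that relay will also be refused while on WAN2. `reject` rather than `drop` sends a TCP reset, so the mail server sees an immediate failure and keeps the message in its queue for a later retry instead of waiting on connection timeouts.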