Guest masonjd Posted July 8, 2004

This post has been split from the SMTP service thread by spinynorman.

I hope no one minds that I am going to jump on to this. I am having the exact same problem. Let me give you some details about my system and what I am trying to do. I have Mandrake 10 installed and it is acting as my web server, email server, and router. It is the firewall/gateway between my home LAN (with about 3 other machines) and the internet. I am fairly familiar with Postfix and Linux as I have been running them for three years. Up until now I've just used SquirrelMail to access my IMAP folders etc. Now I want to use clients external to my system like Outlook or Thunderbird from work or my laptop.

My firewall definitely does not block port 25. I am using Shorewall and it is open as seen from both the Shorewall GUI screens as well as /etc/shorewall/rules. However, when I run nmap against my machine from outside of the network every port listed as open in my shorewall rules file is displayed except port 25. I can telnet to port 25 from any computer on my LAN but cannot from outside of my network. I can telnet to every other port listed as open on my firewall. I have even tried disabling my firewall entirely but SMTP connections from outside of my network are still rejected.

So when I run Thunderbird on any machine from within my network I can send email just fine. From outside the network I just get connection refused errors. My main.cf file lists my work IP address in the mynetworks option. I have even gone so far as to list the entire work subnet as allowed and still nothing. I also have inet_interfaces set to all. So I think I've checked just about everything. The fact that I still can't get any response on port 25 even though I shut off my firewall completely makes me think that there is something going on that I don't know about. Any ideas?
johanl Posted July 9, 2004

It seems to me you don't have the same problem as I had. What I understand from your story is that you can receive emails fine on your system from other people, but when you try to send emails your messages get rejected by the other server. Right? So incoming SMTP connections (port 25) go through to your server and you receive mails. But when you send mails through that same server, it has to make an outgoing connection on port 25 directly to another SMTP server. If this is correct so far, you can try setting up Postfix to send mail through your ISP's SMTP server, and see if it works then.
streeter Posted July 9, 2004

How are you connecting - DSL with a static address, or something else? Also, what hardware? If you run nmap on your external interface IP address from the Postfix PC itself, do you get port 25 listed? If you do, then Postfix is listening on this interface and the problem must be elsewhere.

Chris
Guest masonjd Posted July 9, 2004

Let me clarify a bit. When I use a webmail program hosted on the Mandrake box or any email client program, like Thunderbird or Outlook, from my LAN I can send and receive email just fine. If I try to use an email client program from work I can receive email just fine but when I try to send email I get an error saying that the server refused the connection on port 25.

I live in a townhome with a T1 line coming directly to the development. So no DSL or cable modem. Just plain old internet connection. My Mandrake 10 box is my firewall/gateway. It gets a static IP from my ISP. I've talked to them and they do not filter nor block any port. This is an old Dell Optiplex 700 MHz P11 with two network cards. eth0 is getting a static IP from my ISP and eth1 is the gateway for my LAN.

I'll install and run nmap from the machine to itself tonight after work. I'll let you know what I get. The more I think about it, the more I think the problem may just be with my main.cf. I think I may have the mynetworks option set incorrectly. Any ideas...?
streeter Posted July 10, 2004

As I understand it, mynetworks should just contain trusted IP addresses and their masks - so add your clients' network address and mask in the form 192.168.0.0/24. You should probably narrow this down to only the hosts you are using once you are happy with it working, i.e. 192.168.0.3/32, as these hosts are allowed to relay mail. Entries are separated by white space and/or a comma.

Is inet_interfaces = all set? You can read Postfix default settings with postconf -d and settings that have been changed by you with postconf -n. Easier than trawling through main.cf.

Chris
Guest masonjd Posted July 10, 2004

inet_address = all is set. When I nmap from the box itself port 25 is displayed open. But when I run nmap from another computer outside of the LAN 25 does not show up at all, which I believe indicates that it is filtered or closed.
Guest LibraOne Posted July 10, 2004

Masonjd, maybe you can paste the relevant bits of the output of postconf -d here, so we can help better.

Cheers, LibraOne
streeter Posted July 10, 2004

Please post output of "iptables -nvL" and "iptables -nvL -t nat" - if Postfix is listening on your outgoing interface, it is almost certainly being filtered. Install iptables with urpmi iptables if you need to.

Chris
Guest masonjd Posted July 11, 2004

The output of iptables -nvL:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
290K 194M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
260K 182M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2635K 1890M eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
34988 17M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
26067 2788K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
290K 194M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
196K 101M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
1207K 237M all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain Drop (1 references)
pkts bytes target prot opt in out source destination
40216 16M RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
40147 16M dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
2828 190K DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
1275 114K DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
1275 114K dropNonSyn all -- * * 0.0.0.0/0 0.0.0.0/0
1200 107K DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
51 10126 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
4 2298 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
627 30134 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
922 44456 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900

Chain Reject (4 references)
pkts bytes target prot opt in out source destination
390 163K RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
390 163K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
283 110K RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
283 110K DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
283 110K dropNonSyn all -- * * 0.0.0.0/0 0.0.0.0/0
283 110K DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
69 3508 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain all2all (2 references)
pkts bytes target prot opt in out source destination
1207K 237M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
390 163K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
283 110K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
283 110K reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
37407 16M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
19 532 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast

Chain dropNonSyn (2 references)
pkts bytes target prot opt in out source destination
75 6101 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
34988 17M net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
53810 17M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
260K 182M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
1156 89697 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
26067 2788K loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
3448 259K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
2635K 1890M loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
190K 101M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4203 252K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1550 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
2631K 1890M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,137,138,139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
17 992 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:109
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
64 3062 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5902
3155 152K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
207 103K all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
24911 2698K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1156 89697 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
34988 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
40216 16M Drop all -- * * 0.0.0.0/0 0.0.0.0/0
1149 97334 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
1149 97334 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
206K 165M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9681 1325K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,137,138,139
3170 155K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 168 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
14 672 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
249 13480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:109
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
8 384 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
462 22232 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
9 432 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5902
40216 16M net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
69 3508 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
283 110K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0

Output of iptables -nvL -t nat:

Chain PREROUTING (policy ACCEPT 206K packets, 32M bytes)
pkts bytes target prot opt in out source destination
4569 346K loc_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 11271 packets, 621K bytes)
pkts bytes target prot opt in out source destination
6443 416K eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 11385 packets, 678K bytes)
pkts bytes target prot opt in out source destination

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
1121 86944 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0

Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
3155 152K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

I did a man lookup on postconf and it appears that postconf -d shows you the default settings instead of what my current settings are. Is that what you really wanted?
[formatted by spinynorman]
Guest LibraOne Posted July 11, 2004

masonjd, I can't read this iptables output, I do not use a firewall on my mailserver. I'll leave that to streeter. Maybe he'll find the cause. If not, what I'm interested in is these settings in your main.cf:

inet_interfaces
mydestination
mynetworks_style
mynetworks

Especially -mynetworks- is important. In my configuration mynetworks_style is blank. mynetworks looks like this in my config:

mynetworks = 192.168.xy.0/24, 192.168.xz.0/24, www.xxx.yyy.zzz/32, 127.0.0.1/32

The first and second are my local networks respectively, the third is my internet connection, the fourth is the local host. I think for you it's important to set the third, unless you have done that already.

Cheers, LibraOne
streeter Posted July 11, 2004

OK - your firewall is allowing input from eth0 to port 25 - in fact it had accepted 249 packets in that session, so the firewall is not the problem. The only line that could possibly be stopping input is

0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

which stops non-ICMP packets that are invalid. To stop your SMTP traffic, the packets sent would have to be 'broken' somehow - unlikely seeing as you have tried from several machines... Suppose we could comment it out in the config just to make sure. It is also allowing all valid output to leave on eth0.

postconf -d does give the default settings, but the default settings are somewhat dynamic - for instance a dynamic dial-up IP address would appear in mynetworks here. postconf -n gives the settings you have changed - between the two commands, we can see the entire setup. As LibraOne says, it looks like the mynetworks statement may be at fault.

Chris
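Reproducing streeter's reading of the dump in code, as an added example that is not part of the thread: a small parser for `iptables -nvL` output that follows the chain jumps a packet arriving on a given interface can take from INPUT and reports every rule matching tcp dpt:25 together with its packet counter. The embedded dump is a constructed excerpt of the output masonjd posted.

```python
import re
# Constructed excerpt of the `iptables -nvL` output posted in the thread,
# trimmed to the chains a packet arriving on eth0 or eth1 can traverse.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 290K  194M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *     *       0.0.0.0/0            0.0.0.0/0            state INVALID
 260K  182M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2635K 1890M eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 260K  182M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
2635K 1890M loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  249 13480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
40216   16M net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
"""

def parse_iptables(text):
    """Map chain name -> rules; columns are pkts bytes target prot opt in out src dst [match]."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        tok = line.split()
        if current is None or len(tok) < 9 or tok[0] == "pkts":
            continue  # blank line or column header
        current.append({"pkts": tok[0], "target": tok[2], "prot": tok[3],
                        "in": tok[5], "match": " ".join(tok[9:])})
    return chains

def to_int(count):
    """Expand the K/M/G abbreviations iptables -v uses for large counters."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(count[:-1]) * mult[count[-1]] if count[-1] in mult else int(count)

def smtp_rules(chains, iface, start="INPUT", path=()):
    """Follow each jump a packet arriving on `iface` can take from `start`; return (path, target, pkts) per tcp dpt:25 rule."""
    path, hits = path + (start,), []
    for rule in chains.get(start, []):
        if rule["in"] not in ("*", iface):
            continue  # rule is bound to a different interface
        if rule["prot"] == "tcp" and "dpt:25" in rule["match"].split():
            hits.append((" > ".join(path), rule["target"], to_int(rule["pkts"])))
        elif rule["target"] in chains and rule["target"] not in path:
            hits.extend(smtp_rules(chains, iface, rule["target"], path))
    return hits
```

For the posted dump this yields the single `net2fw` ACCEPT with 249 packets for eth0, which is the line streeter points at; a `DROP` or `reject` target in that list instead would mean the firewall really was the cause.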
Guest masonjd Posted July 12, 2004

Okay. Here are the requested pieces of my main.cf:

mynetworks = 128.187.0.0/16, 127.0.0.0/8, 192.0.0.0/8, 192.168.1.1
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = all

mynetworks_style is commented out. The first number in mynetworks is my employer's class B sub domain. I freely admit that I may be totally wrong in how I set this up. (In fact I'm almost sure it is, because things aren't working.) The other ones are my attempts to make sure that I can send mail from inside my LAN. This is working, though you may be able to suggest a better way to do it. All I really want to do is be able to relay mail through my Linux router from work.

Thanks.
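An added example (not from the thread) that applies streeter's and LibraOne's advice to the mynetworks line masonjd posted: it parses `postconf -n` style output and flags entries that grant relaying beyond private networks and the single hosts actually in use. The sample settings are constructed from the post above.

```python
import ipaddress

# Constructed sample, copied from the settings masonjd posted.
SAMPLE_POSTCONF_N = """\
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 128.187.0.0/16, 127.0.0.0/8, 192.0.0.0/8, 192.168.1.1
"""

# Ranges that are never routed from the public internet (RFC 1918 + loopback).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_postconf(text):
    """Turn `postconf -n` style 'name = value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings

def split_mynetworks(value):
    """Postfix accepts entries separated by whitespace and/or commas."""
    return value.replace(",", " ").split()

def audit_mynetworks(value):
    """Return (entry, verdict) for each mynetworks entry. Every entry grants
    unauthenticated relaying, so anything wider than the hosts you actually
    use is an open-relay exposure. A bare address counts as /32, as in Postfix."""
    findings = []
    for entry in split_mynetworks(value):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "unparseable entry"))
            continue
        same = [p for p in PRIVATE if p.version == net.version]
        if net.num_addresses == 1:
            findings.append((entry, "ok: single host"))
        elif any(net.subnet_of(p) for p in same):
            findings.append((entry, "ok: private range"))
        elif any(p.subnet_of(net) for p in same):
            # e.g. 192.0.0.0/8 reaches far beyond 192.168.0.0/16 into public space
            findings.append((entry, "too broad: also relays for public addresses"))
        else:
            findings.append((entry, "public range: narrow to the /32 hosts you use"))
    return findings
```

Run against the posted line it accepts 127.0.0.0/8 and 192.168.1.1, flags 192.0.0.0/8 as far wider than the home LAN, and flags the employer's /16 as a public range that should shrink to the individual workstation addresses.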
streeter Posted July 14, 2004

I think you may need to set the proxy_interfaces parameter to the address of the port you receive the port-forwarded mail on.

Chris
Guest masonjd Posted July 16, 2004

I'm not sure I understand.

    I think you may need to set the proxy_interfaces parameter to the address of the port you receive the port forwarded mail on. Chris

I don't think I have port-forwarded mail. All of my mail transfer happens on standard ports. The problem I am experiencing is accessing SMTP from a computer not within my LAN. No port forwarding is happening.
Guest masonjd Posted July 16, 2004

It turns out that my settings are correct. It is just that my work has blocked port 25 leaving the network. You have to be on a whitelist to get it to work. So thanks to everyone who tried to help me out.