Postfix SMTP server with iptables

amr.es
Posts: 11
Joined: 2014/02/16 17:22:59

Postfix SMTP server with iptables

Post by amr.es » 2014/02/27 12:53:52

Hello,

I have a CentOS 6.4 server working as an SMTP server using Postfix (server IP 10.10.10.2). I configured iptables to only allow connections to port 25 from specific IPs.

There is a specific domain (example.com) that gets relayed to another SMTP server (IP 10.10.0.9).

The relaying is working correctly.

The problem is that with iptables enabled, some emails get relayed and others don't, and the mailq fills up with messages from the relayed domain (example.com) with errors like "timed out while sending end of data -- message may be sent more than once", "conversation with 10.10.0.9 timed out while sending message body" or simply a connection timeout.

With iptables disabled there are no errors; all mails get relayed successfully.

iptables rules are:
iptables -A INPUT -p tcp --sport 25 -i eth1 -s 10.10.0.9 -d 10.10.10.2 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -o eth1 -s 10.10.10.2 -d 10.10.0.9 -j ACCEPT


Thanks

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Postfix SMTP server with iptables

Post by TrevorH » 2014/02/27 15:55:25

Don't use domain names that exist already: example.com definitely does.

If those are the rules from 10.10.0.2 (the relay box) then they look like they are the wrong way around to me. Could you please post the entire output of `iptables-save` from this machine so we can see them in context.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

igro
Posts: 77
Joined: 2010/08/27 00:41:25

Re: Postfix SMTP server with iptables

Post by igro » 2014/02/27 16:44:16

And check nslookup.
Maybe there is some kind of RR DNS; then you will need to write it to /etc/hosts.

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: Postfix SMTP server with iptables

Post by Whoever » 2014/02/27 16:57:39

amr.es wrote:
iptables rules are:
iptables -A INPUT -p tcp --sport 25 -i eth1 -s 10.10.0.9 -d 10.10.10.2 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -o eth1 -s 10.10.10.2 -d 10.10.0.9 -j ACCEPT


Thanks
You need to show ALL the rules. If these rules are applied AFTER the packets are already dropped, they won't do much good.

amr.es
Posts: 11
Joined: 2014/02/16 17:22:59

Re: Postfix SMTP server with iptables

Post by amr.es » 2014/02/28 09:14:44

TrevorH wrote: Don't use domain names that exist already: example.com definitely does.

If those are the rules from 10.10.0.2 (the relay box) then they look like they are the wrong way around to me. Could you please post the entire output of `iptables-save` from this machine so we can see them in context.
Sorry, example.com is just an example; the real domain is an internal domain in the company. When iptables is enabled some mails get relayed successfully, some of them not, and they give the errors I mentioned in the post. The rules are posted below.
igro wrote: And check nslookup.
Maybe there is some kind of RR DNS; then you will need to write it to /etc/hosts.
I think no DNS resolving is needed since it will just relay the mail from this domain to another SMTP server, so there is no need to resolve it before relaying.
Whoever wrote: You need to show ALL the rules. If these rules are applied AFTER the packets are already dropped, they won't do much good.
Sorry, I can't post our subnet IPs; here is a snapshot from iptables-save after removing the IPs:

-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -o eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -j DROP

Hope this will help, thank you all.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Postfix SMTP server with iptables

Post by TrevorH » 2014/02/28 10:49:34

You stripped out some important information like the default policy of each chain. This is at the top of the iptables-save output. From what you did post, I can see that you have 4 identical rules at the top where one would do. Also you don't seem to have the ESTABLISHED,RELATED rules that would solve this problem for you. Please post the entire iptables-save output and try not to obscure anything. If all your IP addresses and subnets are RFC1918 private addresses then it doesn't really hurt to post them since you are not publishing anything that anyone can get to.

amr.es
Posts: 11
Joined: 2014/02/16 17:22:59

Re: Postfix SMTP server with iptables

Post by amr.es » 2014/02/28 16:25:31

TrevorH wrote: You stripped out some important information like the default policy of each chain. This is at the top of the iptables-save output. From what you did post, I can see that you have 4 identical rules at the top where one would do. Also you don't seem to have the ESTABLISHED,RELATED rules that would solve this problem for you. Please post the entire iptables-save output and try not to obscure anything. If all your IP addresses and subnets are RFC1918 private addresses then it doesn't really hurt to post them since you are not publishing anything that anyone can get to.
Sorry, the default is ACCEPT; I drop everything explicitly in the last rule.

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.175.14.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.39.224.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.8.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.31.69.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -o eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -j DROP

I think ESTABLISHED,RELATED and NEW are used if I want to create a stateful firewall. Is this a stateless firewall, where each packet gets matched independently, or what? Also, with these rules the server works properly and sends mails, but the problem happens when it relays the mails of a specific domain to the other mail server.

I tried not specifying a port in the relay rules just to test, but same problem: some mails are relayed, others time out and are kept in the queue, as seen below:
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -j ACCEPT

Thank you, waiting to hear your opinion :)

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Postfix SMTP server with iptables

Post by TrevorH » 2014/02/28 20:40:57

Well all your problems would be solved if you used the ESTABLISHED,RELATED rule since you'd just need the OUTPUT rule allowing traffic to --dport 25 on the destination server and iptables would remember everything else for you and make it work.

amr.es
Posts: 11
Joined: 2014/02/16 17:22:59

Re: Postfix SMTP server with iptables

Post by amr.es » 2014/03/01 10:08:17

TrevorH wrote: Well all your problems would be solved if you used the ESTABLISHED,RELATED rule since you'd just need the OUTPUT rule allowing traffic to --dport 25 on the destination server and iptables would remember everything else for you and make it work.
So you mean the output rule to the server I relay to should be

-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Or should it be in the INPUT direction? I will test this rule and give feedback, but can you explain more: if 10.10.10.2 is the initiator, should the OUTPUT rule be in NEW state and the INPUT rule from 10.10.0.9 in RELATED,ESTABLISHED state? Plus, can I use RELATED,ESTABLISHED without a rule with NEW state?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Postfix SMTP server with iptables

Post by TrevorH » 2014/03/01 13:26:18

I suspect you want


-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
and
-I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
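The stateless-versus-stateful question in the 2014/02/28 post and the NEW-versus-RELATED,ESTABLISHED question in the 2014/03/01 post both come down to how the state match behaves packet by packet. The script below is an added example, not code from the thread, from iptables or from CentOS: a toy model of rule evaluation with a minimal connection tracker, run over a constructed trace of one relayed SMTP session from 10.10.10.2 to 10.10.0.9 port 25. The rulesets are the poster's stateless rules and the two rules from the last reply, with interface matches left out. The router address 10.10.0.1, the ephemeral port 40000 and the ICMP error packet are constructed for illustration; the thread never identifies which packets were actually being dropped, and the ICMP packet is only there to show what RELATED covers that a port-based rule cannot. One caveat the model makes visible: because the poster's OUTPUT chain ends in an explicit `-A OUTPUT -j DROP`, a `--state NEW` rule alone lets out only the first packet of the session, so the OUTPUT chain needs its own ESTABLISHED,RELATED accept as well (the `STATEFUL` ruleset adds it).

```python
"""Added example (not code from the thread, iptables or CentOS): a toy model of iptables
rule evaluation with a minimal connection tracker, run over a constructed trace of one
relayed SMTP session from 10.10.10.2 to 10.10.0.9 port 25."""
import ipaddress
import shlex
from dataclasses import dataclass

# The stateless rules posted in the thread (interface matches left out).
STATELESS = """
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j DROP
"""
# The two rules from the last reply, on top of the poster's chains (OUTPUT ends in DROP).
INPUT_STATE_ONLY = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j DROP
"""
# Same, plus an ESTABLISHED,RELATED rule in OUTPUT so that chain's DROP does not eat
# the outbound packets of a session that is already tracked.
STATEFUL = INPUT_STATE_ONLY.replace(
    "-A OUTPUT -s", "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A OUTPUT -s")
# The poster's question: a stateful ruleset with no NEW rule at all.
NO_NEW = "\n".join(l for l in STATEFUL.splitlines() if "NEW" not in l)

@dataclass
class Packet:
    chain: str           # "INPUT" or "OUTPUT"
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    inner: tuple = None  # ICMP error only: the quoted (src, dst, sport, dport) of the tcp packet
class Conntrack:
    """Toy state table: a tcp flow is known once an accepted packet has created it."""
    def __init__(self): self.flows = set()
    def state(self, p: Packet) -> str:
        if p.proto == "icmp":  # an ICMP error quoting a tracked connection is RELATED
            a, b, c, d = p.inner or ("", "", 0, 0)
            return "RELATED" if {(a, b, c, d), (b, a, d, c)} & self.flows else "NEW"
        fwd, rev = (p.src, p.dst, p.sport, p.dport), (p.dst, p.src, p.dport, p.sport)
        return "ESTABLISHED" if {fwd, rev} & self.flows else "NEW"
    def confirm(self, p: Packet) -> None:  # called only for packets that were accepted
        if p.proto == "tcp": self.flows.add((p.src, p.dst, p.sport, p.dport))

def parse_rules(text: str) -> dict:
    """Parse the iptables-save subset used above into per-chain rule lists."""
    rules = {"INPUT": [], "OUTPUT": []}
    for line in text.strip().splitlines():
        toks, rule, chain = shlex.split(line), {}, None
        for opt, val in zip(toks[::2], toks[1::2]):  # every option used here takes a value
            if opt == "-A": chain = val
            elif opt == "-s": rule["src"] = ipaddress.ip_network(val)
            elif opt == "-d": rule["dst"] = ipaddress.ip_network(val)
            elif opt == "-p": rule["proto"] = val
            elif opt == "--sport": rule["sport"] = int(val)
            elif opt == "--dport": rule["dport"] = int(val)
            elif opt in ("--state", "--ctstate"): rule["state"] = set(val.split(","))
            elif opt == "-j": rule["target"] = val
            elif opt not in ("-m", "-i", "-o"):  # module loads and interfaces: not modelled
                raise ValueError(f"unsupported option {opt}")
        rules[chain].append(rule)
    return rules

def matches(rule: dict, p: Packet, state: str) -> bool:
    if "src" in rule and ipaddress.ip_address(p.src) not in rule["src"]: return False
    if "dst" in rule and ipaddress.ip_address(p.dst) not in rule["dst"]: return False
    if "state" in rule and state not in rule["state"]: return False
    return all(rule.get(k, getattr(p, k)) == getattr(p, k) for k in ("proto", "sport", "dport"))

def run(ruleset: str, trace) -> list:
    """Return [(label, conntrack state, verdict)] for each packet of the trace, in order."""
    rules, ct, out = parse_rules(ruleset), Conntrack(), []
    for label, p in trace:
        state = ct.state(p)
        verdict = "ACCEPT"  # chain policy is ACCEPT, as in the posted iptables-save output
        for rule in rules[p.chain]:
            if matches(rule, p, state):
                verdict = rule["target"]
                break
        if verdict == "ACCEPT": ct.confirm(p)
        out.append((label, state, verdict))
    return out
ME, RELAY, ROUTER, EPH = "10.10.10.2", "10.10.0.9", "10.10.0.1", 40000  # ROUTER and EPH are assumed
TRACE = [  # constructed packets of one relayed session, in the order the kernel sees them
    ("syn out",     Packet("OUTPUT", ME, RELAY, "tcp", EPH, 25)),
    ("syn-ack in",  Packet("INPUT", RELAY, ME, "tcp", 25, EPH)),
    ("data out",    Packet("OUTPUT", ME, RELAY, "tcp", EPH, 25)),
    ("data in",     Packet("INPUT", RELAY, ME, "tcp", 25, EPH)),
    ("icmp err in", Packet("INPUT", ROUTER, ME, "icmp", inner=(ME, RELAY, EPH, 25))),
]

if __name__ == "__main__":  # print the verdict for every packet under each ruleset
    for name, rs in [("stateless", STATELESS), ("input state only", INPUT_STATE_ONLY),
                     ("stateful", STATEFUL), ("no NEW rule", NO_NEW)]:
        print(name, run(rs, TRACE))
```

Running it shows the four outcomes side by side: the stateless rules pass every TCP packet of the session but drop the ICMP error (no port-based rule can match it); the two rules from the last reply on their own pass the SYN and everything inbound but drop the outbound data packet at the OUTPUT DROP, because the NEW match no longer fits an established session; the full stateful set passes everything; and a ruleset with only ESTABLISHED,RELATED and no NEW rule drops the SYN, so nothing ever becomes established, which answers the question of whether RELATED,ESTABLISHED can be used without a NEW rule.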
