Postfix SMTP server with iptables
Hello,
I have a CentOS 6.4 server working as an SMTP server using Postfix, server IP 10.10.10.2. I configured iptables to only allow connections to port 25 from specific IPs.
There is a specific domain (example.com) that gets relayed to another SMTP server (IP 10.10.0.9).
The relaying is working correctly.
The problem is that with iptables enabled some emails get relayed and others don't, and the mailq gets full with messages from the relay domain (example.com) with errors like "timed out while sending end of data -- message may be sent more than once", "conversation with 10.10.0.9 timed out while sending message body", or simply connection timeout.
With iptables disabled there are no errors; all mails get relayed successfully.
iptables rules are:
iptables -A INPUT -p tcp --sport 25 -i eth1 -s 10.10.0.9 -d 10.10.10.2 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -o eth1 -s 10.10.10.2 -d 10.10.0.9 -j ACCEPT
Thanks
Re: Postfix SMTP server with iptables
Don't use domain names that exist already: example.com definitely does.
If those are the rules from 10.10.0.2 (the relay box) then they look like they are the wrong way around to me. Could you please post the entire output of `iptables-save` from this machine so we can see them in context.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Postfix SMTP server with iptables
And check nslookup.
Maybe there is some kind of RR DNS; then you will need to write it to /etc/hosts.
Re: Postfix SMTP server with iptables
amr.es wrote:
iptables rules are:
iptables -A INPUT -p tcp --sport 25 -i eth1 -s 10.10.0.9 -d 10.10.10.2 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -o eth1 -s 10.10.10.2 -d 10.10.0.9 -j ACCEPT
Thanks

You need to show ALL the rules. If these rules are applied AFTER the packets are already dropped, they won't do much good.
Re: Postfix SMTP server with iptables
TrevorH wrote:
Don't use domain names that exist already: example.com definitely does.
If those are the rules from 10.10.0.2 (the relay box) then they look like they are the wrong way around to me. Could you please post the entire output of `iptables-save` from this machine so we can see them in context.

Sorry, example.com is just an example; the real domain is an internal domain in the company. When iptables is enabled some mails get relayed successfully and some of them don't and give the errors I mentioned in the post. The rules are posted below.

igro wrote:
And check nslookup.
Maybe there is some kind of RR DNS; then you will need to write it to /etc/hosts.

I think no DNS resolving is needed since it will just relay the mail from this domain to another SMTP server, so there is no need to resolve it before relaying.

Whoever wrote:
You need to show ALL the rules. If these rules are applied AFTER the packets are already dropped, they won't do much good.

Sorry, I can't post our subnet IPs. Here is a snapshot from iptables-save after removing the IPs:
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s subnet -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -o eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -j DROP
Hope this will help. Thank you all.
Re: Postfix SMTP server with iptables
You stripped out some important information like the default policy of each chain. This is at the top of the iptables-save output. From what you did post, I can see that you have 4 identical rules at the top where one would do. Also you don't seem to have the ESTABLISHED,RELATED rules that would solve this problem for you. Please post the entire iptables-save output and try not to obscure anything. If all your IP addresses and subnets are RFC1918 private addresses then it doesn't really hurt to post them since you are not publishing anything that anyone can get to.
Re: Postfix SMTP server with iptables
TrevorH wrote:
You stripped out some important information like the default policy of each chain. This is at the top of the iptables-save output. From what you did post, I can see that you have 4 identical rules at the top where one would do. Also you don't seem to have the ESTABLISHED,RELATED rules that would solve this problem for you. Please post the entire iptables-save output and try not to obscure anything. If all your IP addresses and subnets are RFC1918 private addresses then it doesn't really hurt to post them since you are not publishing anything that anyone can get to.

Sorry, the default is ACCEPT; I drop everything explicitly in the last rule.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.175.14.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.39.224.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.8.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.31.69.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -o eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -j DROP
I think ESTABLISHED,RELATED and NEW are used if I want to create a stateful firewall; this is a stateless firewall, or what? Does each packet get matched independently, or what? Also, with these rules the server works properly and sends mails, but the problem happens when it relays the mails of a specific domain to another mail server.
I tried not specifying a port in the relay rules just to test, but same problem: some mails are relayed, others time out and are kept in the queue, as seen below.
-A INPUT -s 10.10.0.9/32 -d 10.10.10.2/32 -i eth1 -p tcp -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -j ACCEPT
Thank you, waiting to hear your opinion.
Re: Postfix SMTP server with iptables
Well, all your problems would be solved if you used the ESTABLISHED,RELATED rule, since you'd just need the OUTPUT rule allowing traffic to --dport 25 on the destination server and iptables would remember everything else for you and make it work.
Re: Postfix SMTP server with iptables
TrevorH wrote:
Well, all your problems would be solved if you used the ESTABLISHED,RELATED rule, since you'd just need the OUTPUT rule allowing traffic to --dport 25 on the destination server and iptables would remember everything else for you and make it work.

So you mean the output rule to the server I relay to should be
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
or should it be in the INPUT direction? I will test this rule and feed back, but can you explain more: if 10.10.10.2 is the initiator, should the OUTPUT rule be in the NEW state and the INPUT rule from 10.10.0.9 be in the RELATED,ESTABLISHED state? Plus, can I use RELATED,ESTABLISHED without a rule with the NEW state?
Re: Postfix SMTP server with iptables
I suspect you want
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
and
-I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
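The two suggestions above (TrevorH's point that a single ESTABLISHED,RELATED rule replaces the per-direction --sport/--dport mirror rules, and the final NEW/ESTABLISHED,RELATED pair) put together into one complete stateful ruleset. This is an added example written for this thread, not code posted by any of the participants. The addresses, interface and four client subnets are the ones from the thread; the file path, the loopback rules, the INVALID drop and the DROP chain policies are assumptions added here. It is written as an iptables-restore file so the whole set can be reviewed and loaded atomically, and it includes a check that the state rule sits before the port rules in each chain, which is the ordering question the OP asked about: a NEW rule decides who may open a connection, and the ESTABLISHED,RELATED rule (first in the chain, so the explicit ACCEPTs and the drop policy never see those packets) carries every later packet of that connection in both directions, including RELATED traffic such as ICMP errors tied to a tracked connection.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful iptables ruleset for the
# Postfix host in this discussion, emitted as an iptables-restore file.
# Addresses and the interface (10.10.10.2, relay 10.10.0.9, eth1, the four
# client subnets) come from the thread; RULES_FILE, the loopback rules, the
# INVALID drop and the DROP chain policies are assumptions added here.

RULES_FILE="${RULES_FILE:-/tmp/smtp-rules.v4}"   # placeholder path (assumption)

# Emit the ruleset on stdout. Chain policy is DROP, so no trailing "-j DROP"
# rule is needed. The conntrack rule sits first in each chain: replies to an
# accepted connection, and RELATED traffic such as ICMP errors tied to it, are
# accepted without a mirror rule for every direction and port. Only the NEW
# rules decide who may open a connection: the four client subnets inbound to
# port 25, and this host outbound to port 25 on the relay.
gen_smtp_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 10.175.14.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.39.224.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.8.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.31.69.0/24 -d 10.10.10.2/32 -i eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 10.10.10.2/32 -d 10.10.0.9/32 -o eth1 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Ordering check on the generated text: in both INPUT and OUTPUT the
# ESTABLISHED,RELATED rule must come before any port-specific rule, otherwise
# it is only reached for packets the earlier rules did not already decide.
# Exit status 0 when the order is right in both chains, 1 otherwise.
state_rule_precedes_port_rules() {
    gen_smtp_rules | awk '
        /^-A (INPUT|OUTPUT) .*--ctstate ESTABLISHED,RELATED/ { seen[$2] = 1 }
        /^-A (INPUT|OUTPUT) .*--dport 25/ && !seen[$2]      { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Number of NEW-connection ACCEPT rules in a chain (INPUT or OUTPUT).
count_new_rules() {
    gen_smtp_rules | grep -c -- "^-A $1 .*--ctstate NEW -j ACCEPT"
}

# Write the file and load it atomically when run as root on a host that has
# iptables-restore; otherwise just leave the file for review.
apply_smtp_rules() {
    gen_smtp_rules > "$RULES_FILE"
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore < "$RULES_FILE"
    else
        echo "ruleset written to $RULES_FILE (not loaded: needs root and iptables-restore)" >&2
    fi
}

# Usage: sh smtp-rules.sh        -> print the ruleset for review
#        sh smtp-rules.sh apply  -> write RULES_FILE and load it (as root)
case "${1:-}" in
    apply) apply_smtp_rules ;;
    "")    gen_smtp_rules ;;
esac
```

Loading through iptables-restore rather than appending with `iptables -A` avoids the window in which the chain is half built, and the generated file is also what `iptables-save` will print back, so the whole policy can be diffed against what is actually loaded. `-m conntrack --ctstate` and `-m state --state` are interchangeable here; both are available on CentOS 6.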