Sendmail + restrictive iptables = headache

flp · 09-09-2004, 08:37 AM

Hi Folks,

After reading lots of forum posts, and lots of (confusing) articles, I am still having problems, any help would be greatly appreciated

I am running a web server, and am keeping it all locked down as much as possible with iptables. Default action for incoming packets is drop, and I've set up rules to allow SSH/Web/DNS requests etc etc. The server works fine in every respect except for trying to send email.

The trouble is, in this locked down state, sendmail won't send emails sent to it via my PHP scripts! If I change the default action for incoming packets on iptables to 'Accept' then sendmail happily sends out the emails. If iptables incoming default is set back to 'drop', then the emails just sit in the queue with this error:

'Deferred: Connection timed out with <nameofmailserver>'

Now I understand WHY this is happening I think because I had a similar problem with DNS requests. DNS lookups wouldn't work until I allowed port 53, TCP and UDP.

So I guess the real question is... what ports do I need to allow to get this box sending mails? I may want to use it as a relay in future, but for now I just want sendmail to... umm.... send!

Any help would be great, many thanks! Sorry for the long story

dominant · 09-09-2004, 09:02 AM

You have to allow incoming TCP packets on 25 (SMTP) port

flp · 09-09-2004, 09:09 AM

Doh! Thankyouthankyouthankyou!

I *THOUGHT* I tried this before, but I must have have set the rule for source, not destination!

One more thing though, I haven't done anything to the sendmail configuration, I'm not open for spammers to abuse me am I? What can I do to check?

Apologies for my lack of knowledge - I just program usually.

dominant · 09-09-2004, 09:36 AM

I haven't configure my sendmail either.
It's quite complicate because you have to use the m4 processor, etc.

I use the default configuration and it works

For spam use SpamAssassin

chort · 09-09-2004, 04:33 PM

Here's some helpful info on making sure that Sendmail is not configured as an open relay. You should also checkout www.sendmail.org as it has a lot more documentation.

flp · 09-09-2004, 06:35 PM

That's great, thanks for all the help. Think I'll stick around and see if I can be of use