LinuxQuestions.org
Old 08-25-2006, 10:40 AM   #1
venom_casos
LQ Newbie
 
Registered: Aug 2006
Posts: 16

Rep: Reputation: 0
SMTP iptables problem


Hello,

I'm having problems with getting iptables to work correctly with smtp. When I have the firewall off (default accept) it works fine. But when I turn it back on:

iptables -A INPUT -i eth0 -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport smtp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

It will not work. After reviewing the maillog, I can see a good email go through when the firewall is off in comparison to when the firewall is on and the email will not go through. The process stops and does not generate the sendmail line:
Code:
Aug 25 10:11:35 srv01 ipop3d[3346]: pop3 service init from 24.172.189.255
Aug 25 10:11:35 srv01 ipop3d[3346]: Auth user=venom@shadow.net host=rrcs-24-172-189-255.central.biz.rr.com [24.172.189.255] nmsgs=0/0
Aug 25 10:11:35 srv01 ipop3d[3346]: Logout user=venom@shadow.net host=rrcs-24-172-189-255.central.biz.rr.com [24.172.189.255] nmsgs=0 ndele=0
Aug 25 10:12:20 srv01 sm-acceptingconnections[3350]: AUTH=server, relay=rrcs-24-172-189-255.central.biz.rr.com [24.172.189.255], authid=venom@shadow.net@, mech=PLAIN, bits=0
Aug 25 10:12:20 srv01 sm-acceptingconnections[3350]: k7PECKE0003350: from=<venom@shadow.net>, size=316, class=0, nrcpts=1, msgid=<44EF028D.8040107@shadow.net>, proto=ESMTP, daemon=MTA, relay=rrcs-24-172-189-255.central.biz.rr.com [24.172.189.255]
Aug 25 10:12:20 srv01 sm-acceptingconnections[3350]: k7PECKE0003350: to=<w@twmi.rr.com>, delay=00:00:00, mailer=esmtp, pri=30316, stat=queued
Aug 25 10:12:21 srv01 MailScanner[2254]: New Batch: Scanning 1 messages, 860 bytes
Aug 25 10:12:21 srv01 MailScanner[2254]: Virus and Content Scanning: Starting
Aug 25 10:12:21 srv01 MailScanner[3353]: Unrar command /usr/bin/unrar does not exist or is not executable, please either install it or remove the setting from MailScanner.conf
Aug 25 10:12:21 srv01 MailScanner[2254]: Uninfected: Delivered 1 messages
On the good email, this line is added to the end:

Code:
Aug 25 10:05:12 srv01 sendmail[3125]: k7PE58BZ003119: to=<w@twmi.rr.com>, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=120321, relay=orngca-02.mgw.rr.com. [66.75.160.148], dsn=2.0.0, stat=Sent (ok:  Message 1353941463 accepted)
Any help is greatly appreciated, I've been fighting with this for a couple days now. Thanks in advance!
 
Old 08-25-2006, 11:43 AM   #2
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
Quote:
Aug 25 10:11:35 srv01 ipop3d[3346]: pop3 service init from 24.172.189.255
Aug 25 10:11:35 srv01 ipop3d[3346]: Auth user=venom@shadow.net host=rrcs-24-172-189-255.central.biz.rr.com [24.172.189.255] nmsgs=0/0
I see pop3 there, you probably need to allow 110 also.
 
Old 08-25-2006, 02:19 PM   #3
venom_casos
LQ Newbie
 
Registered: Aug 2006
Posts: 16

Original Poster
Rep: Reputation: 0
Re

Thanks, pop3 = 110 in my /etc/services so they're one and the same. Also, pop3 is working fine, I can receive emails with no problem. I just can't send them.
 
Old 08-25-2006, 03:18 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Is all outgoing traffic being filtered? If so, you should probably have a rule that allows anything that is outgoing if it is established or related. I see you have one rule that does that for port 25, but go ahead and let it all out to see if the problem is related to the outgoing rules.

Also, maybe you could turn on logging for your firewall and see what happens when an email is sent.
 
Old 08-25-2006, 04:50 PM   #5
venom_casos
LQ Newbie
 
Registered: Aug 2006
Posts: 16

Original Poster
Rep: Reputation: 0
All outgoing/incoming/forward policies are set to drop. So yes, only allowed connections are allowed outbound. All of my other outgoing rules are established, with exception to ftp (related).

I've tried both ways... allowing input to accept, and then turning it back to drop as well as turning output to accept. Neither of those work. The only way that the email is sent is if I change both input and output to accept.

How do I turn on firewall logging?
 
Old 08-25-2006, 05:08 PM   #6
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
It depends how you did your firewall. If you did it manually (meaning created a script that controls the rules) you can do something like this:

# LOG is non-terminating, so it must come before the ACCEPT rule for the same traffic
iptables -A INPUT -i eth0 -p tcp --dport 25 -j LOG --log-prefix "[SMTP LOGGING] "
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT

I'm pretty sure this will log everything incoming to port 25
 
Old 08-25-2006, 07:15 PM   #7
venom_casos
LQ Newbie
 
Registered: Aug 2006
Posts: 16

Original Poster
Rep: Reputation: 0
Hey,

Thanks for the suggestion. Another friend of mine said the same thing and I started messing around logging different things both incoming and outgoing, as well as whatever else the server was dropping.

In the end, I found the solution which was to add the following rules:

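# Inbound SMTP to this server, and replies from remote SMTP servers
iptables -A INPUT -i eth0 -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1024: --sport smtp -j ACCEPT

# Replies to inbound SMTP clients, and outbound delivery to remote SMTP servers
iptables -A OUTPUT -o eth0 -p tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1024: --dport smtp -j ACCEPT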

Thanks for the help, greatly appreciated!!
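Added example, not part of any post in this thread: a simplified first-match model of the two rule sets (default policy DROP, TCP on eth0 only) showing why mail stayed at stat=queued with the original rules and is relayed with the rules from post #7. It is a model, not iptables itself; the ephemeral ports 51000 and 40000 and the packet labels are constructed for illustration.

```python
# Simplified model of the thread's rules: first match wins, default policy DROP.
SMTP = 25
EPHEMERAL = range(1024, 65536)          # iptables "1024:"
ANY_PORT = range(0, 65536)
ANY_STATE = {"NEW", "ESTABLISHED", "RELATED"}

def rule(chain, sport=ANY_PORT, dport=ANY_PORT, states=ANY_STATE):
    return {"chain": chain, "sport": sport, "dport": dport, "states": set(states)}

# Rules from post #1: only traffic to/from the local SMTP port is allowed.
ORIGINAL = [
    rule("INPUT", dport=[SMTP]),
    rule("OUTPUT", sport=[SMTP]),
]

# Rules from post #7: also allow this host to act as an SMTP client.
FIXED = [
    rule("INPUT", dport=[SMTP], states={"NEW", "ESTABLISHED"}),
    rule("INPUT", sport=[SMTP], dport=EPHEMERAL),
    rule("OUTPUT", sport=[SMTP], states={"ESTABLISHED"}),
    rule("OUTPUT", sport=EPHEMERAL, dport=[SMTP]),
]

# Constructed packets: (chain, source port, destination port, conntrack state).
PACKETS = {
    "mail client -> server:25": ("INPUT", 51000, SMTP, "NEW"),
    "server:25 -> mail client": ("OUTPUT", SMTP, 51000, "ESTABLISHED"),
    "server -> remote relay:25": ("OUTPUT", 40000, SMTP, "NEW"),
    "remote relay:25 -> server": ("INPUT", SMTP, 40000, "ESTABLISHED"),
}

def verdict(rules, packet):
    chain, sport, dport, state = packet
    for r in rules:
        if (r["chain"] == chain and sport in r["sport"]
                and dport in r["dport"] and state in r["states"]):
            return "ACCEPT"
    return "DROP"                        # chain policy

def evaluate(rules):
    return {name: verdict(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label)
        for name, v in evaluate(rules).items():
            print(f"  {v:6}  {name}")
```

The last two rules in post #7 do not match on connection state, so they accept any TCP packet between port 25 and a high port in that direction; adding a state match to them narrows that.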
 
  

