iptables and incoming email blocked

October 21, 2014

I have postfix and dovecot installed and my emails work fine

  • I can send emails out (local and external)
  • I can receive emails in (local and external)

If I start building a firewall with iptables, I start to encounter problems.

  • I can send emails out (local and external)
  • I can receive emails only if it was sent from inside my domain.
  • External emails trying to come in simply 'disappear'. (I am connecting via POP3)

Here are some of the references that I have been using:

  • Digital Ocean: How to setup a firewall with iptables
  • Ubuntu Community: iptables

Here are my iptables rules:
sudo iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP

Now when I send an email in from outside my network, this is what I see in my syslog regarding the dropped packet.

Oct 21 17:40:09 breia dovecot: pop3-login: Login: user=<test1>, method=PLAIN, rip=58.173.60.47, lip=128.199.130.239, mpid=1381, TLS, session=<SsXjrPUFvwA6rTwv>
Oct 21 17:40:09 breia dovecot: pop3(test1): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Oct 21 17:40:30 breia kernel: [ 4253.135412] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=95.183.244.29 DST=128.199.130.239 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=39141 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 17:40:46 breia postfix/pickup[1030]: trigger_server_accept_local: trigger arrived
Oct 21 17:40:46 breia postfix/pickup[1030]: master_notify: status 0
Oct 21 17:40:46 breia postfix/pickup[1030]: master_notify: status 1
Oct 21 17:41:27 breia kernel: [ 4309.962349] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=64.189.75.2 DST=128.199.130.239 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33407 LEN=68

From Understanding iptables log, I have some understanding of what the log file means.

Could someone please help me to understand further what is happening, and how I can fix it so that I can receive emails from outside my domain?

Thank you,

Brent
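
As an added example (not part of the question or either answer), here is a small parser that runs over the two "iptables denied:" lines quoted above and labels each dropped packet as a hit on one of the mail ports the ruleset opens, a UDP reply from port 53, or unrelated traffic. MAIL_PORTS mirrors the ACCEPT rules in the ruleset; the sample log text is copied from the question.

```python
import re

# Ports the question's ruleset opens for mail (SMTP, submission, POP3, IMAP, POP3S, IMAPS).
MAIL_PORTS = {25, 587, 110, 143, 995, 993}

# Kernel LOG-target line, using the "iptables denied: " prefix from the ruleset.
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] iptables denied: (?P<fields>.*)$")

# Sample input: the two dropped-packet lines quoted in the question, plus one dovecot
# line that the parser must ignore.
SAMPLE_LOG = """\
Oct 21 17:40:09 breia dovecot: pop3(test1): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Oct 21 17:40:30 breia kernel: [ 4253.135412] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=95.183.244.29 DST=128.199.130.239 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=39141 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 17:41:27 breia kernel: [ 4309.962349] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=64.189.75.2 DST=128.199.130.239 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33407 LEN=68
"""

def parse_drop(line: str) -> dict:
    """Parse one LOG-target line into KEY=value fields; returns {} for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    fields: dict = {}
    flags: list = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)  # keep the IP-header LEN, not the later UDP LEN
        else:
            flags.append(tok)            # bare flags such as DF or SYN
    fields["FLAGS"] = " ".join(flags)
    return fields

def classify(fields: dict) -> str:
    """Label a drop by what it means for a mail server behind this ruleset."""
    proto = fields.get("PROTO")
    if proto == "TCP" and int(fields.get("DPT", 0)) in MAIL_PORTS:
        return "mail-port"   # a connection to a port the ACCEPT rules should have matched
    if proto == "UDP" and fields.get("SPT") == "53":
        return "dns-reply"   # answer to an outbound lookup that conntrack did not match
    return "other"           # unrelated traffic, e.g. the TCP/135 probe in the question

def summarize(log_text: str) -> list:
    """Return one record per dropped packet found in a syslog excerpt."""
    records = []
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f:
            records.append({"src": f["SRC"], "proto": f["PROTO"], "spt": f["SPT"],
                            "dpt": f["DPT"], "flags": f["FLAGS"], "kind": classify(f)})
    return records
```

Running summarize(SAMPLE_LOG) shows that neither logged drop is a connection to a mail port, which is the first thing to check before touching the ACCEPT rules.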

2 Answers

You've placed a rate limiter on your server:

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

You only allow 5 connections a minute, then it blocks them. That may be too restrictive.

  • Thanks for the response Jon. The rule has been set up for logging and the restrictive part prevents spam bots from clogging up my logs. In fact the default is 3 per hour if I didn't specify --limit.

    Thanks.

I've been looking at problems other people have experienced and started to wonder if iptables takes time to propagate changes. It is supposed to be instant, but still people have been asking if there is a period of time for the rules to take effect.

I started to have the same feelings because even though I would remove the DROP rule, my packets were still being rejected. If I came back after about an hour (or more) then things would start working as expected.

I've just inserted another INPUT rule for MySQL (port 3306). As expected, I can't connect from outside the host even though the account has been set up to be accessible from outside the domain. When I get back later tonight, I'll probably have access, even though iptables is supposed to take effect immediately.

  • It is instantaneous. When adding rules (and my rule list is 4814 lines long), they instantly take effect. This is because it's not an "app" per se. It's a kernel module.

    A simple test to make sure it's working:

    add rule, then run this

    iptables -L|grep "3306"

    If it's there, it's already being applied.
