I have postfix and dovecot installed and my emails work fine
- I can send emails out (local and external)
- I can receive emails in (local and external)
If I start building a firewall with iptables, I start to encounter problems.
- I can send emails out (local and external)
- I can receive emails only if it was sent from inside my domain.
- External emails trying to come in simply ‘disappear’. (I am connecting via POP3)
Here are some of the references that I have been using Digital Ocean How to setup a firewall with iptables Ubuntu Community iptables
Here are my iptables rules
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
Now when I send an email in from outside my network, this is what I see in my syslog in regards to the dropped packed.
Oct 21 17:40:09 breia dovecot: pop3-login: Login: user=<test1>, method=PLAIN, rip=58.173.60.47, lip=128.199.130.239, mpid=1381, TLS, session=<SsXjrPUFvwA6rTwv>
Oct 21 17:40:09 breia dovecot: pop3(test1): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Oct 21 17:40:30 breia kernel: [ 4253.135412] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=95.183.244.29 DST=128.199.130.239 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=39141 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 17:40:46 breia postfix/pickup[1030]: trigger_server_accept_local: trigger arrived
Oct 21 17:40:46 breia postfix/pickup[1030]: master_notify: status 0
Oct 21 17:40:46 breia postfix/pickup[1030]: master_notify: status 1
Oct 21 17:41:27 breia kernel: [ 4309.962349] iptables denied: IN=eth0 OUT= MAC=04:01:2c:93:28:01:4c:96:14:ff:ff:f0:08:00 SRC=64.189.75.2 DST=128.199.130.239 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33407 LEN=68
From Understanding iptables log, I have some understanding of what the log file means.
Could someone please help me to understand further what is happening, and how I can fix it so that I can receive emails from outside my domain.
Thank you,
Brent
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
I’ve been looking at problems other people have experienced and started to wonder if iptables take time to propagate changes. It is supposed to be instant, but still people have been asking if there is a period of time for the rules to take effect.
I started to have the same feelings because even though I would remove the DROP rule, my packets were still being rejected. If I came back after about an hour (or more) then things would start working as expected.
I’ve just inserted another INPUT rule for MySQL (port 3306). As expected I can’t connect from outside the host even though the account has been set up to be accessible from outside the domain. When I get back later tonight, I’ll probably have access, even though iptables are supposed to take effect immediately.
You’ve placed a rate limiter on your server:
You only allow 5 connections a minute, then it blocks them. That may be too restrictive.