kephillips

iptables to allow mail users to get mail externally

Hi experts,
I'm using Red Hat 9, iptables and sendmail.
I have my mail server functional and the firewall allowing all internal (eth0) connections to check their mail.
What I can't seem to get working is letting people externally, over the internet, use their POP3 accounts. I would like them to be able to use Outlook Express instead of having to go to the web page every time. I have tried opening port 25 in iptables. What do I need to do, and how?
Thanks very much
jlevie

For POP access you'll need to allow inbound connections on 110/TCP. 25/TCP is only used for SMTP connections.
kephillips (ASKER)

Hi jlevie,
I've tried this:

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT

and still it doesn't seem to work. Also, when I go to www.grc.com (Shields Up) to check what ports I have open, it tells me that only 25 and 80 are. It doesn't say anything about 110...
Pablo Allietti
Check with netstat -a if the ports are open.
Sorry, listening, not open. jejeje.

And iptables -L to check if the rules are correct, and then save them.
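An added example, not code from anyone in this thread: a small POSIX shell check that reads the output of the "iptables -L INPUT -n --line-numbers" listing suggested above and reports whether a given TCP port is actually reachable. iptables evaluates rules in order, so ACCEPT rules appended with -A after a catch-all REJECT or DROP (Red Hat's default ruleset is assumed here to end with one) never match, which is one common cause of "the rule is there but the port still shows closed". The two listings are constructed for the example, not taken from the asker's machine.

```shell
# Added example: does an "iptables -L INPUT -n --line-numbers" listing really
# let a TCP port through?  Rules run top to bottom, so an ACCEPT appended with
# -A after a catch-all DROP/REJECT is never reached even though it is "there".
# port_allowed PORT  (listing on stdin) -> exit 0 if reachable, 1 if blocked
port_allowed() {
    awk -v port="$1" '
        /^Chain INPUT/ { policy = $NF; sub(/\)$/, "", policy); next }
        /^num/ || NF == 0 || done { next }
        # an ACCEPT whose match includes dpt:PORT settles it
        $2 == "ACCEPT" && $0 ~ ("dpt:" port "([^0-9]|$)") {
            msg = "allowed by rule " $1; status = 0; done = 1; next
        }
        # any-proto, any-host DROP/REJECT without port/state qualifier = catch-all
        ($2 == "DROP" || $2 == "REJECT") && $3 == "all" &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && $0 !~ /dpt:|spt:|state/ {
            msg = "blocked by catch-all rule " $1 " (later ACCEPTs never run)"
            status = 1; done = 1; next
        }
        END {
            if (!done) {
                status = (policy == "ACCEPT") ? 0 : 1
                msg = (status ? "blocked" : "allowed") " by chain policy " policy
            }
            print msg; exit status
        }'
}

# Constructed listing: the POP3 rule from the question appended with -A, so it
# lands after a Red Hat style catch-all REJECT (rule 3). Port 25 was already open.
LISTING_APPENDED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x17/0x02
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110'

# Same rule inserted ahead of the catch-all with "iptables -I INPUT 3 ...".
LISTING_FIXED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x17/0x02
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

for p in 25 110; do
    printf 'appended, port %s: ' "$p"; printf '%s\n' "$LISTING_APPENDED" | port_allowed "$p" || :
    printf 'fixed,    port %s: ' "$p"; printf '%s\n' "$LISTING_FIXED" | port_allowed "$p" || :
done
```

On a live box, feed the real listing in with: iptables -L INPUT -n --line-numbers | port_allowed 110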
Here's what I have when doing a netstat -a:

tcp        0      0 *:pop3                  *:*                     LISTEN      
tcp        0      0 *:imap                  *:*                     LISTEN          
tcp        0      0 *:smtp                  *:*                     LISTEN
Yep, the ports are listening, and does iptables -L have the rules to open these ports to the outside???
Please check your /etc/xinetd.d/ipop3 conf file. It should look something similar to this:

# default: off
# description: The POP3 service allows remote users to access their mail \
#              using a POP3 client such as Netscape Communicator, mutt, \
#              or fetchmail.
service pop3
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3d
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
}

I cannot recall, but I think by default there may be a hosts setting there you have to comment out or remove. Also, try a netstat -avtn|grep LISTEN and paste the output. It should show something similar to:

tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN

HTH,
John
ASKER CERTIFIED SOLUTION
jlevie

The above answers are correct. You do indeed need to open up port 110 for POP3 access. You might want to check out my favorite firewall called homeLANsecurity. It has most of these standard ports preconfigured. All you would need to do is set the POP3 to "ON" and it will take care of the rest for you. You can find it at:

http://www.unixpages.com/hls
And another complete firewall (mine) can be seen at http://www.entrophy-free.net/tools/iptables-gw