HGunther
asked on
I can neither send nor receive emails
In the firewall, only packets with target port = 25, 80, 110, 443 (HTTPS), 576 (submission) and 8080 (Tomcat) are allowed to come in. DNS is pointed to 3 outside servers; OS is Linux 7.2. The firewall is put outside the router. Now I can neither send nor receive emails. I found that this server cannot resolve domain names, so I cannot find any host by nslookup. Is that why? Can you tell me which ports shall be opened for incoming when a program needs to access DNS?
UDP and TCP port 53
The fact you can't SEND outgoing emails sounds pretty suspicious. You may also need to open the port for POP3 incoming - TCP port 110 - (depending on how you pick up your mail).
Opening port 25 will only work for incoming mail if you are running an SMTP mail server on your network. If you are picking up your mail from your ISP's server then it's probably port 110 you want.
Anyway, if you ARE running SMTP then get onto another machine (or ask a friend) to telnet to your external IP address on port 25 - eg, with windows do 'telnet x.x.x.x 25' at a DOS command line. Put your IP address in instead of x.x.x.x. Run TCPDUMP on the firewall at the same time, to see what packets are going through.
My bet would be that you have not got packet forwarding working properly on the firewall, or possibly a problem with Network Address Translation (NAT).
By the way, for incoming DNS you probably only need to allow inbound TCP (port 53) - I have never found it necessary to allow UDP. BUT I'd strongly advise you to ONLY allow incoming DNS updates from trusted servers - i.e. your own ISP's only... there are some nasty DNS exploits you should not allow in....
ASKER
Crossley, thanks!
As I expressed in the question, the cause why I cannot send emails out is that my email server cannot resolve domain names, that is to say, this server cannot find any DNS server though I set up the DNS server to 3 outside servers.
I think the major problem is that my server cannot resolve domain names.
http://www.iana.org/assignments/port-numbers
24/tcp any private mail system
24/udp any private mail system
smtp 25/tcp Simple Mail Transfer
smtp 25/udp Simple Mail Transfer
domain 53/tcp Domain Name Server
domain 53/udp Domain Name Server
pop3 110/tcp Post Office Protocol - Version 3
pop3 110/udp Post Office Protocol - Version 3
HGunther,
Here's where you can get a list of ports, and I've sketched the parts applicable. I cannot tell from your comments to date on your usage of #53.
I ditto above comment on accessing only 'trusted' servers. You may need permissions, as well as having them located nearby (for response time).
You would be wise to have a good proxy. Many consider NAT as OK. I suspect Crossley has provided the answer (I cannot tell well if the initial question mentioned #25 and #110 were already open, or if that was a subsequent edit. Better IMO to not edit the initial question, but rather add feedback as a comment, to help us understand the troubleshooting sequence. -an FYI to any reader)
Hmm, in addition to SunBow's comments:
Set up a caching DNS on the mail server.
See DJBDNS at http://cr.yp.to/
A public mail server really cannot be NATted.
ASKER
In the firewall, the following rules are in action (this firewall was not implemented from Linux 7.2):
INPUT policy: DENY ALL
and packets from port 53 are accepted
and packets to port 25, 80, 110, 443, 576, 8080 are accepted
Now I can receive email from outside. But from this email server, I cannot send emails out. Shall I let packets from 25 be coming in?
BTW, nslookup is working properly.
ASKER CERTIFIED SOLUTION
ASKER
Thank you very much, Crossley!
Now I can both send and receive emails.
In the firewall, I asked the admin (we share network with another organization) to add a rule: let packets from port 25 come in.
Regards! Gunther
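Added example, not from anyone in this thread: a small model of the stateless INPUT rule set HGunther posted (DENY ALL, accept source port 53, accept destination ports 25/80/110/443/576/8080), showing why inbound mail and DNS replies pass while the replies to the server's own outbound SMTP connections are dropped, what the "let packets from port 25 come in" fix changes, and how a connection-tracking filter admits only replies to connections the host opened. The `Packet`, `input_allowed` and `StatefulFilter` names and all port numbers other than those in the thread are constructed for the illustration.

```python
from dataclasses import dataclass

# "Packets to port 25, 80, 110, 443, 576, 8080 are accepted" from the asker's rule set
MAIL_DPORTS = frozenset({25, 80, 110, 443, 576, 8080})


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # remote (source) port as seen on the INPUT chain
    dport: int   # local (destination) port


def input_allowed(pkt, allow_sport=(53,), allow_dport=MAIL_DPORTS):
    """Stateless INPUT chain as posted: DENY ALL unless a source-port
    or destination-port rule matches. Adding 25 to allow_sport is the
    admin's fix, but it also admits ANY packet whose source port is 25,
    whatever local port it is aimed at."""
    if pkt.sport in allow_sport:
        return True
    if pkt.dport in allow_dport:
        return True
    return False                      # default policy DENY ALL


class StatefulFilter:
    """Connection-tracking variant: replies are admitted only for
    connections this host initiated, so no blanket source-port hole."""

    def __init__(self, allow_dport=MAIL_DPORTS):
        self.allow_dport = frozenset(allow_dport)
        self.outbound = set()         # (proto, local_port, remote_port) we opened

    def note_outbound(self, proto, local_port, remote_port):
        # Called when the host sends the first packet of a connection
        self.outbound.add((proto, local_port, remote_port))

    def input_allowed(self, pkt):
        if (pkt.proto, pkt.dport, pkt.sport) in self.outbound:
            return True               # reply to an established connection
        return pkt.dport in self.allow_dport


if __name__ == "__main__":
    # Constructed traffic: DNS reply, inbound SMTP, and the SYN-ACK from a
    # remote MX (source port 25) answering this server's outbound delivery.
    for pkt in (Packet("udp", 53, 40000), Packet("tcp", 51000, 25), Packet("tcp", 25, 40001)):
        print(pkt, "stateless:", input_allowed(pkt))
    sf = StatefulFilter()
    sf.note_outbound("tcp", 40001, 25)
    print("stateful reply:", sf.input_allowed(Packet("tcp", 25, 40001)))
```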