Solved

Postfix Mail-Server behind a firewall

Posted on 2003-10-26
Last Modified: 2007-02-12
I use a Web- and Mail-Server (Apache2 and Postfix) with Suse 8.2 behind a firewall (Cisco 1710 Router with ACL).
My network:

Internet < ---- > Router < ---- > Web-, Mail-Server < ---- > PIX < ---- > Intern
                 |                     |  
            X.X.X.X   10.10.0.0/16 DMZ network

ACL:
permit tcp any host X.X.X.X eq www
permit tcp any host X.X.X.X eq smtp

www works fine!

I can send emails from the mail server, but I can't receive emails to the addresses user@domain or user@X.X.X.X.
A port scan of X.X.X.X says that the SMTP service is not running!!!
I have used the standard configuration (main.cf) with myorigin, mydomain and mydestination changed.
The MX record was set to the IP address X.X.X.X.

Does anyone have an idea what's wrong?
Question by:and882
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
Is your router running the firewall feature set, or do you have a PIX firewall as in your diagram? Two very different things.
If no PIX and no firewall feature set (ip inspect), then I would suspect a DNS issue. Where is your MX record?

Author Comment

by:and882
I use normal ACLs for traffic filtering (no CBAC).

The PIX is the firewall for my internal network and should not be the problem. The DMZ uses a Cisco router with ACLs as a firewall to the internet and a PIX 501 for the internal network.

ACL on the router allows port 53, DNS works for www.

I can't send a mail to a user on the mail server, e.g. user@1.2.3.4, so DNS is not used (is this correct?)

The router uses NAT:

ip nat inside source static tcp 10.10.0.10 80 1.2.3.4 80 <- web
ip nat inside source static tcp 10.10.0.10 25 1.2.3.4 25 <- mail

Should I use two different internal IP addresses for mail and web?

The Web and Mail pointing was done by www.avtiveisp.com.

A record --> 1.2.3.4
MX record --> 1.2.3.4

If I try to telnet to the port I get no answer:

telnet 1.2.3.4 25

I think the problem is that the mail service on port 25 is not running on the external (public) router interface. But I don't know what I have done differently from www.

I hope this helps!

LVL 35

Accepted Solution

by:
ShineOn earned 250 total points
Not sure if this makes sense, but IIRC you should make the port 25 traffic 2-way, and you should use 2-way DNS communications on both TCP and UDP. Since it appears your ACL isn't blocking anything out, and you've already opened a static NAT port 25, then all that's left is opening port 53 on TCP and UDP to your server with a couple more "ip nat" commands.

If you ping your mail server's DNS name, does it resolve to 1.2.3.4?  Does the DNS name in your mail server config match the DNS name on the mx record?  If you connect directly to the public-side NIC of the mailserver can you telnet to port 25 and get a response from the mail server?
LVL 79

Expert Comment

by:lrmoore
If you are trying to telnet to the server's public address from inside your LAN, it won't work anyway. You're hitting it before the NAT takes place on the router.
Does your inbound access-list have a line that includes
permit tcp any any established?

LVL 35

Expert Comment

by:ShineOn
lrmoore - is that a rough equivalent to stateful filtering?

Author Comment

by:and882
Yes, this is correct. I also need a DNS for my internal network!

This is my inbound ACL for the router interface connected to the internet (cable modem):

    permit tcp any host 1.2.3.4 eq www (17332 matches)
    permit tcp any host 1.2.3.4. eq smtp (494 matches)
    permit tcp any host 1.2.3.4. established (75020 matches)
    permit udp any eq domain any (1732 matches)

NAT:

Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.4:25   10.10.0.10:25      ---                ---
tcp 1.2.3.4:80   10.10.0.10:80      ---                ---


I do not think this is a DNS problem (not only), because it also does not work with the IP address in the mail address.

Do I have to change something in the Postfix access file?
LVL 79

Expert Comment

by:lrmoore
ShineOn - yes, exactly.

and882 - you have not answered the question as to where you are trying to do your testing from.
Inside, on your LAN, or completely external from elsewhere on the Internet?
Yes, you do need a DNS for your internal users that will resolve the MX and the A records to the 10.10.0.10 IP address, else look into the 'alias' command on the PIX...
LVL 35

Expert Comment

by:ShineOn
If you change the permit tcp any host 1234 established to permit tcp any any established, does that change anything?  (just for troubleshooting...)
LVL 35

Expert Comment

by:ShineOn
When doing a DMZ with Cisco IOS is it necessary to have an outside ACL to allow access to NATted server(s) - I thought that the IP NAT INSIDE SOURCE command would handle that.  Could it be that the combination is working against each other, like maybe the outside ACL should specify the NATted address instead of the public address?
LVL 35

Expert Comment

by:ShineOn
I have seen it with the outside ACL doing an ANY ANY instead of specifying a host address...
LVL 35

Expert Comment

by:ShineOn
Also, should the IP NAT INSIDE SOURCE statements have "extendable" added, or isn't that necessary here?

Author Comment

by:and882
I have tried to connect directly in the DMZ network to port 25 --> telnet 10.10.0.10 25 does not work

telnet 10.10.0.10 80 works --> there must be something wrong with the Postfix or Linux configuration (firewall?).

I turned off the firewall of the mail server --> the same --> the SMTP service is not running correctly --> postfix status says running

OK, what now?


1. This is not a problem of the ACL - I think so, because I am behind the firewall

2. It is not a problem of the firewall on the web/mail server -- I have disabled the firewall --> nothing happened

3. --> this must be a problem of the SMTP server config --> Postfix config

Do you agree with that?

LVL 79

Expert Comment

by:lrmoore
Agree with #3. It is not an access-list issue if you can't even do it locally...
Perhaps you can post a pointer question in one of the Linux TA's to get a Linux guru to lend a hand..


Author Comment

by:and882
Thank you to lrmoore and ShineOn !!!!

I have found the problem: it was a hidden double config line in the main configuration file of Postfix. It didn't listen on the correct interface.

So simple, but it took me 2 days.

Thank you for your help!
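The root cause reported above, a second copy of a parameter in main.cf (presumably inet_interfaces, the setting that decides which addresses Postfix listens on), is easy to miss because Postfix silently keeps the last definition it reads. The following is an added example, not code from this thread or from Postfix, that parses a constructed main.cf and reports such duplicates together with the value that actually takes effect:

```python
"""Check a Postfix main.cf for parameters defined more than once.
Postfix keeps the *last* definition it reads, so a forgotten
'inet_interfaces = localhost' lower in the file silently overrides an
'inet_interfaces = all' edited near the top.  Added helper, not Postfix code."""
import re
from collections import defaultdict

# Constructed sample main.cf: line 9 overrides line 5, so Postfix only listens on loopback.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain,
    mail.$mydomain
smtpd_banner = $myhostname ESMTP
inet_interfaces = localhost
"""
_PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

def parse_main_cf(text):
    """Return {param: [(line_no, value), ...]} in file order, following
    Postfix's rules: '#' lines are comments, and a line that starts with
    whitespace continues the previous parameter's value."""
    seen, current = defaultdict(list), None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            ln, val = seen[current][-1]          # continuation line
            seen[current][-1] = (ln, val + " " + raw.strip())
            continue
        m = _PARAM_RE.match(raw)
        if not m:
            continue                             # skip malformed lines
        current = m.group(1)
        seen[current].append((line_no, m.group(2).strip()))
    return dict(seen)

def duplicates(text):
    """Parameters defined more than once, with every definition of each."""
    return {p: e for p, e in parse_main_cf(text).items() if len(e) > 1}

def effective_value(text, param):
    """The value Postfix actually uses: the last definition, or None."""
    entries = parse_main_cf(text).get(param)
    return entries[-1][1] if entries else None
```

On the server itself, 'postconf inet_interfaces' prints the value Postfix is really using, which should match the last definition this check reports.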
LVL 79

Expert Comment

by:lrmoore
Great news!
Thanks!
LVL 35

Expert Comment

by:ShineOn
Process of elimination.  Glad you got it fixed.