• Status: Solved
  • Priority: Medium
  • Security: Public

Postfix Mail-Server behind a firewall

I use a Web- and Mail-Server (Apache2 and Postfix) with Suse 8.2 behind a firewall (Cisco 1710 Router with ACL).
My network:

Internet < ---- > Router < ---- > Web-, Mail-Server < ---- > PIX < ---- > Intern
                 |                     |  
            X.X.X.X   10.10.0.0/16 DMZ network

ACL:
permit tcp any host X.X.X.X eq www
permit tcp any host X.X.X.X eq smtp

www works fine!

I can send emails from the mail server, but I can't receive emails to addresses user@domain or user@X.X.X.X.
A port scan to X.X.X.X says that the smtp service is not running!!!
I have used the standard configuration (main.cf) with myorigin, mydomain and mydestination changed.
The MX record was set to the IP address X.X.X.X.

Anyone have an idea what's wrong?

and882 Asked:

2 Solutions
lrmooreCommented:
Is your router running the firewall feature set, or do you have a PIX firewall as in your diagram? Two very different things.
If no PIX and no firewall feature set (ip inspect), then I would suspect a DNS issue. Where is your MX record?
and882Author Commented:
I use normal ACLs for traffic filtering (no CBAC).

The PIX is the firewall for my internal network and should not be the problem. The DMZ uses a Cisco Router with ACLs as a firewall to the internet and a PIX 501 for the internal network.

ACL on the router allows port 53, DNS works for www.

I can't send a mail to a user on the mail server, e.g. user@1.2.3.4 - so DNS is not used (is this correct?)

The router uses NAT:

ip nat inside source static tcp 10.10.0.10 80 1.2.3.4 80 <- web
ip nat inside source static tcp 10.10.0.10 25 1.2.3.4 25 <- mail

Should I use two different internal IP addresses for mail and web?

The Web and Mail pointing was done by www.avtiveisp.com

A record --> 1.2.3.4
MX record --> 1.2.3.4

If I try to telnet to the port I get no answer

telnet 1.2.3.4 25

I think the problem is that the mail service on port 25 is not running on the external (public) router interface. But I don't know what I have done differently from www.

I hope this helps!
ShineOnCommented:
Not sure if this makes sense, but IIRC you should make the port 25 traffic 2-way, and you should use 2-way DNS communications on both TCP and UDP.  Since it appears your ACL isn't blocking anything out, and you've already opened a static NAT port 25, then all that's left is opening port 53 on TCP and UDP to your server with a couple more "ip nat" commands.

If you ping your mail server's DNS name, does it resolve to 1.2.3.4?  Does the DNS name in your mail server config match the DNS name on the mx record?  If you connect directly to the public-side NIC of the mailserver can you telnet to port 25 and get a response from the mail server?
lrmooreCommented:
If you are trying to telnet to the server's public address from inside your LAN, it won't work anyway. You're hitting it before the NAT takes place on the router.
Does your inbound access-list have a line that includes
permit tcp any any established?
ShineOnCommented:
lrmoore - is that a rough equivalent to stateful filtering?
and882Author Commented:
Yes, this is correct.  I also need a DNS for my internal network!

This is my inbound ACL for the router interface connected to the internet (cable modem):

    permit tcp any host 1.2.3.4 eq www (17332 matches)
    permit tcp any host 1.2.3.4. eq smtp (494 matches)
    permit tcp any host 1.2.3.4. established (75020 matches)
    permit udp any eq domain any (1732 matches)

NAT:

Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.4:25   10.10.0.10:25      ---                ---
tcp 1.2.3.4:80   10.10.0.10:80      ---                ---

I do not think this is (only) a DNS problem, because it also does not work with the IP address in the mail address.

Do I have to change something in the postfix access file?
lrmooreCommented:
ShineOn - yes, exactly.

and882 - you have not answered the question as to where you are trying to do your testing from.
Inside, on your LAN, or completely external from elsewhere on the Internet?
Yes, you do need a dns for your internal users that will resolve the MX and the A records to the 10.10.0.10 IP address, else look into the 'alias' command on the pix...
ShineOnCommented:
If you change the permit tcp any host 1234 established to permit tcp any any established, does that change anything?  (just for troubleshooting...)
ShineOnCommented:
When doing a DMZ with Cisco IOS is it necessary to have an outside ACL to allow access to NATted server(s) - I thought that the IP NAT INSIDE SOURCE command would handle that.  Could it be that the combination is working against each other, like maybe the outside ACL should specify the NATted address instead of the public address?
ShineOnCommented:
I have seen it with the outside ACL doing an ANY ANY instead of specifying a host address...
ShineOnCommented:
Also, should the IP NAT INSIDE SOURCE statements have "extendable" added, or isn't that necessary here?
and882Author Commented:
I have tried to connect directly in the DMZ network to port 25 --> telnet 10.10.0.10 25 does not work

telnet 10.10.0.10 80 works --> there must be something wrong with the postfix or linux configuration (firewall?).

I turned off the firewall of the mail server --> the same --> the smtp service is not running correctly --> postfix status says running

OK, what now?

1. This is not a problem of the ACL - I think so, because I am behind the firewall

2. It is not a problem of the firewall on the web/mail server -- I have disabled the firewall --> nothing happened

3. --> this must be a problem of the smtp server config --> postfix config

Do you agree with that?
lrmooreCommented:
Agree with #3. It is not an access-list issue if you can't even do it locally...
Perhaps you can post a pointer question in one of the Linux TAs to get a Linux guru to lend a hand.
and882Author Commented:
Thank you to lrmoore and ShineOn!!!!

I have found the problem: it was a hidden duplicate config line in the main configuration file of postfix. It didn't listen on the correct interface.

So simple, but it took me 2 days.

Thank you for your help!
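The root cause above (a duplicated main.cf line that changed which interface Postfix listened on) is easy to miss because Postfix silently keeps the last definition of a parameter. The following checker is an added example, not code from this thread or from Postfix; it assumes standard main.cf syntax and that the parameter involved was `inet_interfaces` (the thread does not name it), and the sample file is constructed to reproduce the symptom of port 25 being closed even from the DMZ.

```python
import re

# Constructed sample main.cf reproducing the thread's symptom: an early
# inet_interfaces = all is overridden by a stray duplicate far down the
# file, so Postfix binds only the loopback address and port 25 looks closed.
SAMPLE_MAIN_CF = """\
# See /usr/share/doc/postfix for details
myhostname = mail.example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain,
    localhost, $mydomain
# ... many lines later ...
inet_interfaces = localhost
"""

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
LOOPBACK = {"localhost", "loopback-only", "127.0.0.1", "::1", "[::1]"}

def parse_main_cf(text):
    """Map each parameter to ALL its values in file order (main.cf rules:
    'name = value', whitespace-led continuation lines, '#' comments)."""
    seen, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            seen[current][-1] += " " + raw.strip()   # continuation line
            continue
        m = PARAM_RE.match(raw)
        if m:
            current = m.group(1)
            seen.setdefault(current, []).append(m.group(2).strip())
    return seen

def duplicate_params(text):
    """Parameters set more than once; Postfix silently keeps the LAST one."""
    return {k: v for k, v in parse_main_cf(text).items() if len(v) > 1}

def effective(text, param, default=None):
    values = parse_main_cf(text).get(param)
    return values[-1] if values else default

def listens_only_on_loopback(text):
    """True when the effective inet_interfaces leaves no public listener."""
    value = effective(text, "inet_interfaces", default="all")  # Postfix default
    hosts = {h.lower() for h in re.split(r"[,\s]+", value) if h}
    return hosts <= LOOPBACK
```

Running `duplicate_params` over a real main.cf lists every parameter defined twice together with the value that actually wins, which is the check the thread arrived at by elimination.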
lrmooreCommented:
Great news!
Thanks!
ShineOnCommented:
Process of elimination.  Glad you got it fixed.