Solved

Postfix Mail-Server behind a firewall

Posted on 2003-10-26
2,025 Views
Last Modified: 2007-02-12
I use a web and mail server (Apache2 and Postfix) with Suse 8.2 behind a firewall (Cisco 1710 Router with ACL).
My network:

Internet < ---- > Router < ---- > Web-, Mail-Server < ---- > PIX < ---- > Intern
                 |                     |  
            X.X.X.X   10.10.0.0/16 DMZ network

ACL:
permit tcp any host X.X.X.X eq www
permit tcp any host X.X.X.X eq smtp

www works fine!

I can send emails from the mail server, but I can't receive emails to addresses user@domain or user@X.X.X.X.
A port scan to X.X.X.X says that the SMTP service is not running!!!
I have used the standard configuration (main.cf) with myorigin, mydomain and mydestination changed.
The MX record was set to the IP address X.X.X.X.

Anyone have an idea what's wrong?
Question by:and882
16 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 9622499
Is your router running the firewall feature set, or do you have a PIX firewall as in your diagram? Two very different things.
If no PIX and no firewall feature set (ip inspect), then I would suspect a DNS issue. Where is your MX record?
0
 

Author Comment

by:and882
ID: 9622958
I use normal ACLs for traffic filtering (no CBAC).

The PIX is the firewall for my internal network and should not be the problem. The DMZ uses a Cisco router with ACLs as a firewall to the internet and a PIX 501 for the internal network.

ACL on the router allows port 53, DNS works for www.

I can't send a mail to a user on the mail server, e.g. user@1.2.3.4, so DNS is not used (is this correct?)

The router uses NAT:

ip nat inside source static tcp 10.10.0.10 80 1.2.3.4 80 <- web
ip nat inside source static tcp 10.10.0.10 25 1.2.3.4 25 <- mail

Should I use two different internal IP addresses for mail and web?

The Web and Mail pointing was done by www.avtiveisp.com

A record --> 1.2.3.4
MX record --> 1.2.3.4

If I try to telnet to the port I get no answer:

telnet 1.2.3.4 25

I think the problem is that the mail service on port 25 is not running on the external (public) router interface. But I don't know what I have done differently from www.

I hope this helps!
0
 
LVL 35

Accepted Solution

by:ShineOn
ShineOn earned 1000 total points
ID: 9623319
Not sure if this makes sense, but IIRC you should make the port 25 traffic 2-way, and you should use 2-way DNS communications on both TCP and UDP.  Since it appears your ACL isn't blocking anything out, and you've already opened a static NAT port 25, then all that's left is opening port 53 on TCP and UDP to your server with a couple more "ip nat" commands.

If you ping your mail server's DNS name, does it resolve to 1.2.3.4?  Does the DNS name in your mail server config match the DNS name on the mx record?  If you connect directly to the public-side NIC of the mailserver can you telnet to port 25 and get a response from the mail server?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9623410
If you are trying to telnet to the server's public address from inside your LAN, it won't work anyway. You're hitting it before the NAT takes place on the router.
Does your inbound access-list have a line that includes
permit tcp any any established?

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9623420
lrmoore - is that a rough equivalent to stateful filtering?
0
 

Author Comment

by:and882
ID: 9623451
Yes, this is correct.  I also need a DNS for my internal network!

This is my inbound ACL for the router interface connected to the internet (cable modem):

    permit tcp any host 1.2.3.4 eq www (17332 matches)
    permit tcp any host 1.2.3.4. eq smtp (494 matches)
    permit tcp any host 1.2.3.4. established (75020 matches)
    permit udp any eq domain any (1732 matches)

NAT:

Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.4:25   10.10.0.10:25      ---                ---
tcp 1.2.3.4:80   10.10.0.10:80      ---                ---

I do not think this is a DNS problem (not only), because it also does not work with the IP address in the mail address.

Do I have to change something in the Postfix access file?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9623487
ShineOn - yes, exactly.

and882 - you have not answered the question as to where you are trying to do your testing from.
Inside, on your LAN, or completely external from elsewhere on the Internet?
Yes, you do need a dns for your internal users that will resolve the MX and the A records to the 10.10.0.10 IP address, else look into the 'alias' command on the pix...
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9623494
If you change the permit tcp any host 1234 established to permit tcp any any established, does that change anything?  (just for troubleshooting...)
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9623510
When doing a DMZ with Cisco IOS is it necessary to have an outside ACL to allow access to NATted server(s) - I thought that the IP NAT INSIDE SOURCE command would handle that.  Could it be that the combination is working against each other, like maybe the outside ACL should specify the NATted address instead of the public address?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9623519
I have seen it with the outside ACL doing an ANY ANY instead of specifying a host address...
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9623529
Also, should the IP NAT INSIDE SOURCE statements have "extendable" added, or isn't that necessary here?
0
 

Author Comment

by:and882
ID: 9623636
I have tried to connect directly in the DMZ network to port 25 --> telnet 10.10.0.10 25 does not work.

telnet 10.10.0.10 80 works --> there must be something wrong with the Postfix or Linux configuration (firewall?).

I turned off the firewall of the mail server --> the same --> the SMTP service is not running correctly --> Postfix status says running.

OK, what now?

1. This is not a problem of the ACL, I think, because I am behind the firewall.

2. It is not a problem of the firewall on the web/mail server -- I have disabled the firewall --> nothing happened.

3. --> This must be a problem of the SMTP server config --> Postfix config.

Do you agree with that?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9623778
Agree with #3. It is not an access-list issue if you can't even do it locally...
Perhaps you can post a pointer question in one of the Linux TAs to get a Linux guru to lend a hand.

0
 

Author Comment

by:and882
ID: 9623821
Thank you to lrmoore and ShineOn!!!!

I have found the problem: it was a hidden double config line in the main configuration file of Postfix. It didn't listen on the correct interface.

So simple, but it took me 2 days.

Thank you for your help!
0
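The root cause above (a repeated parameter in main.cf, where Postfix takes the last assignment as the effective one) is easy to miss by eye; this added example, which is not part of the thread, scans a constructed main.cf for duplicated parameters and reports the value Postfix would actually use, so the check can be run before resorting to the local telnet elimination step described earlier.

```shell
#!/bin/sh
# Added example, not from the thread: detect parameters assigned more than
# once in a Postfix main.cf and show the effective (last-wins) value.
# On a live box the same answer comes from: postconf -n inet_interfaces

# Constructed sample resembling the asker's situation: a second
# inet_interfaces line further down silently overrides the first one.
SAMPLE_MAIN_CF='myorigin = example.org
mydomain = example.org
mydestination = $mydomain, localhost
inet_interfaces = all
mynetworks = 127.0.0.0/8, 10.10.0.0/16
# ... many lines later ...
inet_interfaces = localhost'

# Print "key<TAB>count<TAB>effective_value" for every parameter set more
# than once. Comment lines, blank lines and indented continuation lines
# are skipped; only "key = value" lines start a new assignment.
find_duplicate_params() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        /^[[:space:]]/ { next }                          # continuation line
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/^[[:space:]]+/, "", val)
            count[key]++; last[key] = val
        }
        END {
            for (k in count)
                if (count[k] > 1) printf "%s\t%d\t%s\n", k, count[k], last[k]
        }'
}

# Effective value of one parameter (last assignment wins); empty if unset.
effective_value() {
    printf '%s\n' "$1" | awk -F'=' -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == want) {
                v = substr($0, index($0, "=") + 1); sub(/^[[:space:]]+/, "", v)
            }
        }
        END { print v }'
}

# Example run on the constructed file: flags inet_interfaces as duplicated
# and shows that "localhost" (not "all") is what Postfix would bind to.
find_duplicate_params "$SAMPLE_MAIN_CF"
effective_value "$SAMPLE_MAIN_CF" inet_interfaces
```

To check a real file, replace the constructed sample with `$(cat /etc/postfix/main.cf)`; an effective inet_interfaces of `localhost` explains exactly the symptom seen in the thread (port 80 reachable from the DMZ, port 25 not).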
 
LVL 79

Expert Comment

by:lrmoore
ID: 9623842
Great news!
Thanks!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9625121
Process of elimination.  Glad you got it fixed.
0