and882

asked on

Postfix Mail-Server behind a firewall

I use a web and mail server (Apache2 and Postfix) on SuSE 8.2 behind a firewall (Cisco 1710 router with ACLs).
My network:

Internet < ---- > Router < ---- > Web-, Mail-Server < ---- > PIX < ---- > Intern
                 |                     |  
            X.X.X.X   10.10.0.0/16 DMZ network

ACL:
permit tcp any host X.X.X.X eq www
permit tcp any host X.X.X.X eq smtp

www works fine!

I can send emails from the mail server, but I can't receive emails to addresses user@domain or user@X.X.X.X.
A port scan of X.X.X.X says that the SMTP service is not running!!!
I have used the standard configuration (main.cf) with myorigin, mydomain and mydestination changed.
The MX record was set to the IP address X.X.X.X.

Anyone have an idea what's wrong?

SOLUTION
Les Moore

This solution is only available to members.
and882

ASKER

I use normal ACLs for traffic filtering (no CBAC).

The PIX is the firewall for my internal network and should not be the problem. The DMZ uses a Cisco router with ACLs as a firewall to the internet and a PIX 501 for the internal network.

ACL on the router allows port 53, DNS works for www.

I can't send a mail to a user on the mail server, e.g. user@1.2.3.4, so DNS is not used (is this correct?)

The router uses NAT:

ip nat inside source static tcp 10.10.0.10 80 1.2.3.4 80 <- web
ip nat inside source static tcp 10.10.0.10 25 1.2.3.4 25 <- mail

Should I use two different internal IP addresses for mail and web?

The Web and Mail pointing was done by www.avtiveisp.com

A record --> 1.2.3.4
MX record --> 1.2.3.4

If I try to telnet to the port I get no answer:

telnet 1.2.3.4 25

I think the problem is that the mail service on port 25 is not running on the external (public) router interface. But I don't know what I have done differently from www.

I hope this helps!
ASKER CERTIFIED SOLUTION
This solution is only available to members.
If you are trying to telnet to the server's public address from inside your LAN, it won't work anyway. You're hitting it before the NAT takes place on the router.
Does your inbound access-list have a line that includes
permit tcp any any established?

lrmoore - is that a rough equivalent to stateful filtering?

ASKER

Yes, this is correct. I also need a DNS for my internal network!

This is my inbound ACL for the router interface connected to the internet (cable modem):

    permit tcp any host 1.2.3.4 eq www (17332 matches)
    permit tcp any host 1.2.3.4. eq smtp (494 matches)
    permit tcp any host 1.2.3.4. established (75020 matches)
    permit udp any eq domain any (1732 matches)

NAT:

Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.4:25   10.10.0.10:25      ---                ---
tcp 1.2.3.4:80   10.10.0.10:80      ---                ---


I do not think this is a DNS problem (not only), because it also does not work with the IP address in the mail address.

Do I have to change something in the Postfix access file?
ShineOn - yes, exactly.

and882 - you have not answered the question as to where you are trying to do your testing from.
Inside, on your LAN, or completely external from elsewhere on the Internet?
Yes, you do need a DNS for your internal users that will resolve the MX and the A records to the 10.10.0.10 IP address, else look into the 'alias' command on the PIX...
If you change the permit tcp any host 1234 established to permit tcp any any established, does that change anything?  (just for troubleshooting...)
When doing a DMZ with Cisco IOS is it necessary to have an outside ACL to allow access to NATted server(s) - I thought that the IP NAT INSIDE SOURCE command would handle that.  Could it be that the combination is working against each other, like maybe the outside ACL should specify the NATted address instead of the public address?
I have seen it with the outside ACL doing an ANY ANY instead of specifying a host address...
Also, should the IP NAT INSIDE SOURCE statements have "extendable" added, or isn't that necessary here?

ASKER

I have tried to connect directly in the DMZ network to port 25 --> telnet 10.10.0.10 25 does not work.

telnet 10.10.0.10 80 works --> there must be something wrong with the Postfix or Linux configuration (firewall?).

I turned off the firewall of the mail server --> the same --> the SMTP service is not running correctly --> postfix status says running.

OK, what now?

1. This is not a problem of the ACL - I think so, because I am behind the firewall.

2. It is not a problem of the firewall on the web/mail server -- I have disabled the firewall --> nothing happened.

3. --> This must be a problem of the SMTP server config --> Postfix config.

Do you agree with that?


Agree with #3. It is not an access-list issue if you can't even do it locally...
Perhaps you can post a pointer question in one of the Linux TA's to get a Linux guru to lend a hand..


ASKER

Thank you to lrmoore and ShineOn!!!!

I have found the problem: it was a hidden duplicate config line in the main configuration file of Postfix. It didn't listen on the correct interface.

So simple, but it took me 2 days.

Thank you for your help!
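The root cause above (a second, forgotten `inet_interfaces` line further down main.cf, which Postfix honours because the last definition of a parameter wins) is easy to catch mechanically. The following script is an added example, not code from the thread or from the Postfix project: it scans a main.cf for parameters defined more than once, reports the effective value of each, and tells you whether the resulting `inet_interfaces` setting can accept mail from the network at all. The sample main.cf embedded in it is constructed for the example; the hostnames and values in it are made up.

```sh
#!/bin/sh
# Added example: detect duplicate parameter definitions in a Postfix main.cf
# and work out whether smtpd will listen for connections from the network.
# Postfix applies the LAST definition of a parameter, so a leftover
# "inet_interfaces = localhost" at the bottom of the file silently overrides
# an "inet_interfaces = all" near the top. (`postconf -n` shows the same
# effective value on a real host.)

# Constructed sample main.cf with exactly that mistake in it.
SAMPLE_MAINCF='# sample main.cf (constructed for this example, not a real host)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
    localhost

# ... many lines later, a leftover from the distribution default:
inet_interfaces = localhost
'

# Print "name count" for every parameter defined more than once.
# Indented continuation lines (like the "localhost" above) are not
# parameter definitions and are ignored by the leading ^name= match.
find_duplicate_params() {
    # $1: path to main.cf
    grep -E '^[A-Za-z0-9_]+[[:space:]]*=' "$1" \
      | sed -E 's/^([A-Za-z0-9_]+)[[:space:]]*=.*/\1/' \
      | sort | uniq -c \
      | awk '$1 > 1 { print $2, $1 }'
}

# Print the effective value of a parameter: the last definition in the file.
effective_value() {
    # $1: path to main.cf, $2: parameter name
    grep -E "^$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Return 0 when the given inet_interfaces value lets smtpd accept connections
# from other hosts, 1 when it is loopback-only. An empty value means Postfix's
# default, which is "all".
check_inet_interfaces() {
    case "$1" in
        ""|all)                                  return 0 ;;
        localhost|loopback-only|127.0.0.1|::1)   return 1 ;;
        *)                                       return 0 ;;
    esac
}

# Run the checks against one main.cf and explain the result.
run_checks() {
    dups=$(find_duplicate_params "$1")
    if [ -n "$dups" ]; then
        echo "duplicate definitions in $1 (last one wins):"
        echo "$dups" | while read -r name count; do
            echo "  $name defined $count times, effective value: $(effective_value "$1" "$name")"
        done
    fi
    iface=$(effective_value "$1" inet_interfaces)
    if check_inet_interfaces "$iface"; then
        echo "inet_interfaces='$iface': smtpd can accept connections from the DMZ/router"
    else
        echo "inet_interfaces='$iface': smtpd listens on loopback only; 'telnet <host> 25' from another box will fail"
    fi
}

# Demo against the constructed sample. On a real server point run_checks at
# /etc/postfix/main.cf and compare with the actual listeners, e.g.
#   ss -ltn | grep ':25 '      (or: netstat -ltn | grep ':25 ' on old systems)
tmp=$(mktemp)
printf '%s' "$SAMPLE_MAINCF" > "$tmp"
run_checks "$tmp"
rm -f "$tmp"
```

The interface check is deliberately done on the configuration rather than with a port scan, because the thread shows why that matters: a scan from inside the LAN hits the router before NAT, and a scan from the DMZ cannot distinguish "nothing listening" from "listening on loopback only". Reading the effective value answers the question the poster spent two days on directly.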
Great news!
Thanks!
Process of elimination.  Glad you got it fixed.