• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 708

Postfix - SMTP - Connect Failed

I hope this is an easy one... I am new to Postfix and I'm trying to set up a mail server. I cannot connect to the SMTP server from external locations. When I am connected to the LAN everything works fine. When I am outside of the LAN and attempt to telnet to the mail server on port 25 I receive a connect failed message. Please help! Is this a Postfix issue or a firewall issue?

Postfix is running on a RHEL 4 machine behind a PIX 515 firewall.  My main.cf file is below.

myhostname = mail.example.com
mydomain = example.com
mydestination = $mydomain, $myhostname, localhost.$mydomain
myorigin = $mydomain
masquerade_domains = $mydomain
inet_interfaces = all
mynetworks = 192.168.16.6/24, 192.168.16.7/24, 127.0.0.0/8
notify_classes = resource, software, bounce, policy
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes
smtpd_client_restrictions =
     check_client_access hash:/etc/postfix/client_access
smtpd_helo_restrictions =
     reject_invalid_hostname,
     check_helo_access hash:/etc/postfix/helo_access
smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions =
     permit_sasl_authenticated,
     permit_mynetworks,
     reject_unauth_destination,
     reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client relays.ordb.org
smtpd_data_restrictions =
     reject_unauth_pipelining
relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
default_transport = smtp
mail_owner = postfix
default_privs = nobody
queue_directory = /var/spool/postfix
program_directory = /usr/libexec/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
Asked: tgerman10

1 Solution

Cyclops3590 commented:
Changes to make
----------------------------------
mynetworks = 192.168.16.0/24, 127.0.0.0/8

You should have received an error related to the way you had the mynetworks parameter set up before.

My guess is that this is a firewall issue. If you can connect on the LAN then my guess is SMTP works fine (by connect I mean telnet to port 25 and receive the mail banner). If you get a connection failed from outside then I'd say start with the firewall.

Can you post the PIX config here (sanitized of course) so I can take a look at it to make sure everything looks good for mail traffic to get to the internal host?
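
The mynetworks correction above can be checked mechanically. This Python snippet is an added example, not code from the thread or from Postfix: it reduces each mynetworks entry to its network the way Postfix matches it, flags entries whose host bits are set under the prefix (the condition Postfix complains about at startup), and shows which client addresses permit_mynetworks would then trust. The two sample values are the line as posted in the question and the corrected line given later in the thread.

```python
import ipaddress

# Constructed sample values: the mynetworks line as posted in the question
# and the corrected line given later in the thread.
POSTED = "192.168.16.6/24, 192.168.16.7/24, 127.0.0.0/8"
CORRECTED = "192.168.16.0/24, 192.168.17.0/24, 127.0.0.0/8"


def parse_mynetworks(value):
    """Split a mynetworks value; Postfix accepts commas and/or whitespace."""
    return value.replace(",", " ").split()


def check_mynetworks(value):
    """Return (warnings, networks).

    Each entry is reduced to its network, as Postfix does when matching.
    An entry with host bits set under its prefix (192.168.16.6/24) is
    flagged, since that is almost always a typo and Postfix warns about it.
    """
    warnings, nets = [], []
    for entry in parse_mynetworks(value):
        try:
            iface = ipaddress.ip_interface(entry)  # a bare address becomes /32
        except ValueError:
            warnings.append(f"unparseable mynetworks entry: {entry}")
            continue
        if iface.ip != iface.network.network_address:
            warnings.append(
                f"host bits set in {entry}; did you mean {iface.network}?")
        nets.append(iface.network)
    return warnings, nets


def is_trusted(client_ip, nets):
    """True when permit_mynetworks would match a client at this address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("corrected", CORRECTED)):
        warnings, nets = check_mynetworks(value)
        print(f"{label}: {[str(n) for n in nets]}")
        for w in warnings:
            print("  warning:", w)
        # The second LAN subnet only gains relay rights with the corrected line.
        print("  192.168.17.5 trusted:", is_trusted("192.168.17.5", nets))
```

With the posted value both /24 entries collapse to 192.168.16.0/24, so a client on 192.168.17.0/24 is never trusted; the corrected line fixes that without widening anything else.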

kiitii commented:
Basically, when you turn on this feature
inet_interfaces = all
your port 25 should be running without problem.

As you mentioned, you can telnet from the LAN to port 25, meaning port 25 is open.

So, please check out your firewall settings.

kiitii commented:
Remember to also add:

mynetworks_style=subnet
mynetworks = 192.168.16.0/24, ********

These two lines are for relaying purposes, from the local LAN to the outside world.

Cyclops3590 commented:
kiitii, just out of curiosity, did you read my post? It says the same thing as your 2 posts.

Also, tgerman10, can you post your pix config so I can look at it to ensure that your pix is configured right.

Thanks

tgerman10 (Author) commented:
Cyclops3590,
Thanks for pointing that out. The mynetworks line was a typo. It is supposed to read mynetworks = 192.168.16.0/24, 192.168.17.0/24, 127.0.0.0/8. I will post the PIX config as soon as I can get it.

kiitii,
Thanks for your help.  I added the mynetworks_style = subnet line.

Cyclops3590 commented:
Just FYI, subnet is the default value of the mynetworks_style parameter, so that line isn't needed except for better clarity in the main.cf.

tgerman10 (Author) commented:
Cyclops3590,
Here is my PIX config (sanitized I hope...):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password x encrypted
passwd x encrypted
hostname x
domain-name x
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access permit tcp any host 12.160.82.118 eq www
access-list outside_access permit tcp any host 12.160.82.118 eq smtp
access-list outside_access permit tcp any host 12.160.82.118 eq imap4
access-list outside_access permit tcp any host 12.160.82.117 eq ssh
access-list outside_access permit tcp any host 12.160.82.116 eq ssh
access-list outside_access permit tcp any host 12.160.82.116 eq https
access-list outside_access permit tcp any host 12.160.82.116 eq www
access-list outside_access permit tcp any host 12.160.82.115 eq ssh
access-list outside_access permit tcp any host 12.160.82.122 eq www
access-list outside_access permit tcp any host 12.160.82.122 eq citrix-ica
access-list outside_access permit tcp any host 12.160.82.122 eq 1604
access-list outside_access permit tcp any host 12.160.82.117 eq 2598
access-list outside_access permit tcp any host 12.160.82.117 eq citrix-ica
access-list outside_access permit tcp any host 12.160.82.117 eq www
access-list outside_access permit tcp any host 12.160.82.119 eq smtp
access-list outside_access permit tcp any host 12.160.82.119 eq imap4
access-list outside_access permit tcp any host 12.160.82.119 eq www
access-list outside_access permit tcp any host 12.160.82.119 eq ssh
access-list 90 permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat_vpn permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat_vpn permit ip 192.168.16.0 255.255.255.0 192.168.160.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.160.96 255.255.255.224
pager lines 24
logging on
logging timestamp
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 12.160.82.121 255.255.255.240
ip address inside 192.168.16.1 255.255.255.0
ip address dmz 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.160.100-192.168.160.120
pdm location 12.160.82.112 255.255.255.255 inside
pdm location 192.168.16.2 255.255.255.255 inside
pdm location 192.168.16.4 255.255.255.255 inside
pdm location 192.168.16.6 255.255.255.255 inside
pdm location 192.168.16.7 255.255.255.255 inside
pdm location 192.168.16.8 255.255.255.255 inside
pdm location 204.232.10.1 255.255.255.255 outside
pdm location 65.196.220.0 255.255.255.0 outside
pdm location 141.152.158.72 255.255.255.255 outside
pdm location 192.168.17.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat_vpn
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.160.82.115 192.168.16.6 netmask 255.255.255.255 0 0
static (inside,outside) 12.160.82.117 192.168.16.8 netmask 255.255.255.255 0 0
static (inside,outside) 12.160.82.118 192.168.16.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.160.82.122 192.168.16.4 netmask 255.255.255.255 0 0
static (inside,outside) 12.160.82.116 192.168.16.7 netmask 255.255.255.255 0 0
static (inside,outside) 12.160.82.119 192.168.16.5 netmask 255.255.255.255 0 0
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 12.160.82.120 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community ppr0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mpgtransform esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map 2va 2 ipsec-isakmp
crypto map 2va 2 match address 90
crypto map 2va 2 set peer 141.152.158.72
crypto map 2va 2 set transform-set mpgtransform
crypto map 2va 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map 2va client authentication LOCAL
crypto map 2va interface outside
isakmp enable outside
isakmp key x address 141.152.158.72 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup x address-pool VPN_Pool
vpngroup x dns-server x
vpngroup x default-domain x
vpngroup x idle-time 1800
vpngroup x password x
telnet 192.168.16.0 255.255.255.0 inside
telnet 12.160.82.112 255.255.255.255 inside
telnet timeout 5
ssh 204.232.10.1 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 141.152.158.72 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username x password x encrypted privilege 15
username x password x encrypted privilege 2
terminal width 80
Cryptochecksum:3724a0757373ecaecfd6a0a811c456e1

kiitii commented:
Cyclops3590,

Oops! Sorry about that, my mistake.
Anyway,

tgerman10, if things get solved later, all credits should go to Cyclops3590.
I am no PIX firewall expert, only iptables.

Happy solving.

Cyclops3590 commented:
OK, I'm not seeing an issue (PIX config looks good). Also I did
telnet 12.160.82.119 25
and I received a mail banner
220 lhotse.orderprocessingcenter.net ESMTP Postfix

so I guess I'm missing the point as to what is wrong here.

tgerman10 (Author) commented:
You received the mail banner?  I just had several people at other locations try and they all got the connect failed message.  Any ideas?

Cyclops3590 commented:
What IP are they using, or are they using an FQDN, in which case what is the FQDN you are using? Is it "lhotse.orderprocessingcenter.net" or something else?

I just tried
telnet lhotse.orderprocessingcenter.net 25
and was successful.

tgerman10 (Author) commented:
Hmmm... maybe I need to get them to try again... Earlier they were trying with both the IP (12.160.82.119) and the FQDN (lhotse.orderprocessingcenter.com). Both failed. Let me run some more tests. I will get back to you soon.

tgerman10 (Author) commented:
Cyclops3590,
How are you getting that to work??? I have gotten other people to try it from various locations and they all get the connect failed message. I am currently at home trying both the IP and FQDN and all I get is connect failed. What is going on? What is different about your attempts?

Cyclops3590 commented:
Just tried it from home; IP and hostname both worked. Try a ping to see if maybe the latency is just really high (hard to believe that's the culprit, but I am running out of ideas). By the way, ping the IP assigned to the outside interface to test.

For me I'm getting an avg RTT of 37ms from my home in North Carolina, US.

tgerman10 (Author) commented:
Okay, I tried a ping. When I ping the mail server (IP and FQDN) I get 100% loss. All attempts time out. I am able to successfully ping the outside interface of the PIX. I am not able to ping any of our other public IPs.

Cyclops3590 commented:
I would expect that; the PIX doesn't pass on ICMP packets (unless told to, I believe).

Beyond that, sorry, I'm out of ideas. I cannot think of one reason why it should work every time from two different IPs for me and never for you from multiple IPs.

tgerman10 (Author) commented:
Cyclops3590,
Things are working now. The problem was my ISP (Cox). They are blocking port 25 traffic that does not go through their servers. I changed the SMTP port that Postfix is using and everything works great. The other people that were helping me test this use Cox as their ISP also. That is why their attempts were failing too. Thanks for your assistance! You helped guide me in the right direction.
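
The thread never reconciled why the same telnet returned a banner for one person and "connect failed" for others; the cause turned out to be a filter between the client and the MX. The following Python probe is an added example, not code from the thread: it makes the same connection telnet does, reads the greeting, and reports banner, refused or timeout, so running it from the LAN, from an unfiltered connection and from the affected ISP shows where port 25 is being cut. The sample greeting is constructed from the one quoted in the thread; the default target host is a placeholder.

```python
import socket

# Constructed sample greeting, in the form quoted in the thread.
SAMPLE_BANNER = "220 lhotse.orderprocessingcenter.net ESMTP Postfix\r\n"


def classify_banner(line):
    """Parse an SMTP greeting line. Returns (is_220, hostname, software).

    A 220 code means the server is ready; the token after it is the name the
    server announces, and the remainder (e.g. 'ESMTP Postfix') is free text.
    A '220-' prefix marks a multi-line greeting and is accepted the same way.
    """
    line = line.strip()
    if len(line) < 4 or line[:3] != "220" or line[3] not in " -":
        return False, None, None
    rest = line[4:].split(None, 1)
    hostname = rest[0] if rest else ""
    software = rest[1] if len(rest) > 1 else ""
    return True, hostname, software


def probe_smtp(host, port=25, timeout=10):
    """Connect to host:port and read the greeting.

    The outcome tells you where the connection died:
      banner  - the MTA answered, so the path is open end to end
      refused - the host (or a firewall sending resets) rejected the SYN
      timeout - nothing answered at all; a silent drop, which is what an
                ISP or upstream filter on port 25 looks like from outside
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512).decode("ascii", "replace")
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except socket.timeout:
        return {"status": "timeout", "banner": None}
    except OSError as exc:  # DNS failure, unreachable network, etc.
        return {"status": "error", "banner": None, "detail": str(exc)}
    ok, hostname, software = classify_banner(data)
    return {"status": "banner" if ok else "unexpected",
            "banner": data.strip(), "hostname": hostname, "software": software}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_smtp(target, port))
```

A timeout from every outside vantage point while the LAN gets a banner points at a filter in the path rather than at Postfix or the PIX. Other mail servers deliver on port 25, so a client-facing alternative port (the submission service on 587) supplements 25 rather than replacing it.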

Cyclops3590 commented:
Glad I could be of assistance.