Have to ACCEPT port 25 for outgoing mail?

I have the Fedora Core 1 install and am using iptables to secure stuff. "iptables -L" looks like this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So I am accepting http and ssh explicitly, and also allowing anything RELATED,ESTABLISHED which I think should cover outgoing mail. However, mail goes nowhere unless I add an explicit accept for smtp:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have read several forums and howtos on the RELATED,ESTABLISHED bit, but I still don't get why RELATED does not cover outgoing mail… any takers?

3 Replies

@widowmaker:

However, mail goes nowhere unless I add an explicit accept for smtp:
Ok, shot in the dark, but maybe you have a problem with local connections (sendmail to smtp server)? If the above are all your firewall rules I think connections from localhost to localhost will be blocked. Add something like this also (to your firewall rules):

# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT

It might be safer to replace "! -i eth0" with "-i lo" but I'm too lazy to test that now.

@widowmaker:

I have read several forums and howtos on the RELATED,ESTABLISHED bit, but I still don't get why RELATED does not cover outgoing mail… any takers?
Well, RELATED is for protocols that are known to use several ports at once. For example ftp, which first opens a control connection where you issue your commands, and then a second data connection when you actually up- or download some file. And so the firewall dynamically opens up for that one on an as-needed basis (and then I suppose only from the right host, etc, etc).

SMTP only uses port 25, but first from localhost to your server. Then from your server to someone else's port 25.

Right on. I am not even able to do "telnet localhost 25" just to connect to the local smtp server and get its welcome string without the explicit accept of smtp. I added a rule with "-i lo" as you suggested in place of the smtp rule, and then I can connect to the local server, and all is well.

Might be worth mentioning that the default behavior of Fedora is to only accept smtp connections from localhost, so even with the explicit smtp accept rule in place, connections from outside are refused, which is good enough for stopping relays.

Thanks!

What might be happening is that there's a pause for IDENT with many servers; if you telnet to a remote server on port 25 (without the INPUT line), do you connect? If you connect, but it takes a long time before you see anything, you might want to add an explicit REJECT rule for TCP port 113. Not a drop, a true reject, so that the remote server instantly knows that there's no port open there:

# Refuse IDENT immediately (TCP RST) instead of letting the remote MTA wait for a timeout
iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

Also double-check that your reverse lookup is working properly on your allocated IPs.

To allow all traffic on your loopback interface:

iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT

iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT

Once you connect and immediately get a welcome string to remote mail servers when you telnet to them on port 25, then try mail again. If that fails, read your logs carefully: that will generally tell you why it isn't working.

That incoming SMTP rule shouldn't be necessary.
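As an added illustration (not code from this thread, and not how netfilter is implemented), here is a small Python model of the INPUT-chain walk that reproduces the behaviour the replies describe: first matching rule wins, the chain policy applies otherwise, and conntrack only reports ESTABLISHED once a flow has been seen in both directions, so the SYN of "telnet localhost 25" is still NEW when it reaches INPUT on lo. It also shows that a reply from a remote MX is ESTABLISHED without any dpt:smtp rule, that an unsolicited SYN to our port 25 is dropped, and that RELATED only ever comes from a helper-registered expectation (the FTP data connection case). The hosts, ports and the FTP expectation are constructed sample data; the names Packet, Rule, Conntrack and run_scenarios are chosen here.

```python
"""Toy model of the iptables INPUT-chain walk (added example, not netfilter)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on in INPUT: "lo" or "eth0"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT / DROP / REJECT
    iface: Optional[str] = None          # -i IFACE
    iface_negated: bool = False          # ! -i IFACE
    dport: Optional[int] = None          # -p tcp --dport N (tcp implied here)
    states: Optional[frozenset] = None   # -m state --state A,B

    def matches(self, p: Packet, state: str) -> bool:
        if self.iface is not None and (p.iface == self.iface) == self.iface_negated:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and state not in self.states:
            return False
        return True


class Conntrack:
    """Flow table keyed on the 4-tuple of the original direction.

    ESTABLISHED requires packets in both directions, so a SYN from localhost
    to localhost:25 is still NEW at INPUT even though OUTPUT already saw it.
    RELATED only exists for flows a protocol helper announced in advance.
    """
    def __init__(self):
        self.flows = {}        # original 4-tuple -> reply seen?
        self.expected = set()  # (dst, dport) registered by a helper (e.g. FTP)

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def state(self, p: Packet) -> str:
        if self._key(p) in self.flows:
            return "ESTABLISHED" if self.flows[self._key(p)] else "NEW"
        if self._rkey(p) in self.flows:
            return "ESTABLISHED"   # first reply packet already counts
        if (p.dst, p.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def confirm(self, p: Packet) -> None:
        """Record an accepted packet (entries are kept only if the packet
        survives filtering)."""
        if self._rkey(p) in self.flows:
            self.flows[self._rkey(p)] = True
        else:
            self.flows.setdefault(self._key(p), False)


def walk(chain, policy, p, ct):
    """Verdict a chain gives packet p: first match wins, else the policy."""
    state = ct.state(p)
    verdict = next((r.target for r in chain if r.matches(p, state)), policy)
    if verdict == "ACCEPT":
        ct.confirm(p)
    return verdict, state


RE = frozenset({"RELATED", "ESTABLISHED"})
OUTPUT_POLICY = "ACCEPT"   # the thread's OUTPUT chain: no rules, policy ACCEPT
# The original INPUT ruleset: policy DROP, RELATED/ESTABLISHED, http, ssh
OP_RULES = [Rule("ACCEPT", states=RE), Rule("ACCEPT", dport=80), Rule("ACCEPT", dport=22)]
# The same ruleset with the recommended '-A INPUT -i lo -j ACCEPT' in front
WITH_LO = [Rule("ACCEPT", iface="lo")] + OP_RULES


def run_scenarios():
    results = {}
    # 1. 'telnet localhost 25': the SYN passes OUTPUT, loops back and reaches
    #    INPUT on lo still NEW -> nothing matches -> policy DROP.
    ct = Conntrack()
    syn = Packet("lo", "127.0.0.1", 40000, "127.0.0.1", 25)
    walk([], OUTPUT_POLICY, syn, ct)
    results["localhost_smtp_without_lo_rule"] = walk(OP_RULES, "DROP", syn, ct)
    # 2. Same packet once the loopback rule is present.
    ct = Conntrack()
    walk([], OUTPUT_POLICY, syn, ct)
    results["localhost_smtp_with_lo_rule"] = walk(WITH_LO, "DROP", syn, ct)
    # 3. Sendmail talking to a remote MX (constructed addresses): the SYN/ACK
    #    coming back on eth0 is ESTABLISHED, so no 'dpt:smtp' rule is needed.
    ct = Conntrack()
    walk([], OUTPUT_POLICY, Packet("eth0", "192.0.2.10", 40001, "198.51.100.25", 25), ct)
    reply = Packet("eth0", "198.51.100.25", 25, "192.0.2.10", 40001)
    results["reply_from_remote_mx"] = walk(OP_RULES, "DROP", reply, ct)
    # 4. An unsolicited SYN from outside to our port 25 stays NEW and is dropped.
    ct = Conntrack()
    inbound = Packet("eth0", "203.0.113.7", 51000, "192.0.2.10", 25)
    results["unsolicited_inbound_smtp"] = walk(OP_RULES, "DROP", inbound, ct)
    # 5. What RELATED is for: an FTP helper announced a data connection to
    #    192.0.2.10:50123 (constructed), so that SYN is accepted by the RE rule.
    ct = Conntrack()
    ct.expected.add(("192.0.2.10", 50123))
    data = Packet("eth0", "198.51.100.21", 20, "192.0.2.10", 50123)
    results["ftp_data_related"] = walk(OP_RULES, "DROP", data, ct)
    return results


if __name__ == "__main__":
    for name, (verdict, state) in run_scenarios().items():
        print(f"{name:32s} state={state:12s} verdict={verdict}")
```

Running it prints one line per scenario; the first two differ only in the "-i lo" rule, which is exactly the difference the thread observed between "mail goes nowhere" and "all is well".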
