2

I have to send emails (and only send, not receive) from a linux server (SUSE Linux Enterprise Server 11) and I think I should add kind of the following rule to the iptables:

iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

But I am not quite sure, since my OUTPUT iptables rules suggest to me that with the current rules I should be able to send emails, but actually I can't.

These are my OUTPUT iptables rules:

Chain OUTPUT (policy ACCEPT XXM packets, XXM bytes)
 pkts bytes target     prot opt in     out     source               destination
  xxM   xxG ACCEPT     all  --  any    lo      anywhere             anywhere
  xxM   xxM SST-OUTPUT  all  --  any    any     anywhere             anywhere

I have always felt reluctant to change the rules in the bare iptables, but I think that if the default policy is "ACCEPT" I should be able to send emails just with the current rules, am I wrong?

The error I get is: `Name service error for name=xxxxx.xxx type=MX: Host not found, try again`, which makes me think that the problem must be in /etc/resolv.conf or somewhere else.

The INPUT rules are:

Chain INPUT (policy DROP)
 target     prot opt in     out     source               destination
  ACCEPT     all  --  lo     any     anywhere             anywhere
  ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
  ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED
  ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp
  LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
  DROP       all  --  any    any     anywhere             anywhere

Note: I added the INPUT rule suggested by @Otheus in the 4th place.

Watchmaker
  • Do you have a firewall rule to allow DNS lookups? – Jenny D Apr 13 '15 at 13:15
  • @JennyD no, there is no such rule. The server is rather closed for input rules `Chain INPUT (policy DROP 0 packets, 0 bytes)`. I thought I could just manage sending mails with an OUTPUT rule, but I think the solution will require greater efforts than just adding rules to the iptables. – Watchmaker Apr 13 '15 at 13:35
  • As a quick test, you can also attempt manual SMTP connections to see if the issue is a DNS resolution issue or a blocking issue. Once you have a valid mail server (obtaining an mx record, ie. 'dig mx yahoo.com') then you can simply try 'telnet 25'. If you see a 220 banner response, you made a good SMTP connection. If not, drop your iptables momentarily (iptables -F) and test again. If it works, you know it is an iptables issue, if it does not, track the next issue. Don't forget to restart iptables to bring up your rules again. – BeepBeep Apr 13 '15 at 13:51
  • @BeepBeep I appreciate your answer but I can't install anything in that server, it is not a personal server. So I have to try to solve it by using the tools/utilities that are there at the moment, which are not many. I have tried `telnet ip port` from Cygwin and I got `connection refused` (from a computer in the same VPN as the server, ip being what I got from `dig mx domain.com`, and port 25). – Watchmaker Apr 13 '15 at 14:39

2 Answers

3

In order for outgoing email to work, you need two things:

  1. allow outgoing SMTP connections (and their return packets). This one you've already got covered, it seems.
  2. a way to figure out which host to send the mail to. This is what currently doesn't work.

There are two possibilities to solve the second issue:

  • You can allow your server to perform DNS lookups in order to figure out which host to send the mail to. In order to do this, you need to add the following to your iptables (replace 10.2.3.4 with your own DNS servers)

    iptables -I OUTPUT 1 -p udp -d 10.2.3.4 --dport 53 -j ACCEPT
  • You can have a relay server, which will accept all emails from this box and handle DNS lookups and delivery. If so, on this box you need to only have the following iptables rule:

    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

    You would also need to fix your postfix configuration to set up a relay host. You do this in /etc/postfix/main.cf (replacing 10.2.3.4 with the IP address of your relay host):

    relayhost = [10.2.3.4]

Edit: In both cases, you also need to allow return packets. You've not shown your entire iptables output, but if you don't already have it, you should add something like:

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Jenny D
  • Sorry @JennyD but my OUTPUT rules ACCEPT connections by default, why should I add such a rule then? I still think the other side of the problem is now in the mail or sendmail configuration. – Watchmaker Apr 13 '15 at 14:40
  • 1
    Sorry @gugol but your `OUTPUT` rules jump to `SST-OUTPUT` by default, and as you haven't shown what that chain looks like I can't be confident that output packets are allowed. – wurtel Apr 13 '15 at 14:46
  • @gugol: I added some info. Also, I'm really curious about how you think that the sendmail configuration will affect DNS lookups. – Jenny D Apr 14 '15 at 07:26
  • @JennyD those were all the OUTPUT rules. I am not familiar with sending emails from servers. I set my relayhost in main.cf but I am not sure if I did it correctly. I am also behind a proxy. – Watchmaker Apr 14 '15 at 09:38
  • @JennyD I posted my INPUT rules where I added kind of a similar rule to what you suggest but just for port 25. I didn't add anything to my OUTPUT rules, because default policy is ACCEPT. And still it does not work. – Watchmaker Apr 15 '15 at 12:42
1

Output policy is set to ACCEPT? Then there is no need to create an OUTPUT rule. Rather, you need an incoming rule to either (1) accept established connections or (2) accept non-SYN packets from port 25. The first is preferred and is accomplished in Linux with:

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

If you want to be more restrictive, you add the port to the rule:

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -p tcp -m tcp --sport 25 -j ACCEPT

You can test with one of telnet, socat, nc, nmap. Also keep in mind, many times ISPs filter port 25 access (you have to use their own mail gateway -- done to eliminate SPAM). And smtp+ssl sometimes uses port 465 and other times 587.

Per your error, "Name service error", the actual problem is DNS resolution. The above rule will also handle that one, but again if you want to be more restrictive, the --sport is 53.

Otheus
  • I am afraid it is more complicated than this. I have tried but it does not work. Probably I have to configure sendmail or mail properly so that it works. I have been reading about it and I don't think there is a quick solution and the problems will be at different levels. – Watchmaker Apr 13 '15 at 12:25
  • Again, your fundamental problem, as posted, is a hostname resolution problem. That could be caused by your blocking port 53 (probably by policy). Install the "dig" tools, via bind-utils package, and do: dig mx _sendmail-server-host.domain.name_ – Otheus Apr 13 '15 at 12:57
  • Installing is not possible and the dig utility is not available at the moment. By the way, shouldn't you correct the `--insert` option (as -I instead of just I)? – Watchmaker Apr 13 '15 at 15:09
  • You don't need root to run dig, therefore you don't need to be root to install it. Simply upload the binary executable (into a tmpfs mount if necessary) and run from there. iptables missing dash corrected. thanks. – Otheus Apr 15 '15 at 08:05
  • You're behind a proxy?? Perhaps /etc/resolv.conf is simply not correctly configured. Or perhaps your proxying DNS service is not configured correctly. If you absolutely cannot install dig, try `hostname -I alt2.aspmx.l.google.com.` You should get 172.24.1.61. – Otheus Apr 15 '15 at 08:14
  • "The server is rather closed for input rules `Chain INPUT (policy DROP 0 packets, 0 bytes)`." That doesn't mean it's closed -- that means the default policy is to drop _unless overridden by your rules_. Please post the INPUT table rules. That's where your problem probably is. – Otheus Apr 15 '15 at 08:15
  • The IP of _which_ server? yours or google.com's? So did you use `dig` or did you use `hostname`? – Otheus Apr 15 '15 at 11:49
  • "I have tried telnet ip port from Cygwin and I got connection refused (from a computer in the same vpn as the server and being ip what I got from dig mx domain.com and port 25)." Wait, you got `connection refused` from another host to the alleged target mail server? Then this is not your problem. (But the DNS error you discuss still is.) – Otheus Apr 15 '15 at 11:55
  • "When I do: hostname -i alt2.aspmx.l.google.com. I get: 127.0.0.2 " Your first problem really is host resolution. It's FUBAR'd. OK, post /etc/resolv.conf if you can. – Otheus Apr 15 '15 at 11:57
  • When I do: `hostname -i alt2.aspmx.l.google.com.` I get: `127.0.0.2 xxx.xxx.xxx.x` being the x address the private address of my server. – Watchmaker Apr 15 '15 at 12:12
  • It is a very sealed server: `wget google.com` gives me `Resolving google.com... failed: Name or service not known. wget: unable to resolve host address google.com` – Watchmaker Apr 15 '15 at 12:13
  • Your first problem really is host resolution. It's FUBAR'd. OK, post /etc/resolv.conf if you can. – Otheus Apr 15 '15 at 13:29
  • It just says `search mydomain.com` – Watchmaker Apr 15 '15 at 15:32
  • 1
    Yep, there's your problem! – Otheus Apr 15 '15 at 16:31
  • Should I add some alternative DNS nameservers? – Watchmaker Apr 16 '15 at 12:07
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/22896/discussion-between-gugol-and-otheus). – Watchmaker Apr 16 '15 at 12:10
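Both answers boil down to three prerequisites for outbound mail from a host with `INPUT` policy `DROP`: a resolver to look up the MX, an `INPUT` rule that accepts `ESTABLISHED` return packets, and DNS allowed out. The script below checks those against configuration text; it is an added example, not posted by anyone in the thread, and the `/etc/resolv.conf` contents and `iptables-save`-style rule lines are constructed (10.2.3.4 is the answer's placeholder resolver address).

```shell
#!/bin/sh
# Added diagnostic example (not from the question or the answers).
# Inputs are passed as text so the checks run offline against constructed
# samples; on a real host feed it "$(cat /etc/resolv.conf)" and "$(iptables-save)".

# Constructed resolv.conf contents: the thread's broken one (search line only)
# and a fixed one with a nameserver.
RESOLV_BROKEN='search mydomain.com'
RESOLV_OK='search mydomain.com
nameserver 10.2.3.4'

# Constructed iptables-save output. The broken set has no ESTABLISHED rule, so
# DNS and SMTP replies die on the INPUT DROP policy even though OUTPUT is open.
RULES_BROKEN='-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT'
RULES_OK='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -d 10.2.3.4 --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT'

# Succeeds when at least one "nameserver <address>" line is present.
has_nameserver() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+'
}

# Succeeds when INPUT accepts ESTABLISHED packets (Otheus' rule, Jenny D's edit).
allows_return_traffic() {
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*--state [^ ]*ESTABLISHED.* -j ACCEPT'
}

# Succeeds when OUTPUT policy is ACCEPT or an explicit udp/53 ACCEPT exists.
# A jump to a custom chain (like SST-OUTPUT in the question) is not inspected.
allows_dns_out() {
    printf '%s\n' "$1" | grep -Eq -- '^-P OUTPUT ACCEPT|^-A OUTPUT .*-p udp .*--dport 53 .*-j ACCEPT'
}

# Prints the problems found, space separated; empty output means all checks pass.
diagnose() {
    problems=""
    has_nameserver "$1"       || problems="$problems no-nameserver"
    allows_return_traffic "$2" || problems="$problems no-return-rule"
    allows_dns_out "$2"        || problems="$problems no-dns-out"
    printf '%s\n' "${problems# }"
}

diagnose "$RESOLV_BROKEN" "$RULES_BROKEN"   # prints: no-nameserver no-return-rule
```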