
I hate to ask this, but I'm pretty sure I have everything configured correctly with iRedMail as the host for my email server/VPS re dovecot, postfix etc (even though everything is pretty much done automatically via their install scripts).

While I'm no expert on firewalls at all, I'm not totally dumb, and as such I've been trying to figure out why I can't connect to the mail server via pop, imap, smtp etc over the various ports from an external email client.

I can't telnet to any of the ports remotely, but can get to them locally, so I'm thinking it has to be a firewall issue, which leads me to my current conclusion: the firewall process could be wrong?

These are the results of some commands:

[root@server user]#  telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.

And just to confirm it's working:

[root@server user]# dovecot -n | grep protocols
protocols = pop3 imap sieve lmtp
ssl_protocols = !SSLv2 !SSLv3

And then the iptables output:

[root@server user]# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-N f2b-default
-N f2b-dovecot
-N f2b-postfix
-N f2b-roundcube
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-roundcube
-A INPUT -p tcp -j f2b-default
-A INPUT -p tcp -j f2b-default
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-roundcube
-A INPUT -p tcp -j f2b-default
-A INPUT -p tcp -j f2b-default
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7822 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7822 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7822 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A f2b-default -j RETURN
-A f2b-default -j RETURN
-A f2b-default -j RETURN
-A f2b-default -j RETURN
-A f2b-dovecot -j RETURN
-A f2b-dovecot -j RETURN
-A f2b-postfix -j RETURN
-A f2b-postfix -j RETURN
-A f2b-roundcube -j RETURN
-A f2b-roundcube -j RETURN

Or, a different view:

[root@server log]# iptables -nvL
Chain INPUT (policy DROP 8296 packets, 397K bytes)
 pkts bytes target     prot opt in     out     source               destination         
19567 2390K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
19567 2390K f2b-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
19567 2390K f2b-roundcube  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
 106K   13M f2b-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 106K   13M f2b-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
19567 2390K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
19567 2390K f2b-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
19567 2390K f2b-roundcube  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
 106K   13M f2b-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 106K   13M f2b-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
46957 7004K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:7822
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:7822
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:7822
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:22
  396 25848 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 8718 1575K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
43508 3858K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   21  1248 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8001
  748 43552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:996
    7   444 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 112K packets, 80M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_IN_ZONES (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_IN_ZONES_SOURCE (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES_SOURCE (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_deny (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-default (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 422K   50M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-dovecot (2 references)
 pkts bytes target     prot opt in     out     source               destination         
39134 4779K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-postfix (2 references)
 pkts bytes target     prot opt in     out     source               destination         
39134 4779K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-roundcube (2 references)
 pkts bytes target     prot opt in     out     source               destination         
39134 4779K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

As I mentioned, I'm no expert, but to me, it looks like it's capturing all traffic in the "email" port realm, and then sending it to the f2b* rules, but then simply giving a RETURN. At no point does it ACCEPT anything.

Or, does the traffic get sent to the actual fail2ban program for analysis, where it is then decided upon, as to what has to happen with it?

Sorry for the simpleton question.

Cheers, Steve

vr_driver
  • This format is hard to read. Instead of your iptables configuration shown, show us the output of `iptables -nvL`. – Julie Pelletier Jun 22 '16 at 05:14
  • Also tell us if `telnet yourdomainname 110` works as your only test is on localhost which could explain lots of things. – Julie Pelletier Jun 22 '16 at 05:15
  • Hi @JuliePelletier, I've updated the question as per your suggestion. Yes, the telnet only works locally when I'm ssh'd into the server. Not from the outside world. – vr_driver Jun 22 '16 at 05:25
  • I meant for you to do the telnet test locally but with the public address, not localhost. – Julie Pelletier Jun 22 '16 at 05:26
  • That most likely means that your services are not listening to the public IP, just localhost. Check the listen entry in DoveCot's configuration file. – Julie Pelletier Jun 22 '16 at 05:29
  • hmm... It's "listen = * [::]" So it should be right... – vr_driver Jun 22 '16 at 05:32
  • Can you at least confirm that it works when you disable the firewall? – Julie Pelletier Jun 22 '16 at 05:53
  • @JuliePelletier 'Connection Refused' generally means nothing is listening ... timeout is something else. – user9517 Jun 22 '16 at 07:16
  • I just tested it, and it works when the firewall is off, so I'll go down the path of looking for firewall problems now. That's a good start. But in relation to my original question, should I just drop those f2b-* rules, or try and sort it out? Ta – vr_driver Jun 22 '16 at 07:46
  • @JuliePelletier All sorted now. Thanks for the pointers. – vr_driver Jun 23 '16 at 01:00

2 Answers


You can see in your iptables config entries such as these:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT

These rules open ports from outside. As you can see, there are no open ports for your mail services. You should add them so you can connect to those ports from outside.

Alexander Tolkachev

Thanks for the suggestions. While the initial question wasn't totally addressed, the guided questions did help me figure things out further. I'm sure I'm not the only one who may have this problem in the future, so I'm posting my answer.

What is happening (as I did suspect) is that in iptables there are a few rules that capture traffic on selected ports, run that traffic through fail2ban, and then just return it if it's not on a banned list.

So, because of this (and confirmed), no traffic was allowed through, because no ports were technically open.

I have since solved this, and it's working after adding extra rules to iptables such as the following.

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

How this works properly is explained here: https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server

You can read about adding open ports here: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-basic-iptables-firewall-on-centos-6

And if you are using iRedMail, they have a list of the ports that are open: http://www.iredmail.org/docs/network.ports.html

vr_driver
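As an added illustration (not from the question or either answer), the Python below models how netfilter walks the INPUT chain shown in the question. The f2b-* chains hold only the bans fail2ban has inserted (nothing is handed to the fail2ban daemon for a decision), so with no ban present they RETURN, the walk resumes in INPUT, and a remote POP3 SYN falls through to the DROP policy; the same packet on lo, or after the self-answer's `--dport 110 -j ACCEPT` rule is appended, is accepted. The ruleset excerpt is constructed from the question's output, and the interface name eth0 is an assumption.

```python
import shlex
# Constructed excerpt of the question's INPUT chain in `iptables -S` form (rule order preserved).
RULES = """
-P INPUT DROP
-N f2b-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-dovecot
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A f2b-dovecot -j RETURN
"""
FIX = "-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT"  # one of the rules the self-answer appends

def parse_rule(tok):
    """Reduce one `-A` rule to the matches this model understands (each flag takes one argument)."""
    r = {}
    for flag, val in zip(tok[::2], tok[1::2]):
        if flag == "-p": r["proto"] = val
        elif flag in ("--dport", "--dports"): r["dports"] = {int(p) for p in val.split(",")}
        elif flag == "-i": r["iface"] = val
        elif flag in ("--ctstate", "--state"): r["state"] = set(val.split(","))
        elif flag == "-j": r["target"] = val
    return r

def parse_dump(dump):
    """Split `iptables -S` output into chain policies and ordered per-chain rule lists."""
    policy, chains = {}, {}
    for tok in map(shlex.split, dump.strip().splitlines()):
        chains.setdefault(tok[1], [])
        if tok[0] == "-P": policy[tok[1]] = tok[2]
        elif tok[0] == "-A": chains[tok[1]].append(parse_rule(tok[2:]))
    return policy, chains

def matches(r, pkt):
    return (r.get("proto") in (None, pkt["proto"]) and ("dports" not in r or pkt["dport"] in r["dports"])
            and ("iface" not in r or pkt["iface"] == r["iface"]) and ("state" not in r or pkt["state"] in r["state"]))

def walk(chain, pkt, policy, chains):
    """Netfilter semantics: first terminal match wins; RETURN resumes the calling chain at its next rule."""
    for r in (r for r in chains[chain] if matches(r, pkt)):
        if r["target"] in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if r["target"] == "RETURN" else r["target"]
        v = walk(r["target"], pkt, policy, chains)      # jump into a user chain such as f2b-dovecot
        if v is not None:
            return v                                    # the user chain decided; else carry on in INPUT
    return policy.get(chain)  # built-in chain: its policy (DROP here); user chain: None, i.e. implicit RETURN

def check(dump, dport, iface="eth0"):  # verdict for the first SYN of a new TCP connection to dport
    policy, chains = parse_dump(dump)
    return walk("INPUT", {"proto": "tcp", "dport": dport, "iface": iface, "state": "NEW"}, policy, chains)
```

Running `check(RULES, 110)` gives `DROP` and `check(RULES + FIX, 110)` gives `ACCEPT`, which is exactly the difference between the two telnet results in the question.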