> Local mail client is at 192.168.1.1 qmail is on the dmz host at
> 192.168.10.1 The dmz host is running Bering 1.2 without shorewall.
> hosts.allow is set to all:all
This setting is relevant (and for the purposes at hand, correct) on the DMZ/Qmail server but not on the router.
> I have these rules set in /etc/shorewall/rules
> ACCEPT loc dmz tcp 110
> ACCEPT loc dmz udp 110
> ACCEPT dmz loc tcp 110
> ACCEPT dmz loc udp 110
> to allow pop3 access and the shorewall logs do not show anything after I
> make the attempt.
But this information makes sense only with respect to the router (since the DMZ host is, as you say, not running Shorewall).
As to the rules themselves, the first two are fine: they will get port-110 traffic *to* the DMZ as you intend. They are probably sufficient to get the return traffic to the LAN (since Shorewall normally handles responses to ACCEPTed traffic right). But if not, the latter two don't do the job, because they ACCEPT traffic *to* port 110 on the LAN, not *from* port 110 on the DMZ. I'm not the best source for Shorewall rules, but I think that in order to ACCEPT traffic *from* DMZ port 110, the rules need to be:
ACCEPT dmz loc tcp - 110
ACCEPT dmz loc udp - 110
(the added - skips the dport value and puts the 110 into the sport location).
The Shorewall logs are helpful here but not definitive. Much better is to run "status shorewall" before and after an unsuccessful attempt to connect and see what rules are being incremented.
> tcpdump shows this
This is the key one -- where are you running tcpdump? The DMZ host? The router? The client? A fourth machine (on the DMZ or the LAN)?
If this is from the router, or from any host on the LAN side, it pretty much indicates that the router is not the problem. But if it is from the DMZ host, then it does not indicate whether the POP responses are making it back to the LAN.
With respect to the router part, I can tell you that here (a Linux router, but not Bering or Shorewall), the only firewall rules I need to get POP3 access are
- one that ACCEPTs dport 110 packets from the LAN to the DMZ
- one that ACCEPTs state ESTABLISHED packets from the DMZ to the LAN
Of course, my rulesets overall are quite a bit different from the ones Shorewall generates ... but they do suggest that in the absence of specific DROP rules, some very basic rules are enough.
As to Lynn's comments ... I assume "lrpqmail" is a test username you are using, so you have met the directory requirement. His suggestion to connect via telnet is a good one, but it does require that you know POP3 command syntax. Thankfully, the basics are not very complicated. For a quick test, after the telnet connection is made, you want to try this sequence of commands:
USER lrpqmail
PASS <whatever the password is>
LIST (this one lists messages waiting for download)
RETR <something> (will retrieve a specific message from the LIST response)
QUIT
I'm not bothering with the corresponding detail for an SMTP connection, because your report seems to say that the SMTP connection does work.
At 12:41 PM 12/21/2003 -0600, Lynn Avants wrote:
Kory,
I haven't set up Qmail on a LEAF system, but from regular Linux distributions I'm not sure you're likely looking for the most common problems. Typically, each user must have a directory that contains a ~/Maildir folder rather than a global directory (one user?). POP3 is quite a bit of a PITA with Qmail over the preferred IMAP method as well (which likely doesn't have a *.lrp package). IIRC, the qmail.lrp is set up by default as a relay instead of a stand-alone server... which makes more sense from the configuration you describe and the typical use of an MTA on a router distribution.
In any respect, you should see if you can telnet in a pop/smtp session to the mail server and see where the process bombs out manually. If you can't SMTP in as a valid mail user, the most likely culprit is the fact that the server is configured to relay to a different full mail server.
On Sunday 21 December 2003 11:53 am, Kory Krofft wrote:
> I have successfully set up my DMZ, registered a domain, compiled a custom
> version of ez-ipupdate to handle a non standard service, reconfigured
> weblet to act as a basic web content server.
>
> I now need to get Qmail up and running so I can host my own email.
> I followed the "qmail LEAF/LRP user's guide" but I am missing something. If
> I use a windows mail client to send mail to the lrpqmail user at my domain
> name, the message shows up in the /home/lrpqmail/Maildir/new directory. If
> I configure the mail client to retrieve the message, it times out and is
> unable to retrieve it. Anyone else got this working and care to help me
> debug it? I have pored through many qmail documents but the lrp setup is
> different than most as far as some of the file locations so I am trusting
> that the package should work as is if the right config options are set.
>
> Thanks,
>
> Kory
>
> Local mail client is at 192.168.1.1 qmail is on the dmz host at
> 192.168.10.1 The dmz host is running Bering 1.2 without shorewall.
> hosts.allow is set to all:all
> I have these rules set in /etc/shorewall/rules
> ACCEPT loc dmz tcp 110
> ACCEPT loc dmz udp 110
> ACCEPT dmz loc tcp 110
> ACCEPT dmz loc udp 110
> to allow pop3 access and the shorewall logs do not show anything after I
> make the attempt. tcpdump shows this
>
> cat /trace.txt
> 12:15:02.858391 192.168.10.1.22 > 192.168.1.1.2545: P 1829060004:1829060048(44) ack 2012809980 win 7504 (DF) [tos 0x10]
> 0x0000  4510 0054 cc2c 4000 4006 e214 c0a8 0a01  E..T.,@.@.......
> 0x0010  c0a8 0101 0016 09f1 6d05 3da4 77f9 0afc  ........m.=.w...
> 0x0020  5018 1d50 4f4d 0000 0000 0027 15bb 63c4  P..POM.....'..c.
> 0x0030  cb01 b157 ed34 4321 891d 69dc ce4d e601  ...W.4C!..i..M..
> 0x0040  106b 3e93 9eec 801a e0f4 be8e 8c60 b6c0  .k>..........`..
> 0x0050  3d90 2330                                =.#0
> 12:15:03.022844 192.168.1.1.2545 > 192.168.10.1.22: . ack 44 win 64859 (DF) [tos 0x10]
> 0x0000  4510 0028 e834 4000 7f06 8738 c0a8 0101  E..(.4@....8....
> 0x0010  c0a8 0a01 09f1 0016 77f9 0afc 6d05 3dd0  ........w...m.=.
> 0x0020  5010 fd5b ee53 0000 0000 0000 0000       P..[.S........
> 12:15:17.574911 192.168.1.1.2596 > 192.168.10.1.110: S 2396681599:2396681599(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000  4500 0030 ec7c 4000 7f06 82f8 c0a8 0101  E..0.|@.........
> 0x0010  c0a8 0a01 0a24 006e 8eda 757f 0000 0000  .....$.n..u.....
> 0x0020  7002 ffff e7e0 0000 0204 05b4 0101 0402  p...............
> 12:15:17.575141 192.168.10.1.110 > 192.168.1.1.2596: S 1898983426:1898983426(0) ack 2396681600 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 0x0000  4500 0030 931e 4000 4006 1b57 c0a8 0a01  E..0..@.@..W....
> 0x0010  c0a8 0101 006e 0a24 7130 3002 8eda 7580  .....n.$q00...u.
> 0x0020  7012 16d0 2fcd 0000 0204 05b4 0101 0402  p.../...........
> 12:15:17.575863 192.168.1.1.2596 > 192.168.10.1.110: . ack 1 win 65535 (DF)
> 0x0000  4500 0028 ec7d 4000 7f06 82ff c0a8 0101  E..(.}@.........
> 0x0010  c0a8 0a01 0a24 006e 8eda 7580 7130 3003  .....$.n..u.q00.
> 0x0020  5010 ffff 7361 0000 0000 0000 0000       P...sa........
> 12:16:38.723826 192.168.10.1.110 > 192.168.1.1.2596: P 1:42(41) ack 1 win 5840 (DF)
> 0x0000  4500 0051 d712 4000 4006 d741 c0a8 0a01  E..Q..@.@..A....
> 0x0010  c0a8 0101 006e 0a24 7130 3003 8eda 7580  .....n.$q00...u.
> 0x0020  5018 16d0 d2a9 0000 2b4f 4b20 3c31 3537  P.......+OK.<157
> 0x0030  3734 2e31 3037 3230 3038 3939 3840 6d61  74.1072008998@ma
> 0x0040  696c 2e6b 726f 6666 7473 2e63 6f6d 3e0d  il.kroffts.com>.
> 0x0050  0a                                       .
> 12:16:38.940653 192.168.1.1.2596 > 192.168.10.1.110: . ack 42 win 65494 (DF)
> 0x0000  4500 0028 eee6 4000 7f06 8096 c0a8 0101  E..(..@.........
> 0x0010  c0a8 0a01 0a24 006e 8eda 7580 7130 302c  .....$.n..u.q00,
> 0x0020  5010 ffd6 7361 0000 0000 0000 0000       P...sa........
> 12:17:27.145630 192.168.1.1.2596 > 192.168.10.1.110: F 1:1(0) ack 42 win 65494 (DF)
> 0x0000  4500 0028 f113 4000 7f06 7e69 c0a8 0101  E..(..@...~i....
> 0x0010  c0a8 0a01 0a24 006e 8eda 7580 7130 302c  .....$.n..u.q00,
> 0x0020  5011 ffd6 7360 0000 0000 0000 0000       P...s`........
> 12:17:27.146212 192.168.10.1.110 > 192.168.1.1.2596: F 42:42(0) ack 2 win 5840 (DF)
> 0x0000  4500 0028 2e5e 4000 4006 801f c0a8 0a01  E..(.^@.@.......
> 0x0010  c0a8 0101 006e 0a24 7130 302c 8eda 7581  .....n.$q00,..u.
> 0x0020  5011 16d0 5c66 0000                      P...\f..
> 12:17:27.146783 192.168.1.1.2596 > 192.168.10.1.110: . ack 43 win 65494 (DF)
> 0x0000  4500 0028 f114 4000 7f06 7e68 c0a8 0101  E..(..@...~h....
> 0x0010  c0a8 0a01 0a24 006e 8eda 7581 7130 302d  .....$.n..u.q00-
> 0x0020  5010 ffd6 735f 0000 0000 0000 0000       P...s_........
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
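The USER/PASS/LIST/RETR/QUIT sequence described earlier in the thread, as an added example that is not part of the thread: a small Python POP3 client that walks the sequence with a timeout, plus a constructed stand-in server on localhost (not qmail-pop3d) so the whole exchange runs offline. The username lrpqmail comes from the thread; the password, the sample message and the server's greeting text are made up. probe_banner reproduces the symptom in the original report: a server that accepts the TCP connection but sends no greeting before the client's timeout expires.

```python
import socket
import threading
import time

CRLF = "\r\n"
# Constructed mailbox content; the ".sig" line exercises POP3 byte-stuffing.
SAMPLE_MESSAGE = CRLF.join(["From: someone@example.invalid", "Subject: test", "", "hello", ".sig"])

def _send(f, line):
    f.write((line + CRLF).encode("ascii"))
    f.flush()

def _send_multiline(f, lines):            # stuff a leading "." and terminate with "."
    for line in lines:
        _send(f, "." + line if line.startswith(".") else line)
    _send(f, ".")

def _readline(f):
    raw = f.readline()
    if not raw:
        raise ConnectionError("peer closed the connection")
    return raw.decode("ascii", "replace").rstrip(CRLF)

def _expect_ok(f, what):
    line = _readline(f)
    if not line.startswith("+OK"):
        raise RuntimeError(f"{what} failed: {line!r}")
    return line

def _read_multiline(f):                   # ends at a lone "."; ".." unstuffs to "."
    lines = []
    while (line := _readline(f)) != ".":
        lines.append(line[1:] if line.startswith("..") else line)
    return lines

def pop3_check(host, port, user, password, timeout=10.0):
    """Walk USER/PASS/LIST/RETR/QUIT and report what the server returned."""
    result = {"banner": None, "listing": [], "first_message": None}
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rwb") as f:
        result["banner"] = _expect_ok(f, "greeting")
        for cmd in (f"USER {user}", f"PASS {password}", "LIST"):
            _send(f, cmd)
            _expect_ok(f, cmd.split()[0])
        result["listing"] = _read_multiline(f)      # "<number> <octets>" per message
        if result["listing"]:
            _send(f, "RETR " + result["listing"][0].split()[0])
            _expect_ok(f, "RETR")
            result["first_message"] = CRLF.join(_read_multiline(f))
        _send(f, "QUIT")
        _expect_ok(f, "QUIT")
    return result

def probe_banner(host, port, timeout=5.0):
    """Greeting line, or None if TCP connects but nothing arrives within the
    timeout: the 'connects, then the mail client times out' symptom."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
            return _readline(f)
    except socket.timeout:
        return None

def start_fake_pop3(messages, banner_delay=0.0):
    """Constructed stand-in for a POP3 daemon (not qmail-pop3d) so the example
    runs offline; serves one connection on an ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn, conn.makefile("rwb") as f:
                time.sleep(banner_delay)
                _send(f, "+OK constructed POP3 server ready")
                authed = False
                while True:
                    verb, _, arg = _readline(f).partition(" ")
                    verb = verb.upper()
                    if verb in ("USER", "PASS"):
                        authed = verb == "PASS"
                        _send(f, "+OK")
                    elif verb == "LIST" and authed:
                        _send(f, f"+OK {len(messages)} messages")
                        _send_multiline(f, [f"{i} {len(m)}" for i, m in enumerate(messages, 1)])
                    elif verb == "RETR" and authed:
                        body = messages[int(arg) - 1]
                        _send(f, f"+OK {len(body)} octets")
                        _send_multiline(f, body.split(CRLF))
                    elif verb == "QUIT":
                        _send(f, "+OK bye")
                        break
                    else:
                        _send(f, "-ERR unknown command or not authenticated")
        except OSError:
            pass  # client gave up, e.g. timed out waiting for the greeting

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """A healthy server first, then one that accepts the connection but is slow to greet."""
    good = pop3_check("127.0.0.1", start_fake_pop3([SAMPLE_MESSAGE]),
                      "lrpqmail", "constructed-password", timeout=5.0)
    slow = start_fake_pop3([SAMPLE_MESSAGE], banner_delay=2.0)
    return good, probe_banner("127.0.0.1", slow, timeout=0.5)

if __name__ == "__main__":
    good, silent = demo()
    print("greeting:", good["banner"], "| LIST:", good["listing"])
    print("RETR 1:", repr(good["first_message"]), "| slow server probe:", silent)
```

Against a real server, call pop3_check with the DMZ host's address and port 110: a RuntimeError names the step the server rejected, and a socket timeout shows the step at which it stopped answering, which is the same information the telnet session gives, but recorded.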