Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeroen Geilman

On 2011-07-08 21:06, Jeffrey Starin wrote:
> When I turn off the firewall (which I am loath to do) to my VPS I am
> able to use the command smtp_bind_address just fine.
>
> Otherwise, with firewall turned on, I am getting these time out errors
> in my maillog files:
>
> Jul  7 13:00:34 who postfix/smtp[40187]: connect to
> 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)


You will have to allow access from localhost to port 10027 on localhost.

--
J.



Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeffrey Starin

On 7/8/2011 4:21 PM, Jeroen Geilman wrote:
> On 2011-07-08 21:06, Jeffrey Starin wrote:
>> [...]
>> Jul  7 13:00:34 who postfix/smtp[40187]: connect to
>> 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)
>
> You will have to allow access from localhost to port 10027 on localhost.


The following is in there.  I'm certainly no iptables expert but don't 
the following rules cover that?


Chain INPUT (policy ACCEPT):
. . .
ACCEPT all  --  localhost.localdomain  anywhere
. . .

and in Chain OUTPUT (policy ACCEPT):
. . .
ACCEPT all  --  anywhere localhost.localdomain
. . .


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeroen Geilman

On 2011-07-08 22:37, Jeffrey Starin wrote:
> On 7/8/2011 4:21 PM, Jeroen Geilman wrote:
>> You will have to allow access from localhost to port 10027 on localhost.
>
> The following is in there.  I'm certainly no iptables expert but don't
> the following rules cover that?
>
> Chain INPUT (policy ACCEPT):
> . . .
> ACCEPT all  --  localhost.localdomain  anywhere
> . . .
>
> and in Chain OUTPUT (policy ACCEPT):
> . . .
> ACCEPT all  --  anywhere localhost.localdomain
> . . .


That depends entirely on what localhost.localdomain stands for.

DNS names have no place in iptables rules - they slow it to a crawl, for 
one thing.


--
J.



Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeffrey Starin

On 7/8/2011 4:39 PM, Jeroen Geilman wrote:
> On 2011-07-08 22:37, Jeffrey Starin wrote:
>> Chain INPUT (policy ACCEPT):
>> . . .
>> ACCEPT all  --  localhost.localdomain  anywhere
>> . . .
>>
>> and in Chain OUTPUT (policy ACCEPT):
>> . . .
>> ACCEPT all  --  anywhere localhost.localdomain
>> . . .
>
> That depends entirely on what localhost.localdomain stands for.
>
> DNS names have no place in iptables rules - they slow it to a crawl,
> for one thing.



more /etc/hosts:

127.0.0.1 localhost.localdomain localhost
the_ip_address_listed_in_smtp_bind_address  the_TLD  the_host_name


I would think that would work but it's not. . .


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeroen Geilman

On 2011-07-08 22:43, Jeffrey Starin wrote:
> more /etc/hosts:
>
> 127.0.0.1 localhost.localdomain localhost
> the_ip_address_listed_in_smtp_bind_address  the_TLD  the_host_name
>
> I would think that would work but it's not. . .


You originally stated that it works when you disable iptables.

This pretty much defines the parameters of the problem - it's limited to 
iptables.


--
J.



Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeffrey Starin

On 7/8/2011 4:46 PM, Jeroen Geilman wrote:
> You originally stated that it works when you disable iptables.
>
> This pretty much defines the parameters of the problem - it's limited
> to iptables.


Thanks for your suggestions.  But I'm trying to find out what in the
iptables chains/policies is causing this problem.  I can't disable
iptables; that would disable the firewall.  So I am back to square one,
it seems.


J.


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Brian Evans - Postfix List
On 7/8/2011 4:43 PM, Jeffrey Starin wrote:
> On 7/8/2011 4:39 PM, Jeroen Geilman wrote:
>> On 2011-07-08 22:37, Jeffrey Starin wrote:
>>> Chain INPUT (policy ACCEPT):
>>> . . .
>>> ACCEPT all  --  localhost.localdomain  anywhere
>>> . . .
>>>
>>> and in Chain OUTPUT (policy ACCEPT):
>>> . . .
>>> ACCEPT all  --  anywhere localhost.localdomain
>>> . . .
>>
>> That depends entirely on what localhost.localdomain stands for.
>>
>> DNS names have no place in iptables rules - they slow it to a crawl,
>> for one thing.
>
> more /etc/hosts:
>
> 127.0.0.1 localhost.localdomain localhost
> the_ip_address_listed_in_smtp_bind_address  the_TLD  the_host_name
>
> I would think that would work but it's not. . .

What you seem to be missing is a rule from this hidden smtp_bind_address
to 127.0.0.1 for port 10027.

When you do not bind, it is most likely that your kernel is selecting the
loopback interface and your rules ACCEPT it.

Nit: Those rules look a bit of a mess with duplicates too, unless
columns were cut out.

Brian


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeffrey Starin

On 7/8/2011 4:51 PM, Brian Evans - Postfix List wrote:
> What you seem to be missing is a rule from this hidden smtp_bind_address
> to 127.0.0.1 for port 10027.
>
> When you do not bind, it is most likely that your kernel is selecting the
> loopback interface and your rules ACCEPT it.
>
> Nit: Those rules look a bit of a mess with duplicates too, unless
> columns were cut out.
>
> Brian

I thought the rules were a bit of a mess, too, until I examined them very
carefully.  They do look like duplicates, but one rule may in fact use
udp and the other tcp.


Are you saying I need an explicit rule for that smtp_bind_address to 
127.0.0.1 for port 10027?


Thank you.


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread lst_hoe02

Quoting Jeffrey Starin:

> Thanks for your suggestions.  But I'm trying to find out what in the
> iptables chains/policies is causing this problem.  I can't disable
> iptables; that would disable the firewall.  So I am back to square
> one, it seems.


http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

Part 7 may be helpful

Regards

Andreas






Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Reindl Harald

On 08.07.2011 22:56, Jeffrey Starin wrote:

> Are you saying I need an explicit rule for that smtp_bind_address to 
> 127.0.0.1 for port 10027?

No, you should fix your rules generally, because it is a wonder that
this machine works as expected - never heard that anybody limits
the loopback device

iptables -A INPUT -i lo -j ACCEPT





Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Robert Felber
On Fri, Jul 08, 2011 at 04:37:58PM -0400, Jeffrey Starin wrote:
> The following is in there.  I'm certainly no iptables expert but don't
> the following rules cover that?
>
> Chain INPUT (policy ACCEPT):
> . . .
> ACCEPT all  --  localhost.localdomain  anywhere
> . . .
>
> and in Chain OUTPUT (policy ACCEPT):
> . . .
> ACCEPT all  --  anywhere localhost.localdomain
> . . .


The dots suggest that there are more rules.
With iptables -vnL you get a better overview and see where it drops.


-- 
Robert Felber, PGP: D1B2F2E5  http://www.selling-it.de



Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Ansgar Wiechers
On 2011-07-08 Jeffrey Starin wrote:
> When I turn off the firewall (which I am loath to do) to my VPS I am
> able to use the command smtp_bind_address just fine.
> 
> Otherwise, with firewall turned on, I am getting these time out
> errors in my maillog files:
> 
> Jul  7 13:00:04 who postfix/pickup[36846]: 1F3274160009: uid=10003
> from=
> Jul  7 13:00:04 who postfix/cleanup[38864]: 1F3274160009:
> message-id=<20110707170002.38758.1650417736.sw...@www.mydomain.com>
> Jul  7 13:00:04 who postfix/qmgr[36847]: 1F3274160009:
> from=, size=996, nrcpt=1 (queue active)
> Jul  7 13:00:34 who postfix/smtp[40187]: connect to
> 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)
> Jul  7 13:00:34 who postfix/smtp[40187]: 1F3274160009:
> to=, relay=none, delay=32, delays=1.9/0.01/30/0,
> dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:
> Connection timed out)
> 
> I cannot find in the following list of rules (which is the default
> iptables policy for the hosting company I use) what is causing the
> connection timed out issue.  If someone sees something please advise
> what needs to be done.  I am at my wits end with this problem.  Thank
> you.
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere            icmp

Almost 400 rules with tons of duplicates in them? You gotta be kidding.
Nobody's gonna bother checking these (unless they have A LOT of free
time on their hands).

Seriously, clean your ruleset (or rather: rebuild it from scratch)
before you try anything else.

As Harald already pointed out: for connections to localhost something
like

  iptables -A INPUT -i lo -j ACCEPT

is perfectly fine. And unless you have rather strict security
requirements (in which case your ruleset would allow far less protocols
to begin with), you can simply accept everything in the OUTPUT chain:

  iptables -P OUTPUT ACCEPT

Also, when posting your tables somewhere, use "iptables -nL" rather than
just "iptables -L".

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
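As an added illustration of Brian's diagnosis earlier in the thread and of the "-i lo" fix Harald and Ansgar give (example code written for this page, not from the thread, Postfix or iptables), a small Python model of INPUT-chain matching: with smtp_bind_address set, the SYN to 127.0.0.1:10027 still travels over lo but carries the bound address as its source, so a rule written against source 127.0.0.1 no longer matches it. The bind address, the public-service rules and the trailing DROP are constructed assumptions; the real 400-rule set is not on the page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on ("lo", "eth0", ...)
    proto: str    # "tcp" or "udp"
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One INPUT-chain rule; a None field means 'any' (option not given)."""
    target: str                     # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None  # -i
    proto: Optional[str] = None     # -p
    src: Optional[str] = None       # -s (single host)
    dport: Optional[int] = None     # --dport

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.in_iface, p.iface), (self.proto, p.proto),
            (self.src, p.src), (self.dport, p.dport)))


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in a real chain; otherwise the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


BIND_ADDR = "203.0.113.25"  # constructed stand-in for the smtp_bind_address value

# Constructed INPUT chain in the spirit of the one quoted in the thread: the
# "ACCEPT all -- localhost anywhere" rule is a *source* match on 127.0.0.1, and
# a trailing DROP stands in for whatever swallows the SYN (a silent DROP, not a
# REJECT, is what yields "Connection timed out" rather than "refused").
ORIGINAL_INPUT = [
    Rule("ACCEPT", src="127.0.0.1"),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP"),
]

# The fix given in the thread: accept everything that arrives on loopback.
FIXED_INPUT = [Rule("ACCEPT", in_iface="lo")] + ORIGINAL_INPUT


def postfix_to_filter(bind_addr: Optional[str]) -> Packet:
    """SYN from smtp(8) to the content filter on 127.0.0.1:10027. Without
    smtp_bind_address the kernel picks 127.0.0.1 as source; with it, the
    bound address is the source, although the packet still arrives on lo."""
    return Packet("lo", "tcp", bind_addr or "127.0.0.1", "127.0.0.1", 10027)


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        for bind in (None, BIND_ADDR):
            print(f"{name:8} bind={bind!s:14} -> {verdict(chain, postfix_to_filter(bind))}")
```

The last assertion-style case worth trying by hand is a SYN to port 10027 arriving on eth0: the loopback rule does not match it, so the filter port stays closed to the outside.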


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Jeffrey Starin

Okay.

Got it.

Thanks for the hollers.

I will do what I can.

On 7/8/2011 5:42 PM, Ansgar Wiechers wrote:
> Seriously, clean your ruleset (or rather: rebuild it from scratch)
> before you try anything else.
>
> As Harald already pointed out: for connections to localhost something
> like
>
>   iptables -A INPUT -i lo -j ACCEPT
>
> is perfectly fine. And unless you have rather strict security
> requirements (in which case your ruleset would allow far less protocols
> to begin with), you can simply accept everything in the OUTPUT chain:
>
>   iptables -P OUTPUT ACCEPT
>
> Also, when posting your tables somewhere, use "iptables -nL" rather than
> just "iptables -L".




Re: Iptables stopping smtp_bind_address from working properly

2011-07-12 Thread Gábor Lénárt
On Fri, Jul 08, 2011 at 11:42:51PM +0200, Ansgar Wiechers wrote:
> is perfectly fine. And unless you have rather strict security
> requirements (in which case your ruleset would allow far less protocols
> to begin with), you can simply accept everything in the OUTPUT chain:
> 
>   iptables -P OUTPUT ACCEPT
> 
> Also, when posting your tables somewhere, use "iptables -nL" rather than
> just "iptables -L".

I always felt that the output of iptables-save is a nicer way to check
things out, and it can also be useful to use it directly to build the
ruleset (with iptables-restore). But maybe it's only my taste ...