Linode Community Forums
Posted: Tue Oct 21, 2014 12:08 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Now I don't see any email ports opened in your IPTABLES rules (25, 465, 587, 993, 995)

Also, when you use telnet for testing services, you need to remember to ADD the port number after the IP number

so....

telnet 106.185.45.57 25

Assuming you've just set up your server (i.e. there isn't much of anything important or confidential on it), there's little to risk by turning off your firewall and testing your email setup. If it works, then you just need to figure out the firewall rules, if it doesn't, then you need to fix your email server config before worrying about your firewall config. Just remember to turn your firewall back on after your tests.

What distro are you using?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Tue Oct 21, 2014 5:51 am
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
vonskippy wrote:
Now I don't see any email ports opened in your IPTABLES rules (25, 465, 587, 993, 995)

Also, when you use telnet for testing services, you need to remember to ADD the port number after the IP number

so....

telnet 106.185.45.57 25

Assuming you've just set up your server (i.e. there isn't much of anything important or confidential on it), there's little to risk by turning off your firewall and testing your email setup. If it works, then you just need to figure out the firewall rules, if it doesn't, then you need to fix your email server config before worrying about your firewall config. Just remember to turn your firewall back on after your tests.

What distro are you using?

Thank you. The telnet does work when I put a space in between the ports and the IP address.
The ports that are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.

I am running Debian 7.6.

There is not a single line command to disable Debian's iptables, is there?

I see a lot of lengthy tutorials that cut access to my server right away and I am not sure if it is correct or not?

The MX records are correct? I have combed over and over these Linode tutorials and the troubleshooting ones too, and have verified for several days that I have followed every step correctly. I have them almost memorized by now. *lol*


Posted: Tue Oct 21, 2014 11:07 am
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Fufu wrote:
Thank you. The telnet does work when I put a space in between the ports and the IP address.
The ports that are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.

No, they are not. Some are (443, 80) but others aren't (25, 995).

You have to do the test _off_ your linode from another machine. Local traffic from the linode to the same linode won't be caught by the firewall.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Tue Oct 21, 2014 7:55 pm
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
Thanks sweh
sweh wrote:
Fufu wrote:
Thank you. The telnet does work when I put a space in between the ports and the IP address.
The ports that are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.

No, they are not. Some are (443, 80) but others aren't (25, 995).

You have to do the test _off_ your linode from another machine. Local traffic from the linode to the same linode won't be caught by the firewall.



I made the edits to sudo nano /etc/iptables.firewall.rules
Code:
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 567 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

telnet from another machine's results
Code:
# telnet 106.185.45.57 80
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 443
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 995
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 993
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 465
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 567
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection refused
# telnet 106.185.45.57 25
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection timed out

sudo iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere           
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:567
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere
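
An added example (not part of the original post): a small shell audit of an iptables-restore rules file against the mail ports named in the first reply (25, 465, 587, 993, 995). The sample ruleset is constructed from the port rules posted above plus one hypothetical rule placed after the catch-all DROP, to show that rule order decides what is reachable; the function names and the OTHER_PORTS list are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit iptables-restore rules for mail ports.
MAIL_PORTS="25 465 587 993 995"   # ports listed in the first reply
OTHER_PORTS="22 80 443"           # assumption: SSH and web are also meant to be open

# Read a rules file on stdin and print every TCP port the INPUT chain accepts.
# Stops at the first unconditional DROP/REJECT: later rules are never evaluated.
accepted_ports() {
    awk '
        $1 != "-A" || $2 != "INPUT" { next }
        NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { exit }
        {
            proto = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto == "tcp" && port != "" && target == "ACCEPT") print port
        }'
}

# Read a rules file on stdin; report ok/missing per mail port, then unexpected ports.
audit_mail_ports() {
    open=$(accepted_ports)
    for p in $MAIL_PORTS; do
        if printf '%s\n' "$open" | grep -qx "$p"; then
            echo "ok $p"
        else
            echo "missing $p"
        fi
    done
    for p in $open; do
        case " $MAIL_PORTS $OTHER_PORTS " in
            *" $p "*) ;;
            *) echo "unexpected $p" ;;
        esac
    done
}

# Constructed sample: the port rules from the post, plus a 587 rule after the DROP.
sample_rules() {
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 567 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 587 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_mail_ports
```

On the sample, 587 is reported missing even though a rule for it exists, because that rule sits below the catch-all DROP; 567 is reported as accepted but not in the expected list.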


Posted: Tue Oct 21, 2014 8:56 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Quote:
# telnet 106.185.45.57 25
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection timed out

I'm guessing you did this from a home machine; many ISPs block outgoing port 25 to prevent spam.

Port 567 you have no process listening.

I don't know why you're not getting a response on some of these ports; application misconfig.

For SSL enabled ports you need to use openssl
eg
Code:
% openssl s_client -connect 106.185.45.57:993
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify return:1
...
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
0 logout
closed

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


Posted: Tue Oct 21, 2014 9:34 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Something answers on TCP25, but it doesn't seem to be a SMTP service (I get a blank terminal session, which no matter what I type doesn't echo any commands or error messages, and eventually times out the telnet session).

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.
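
An added example (not written by any poster in the thread) that combines the diagnostics from the two replies above: telling a timed-out connection from a refused one from an accepted one, and reading the service greeting with openssl on the SSL ports. Function names are assumptions; it needs timeout(1), bash and openssl, and should be run from a machine other than the server being checked.

```sh
#!/bin/sh
# Added example, not from the thread. Usage: sh probe.sh HOST PORT
TLS_PORTS="465 993 995"   # implicit-TLS ports from the thread: no plaintext greeting

# Map the exit status of a connect attempt to a state.
state_from_rc() {
    case "$1" in
        0)   echo open ;;      # handshake completed: a process is listening
        124) echo filtered ;;  # timeout(1) expired: DROP rule or an upstream block
        *)   echo closed ;;    # refused: no listener, or a REJECT rule
    esac
}

# tcp_state HOST PORT -> open | closed | filtered
tcp_state() {
    rc=0
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || rc=$?
    state_from_rc "$rc"
}

# first_line HOST PORT -> first line the service sends (empty if it stays silent)
first_line() {
    case " $TLS_PORTS " in
        *" $2 "*)
            timeout 5 openssl s_client -quiet -connect "$1:$2" </dev/null 2>/dev/null | head -n 1 ;;
        *)
            timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"; IFS= read -r l <&3; printf "%s\n" "$l"' \
                "$1" "$2" 2>/dev/null ;;
    esac
}

# classify_banner LINE -> smtp | imap | pop3 | silent | unknown
classify_banner() {
    line=$(printf '%s' "$1" | tr -d '\r')
    case "$line" in
        "220 "*|"220-"*) echo smtp ;;
        "* OK"*)         echo imap ;;
        "+OK"*)          echo pop3 ;;
        "")              echo silent ;;   # connected, but no greeting arrived
        *)               echo unknown ;;
    esac
}

# check_port HOST PORT -> "PORT STATE [SERVICE]"
check_port() {
    state=$(tcp_state "$1" "$2")
    if [ "$state" = open ]; then
        banner=$(first_line "$1" "$2" || true)
        echo "$2 open $(classify_banner "$banner")"
    else
        echo "$2 $state"
    fi
}

if [ $# -eq 2 ]; then check_port "$1" "$2"; fi
```

A result of "25 open silent" corresponds to the blank session described above: the port is reachable, but whatever accepted the connection did not send an SMTP 220 greeting.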


Posted: Thu Oct 23, 2014 12:05 am
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
I really appreciate the help A LOT!!!
What other information/command result/screenshots/file conf do you need from me?
sweh wrote:
Quote:
# telnet 106.185.45.57 25
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection timed out

I'm guessing you did this from a home machine; many ISPs block outgoing port 25 to prevent spam.

Port 567 you have no process listening.

I don't know why you're not getting a response on some of these ports; application misconfig.

For SSL enabled ports you need to use openssl
eg
Code:
% openssl s_client -connect 106.185.45.57:993
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify return:1
...
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
0 logout
closed


Already I have found this missing, maybe this needs to be somewhere else?

Code:
#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 567 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT


Is my mail server setup correctly with MX in Linode?
MX Records
Mail Server: mail.harris.hk Preference: 10 Subdomain: mail TTL: Default

I have done all the troubleshoot checks with no errors.

Is there anything missing in the Linode documentation?
DNS is reversed.


Posted: Thu Oct 23, 2014 12:54 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Ok, you seem to be doing many changes - not all for the better.

Your DNS and MX settings seem to be ok:

http://mxtoolbox.com/SuperTool.aspx?act ... n=toolpage
http://network-tools.com/default.asp?pr ... .harris.hk

Your PTR points to your domain name (i.e. harris.hk) which is ok, but I think most anti-spam wants it to point to the hostname (i.e. mail.harris.hk)

http://www.myiptest.com/staticpages/ind ... DNS-Lookup

But your firewall is getting worse not better
http://mxtoolbox.com/SuperTool.aspx?act ... n=toolpage
https://pentest-tools.com/discovery-pro ... nline-nmap

Once again, you should pick a topic (either email service, or firewall) and fix that before moving on. Working on several problems at once just means you have too many variables to determine what's being changed for the better and what's being changed for the worse.

Turn off IPTABLES, and get your Email service working. Once it's working, turn on IPTABLES and once again, get Email working (knowing that any problems with email now are caused by the firewall).

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Thu Oct 23, 2014 1:37 am
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
permissions set for mail server:

ls -ld /var/mail
Code:
drwxrwsr-x 3 vmail vmail 4096 Oct 22 21:59 /var/mail


ls -ld /etc/dovecot
Code:
drwxr-x--- 4 vmail dovecot 4096 Oct 22 21:58 /etc/dovecot


/var/log/mail.log
Code:
Oct 20 17:42:48 kalos postfix/smtpd[28156]: fatal: bad boolean configuration: smtpd_sasl_auth_enable = yes  smtpd_recipient_restrictions =          permit_s$
Oct 20 17:42:49 kalos postfix/master[24019]: warning: process /usr/lib/postfix/smtpd pid 28156 exit status 1
Oct 20 17:42:49 kalos postfix/master[24019]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Oct 20 17:43:13 kalos postfix/master[24019]: terminating on signal 15
Oct 20 17:43:13 kalos postfix/master[28299]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 21 02:13:37 kalos postfix/master[4048]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 21 02:26:11 kalos postfix/pickup[4054]: 7450AE8B6: uid=0 from=<root>
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 7450AE8B6: message-id=<20141021092611.7450AE8B6@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: from=<root@harris.hk>, size=1777, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 7450AE8B6: to=<root@harris.hk>, orig_to=<root>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.14, delays=0.$
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 91B96E8B9: message-id=<20141021092611.91B96E8B9@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: from=<>, size=3710, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/bounce[4981]: 7450AE8B6: sender non-delivery notification: 91B96E8B9
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: removed
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 91B96E8B9: to=<root@harris.hk>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0, dsn=5.1.1$
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: removed
Oct 22 22:07:34 kalos postfix/master[4597]: daemon started -- version 2.9.6, configuration /etc/postfix


service postfix status
Code:
[ ok ] postfix is running.


service dovecot status
Code:
[ ok ] dovecot is running.


service postfix restart
Code:
[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.


service dovecot restart
Code:
[ ok ] Restarting IMAP/POP3 mail server: dovecot.


tail /var/log/mail.log
Code:
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 7450AE8B6: to=<root@harris.hk>, orig_to=<root>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.14, delays=0.04/0.02/0.02/0.06, dsn=5.1.1, status=bounced (host kalos.harris.hk[private/dovecot-lmtp] said: 550 5.1.1 <root@harris.hk> User doesn't exist: root@harris.hk (in reply to RCPT TO command))
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 91B96E8B9: message-id=<20141021092611.91B96E8B9@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: from=<>, size=3710, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/bounce[4981]: 7450AE8B6: sender non-delivery notification: 91B96E8B9
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: removed
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 91B96E8B9: to=<root@harris.hk>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0, dsn=5.1.1, status=bounced (host kalos.harris.hk[private/dovecot-lmtp] said: 550 5.1.1 <root@harris.hk> User doesn't exist: root@harris.hk (in reply to RCPT TO command))
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: removed
Oct 22 22:07:34 kalos postfix/master[4597]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 22 22:46:23 kalos postfix/master[4597]: terminating on signal 15
Oct 22 22:46:23 kalos postfix/master[6166]: daemon started -- version 2.9.6, configuration /etc/postfix

tail /var/log/upstart/dovecot.log
Code:
tail: cannot open `/var/log/upstart/dovecot.log' for reading: No such file or directory


vonskippy wrote:
Turn off IPTABLES, and get your Email service working. Once it's working, turn on IPTABLES and once again, get Email working (knowing that any problems with email now are caused by the firewall).
How can I turn off iptables in Debian?

As root:

'/etc/init.d/iptables stop'
output: (doesn't work)

'iptables -X'
output: iptables: Too many links.

The CentOS commands do not work either. I am using Debian.


Posted: Thu Oct 23, 2014 3:35 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Here's a good thread on the Debian forum explaining it (follow it to the Ubuntu forum for info on UFW) - and a good recommendation - install UFW to manage your IPTABLES. With UFW installed, then it's a simple 'sudo service ufw stop' and 'sudo service ufw start'

http://forums.debian.net/viewtopic.php?f=10&t=112759

After researching something as simple as turning IPTABLES on and off in Debian, I'm oh so glad I use CentOS (service iptables stop / service iptables start).

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Wed Oct 29, 2014 5:18 pm
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
UFW doesn't function properly in Debian 7.6. It says it "enables" and "stops" on a reboot, but always displays "inactive" and never actually does anything with Debian 7.6 kernel 3.15.

This is my '$/var/log/mail.log' excerpt of the error I am receiving.

Oct 24 22:03:06 kalos postfix/smtpd[3998]: connect from mta.email.jacquielawson.com[66.231.90.157]
Oct 24 22:03:06 kalos postfix/smtpd[3998]: NOQUEUE: reject: RCPT from mta.email.jacquielawson.com[66.231.90.157]: 554 5.7.1 <username@harris.hk>: Relay access denied; from=<bounce-910$
Oct 24 22:03:06 kalos postfix/smtpd[3998]: disconnect from mta.email.jacquielawson.com[66.231.90.157]

I believe I have my firewall sorted out:
$iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
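
An added example (not part of the original posts): a log triage function for the three Postfix failures visible in the mail.log excerpts in this thread, namely the "bad boolean configuration" fatal, the 5.1.1 local bounce and the "Relay access denied" reject. The sample lines are constructed on documentation domains and addresses; the function name triage_maillog and its output labels are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Usage: triage_maillog DOMAIN < /var/log/mail.log

triage_maillog() {
    awk -v domain="$1" '
    # smtpd cannot start. Report the parameter, and whether its value swallowed a
    # second "name = value" (an indented main.cf line continues the previous one).
    /fatal: bad boolean configuration:/ {
        rest = $0; sub(/.*bad boolean configuration: */, "", rest)
        split(rest, f, " ")
        val = rest; sub(/^[^=]*= */, "", val)
        note = index(val, " = ") ? " merged-line" : ""
        print "config-fatal " f[1] note
        next
    }
    # Local delivery bounced: the LMTP backend has no mailbox for the recipient.
    /status=bounced/ && /5\.1\.1/ {
        if (match($0, /to=<[^>]*>/))
            print "unknown-user", substr($0, RSTART + 4, RLENGTH - 5)
        next
    }
    # Relay denied: for our own domain this is inbound mail being turned away;
    # for any other domain it is the relay restriction doing its job.
    /NOQUEUE: reject:/ && /Relay access denied/ {
        if (match($0, /5\.7\.1 <[^>]*>/)) {
            rcpt = substr($0, RSTART + 7, RLENGTH - 8)
            d = rcpt; sub(/.*@/, "", d)
            kind = (d == domain) ? "inbound-refused" : "relay-blocked"
            print kind, rcpt
        }
        next
    }'
}

# Constructed sample lines in the same format as the excerpts posted in the thread.
sample_log() {
    cat <<'EOF'
Oct 20 17:42:48 mx postfix/smtpd[28156]: fatal: bad boolean configuration: smtpd_sasl_auth_enable = yes  smtpd_recipient_restrictions = permit_sasl_authenticated
Oct 21 02:26:11 mx postfix/lmtp[4974]: 7450AE8B6: to=<root@example.test>, orig_to=<root>, relay=mx.example.test[private/dovecot-lmtp], dsn=5.1.1, status=bounced (host mx.example.test[private/dovecot-lmtp] said: 550 5.1.1 <root@example.test> User doesn't exist: root@example.test (in reply to RCPT TO command))
Oct 24 22:03:06 mx postfix/smtpd[3998]: NOQUEUE: reject: RCPT from sender.example.net[192.0.2.10]: 554 5.7.1 <user@example.test>: Relay access denied; from=<a@example.net> to=<user@example.test> proto=ESMTP helo=<sender.example.net>
Oct 24 22:05:40 mx postfix/smtpd[4002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<x@example.org> to=<someone@example.org> proto=SMTP helo=<h>
EOF
}

sample_log | triage_maillog example.test
```

An "inbound-refused" line means Postfix does not treat the recipient's domain as one it receives mail for (it is not listed in mydestination, virtual_mailbox_domains or relay_domains), which is a mail server setting rather than a firewall problem; "relay-blocked" is the reject working as intended.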

