Hi,
a firewall rule in the Mailserver blocks port 25 from local network, the comment says “mailfilter”.
This rule does not show up in the NS GUI, so I cannot disable it there. How can I do it otherwise?
2 Likes
There is one rule saying:
?COMMENT postfix
ACCEPT loc $FW tcp 25
ACCEPT net $FW tcp 25
That’s what I see in the configuration of the network services.
After that there is another rule saying:
?COMMENT block port 25 from green
REJECT:info loc net tcp 25
Isn’t that contradictory?
I have a smtp proxy running on the firewall machine which is to forward mails to port 25 of the internal mail server. But I get an “access refused”. Probably because of the blocking rule above.
So what should I do?
Could you please describe a little more your network topology?
Firewall machine should be on RED interface, not on GREEN one…
The firewall machine has two interfaces - red and green. The green interface has an ip of the internal network.
There is an internal NS mail server which is also the DC host of the active directory. Postfix services should be accepted from red and green. In addition to that mails coming from a mailgate in a DMZ should also pass the firewall.
But no matter from where mails shall be forwarded to this internal mail server, the connection is always refused.
The firewall log does not report anything nor does the maillog.
After hours and hours of experimenting I need your help. What can be wrong here?
Is it correct that the machine name is the same as the MX Record of the domain? The domain is not locally hosted.
Go to the log viewer on the Nethserver webinterface, and search for the IP or hostname of your sending mailserver or client. This should at least yield connection info. If not, the firewall is blocking it.
Most firewalls do not automatically log every block … so perhaps you need to turn on logging for a port25 rule.
NAT could be an issue. DNS could be the issue. If your computer uses a buplic, or buplic looking DNS, you will get no result for your maildomain back and your client wont be able to send it.
If your maildomain is known on internet, it will likely be forwarded to your public IP.
The DNS server handling the request should have a valid MX record.
Perhaps your provider is blocking you on there not being a public MX record as this is oftent the case for malicious mailservers.
Check out: How to get rid smarthost (and use rdns,spf,dkim,dmarc) This topic is a wealth of info on how to configure and check your mailserver config.
Does your mailclient throw an error during send/receive ?
The mailserver accepts mails from clients on the network and sends them outside. No problem. It delivers mails from local (i.e. mails collected by getmail) correctly to the clients, too.
Mails from outside arrive at the firewall machine (Sophos UTM), there they get checked by a smtp proxy and shall then be forwarded to the internal mailserver as above. But that does not work: connection refused.
Is your nethserver installation configured as server-only (no red interface?)
I don’t know if what i’m assuming is right, but i don’t know if SMTP proxy as gateway is covered by Nethserver configuration scenarios (would please dev_team support me a bit?). SMTP smarthost is used only for outbound delivery, as far as i can remember).
Anyway, if you install the firewall module you could allow the inbound communication on port 25. But i don’t know if MTA will accept the delivery of messages…
Thanks for your effort. But it turned out that there was something wrong with the installation. I deleted and reinstalled the mailserver, now everything works as expected.
What did you configure differently, this time?
To be honest, I don’t know. I just installed the vm from scratch anew.
And the blocking was gone.