Upgrade from 2.2.0 to 2.2.1 successful but SSL and IMAP stopped working

I recently upgarded from 2.2.0 to 2.2.1 on my Fedora Core 4 system. I had a few troubles to begin with but once I tried the install as the root user, running it out of the root directory it worked fine.

I am experiencing an odd problem though. My clients can login with with their e-mail clients just fine as long as SSL is turned off. But when SSL is turned on the clients cannot send or receive e-mail. IMAP is also not working with or without SSL turned on.

Steps I have taken so far:

I went back to the Fedora Core 4 Perfect Setup guide to double check the Postfix SSL section.

I check my main.cf file and all lines that should be added from the FC4PS are there.

I telneted into my localhost as port 25 and got the correct response from the server.

sals and imap services are running. I am a bit confused as where to look from here.

Any advice is welcome.

TR

 

IPTables

OK

So after some checking I turned off IPtables and everything started working.

I did not add entries to my iptables but maybe someone can help me understand what is going on.

The "Parole" entries did not used to be there:

Here is the output of my iptables:


-------------------------------------
Table: filter
Chain BLACKLIST (0 references)
target prot opt source destination
DROP all -- 59.36.96.102 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 127.0.0.0/8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0

Chain PAROLE (9 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Table: mangle
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Table: nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
-------------------------------------
After stopping IPTables and restarting here is the output

-------------------------------------

Table: filter
Chain BLACKLIST (1 references)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

Chain INPUT (policy ACCEPT)
target prot opt source destination
BLACKLIST tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'

Table: mangle
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Table: nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

[root@keynes etc]# /etc/init.d/iptables status
Table: filter
Chain BLACKLIST (1 references)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

Chain INPUT (policy ACCEPT)
target prot opt source destination
BLACKLIST tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'

Table: mangle
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Table: nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

-----------------------------------------------------

Current IPTables file contents:
-----------------------------------------------------

# Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
*nat
:OUTPUT ACCEPT [2499:173702]
OSTROUTING ACCEPT [2499:173702]
REROUTING ACCEPT [4854:708276]
COMMIT
# Completed on Wed Feb 8 04:50:42 2006
# Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [150545:167915507]
:OUTPUT ACCEPT [98885:17152842]
OSTROUTING ACCEPT [98885:17152842]
REROUTING ACCEPT [150545:167915507]
COMMIT
# Completed on Wed Feb 8 04:50:42 2006
# Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
*filter
:BLACKLIST - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [150574:167918854]
:OUTPUT ACCEPT [98928:17195262]
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Wed Feb 8 04:50:42 2006
--------------------------------------------

I am running SSHBlacklist but that is the only program that can make additions to the IPTables.

This is really odd. Restarting seemed to clear up the configuration, even though I rebooted multiple times and that never cleared anything up.

I consider this case solved but would like input about the mysterious entries if anyone has any theories.

TR

 

Firewall

Till,

Thanks for the quick response.

My IPSConfig firewall is turned on. A quick question I have rules added for all my mail ports:

25
110
443
993
995

They are tuned on to "Active = Yes". I am assuming that this means the firewall will let these ports through. Is the ISPConfig firewall separate from IPTables or does it just add rules to IPTables.

Thanks for your answers Till.

TR

 

How did you stop and start the firewall? The first iptables output is from the ISPConfig firewall, but the second isn't - it's totally different so my guess is you accidentally started your system's built-in firewall which then causes your problems.

 

Start Stop of firewall

I started IPtables by running it from it's default location:

/etc/init.d/iptables stop

/etc/init.d/iptables start

I did not do anything with the ISPConfig Bastille firewall.

Hope that helps. All is working fine.

TR

 

Please make sure you didn't accidentally enable the ISPConfig firewall because the first iptables output came definitely from the ISPConfig firewall.