Automated ISPConfig 3 Installation - email bounces

Discussion in 'ISPConfig 3 Priority Support' started by curiousadmin, May 17, 2021.

  1. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Hello Community,
    Thank you for posting the amazing script Perfect Server Automated ISPConfig 3 Installation on Debian 10 and Ubuntu 20.04.
    I actually ran into one more problem: at one point the server would not receive any emails from other ISPConfig servers (I didn't try Gmail etc., I probably should have).
    What has happened:
    I sent an email from server1.example.com on 11/5/2021, where I installed ISPConfig manually many months ago (the mail server was and is working fine there), but the newly installed server2.example.com (using the automatic installer script) would not receive the email.
    I sort of forgot about it and on 16/5/2021 I received an email from MAILER-DAEMON@server1.example.com:
    Subject: Undelivered Mail Returned to Sender
    Code:
    This is the mail system at host server1.example.com.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <[email protected]>: connect to server2.example.com[1.2.3.4]:25:
        Connection timed out
    
    
    Reporting-MTA: dns; server1.example.com
    X-Postfix-Queue-ID: 753FB3EAD5
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Tue, 11 May 2021 11:25:15 +0000 (UTC)
    
    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 4.4.1
    Diagnostic-Code: X-Postfix; connect to server2.example.com[1.2.3.4]:25:
        Connection timed out
    (1.2.3.4 was an actual public IPv4 address of server2.example.com)

    I didn't have time to deal with it on 16/5/2021, so I looked at it again today (17/5/2021). I scanned the 1.2.3.4 IP with the nmap tool and indeed port 25 wasn't open (as I had followed the firewall recommendations within the howto).
    Later I opened TCP port 25 via the web interface (System > Firewall) even though it was not advised, and I sent an email again from server1.example.com to the same server server2.example.com, and somehow the email arrived. I figured that's what fixed it, so I ran nmap again, but port 25 wasn't open (?!), at least according to nmap. So I closed the port again (removed it from the list of opened TCP ports via the web interface), but email would still work (?!).

    Can somebody explain to me what has happened or how to debug this? Could it be related to not yet fully propagated DNS records for server2.example.com? Why would I get the failure email 5 days later?
    Is it possible that there is some sort of weird bug within the firewall?
    Does ISPConfig actually use port 25 to exchange emails between servers?

    Thank you for any input on this.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Oops, this is a mistake in the tutorial. The reason you got the email after 5 days is that it tries to deliver it for a certain amount of time until it finally can't.

    I'll make sure the tutorial is updated asap.
     
  3. curiousadmin

    curiousadmin Member HowtoForge Supporter

    So which one is the problem? How come it still works if I (later) removed the firewall exception on port 25? I just enabled and disabled port 25.
    I actually even rebooted the server and it still works with the port 25 NOT enabled (via the web interface) on the server...
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Mail from one server to another is delivered on port 25 (unless you explicitly configure it to do something different), so you need port 25 open in the firewall of a mail server, and mail will not deliver correctly with port 25 blocked.
     
  5. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Well this is my current configuration on server2.example.com:
    [screenshot of the firewall configuration]
    and I can receive emails, so what's wrong? Port 25 is not really removed? It should not work, right?
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You can run 'iptables -L -n -v' on that server's command prompt to see what the live firewall rules look like. Also check the ip6tables output if you have IPv6.
     
  7. curiousadmin

    curiousadmin Member HowtoForge Supporter

    I did, so if I understand it correctly the web GUI didn't actually remove the TCP 25 rule:
    Code:
    Chain ufw-user-input (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
        9   448 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
     1125 67336 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      155  7608 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       24  1052 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 40110:40210
        2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
        2   100 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
        3   160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
        7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
        2   100 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       58  3392 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
        9   504 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081
        5   307 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
        7   380 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
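    The check Jesse describes above, scripted as an added example (not code from the thread or from ISPConfig): it reads the `iptables -L -n -v` dump and reports whether a live ACCEPT rule exists for a given TCP port, so the UI's port list can be compared with what the kernel is actually enforcing. The embedded rule set is a constructed sample modelled on the ufw-user-input chain shown above; without a second argument the function runs `iptables` itself, which needs root.

```shell
#!/bin/sh
# Added example: verify a TCP port against the LIVE iptables rules rather than
# the ISPConfig firewall UI. Constructed sample in the format of `iptables -L -n -v`.
SAMPLE_RULES='Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    7   380 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2525
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 40110:40210'

# tcp_port_accepted PORT [RULES]
# Prints every ACCEPT rule that matches tcp/PORT (single "dpt:N" or a
# "multiport dports A:B" range) and returns 0 if at least one exists, 1 if not.
# RULES defaults to the live output of `iptables -L -n -v` (assumption: root).
tcp_port_accepted() {
  port=$1
  rules=${2:-"$(iptables -L -n -v 2>/dev/null)"}
  printf '%s\n' "$rules" | awk -v p="$port" '
    $3 == "ACCEPT" && $4 == "tcp" {
      for (i = 5; i <= NF; i++) {
        if ($i == ("dpt:" p)) { found = 1; print }
        if ($i == "dports") {
          split($(i + 1), r, ":")
          if (r[1] + 0 <= p + 0 && p + 0 <= r[2] + 0) { found = 1; print }
        }
      }
    }
    END { exit found ? 0 : 1 }'
}

# Stand-alone usage: compare the sample with what an admin expects after
# removing port 25 in the UI. A rule still listed here means the change was
# never applied to the running firewall.
if tcp_port_accepted 25 "$SAMPLE_RULES" >/dev/null; then
  echo "tcp/25 is ACCEPTed by the live rules"
else
  echo "tcp/25 has no ACCEPT rule"
fi
```

    Run it as `tcp_port_accepted 25` on the server itself (and with `ip6tables` output passed as the second argument for IPv6) to see whether the SMTP rule really went away after saving the UI form.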
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It usually works, weird it did not here. But add it to the list through the UI anyway.
     
  9. curiousadmin

    curiousadmin Member HowtoForge Supporter

    I just did a fresh install using the automatic installer and it seems that the firewall rules were automatically added.

    Maybe the step "4. Setting up the firewall" can be now removed in the howto?

    Edit: It's not initially listed, but if I click "add firewall record" it's already all pre-filled (?!); all I have to do is click save. Odd?
     
    Last edited: Jul 1, 2021
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    No, there is no firewall added. Just follow the guide.

    It's the exact opposite; it would be odd if it weren't pre-filled with the default ports, as most users would not even know which ports need to be opened for an operational system.
     
