Firewall Work with Email

Discussion in 'Installation/Configuration' started by Emsanator, Jun 5, 2023.

  1. Emsanator

    Emsanator Member

    Hello,
    I wanted to let you know about the problem I'm having with my email sending. If the firewall is active, the email sending function doesn't work and I can't access the extra ports I added. I would like to request your support regarding the cause of this situation.
    I noticed that the current configuration was causing a conflict with my email sending capabilities. I tried to resolve the issue by adding extra ports to the firewall's whitelist, but still without success.


    Thank you
     


  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the output of
    Code:
    ufw status numbered
    And
    Code:
    iptables -L
     
  3. Emsanator

    Emsanator Member

    Hi Thom, of course;

    Code:
    root@serve:~# ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 22                         ALLOW IN    Anywhere
    [ 2] 22/tcp                     ALLOW IN    Anywhere
    [ 3] 80                         ALLOW IN    Anywhere
    [ 4] 80/tcp                     ALLOW IN    Anywhere
    [ 5] 443/tcp                    ALLOW IN    Anywhere
    [ 6] 443                        ALLOW IN    Anywhere
    [ 7] 8080                       ALLOW IN    Anywhere
    [ 8] 8080/tcp                   ALLOW IN    Anywhere
    [ 9] 21                         ALLOW IN    Anywhere
    [10] 8081                       ALLOW IN    Anywhere
    [11] Anywhere                   ALLOW IN    159.146.***.***
    [12] 3512/tcp                   ALLOW IN    Anywhere
    [13] 3516/tcp                   ALLOW IN    Anywhere
    [14] 22 (v6)                    ALLOW IN    Anywhere (v6)
    [15] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
    [16] 80 (v6)                    ALLOW IN    Anywhere (v6)
    [17] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
    [18] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
    [19] 443 (v6)                   ALLOW IN    Anywhere (v6)
    [20] 8080 (v6)                  ALLOW IN    Anywhere (v6)
    [21] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)
    [22] 21 (v6)                    ALLOW IN    Anywhere (v6)
    [23] 8081 (v6)                  ALLOW IN    Anywhere (v6)
    [24] 3512/tcp (v6)              ALLOW IN    Anywhere (v6)
    [25] 3516/tcp (v6)              ALLOW IN    Anywhere (v6)
    
    Code:
    root@serve:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
    ufw-before-logging-input  all  --  anywhere             anywhere
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    ufw-after-logging-input  all  --  anywhere             anywhere
    ufw-reject-input  all  --  anywhere             anywhere
    ufw-track-input  all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  anywhere             anywhere
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    ufw-after-logging-forward  all  --  anywhere             anywhere
    ufw-reject-forward  all  --  anywhere             anywhere
    ufw-track-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  anywhere             anywhere
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    ufw-after-logging-output  all  --  anywhere             anywhere
    ufw-reject-output  all  --  anywhere             anywhere
    ufw-track-output  all  --  anywhere             anywhere
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    REJECT     all  --  218.92.0.47          anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
    ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
    ufw-user-input  all  --  anywhere             anywhere
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ufw-user-forward  all  --  anywhere             anywhere
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
    
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:22
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:fsp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:8081
    ACCEPT     all  --  ***.***.146.159.srv.turk.net  anywhere
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3512
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3516
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-limit (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    
    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    root@serve:~#
    
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Does it work when you add port 25 tcp to the open port list of the firewall?
     
  5. Emsanator

    Emsanator Member

    Port 25 is already added, as are ports 465 (SSL) and 587 (TLS), but it does not work when the firewall is active.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What happens when sending e-mail? Something in mail.log?
     
  7. Emsanator

    Emsanator Member

    When I check the ports on my IP from different sites, I can see that ports 465, 587 and 3512 are closed.

    @Taleman, the mail.log file is a few MB, so I could not share it. I deleted it to start fresh, but it didn't occur in the new file.

     
    Last edited: Jun 5, 2023
  8. Emsanator

    Emsanator Member

    Update

    I think there is a bug in the ISPConfig firewall part. For this reason, I decided to add the rules manually, and after adding them manually the e-mail started to work.

    ----
    Guide for other people.
    Code:
    root@serve:~# sudo ufw allow 3512/tcp
    Skipping adding existing rule
    Skipping adding existing rule (v6)
    root@serve:~# sudo ufw reset
    Resetting all rules to installed defaults. This may disrupt existing ssh
    connections. Proceed with operation (y|n)?
    root@serve:~# y
    Backing up 'user.rules' to '/etc/ufw/user.rules.20230605_214110'
    Backing up 'before.rules' to '/etc/ufw/before.rules.20230605_214110'
    Backing up 'after.rules' to '/etc/ufw/after.rules.20230605_214110'
    Backing up 'user6.rules' to '/etc/ufw/user6.rules.20230605_214110'
    Backing up 'before6.rules' to '/etc/ufw/before6.rules.20230605_214110'
    Backing up 'after6.rules' to '/etc/ufw/after6.rules.20230605_214110'
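
The status listing in the third post has no ALLOW rule for 25, 465 or 587, which is what the question about port 25 is pointing at. The script below is an added example, not part of the original thread and not ISPConfig's own code: it parses a captured `ufw status numbered` listing (the sample is copied from the post above, trimmed) and prints the `ufw allow` commands for every mail port that has no IPv4 ALLOW IN rule. The list of mail ports (25, 465, 587) is an assumption for a typical Postfix/Dovecot host.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread or from ISPConfig.
# Checks a `ufw status numbered` listing for the ports a mail server needs
# and prints the `ufw allow` commands for the ones that are missing.

# Assumption: the host needs SMTP, SMTPS and submission reachable.
MAIL_PORTS="25 465 587"

# Sample listing, constructed from the thread's output (trimmed, IP masked as posted).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 7] 8080                       ALLOW IN    Anywhere
[ 9] 21                         ALLOW IN    Anywhere
[11] Anywhere                   ALLOW IN    159.146.***.***
[12] 3512/tcp                   ALLOW IN    Anywhere
[14] 22 (v6)                    ALLOW IN    Anywhere (v6)'

# allowed_tcp_ports STATUS_TEXT
# Prints, one per line and sorted, the ports with an IPv4 "ALLOW IN" rule that
# covers TCP. A bare port like "22" covers tcp and udp, so it counts; "22/tcp"
# counts; "(v6)" rows are skipped because their second field is "(v6)", not ALLOW.
allowed_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ {
            sub(/^\[ *[0-9]+\] */, "")          # drop "[ n]" so $1 is the To column
            to = $1; action = $2; dir = $3
            if (action != "ALLOW" || dir != "IN") next
            if (to ~ /^[0-9]+$/) print to
            else if (to ~ /^[0-9]+\/tcp$/) { sub(/\/tcp$/, "", to); print to }
        }' | sort -un
}

# missing_mail_ports STATUS_TEXT
# Prints the mail ports with no covering TCP rule, space separated (empty if none).
missing_mail_ports() {
    local allowed missing="" p
    allowed=$(allowed_tcp_ports "$1")
    for p in $MAIL_PORTS; do
        if ! printf '%s\n' "$allowed" | grep -qx "$p"; then
            missing="$missing$p "
        fi
    done
    printf '%s\n' "${missing% }"
}

# suggest_rules STATUS_TEXT
# Prints one `ufw allow N/tcp` per missing port. The /tcp suffix is deliberate:
# the thread's bare "22" and "80" rules also opened udp, as the "udp dpt:22"
# lines in its iptables output show, and mail does not need udp.
suggest_rules() {
    local p
    for p in $(missing_mail_ports "$1"); do
        printf 'ufw allow %s/tcp\n' "$p"
    done
}

# On a live host replace the sample with: STATUS=$(ufw status numbered)
suggest_rules "$SAMPLE_STATUS"
```

Two caveats when using this on the thread's procedure. `ufw reset` removes every rule and disables ufw, so a mail test that succeeds right after a reset is a test of the host with no firewall, not of a fixed rule set; re-enable with `ufw enable` and re-check. And a port reported closed from outside can also be one that nothing is listening on, so confirm with `ss -ltnp` that Postfix is bound to 25, 465 and 587 before blaming the firewall.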
    
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    It's more likely that it's an issue specific to your system or you made a typo in the port list as it works fine on thousands of other servers and it also works on all Debian and Ubuntu test systems. I asked to add port 25 as it was not added before according to your posts.
     
  10. Emsanator

    Emsanator Member

    You're right about that. Port 25 was added earlier, as you can see in the screenshot in the first post. However, I'm glad I managed to solve the problem somehow.
    Thank you everyone for your help and your time.
     