Upgrade from 2.2.0 to 2.2.1 successful but SSL and IMAP stopped working

Discussion in 'Installation/Configuration' started by teleriddler, Apr 27, 2006.

  1. teleriddler

    teleriddler New Member

    I recently upgraded from 2.2.0 to 2.2.1 on my Fedora Core 4 system. I had a few troubles to begin with but once I tried the install as the root user, running it out of the root directory it worked fine.

    I am experiencing an odd problem though. My clients can log in with their e-mail clients just fine as long as SSL is turned off. But when SSL is turned on the clients cannot send or receive e-mail. IMAP is also not working with or without SSL turned on.

    Steps I have taken so far:

    I went back to the Fedora Core 4 Perfect Setup guide to double check the Postfix SSL section.

    I checked my main.cf file and all lines that should be added from the FC4PS are there.

    I telnetted into my localhost at port 25 and got the correct response from the server.

    SASL and IMAP services are running. I am a bit confused as to where to look from here.

    Any advice is welcome.

    TR
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As ISPConfig does not change your postfix and IMAP configuration, the problem can not be related directly to the ISPConfig update.

    Did you update your operating system too, with e.g. yum or apt? Which error messages do you get in your mail log?
     
  3. teleriddler

    teleriddler New Member

    IPTables

    OK

    So after some checking I turned off IPtables and everything started working.

    I did not add entries to my iptables but maybe someone can help me understand what is going on.

    The "Parole" entries did not use to be there:

    Here is the output of my iptables:


    -------------------------------------
    Table: filter
    Chain BLACKLIST (0 references)
    target prot opt source destination
    DROP all -- 59.36.96.102 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- 0.0.0.0/0 127.0.0.0/8
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 224.0.0.0/4 0.0.0.0/0
    PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
    PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
    PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
    PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
    PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
    PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0
    PUB_OUT all -- 0.0.0.0/0 0.0.0.0/0

    Chain PAROLE (9 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Table: mangle
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Table: nat
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    -------------------------------------
    After stopping IPTables and restarting here is the output

    -------------------------------------

    [root@keynes etc]# /etc/init.d/iptables status
    Table: filter
    Chain BLACKLIST (1 references)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    BLACKLIST tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'

    Table: mangle
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Table: nat
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    -----------------------------------------------------

    Current IPTables file contents:
    -----------------------------------------------------

    # Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
    *nat
    :OUTPUT ACCEPT [2499:173702]
    :POSTROUTING ACCEPT [2499:173702]
    :PREROUTING ACCEPT [4854:708276]
    COMMIT
    # Completed on Wed Feb 8 04:50:42 2006
    # Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [150545:167915507]
    :OUTPUT ACCEPT [98885:17152842]
    :POSTROUTING ACCEPT [98885:17152842]
    :PREROUTING ACCEPT [150545:167915507]
    COMMIT
    # Completed on Wed Feb 8 04:50:42 2006
    # Generated by iptables-save v1.3.0 on Wed Feb 8 04:50:42 2006
    *filter
    :BLACKLIST - [0:0]
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [150574:167918854]
    :OUTPUT ACCEPT [98928:17195262]
    -A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    -A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    -A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    COMMIT
    # Completed on Wed Feb 8 04:50:42 2006
    --------------------------------------------

    I am running SSHBlacklist but that is the only program that can make additions to the IPTables.

    This is really odd. Restarting seemed to clear up the configuration, even though I rebooted multiple times and that never cleared anything up.

    I consider this case solved but would like input about the mysterious entries if anyone has any theories.

    TR
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe your ISPConfig firewall is activated and has no open ports for IMAP and SSL?
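
One way to test this suggestion against a listing like the first one above, as an added example that is not part of the original thread: the function reads `iptables -L -n` style output and prints which of the wanted TCP ports no rule in the chain lets through. The sample is an abridged, constructed copy of the PUB_IN and PAROLE chains; the function names and port 143 for IMAP are assumptions added here.

```shell
# Constructed sample: abridged PUB_IN and PAROLE chains from the first listing.
sample_listing() {
cat <<'EOF'
Chain PAROLE (9 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain PUB_IN (4 references)
target prot opt source destination
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
PAROLE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP all -- 0.0.0.0/0 0.0.0.0/0
EOF
}
# missing_ports CHAIN PORT...: read one table of `iptables -L -n` output on stdin;
# print the TCP ports that no per-port rule in CHAIN passes before its catch-all DROP.
missing_ports() {
    chain=$1; shift
    awk -v chain="$chain" -v want="$*" '
    function any(f, n) { return n == 5 && f[2] == "all" && f[4] == "0.0.0.0/0" && f[5] == "0.0.0.0/0" }
    { line[NR] = $0 }
    END {
        # Pass 1: find user chains that accept everything sent to them (PAROLE here).
        for (i = 1; i <= NR; i++) {
            n = split(line[i], f, " ")
            if (f[1] == "Chain") cur = f[2]
            else if (any(f, n) && f[1] == "DROP") closed[cur] = 1
            else if (any(f, n) && f[1] == "ACCEPT" && !(cur in closed)) accepts[cur] = 1
        }
        cur = ""   # Pass 2: walk CHAIN in rule order, stopping at the catch-all DROP.
        for (i = 1; i <= NR; i++) {
            n = split(line[i], f, " ")
            if (f[1] == "Chain") { cur = f[2]; continue }
            if (cur != chain) continue
            if (any(f, n) && f[1] == "DROP") break
            if (f[2] == "tcp" && (f[1] == "ACCEPT" || (f[1] in accepts)))
                for (j = 6; j <= n; j++) if (f[j] ~ /^dpt:[0-9]+$/) open[substr(f[j], 5)] = 1
        }
        m = split(want, w, " ")
        for (k = 1; k <= m; k++) if (!(w[k] in open)) out = out (out == "" ? "" : " ") w[k]
        print out
    }'
}
sample_listing | missing_ports PUB_IN 25 110 143 443 993 995
```

On a live host the same check would be fed the filter table's listing instead of the sample; interface matches are not shown without `-v`, so only per-port rules are counted.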
     
  5. teleriddler

    teleriddler New Member

    Firewall

    Till,

    Thanks for the quick response.

    My ISPConfig firewall is turned on. A quick question: I have rules added for all my mail ports:

    25
    110
    443
    993
    995

    They are turned on to "Active = Yes". I am assuming that this means the firewall will let these ports through. Is the ISPConfig firewall separate from IPTables or does it just add rules to IPTables?

    Thanks for your answers Till.

    TR
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig firewall uses IPTables or IPChains. The firewall script ISPConfig uses is named Bastille. The Bastille config file that is written by ISPConfig is in a directory /etc/Bastille.... I don't remember the exact name of the directory, please have a look in /etc/, there is only one Bastille directory :)
     
  7. falko

    falko Super Moderator Howtoforge Staff

    How did you stop and start the firewall? The first iptables output is from the ISPConfig firewall, but the second isn't - it's totally different so my guess is you accidentally started your system's built-in firewall which then causes your problems.
     
  8. teleriddler

    teleriddler New Member

    Start Stop of firewall

    I started IPtables by running it from its default location:

    /etc/init.d/iptables stop

    /etc/init.d/iptables start

    I did not do anything with the ISPConfig Bastille firewall.

    Hope that helps. All is working fine.

    TR
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Please make sure you didn't accidentally enable the ISPConfig firewall because the first iptables output came definitely from the ISPConfig firewall.
     
