I was able to send an e-mail from my gmail to me@mydomain.com. Then I set up iptables and it is no longer working. I can still send e-mails from me@mydomain to me2@mydomain.
Does port 25 need to be open? Shouldn't port 587 be sufficient?
iptables.rules:
# Generated by iptables-save v1.4.21 on Sun May 24 12:26:32 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23:3238]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# never reached: every remaining TCP packet was already rejected by the rule above
-A INPUT -p tcp -m tcp --dport 9322 -j sshguard
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# TCP chain: ports accepted for NEW inbound connections (there is no rule for 25)
-A TCP -p tcp -m tcp --dport 9322 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 9321 -j ACCEPT
COMMIT
master.cf:
# smtp (port 25) receives mail from other MTAs; submission (port 587) is for
# authenticated clients and requires TLS. "-o" continuation lines must be indented.
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
Last edited by etakeh32 (2015-05-24 23:16:19)
> Does port 25 need to be open? Shouldn't port 587 be sufficient?

Yes, 25 needs to be open to receive mail from external hosts. 587 is for sending mail from your mail client (Thunderbird, Evolution et al.).
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
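As an added example (not from this thread), the following POSIX sh script checks an iptables-save dump laid out like the one posted above, where INPUT hands NEW TCP SYNs to a user chain named TCP, and reports whether the two SMTP ports the answer distinguishes (25 for MTA-to-MTA delivery, 587 for client submission) will actually reach Postfix. The dump embedded in it is a constructed, trimmed copy of the poster's rules.

```sh
#!/bin/sh
# Constructed dump mirroring the thread's iptables.rules: 587 is accepted, 25 is not.
RULES='*filter
:INPUT ACCEPT [0:0]
:TCP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
COMMIT'

# Exit 0 when NEW TCP SYNs are dispatched to the TCP chain AND that chain
# ACCEPTs the destination port.  $1 = dump text, $2 = port number.
tcp_port_allowed() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*-p tcp .*--ctstate NEW -j TCP$' || return 1
    printf '%s\n' "$1" | grep -Eq -- "^-A TCP -p tcp( -m tcp)? --dport $2 -j ACCEPT$"
}

# Exit 0 when inbound MTA-to-MTA delivery (port 25) is blocked by the dump.
inbound_smtp_blocked() {
    ! tcp_port_allowed "$1" 25
}

# Human-readable summary of both SMTP roles; always exits 0.
smtp_firewall_report() {
    for p in 25 587; do
        if tcp_port_allowed "$1" "$p"; then
            echo "port $p: accepted by TCP chain"
        else
            echo "port $p: rejected (no ACCEPT rule in TCP chain)"
        fi
    done
}

# The rule the posted dump lacks; append it to the TCP chain to accept external mail.
missing_smtp_rule() {
    echo "-A TCP -p tcp -m tcp --dport 25 -j ACCEPT"
}

smtp_firewall_report "$RULES"
```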
Okay, thanks. So does that mean that if 'Bob' sends me an e-mail via gmail, once it has been transmitted from Bob's computer to gmail.com, let's say using webmail over SSL, it then travels from gmail to my server unencrypted?
Yes, unless you enable opportunistic TLS in Postfix.
I will try and figure out how to do that. If I enable that, would I need to open any other ports or would that also take place via port 25?
> would I need to open any other ports or would that also take place via port 25?

All "public" SMTP takes place over port 25.
Email is not secure; you can enable opportunistic TLS; however, that does not prevent the connection being MitM'ed because there is no verification of certificates (hence the "opportunistic" part).
Thanks!