Okay.
Got it.
Thanks for the hollers.
I will do what I can.

On 7/8/2011 5:42 PM, Ansgar Wiechers wrote:

On 2011-07-08 Jeffrey Starin wrote:

When I turn off the firewall (which I am loath to do) to my VPS I am
able to use the command smtp_bind_address just fine.

Otherwise, with firewall turned on, I am getting these time out
errors in my maillog files:

Jul 7 13:00:04 who postfix/pickup[36846]: 1F3274160009: uid=10003 from=<blabla...@mydomain.com>
Jul 7 13:00:04 who postfix/cleanup[38864]: 1F3274160009: message-id=<20110707170002.38758.1650417736.sw...@www.mydomain.com>
Jul 7 13:00:04 who postfix/qmgr[36847]: 1F3274160009: from=<blablabla@mydomain>, size=996, nrcpt=1 (queue active)
Jul 7 13:00:34 who postfix/smtp[40187]: connect to 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)
Jul 7 13:00:34 who postfix/smtp[40187]: 1F3274160009: to=<blublu...@gmail.com>, relay=none, delay=32, delays=1.9/0.01/30/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]: Connection timed out)

I cannot find in the following list of rules (which is the default
iptables policy for the hosting company I use) what is causing the
connection timed out issue. If someone sees something please advise
what needs to be done. I am at my wits' end with this problem. Thank
you.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp

Almost 400 rules with tons of duplicates in them? You gotta be kidding.
Nobody's gonna bother checking these (unless they have A LOT of free
time on their hands).

Seriously, clean your ruleset (or rather: rebuild it from scratch)
before you try anything else.

As Harald already pointed out: for connections to localhost something
like

  iptables -A INPUT -i lo -j ACCEPT

is perfectly fine. And unless you have rather strict security
requirements (in which case your ruleset would allow far fewer protocols
to begin with), you can simply accept everything in the OUTPUT chain:

  iptables -P OUTPUT ACCEPT

Also, when posting your tables somewhere, use "iptables -nL" rather than
just "iptables -L".

Regards
Ansgar Wiechers
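
Added example, not part of the thread: a shell function that checks a ruleset dump for the two problems discussed above, exact duplicate rules and a missing loopback ACCEPT ahead of any INPUT rule that can drop loopback traffic. It assumes input in `iptables -S` format; the name `audit_rules` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads rules in `iptables -S` format on
# stdin; reports exact duplicates and whether an unconditional loopback ACCEPT
# sits ahead of the first INPUT rule that could drop loopback traffic.
audit_rules() {
    awk '
    # Interface a rule is positively bound to via -i, or "" if none/negated.
    function in_iface(   i) {
        for (i = 3; i < NF; i++)
            if ($i == "-i") return (($(i - 1) == "!") ? "" : $(i + 1))
        return ""
    }
    $1 == "-A" {
        total++
        if (seen[$0]++) { dups++; next }      # identical chain, match and target
        if ($2 != "INPUT" || decided) next
        if ($0 == "-A INPUT -i lo -j ACCEPT") { lo_ok = 1; decided = 1; next }
        ifc = in_iface()
        if ($0 ~ / -j (DROP|REJECT)( |$)/ && (ifc == "" || ifc == "lo"))
            decided = 1                        # loopback can be dropped first
    }
    END {
        printf "rules=%d duplicates=%d loopback_accept_first=%s\n",
               total, dups, (lo_ok ? "yes" : "no")
    }'
}

# Constructed sample: policy ACCEPT, repeated rules, catch-all DROP, no lo rule.
SAMPLE_BROKEN='-P INPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP'

# Constructed sample: same policy rebuilt with the loopback rule first.
SAMPLE_FIXED='-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP'

printf '%s\n' "$SAMPLE_BROKEN" | audit_rules
printf '%s\n' "$SAMPLE_FIXED" | audit_rules
```

On a live host, feed it the real ruleset with `iptables -S | audit_rules` (as root).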