On 7/27/2012 11:43 AM, Mark Alan wrote:
Hello,
While using Postfix 2.9.3, iptables 1.4.12, under Ubuntu 12.04 LTS,
after upgrading to Postfix 2.9.x, using
grep -I ' FW ' /var/log/syslog*|sort|grep 'DPT=[0-9]\+'
I am now finding a lot of syslog entries like these:
/var/log/syslog:Jul 27 12:00:32 mx kernel: [485xxx.xxxxx] FW
DROP-OUT IN= OUT=eth0 SRC=xx.xxx.xxx.xx DST=xxx.xx.xxx.xx LEN=77
TOS=0x00 PREC=0x00 TTL=64 ID=xxxxx DF PROTO=TCP SPT=xxxxx DPT=25
WINDOW=26280 RES=0x00 ACK PSH URGP=0
Using the time and the SRC= and DST= IPs, I am sure that these packets are sent by
Postfix. To my knowledge the emails related to these packet losses
do manage to find their way to the addressees (as usual).
The relevant iptables entries are:
-P OUTPUT DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,43,4321 -m conntrack --ctstate
NEW --syn -j ACCEPT
-A OUTPUT -m limit --limit 30/m --limit-burst 3 -j LOG --log-level
notice --log-prefix "FW DROP-OUT "
-A OUTPUT -j DROP
In the absence of a better explanation, it seems that iptables, while
processing Postfix output, is somehow losing track of packet state.
So, my questions are:
Does Postfix v. 2.9.x (and/or postscreen) need anything else besides
the above NEW --syn, ESTABLISHED, RELATED iptables rules?
Do you remember seeing something similar in your systems?
Any other thoughts about what is happening?
Thank you,
M.
I'm probably wrong as usual - but I'm guessing Postfix wasn't the only
thing you upgraded. Possibly iptables, or your kernel, got a version
bump as well? That's a fairly restrictive matching rule you have for
your new connection state - what worked before might have changed. May
I suggest removing the --syn for starters?
--
Daniel
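An added diagnostic (not code from either poster) for triaging "FW DROP-OUT" lines like the one quoted above: it parses the kernel LOG fields and tallies dropped packets per destination port by whether the segment was a new SYN (blocked by the NEW --syn rule) or a mid-stream ACK/PSH segment that conntrack no longer matched as ESTABLISHED. The sample lines are constructed, with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the iptables LOG format quoted in the thread
# (RFC 5737 documentation addresses, made-up ids; not real hosts).
SAMPLE_LOG = """\
Jul 27 12:00:32 mx kernel: [485000.00001] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:01:05 mx kernel: [485033.00002] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 27 12:02:11 mx kernel: [485099.00003] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.22 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=26280 RES=0x00 ACK URGP=0
Jul 27 12:03:40 mx kernel: [485188.00004] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=UDP SPT=40004 DPT=53 LEN=56
"""

KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')          # KEY=VALUE tokens (IN= may be empty)
TCP_FLAGS = ('SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')

def parse_log_line(line):
    """Return the KEY=VALUE fields of a FW DROP-OUT line, plus a FLAGS tuple
    for TCP built from the bare flag tokens; None for unrelated lines."""
    if 'FW DROP-OUT' not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get('PROTO') == 'TCP':
        tokens = line.split()                    # flags are bare words, e.g. "ACK PSH"
        fields['FLAGS'] = tuple(f for f in TCP_FLAGS if f in tokens)
    return fields

def classify(fields):
    """Say which OUTPUT rule the dropped packet would have needed to match."""
    if fields.get('PROTO') != 'TCP':
        return 'non-tcp'
    flags = fields['FLAGS']
    if 'SYN' in flags and 'ACK' not in flags:
        return 'new-syn'       # needs the NEW --syn ACCEPT rule
    if 'ACK' in flags:
        return 'mid-stream'    # conntrack no longer saw this flow as ESTABLISHED
    return 'other'

def summarize(log_text):
    """Count dropped packets keyed by (destination port, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields:
            counts[(fields.get('DPT'), classify(fields))] += 1
    return counts

if __name__ == '__main__':
    for (dpt, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'DPT={dpt:<5} {kind:<10} {n}')
```

A tally dominated by mid-stream drops on DPT=25, as in the poster's log, points at state tracking rather than at the --syn rule; a tally of new-syn drops would point the other way.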