OSEC

Re: Exchange/DMZ/postfix

From: Charles Quesenberry (quesenberrypeak.org)
Date: Fri Dec 03 2004 - 20:38:43 CST


On Fri, 2004-12-03 at 18:13 -0800, Andrew wrote:
> --- Charles Quesenberry <quesenberrypeak.org> wrote:
>
> > On Fri, 2004-12-03 at 16:48 -0800, Andrew wrote:
> > > Hi,
> > >
> > > I'm new to messaging and have been having a lot of
> > > trouble getting this to work.
> > >
> > > I work in a small school (K-12) and I want to give the
> > > older children an email account. So I decided to use
> > > exchange but also wanted to use postfix as a mail
> > > relay.
> > >
> > > I followed the instructions on this website:
> > >
> > > http://postfix.state-of-mind.de/patrick.koetter/mailrelay/
> > >
> > > but am still failing miserably.
> > >
> > > My network uses NAT. The teaching section is
> > > 192.168.1.0/24 and my DMZ is 192.168.2.0/24. I use
> > > smoothwall as the firewall
> > > (http://smoothwall.org/about/)
> > >
> > > The LAN side domain is called teaching.local and I
> > > have a registered domain called "domain.com" (I've
> > > changed the UPN section in the exchange so I don't
> > > think this is the problem) and sorted the MX record. I
> > > have put a mailserver in the DMZ and know that
> > > everything is working in the sense that I can send
> > > mail to and from this machine.
> > >
> > > The postfix machine in the DMZ has an IP address of
> > > 192.168.2.200
> > >
> > > The Exchange server is 192.168.1.60/24.
> > >
> > > The DMZ allows access to:
> > >
> > > TCP ALL 25 192.168.2.200 25
> > > TCP ALL 110 192.168.2.200 110
> > >
> > > My main.cf looks like this:
> > >
> > > soft_bounce = no
> > > command_directory = /usr/sbin
> > > daemon_directory = /usr/libexec/postfix
> > > local_recipient_maps =
> > > unknown_local_recipient_reject_code = 444450
> > > mynetworks = 192.168.1.0/24, 192.168.2.0/24
> > > relay_domains = $mydestination, domain.com, mail.domain.com
> > > relay_recipient_maps = hash:/etc/postfix/relay_recipients
> > >
> > > transport_maps = hash:/etc/postfix/transport
> > > debug_peer_level = 2
> > > debugger_command =
> > > PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> > > xxgdb $daemon_directory/$process_name $process_id &
> > > sleep 5
> > >
> > > sendmail_path = /usr/sbin/sendmail.postfix
> > > newaliases_path = /usr/bin/newaliases.postfix
> > > mailq_path = /usr/bin/mailq.postfix
> > > setgid_group = postdrop
> > > html_directory = no
> > > manpage_directory = /usr/share/man
> > > sample_directory = /usr/share/doc/postfix-2.1.5/samples
> > > readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
> > > mydestination = $myhostname, localhost.$mydomain, $mydomain
> > >
> > > I have IPTABLES as a firewall and have amongst other
> > > basic rules set to ACCEPT tcp -- anywhere anywhere
> > > state NEW tcp dpt:smtp
> > >
> > > If I log on to the machine locally I can telnet on
> > > port 25 using 127.0.0.1 and get a greeting if I use
> > > 192.168.2.201 I get nothing and if I do
> > > mail.domain.com the same.
> > >
> >
> > I would solve this problem first.
> >
> > What IP address is Postfix listening on? Some
> > distros set it to listen
> > on only the loopback. What is the output of
> > 'netstat -ant'?
> >
> > What happens if you stop iptables/smoothwall? Can
> > you telnet into port
> > 25 from a different machine then?
> >
> >
> > Chuck
> >
> >
> If I run netstat -ant from the postfix machine I get:
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State
> tcp        0      0 0.0.0.0:1025                0.0.0.0:*                   LISTEN
> tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
> tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
> tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
> tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
> tcp        1      0 127.0.0.1:25                127.0.0.1:1042              CLOSE_WAIT
> tcp        1      0 127.0.0.1:25                127.0.0.1:1043              CLOSE_WAIT
> tcp        0      0 127.0.0.1:25                127.0.0.1:1044              ESTABLISHED
> tcp        1      0 127.0.0.1:25                127.0.0.1:1029              CLOSE_WAIT
> tcp        1      0 127.0.0.1:25                127.0.0.1:1034              CLOSE_WAIT
> tcp        0      0 :::22                       :::*                        LISTEN
> tcp        0      0 ::ffff:192.168.2.201:22     ::ffff:192.168.1.60:1778    ESTABLISHED
> tcp        0      0 ::ffff:127.0.0.1:1044       ::ffff:127.0.0.1:25         ESTABLISHED
>
>

Postfix is only listening on 127.0.0.1

> If I try to telnet to postfix from a machine in the
> LAN I get "could not open connection to host on port
> 25"
>

> If I stop IPTables I get the same response. I also get
> the same response from machines whether they're in the
> LAN or the DMZ.
>
> Thanks
>
>

You need to configure your Postfix to listen on the external interface.
It is **probably** set in your /etc/postfix/master.cf
Edit that file (with a Unix/Linux text editor. Don't edit it on a
Windows machine and then scp/ftp it over. That will NOT work.) and look
for a line like this -
127.0.0.1:smtp inet n - - - - smtpd

It will probably be the first line that isn't commented out. Change
that line to read -
192.168.2.200:smtp inet n - - - - smtpd

Or whatever the external IP address is. In your first post you said it
was 192.168.2.200. But then later in the post you said it was
192.168.2.201.

Then execute 'postfix reload'.

Or, you could configure Postfix to listen on all available interfaces.
That is what I would personally do. But it is your server. To
configure Postfix to listen on all available interfaces, change that
line in master.cf to this -
smtp inet n - - - - smtpd

Completely omit the "host" and colon portion. Then do a 'postfix
reload'.

Once that is done, continue your testing. :)

But if you have any more problems, please remember to provide the
relevant portions from your maillog when asking the question.

Chuck
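The master.cf edit and the netstat check from this reply, carried out as a small POSIX sh script. This is an added example for the archive, not code from Chuck or from the Postfix project; the master.cf lines and netstat rows inside it are constructed samples, not the poster's files, and the function names (smtp_bind_addr, rebind_smtp, smtp_listeners, reachable_from_network) are this example's own. It follows the documented master.cf layout (an optional host: prefix on the service name of an inet entry), so it also handles the bare "smtp" form that listens on every interface.

```shell
#!/bin/sh
# Added example: find which address Postfix's smtp listener is bound to,
# rewrite the master.cf line, and confirm from netstat output.
# SAMPLE_MASTER and SAMPLE_NETSTAT are constructed samples, not real files.

SAMPLE_MASTER='# service type  private unpriv  chroot  wakeup  maxproc command
127.0.0.1:smtp  inet  n       -       -       -       -       smtpd
pickup          fifo  n       -       -       60      1       pickup'

SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN'

# Read master.cf text on stdin and print the bind address of the smtp
# inet service. A bare "smtp" (no host: prefix) binds all interfaces,
# which is reported here as 0.0.0.0.
smtp_bind_addr() {
  awk '$2 == "inet" && $NF == "smtpd" && ($1 == "smtp" || $1 ~ /:smtp$/) {
         if ($1 == "smtp") { print "0.0.0.0"; exit }
         sub(/:smtp$/, "", $1); print $1; exit
       }'
}

# Rewrite master.cf text from stdin so the smtp listener binds to $1;
# an empty $1 produces the bare "smtp" form (all interfaces). Column
# alignment of the edited line is lost, which Postfix does not mind.
rebind_smtp() {
  awk -v addr="$1" '
    $2 == "inet" && $NF == "smtpd" && ($1 == "smtp" || $1 ~ /:smtp$/) {
      $1 = (addr == "") ? "smtp" : (addr ":smtp")
    }
    { print }'
}

# From netstat -ant output on stdin, print every local address that is
# LISTENing on port 25, one per line.
smtp_listeners() {
  awk '$NF == "LISTEN" && $4 ~ /:25$/ { sub(/:25$/, "", $4); print $4 }'
}

# Return 1 when an address is loopback-only (unreachable from LAN or DMZ).
reachable_from_network() {
  case "$1" in
    127.*|::1|::ffff:127.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Stand-alone run: diagnose the sample and show the corrected line.
bound=$(printf '%s\n' "$SAMPLE_MASTER" | smtp_bind_addr)
echo "master.cf smtp listener bound to: $bound"
if ! reachable_from_network "$bound"; then
  echo "loopback only; corrected master.cf line would be:"
  printf '%s\n' "$SAMPLE_MASTER" | rebind_smtp 192.168.2.200 | grep ':smtp'
  echo "then run: postfix reload, and re-check with netstat -ant"
fi
echo "netstat shows port 25 listeners on: $(printf '%s\n' "$SAMPLE_NETSTAT" | smtp_listeners)"
```

To apply it to a real box, feed /etc/postfix/master.cf into rebind_smtp, write the output to a new file, diff it against the original, move it into place and run 'postfix reload'; then netstat -ant should show 0.0.0.0:25 or the DMZ address instead of 127.0.0.1:25. One caveat: once the line is bound to the DMZ address alone, local delivery tools that connect to 127.0.0.1:25 no longer reach smtpd. Postfix accepts several "host:smtp inet" lines, so keep a 127.0.0.1:smtp line next to the new one if that matters, or use the bare "smtp" form as the reply suggests.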
