Sendmail / SuSE firewall problem

I have been running Sendmail on SuSE 11.1 for the last few years with no problems.
Since installing SuSE 11.3 a few months ago I have been having problems getting Sendmail to send to some (only a few) servers, mostly the following:-
mx00.1and1.co.uk
mx01.1and1.co.uk

mx1.bt.mail.yahoo.com
mx2.bt.mail.yahoo.com

(There are some others, but generally email gets sent without problems.)

The messages in mail.err are:-
SYSERR(root): timeout writing message to mx1.bt.mail.yahoo.com.: Connection reset by mx1.bt.mail.yahoo.com
SYSERR(root): timeout writing message to mx01.1and1.co.uk.: Resource temporarily unavailable

If I disable the firewall # SuSEFirewall2 stop
I can send successfully using # sendmail -v -q, or # sendmail -v -qIxxxxx

When I re-enable the firewall I will start to get the timeouts/temporarily unavailable messages again (but as mentioned above, only for some servers) even though I can successfully telnet these servers when the firewall is on. When I disable the firewall the delayed messages can again be sent.

Has anybody any ideas what I need to change (presumably in the Firewall) to get things working correctly? - ‘SMTP with sendmail’ is already selected under ‘Services to Allow’ under YaST Firewall->Allowed Services.

Thank you in advance.

Do you see any blocked traffic on other ports when the firewall is up and you are sending? You may need to enable firewall logging. I just wonder if these servers try to ping you or check if the machine is up using ident (port 113).

I do not see any reference to port 113 in /var/log/firewall.
I have not set any logging preferences for the firewall (they are as SuSE provided). Do I need to change any settings (where?) to see additional blocked traffic in the log file?

No reference means it may be blocked by default. You may need to enable it and run the ident daemon. This is assuming it’s ident, which is a long shot.

Have a look at the logging settings in /etc/sysconfig/SuSEfirewall2. Beware that some settings may result in copious logs.

Finally I assume you have a static IP and are not blacklisted in any way? If you are on a consumer broadband connection normally you need to use your ISP’s relay.

I will have a look at /etc/sysconfig/SuSEfirewall2 and see if I can enable the ident daemon.
Yes, it is a static IP which is not on any blacklist as far as I can see. Reverse DNS is setup and resolves correctly. It is a consumer broadband, but problems have only started since SuSE 11.3, and all works fine with firewall disabled (must be a firewall setting somewhere?).
Thank you for your suggestions

Ok, I am banging my head against a brick wall with this one.
Firewall Off - No problems, everything works OK.
Firewall On - some emails (and only some) keep timing out until I turn the firewall off again.
It has to be in the firewall; trouble is I don’t really understand what SuSE is (or is not) doing with /etc/sysconfig/SuSEfirewall2.
If anybody has any suggestions what I can turn on or off or add or remove from this file to try and solve this issue I would be most grateful.

On 2011-09-19 17:26, Forrestg123 wrote:
> If anybody has any suggestions what I can turn on or off or add or
> remove from this file to try and solve this issue I would be most
> grateful.

Activate logging of all rejected connections; then attempt to mail one of
those that fail, and watch the log carefully.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

As suggested, I enabled logging for a couple of emails that were timing out.

The following are the entries that were dropped by the firewall during the session.

This is the result of the 1st. 195.130.217.39 is the address of the server I am attempting to send to; x.x.x.x is my server, the sending server.
Sep 20 08:42:33 … SRC=195.130.217.39 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=30341 DF PROTO=TCP SPT=25 DPT=35767 WINDOW=105 RES=0x00 ACK URGP=0
Sep 20 08:46:43 … SRC=195.130.217.39 DST=x.x.x.x LEN=109 TOS=0x00 PREC=0x00 TTL=55 ID=30597 DF PROTO=TCP SPT=25 DPT=35767 WINDOW=886 RES=0x00 ACK PSH URGP=0

This is the result of the 2nd. 79.170.40.76 is the address of the server I am attempting to send to; x.x.x.x is my server, the sending server.
Sep 20 14:47:39 … SRC=79.170.40.76 DST=x.x.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=51 ID=32558 DF PROTO=TCP SPT=25 DPT=56827 WINDOW=943 RES=0x00 ACK URGP=0
Sep 20 14:52:21 … SRC=79.170.40.76 DST=x.x.x.x LEN=157 TOS=0x00 PREC=0x00 TTL=51 ID=32569 DF PROTO=TCP SPT=25 DPT=56827 WINDOW=943 RES=0x00 ACK PSH URGP=0

I am presuming that I need to allow TCP ports 3000 - 6000 through the firewall? Is anyone able to advise re this?

On 2011-09-20 16:26, Forrestg123 wrote:
>
> As suggested, I enabled logging for a couple of emails that were
> timing out.

I refer to this:

FW_LOG_DROP_CRIT=“yes”
FW_LOG_DROP_ALL=“yes”

> The following are the entries that where dropped by the firewall during
> the session.

But you have removed important text from the entries. Plus, you have not
used code tags, that’s crucial here.


<0.4> 2011-08-07 22:38:09 Telcontar kernel - - - [296938.632493] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:*:*:*:*:*:*:*:*:*:*:*:*:* SRC=192.168.*.* DST=192.168.*.* LEN=99 TOS=0x00 PREC=0xC0 TTL=255 ID=31631 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.*.* DST=80.58.*.* LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=23866 PROTO=UDP SPT=54017 DPT=53 LEN=51 ]


The key SFW2-INext-DROP-DEFLT is crucial to interpret it, it tells what the
firewall is doing with the packet and why. In my case, it is dropping a
packet on the external interface due to default rules.


> I am presuming that I need to allow TCP ports 3000 - 6000 through the
> firewall?  Is anyone able to advise re this?

No, I don't think so.

--
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)

OK, hopefully I’ve done it correctly this time.
I’ve set the following:-
FW_LOG_DROP_CRIT=“yes”
FW_LOG_DROP_ALL=“yes”
then run SuSEconfig.

The following is the result of running sendmail -v -qI


sendmail -v -qIp8L7JK79026122

Running /var/spool/mqueue/p8L7JK79026122 (sequence 1 of 1)
<recipient@btinternet.com>... Connecting to mx1.bt.mail.yahoo.com. via esmtp...
220 mta1019.bt.mail.ird.yahoo.com ESMTP YSmtp service ready
>>> EHLO mail.mydomain.co.uk
250-mta1019.bt.mail.ird.yahoo.com
250-8BITMIME
250-SIZE 41943040
250 PIPELINING
>>> MAIL From:<someone@sourcedomain.co.uk> SIZE=676711 BODY=8BITMIME
250 sender <someone@sourcedomain.co.uk> ok
>>> RCPT To:<recipient@btinternet.com>
>>> DATA
250 recipient <recipient@btinternet.com> ok
354 go ahead
timeout writing message to mx1.bt.mail.yahoo.com.: Connection reset by mx1.bt.mail.yahoo.com.
<recipient@btinternet.com>... Connecting to mx2.bt.mail.yahoo.com. via esmtp...
<recipient@btinternet.com>... Closing connection to mx1.bt.mail.yahoo.com.
220 mta1030.bt.mail.ird.yahoo.com ESMTP YSmtp service ready
>>> EHLO mail.mydomain.co.uk
250-mta1030.bt.mail.ird.yahoo.com
250-8BITMIME
250-SIZE 41943040
250 PIPELINING
>>> MAIL From:<someone@sourcedomain.co.uk> SIZE=676711 BODY=8BITMIME
250 sender <someone@sourcedomain.co.uk> ok
>>> RCPT To:<recipient@btinternet.com>
>>> DATA
250 recipient <recipient@btinternet.com> ok
354 go ahead
timeout writing message to mx2.bt.mail.yahoo.com.: Connection reset by mx2.bt.mail.yahoo.com.
<recipient@btinternet.com>... Deferred
Closing connection to mx2.bt.mail.yahoo.com.

The following is the output from /var/log/firewall where 212.82.111.207 is the IP for mta1030.bt.mail.ird.yahoo.com


Sep 21 08:49:30 linuxmail2 kernel: [1264803.792101] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=11647 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA6148A12D7B20D0101050A38359D213835A7D1)
Sep 21 08:49:30 linuxmail2 kernel: [1264803.806398] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=11659 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA6149912D7B20D0101050A38359D213835AD29)
Sep 21 08:49:30 linuxmail2 kernel: [1264803.821708] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=55 ID=11665 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA614A812D7B20D010105123835B2813835B7D938359D213835AD29)
Sep 21 08:49:30 linuxmail2 kernel: [1264803.838198] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=55 ID=11701 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA614B812D7B20D010105123835B2813835BD3138359D213835AD29)
Sep 21 08:49:53 linuxmail2 kernel: [1264827.191996] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=33667 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA66FF012D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:50:23 linuxmail2 kernel: [1264856.392600] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=14385 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA6E20012D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:50:40 linuxmail2 kernel: [1264873.626526] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=45206 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA7255112D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:51:01 linuxmail2 kernel: [1264895.014530] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=13890 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA778D612D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:51:40 linuxmail2 kernel: [1264933.615369] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=59509 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA80F9E12D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:51:51 linuxmail2 kernel: [1264944.538325] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=4062 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA83A4112D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:52:18 linuxmail2 kernel: [1264972.222682] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=36692 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA8A66612D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 08:53:04 linuxmail2 kernel: [1265017.425238] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=51503 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A89331C8912D882B20101050A0A2761CC0A276724)
Sep 21 08:53:04 linuxmail2 kernel: [1265017.440960] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=51563 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A89331C9812D882B20101050A0A2761CC0A276C7C)
Sep 21 08:53:04 linuxmail2 kernel: [1265017.459958] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=51584 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A89331CAB12D882B20101050A0A2761CC0A2771D4)
Sep 21 08:53:11 linuxmail2 kernel: [1265025.142653] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=64300 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A89333AAC12D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:53:34 linuxmail2 kernel: [1265047.609695] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=35380 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A8933926812D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:53:50 linuxmail2 kernel: [1265064.195643] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=56502 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A8933D33012D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:54:13 linuxmail2 kernel: [1265086.518317] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=18365 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A89342A6012D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:54:56 linuxmail2 kernel: [1265130.142892] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=4749 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A8934D4C012D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:55:23 linuxmail2 kernel: [1265156.662356] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=39596 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A89353C5212D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)
Sep 21 08:55:29 linuxmail2 kernel: [1265163.123405] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=56 ID=48262 DF PROTO=TCP SPT=25 DPT=35237 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A8935558812D884AA0101051A0A27CCAC0A287D040A27B74C0A27C7540A278C8C0A27AC9C)

Thank you in advance.
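The SFW2-INext-DROP-DEFLT records above are iptables LOG output, and the point made earlier in the thread is that a packet arriving from remote port 25 to a local high port with ACK set is the reply half of a connection sendmail itself opened, which a stateful firewall should have matched as ESTABLISHED instead of dropping by its default rule. The following Python script is an added example, not code from this thread or from SuSEfirewall2: it parses such log lines into fields, groups them by 4-tuple and flags the flows whose dropped packets have that reply shape. Two of the sample lines are copied from the log posted above (local address left as the poster wrote it, 10.0.x.x); the third line, from 198.51.100.7, is constructed as a negative case. The "suspect" test is a heuristic (source port below 1024, destination port 1024 or above, ACK set and SYN clear); it tells you which drops to investigate, not why connection tracking lost the state.

```python
import re
from collections import defaultdict

# Sample records. The first two are copied from the firewall log posted in
# this thread; the third is a constructed line for an unrelated inbound SYN
# so the classifier has a negative case to separate from the suspect ones.
SAMPLE_LOG = """\
Sep 21 08:49:30 linuxmail2 kernel: [1264803.792101] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=11647 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA6148A12D7B20D0101050A38359D213835A7D1)
Sep 21 08:49:53 linuxmail2 kernel: [1264827.191996] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=33667 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK FIN URGP=0 OPT (0101080A0BA66FF012D7B4070101051A3835F7F93836B3013835DD413835F2A13835C7E13835D7E9)
Sep 21 09:00:00 linuxmail2 kernel: [1265500.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=198.51.100.7 DST=10.0.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=100 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# SuSEfirewall2 log prefix: SFW2-<chain>-<verdict>-<rule>, e.g. SFW2-INext-DROP-DEFLT
PREFIX_RE = re.compile(r"SFW2-(?P<chain>\w+)-(?P<verdict>ACCEPT|DROP|REJECT)-(?P<rule>\w+)")
# KEY=value fields written by the iptables LOG target (OUT= may be empty)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flags appear as bare tokens; URGP=0 is a field, not the URG flag
TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})


def parse_line(line):
    """Return a dict of the log fields, or None if the line has no KEY=value pairs."""
    fields = dict(FIELD_RE.findall(line))
    if not fields:
        return None
    m = PREFIX_RE.search(line)
    fields["chain"] = m.group("chain") if m else None
    fields["verdict"] = m.group("verdict") if m else None
    fields["rule"] = m.group("rule") if m else None
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def looks_like_reply(rec):
    """True if the packet has the shape of the remote side of an outbound TCP
    connection: well-known source port, ephemeral destination port, ACK set and
    SYN clear. A stateful firewall should match such a packet as ESTABLISHED,
    so a default-rule drop of it points at missing conntrack state rather than
    at a missing service rule."""
    if rec.get("PROTO") != "TCP" or "SPT" not in rec or "DPT" not in rec:
        return False
    return (int(rec["SPT"]) < 1024 and int(rec["DPT"]) >= 1024
            and "ACK" in rec["flags"] and "SYN" not in rec["flags"])


def summarize(log_text):
    """Group dropped/rejected packets by 4-tuple and flag flows that look like dropped replies."""
    flows = defaultdict(lambda: {"count": 0, "flags": set(), "rules": set(), "suspect": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] not in (None, "DROP", "REJECT"):
            continue  # skip blank lines and logged ACCEPTs
        key = (rec.get("SRC"), rec.get("SPT"), rec.get("DST"), rec.get("DPT"))
        flow = flows[key]
        flow["count"] += 1
        flow["flags"] |= rec["flags"]
        if rec["verdict"]:
            flow["rules"].add(f"{rec['chain']}-{rec['verdict']}-{rec['rule']}")
        flow["suspect"] = flow["suspect"] or looks_like_reply(rec)
    return dict(flows)


def report(log_text):
    """One line per flow, suspect flows listed first."""
    lines = []
    for key, flow in sorted(summarize(log_text).items(), key=lambda kv: not kv[1]["suspect"]):
        src, spt, dst, dpt = key
        tag = "SUSPECT reply dropped" if flow["suspect"] else "ordinary drop"
        lines.append(f"{src}:{spt} -> {dst}:{dpt}  packets={flow['count']} "
                     f"flags={','.join(sorted(flow['flags']))} "
                     f"rules={','.join(sorted(flow['rules']))}  {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the full /var/log/firewall instead of SAMPLE_LOG (read the file and pass its contents to report) while reproducing the timeout with sendmail -v -qI; a flow from the MX's port 25 that shows ACK and later ACK FIN with the rule INext-DROP-DEFLT is exactly the pattern posted above, and lines without the SFW2 prefix (such as the abbreviated ones posted earlier in the thread) are still grouped, just without a rule name.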

On 2011-09-21 10:16, Forrestg123 wrote:
>
> OK, hopefully I’ve done it correctly this time.
> I’ve set the following:-
> FW_LOG_DROP_CRIT=“yes”
> FW_LOG_DROP_ALL=“yes”
> then run SuSEconfig.

Rather, run “SuSEfirewall2” to reload it, but doesn’t matter, it took
effect, I think.

> The following is the result of running sendmail -v -qI

Yes, I see where it fails.

> The following is the output from /var/log/firewall where 212.82.111.207
> is the IP for mta1030.bt.mail.ird.yahoo.com
>
>
> Code:
> --------------------
>
> Sep 21 08:49:30 linuxmail2 kernel: [1264803.792101] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=11647 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA6148A12D7B20D0101050A38359D213835A7D1)
> Sep 21 08:49:30 linuxmail2 kernel: [1264803.806398] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:85:89:38:78:00:09:43:46:0e:29:08:00 SRC=212.82.111.207 DST=10.0.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=11659 DF PROTO=TCP SPT=25 DPT=58571 WINDOW=10256 RES=0x00 ACK URGP=0 OPT (0101080A0BA6149912D7B20D0101050A38359D213835AD29)

>
> --------------------

There is something there I don’t understand. It is a packet coming from
port 25 remote to a local high port, dropped by default. I think it should
be a tracked connection, a response: the port should be opened in advance
and waiting for that connection, I don’t understand why it is closed.

Yes, you could open high ports, but this should not be necessary.

Try this and post the result here, so that I can see your firewall config
in case I or some other can spot something wrong.



cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#"


Another possibility is to track the procedure with ethereal aka wireshark.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Thank you for your time with this.
Dump of SuSEfirewall2 follows:-


FW_DEV_EXT="eth0 eth1"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="30000:30500 30000:30500 993 585 465 143 25 8080 80 21 22 110"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl dovecot nfs-kernel-server ntp samba-server sendmail sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

On 2011-09-21 14:26, Forrestg123 wrote:
>
> Thank you for your time with this.
> Dump of SuSEfirewall2 follows:-
>

I don’t see anything that would be causing this, but there are a few
strange things:

>
> Code:
> --------------------
>
> FW_DEV_EXT=“eth0 eth1”

Two external interfaces? Then you must be using special routing, or
something. Bonding?

> FW_SERVICES_EXT_TCP=“30000:30500 30000:30500 993 585 465 143 25 8080 80 21 22 110”

You have 30000:30500 repeated.

> FW_CONFIGURATIONS_EXT=“apache2 apache2-ssl dovecot nfs-kernel-server ntp samba-server sendmail sshd”

Are you sure that the configuration “sendmail” exists? I don’t see it in my
“/etc/sysconfig/SuSEfirewall2.d/services”, but it could be because I don’t
have sendmail but postfix.

If you have it, please post what ports it opens (postfix opens 25 and 465)

> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
> FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

You might allow those two as a hack instead of disabling the firewall.

> FW_LOG_DROP_CRIT=“yes”
> FW_LOG_DROP_ALL=“no”

You said you have set it to yes :-?

>
> --------------------
>
>


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Yes, there are two network interfaces: eth0 connected to an ADSL and eth1 to SDSL; all sendmail stuff uses eth0.

Re 30000:30500 repeated, SuSE must have done this via YaST; I have not edited SuSEfirewall2 before. I will remove the second entry.

Yes the sendmail entry exists:-


linuxmail2:/etc/sysconfig/SuSEfirewall2.d/services # cat sendmail
## Name: SMTP with sendmail
## Description: Firewall Configuration file for sendmail

# space separated list of allowed TCP ports
TCP="25 465"

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""

Re FW_ALLOW_INCOMING_HIGHPORTS_TCP="" and FW_ALLOW_INCOMING_HIGHPORTS_UDP="" I had noticed these but also noted the comment “Use of this variable is deprecated”
But I will certainly enable them and see what happens.

Re FW_LOG_DROP_ALL - I had set it back to “no” before dumping the output.

Regards
Richard

Just out of interest the following is a dump of SuSEfirewall2 from the previous server running SuSE 11.1 - I had no problems with sendmail (or the firewall) on this version.
I don’t know if it might shed any light?


FW_DEV_EXT="eth0 eth1"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="imap imaps microsoft-ds netbios-ssn pop3 pop3s"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC="mountd nfs nfs_acl"
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl bind nfs-client nfs-kernel-server sendmail sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="10.0.0.0/255.255.255.0,tcp,901"
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

As another “just out of interest” if I set FW_ALLOW_INCOMING_HIGHPORTS_TCP=“yes” the mail that would normally get timeout errors gets sent without problem.
Once again, if anyone can explain the ins and outs of what is going on here I would be very interested - I cannot be the only person in the world who has had this problem, can I?
Thank you in advance.

On 2011-09-21 17:26, Forrestg123 wrote:
>
> Yes there are two network interfaces eth0 connected to and ADSL and eth1
> to SDSL, all sendmail stuff uses eth0

I think, for lack of another explanation, that this is related to the
problem. Maybe the connection that fails gets started on one interface and
then comes via the other, or something of the sort.

> Re 30000:30500 repeated, SuSE must have done this via YAST, I have not
> edited SuSEfirewall2 before - I will remove the second entry

Ok.

> Yes the sendmail entry exists:-

It is identical to the one for postfix.

> Re FW_ALLOW_INCOMING_HIGHPORTS_TCP="" and
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="" I had noticed these but also noted
> the comment “Use of this variable is deprecated”

I remember this being discussed some time ago, yes…

> But I will certainly enable them and see what happens.

I see that it works for you then. At least till they remove that rule.

> Re FW_LOG_DROP_ALL - I had set it back to “no” before dumping the
> output.

Ah, I understand.

For your old server, the config is basically the same. The only curious
thing is FW_SERVICES_ACCEPT_EXT, which I think is incorrectly defined, but
that is of no consequence now.

Well, you got it working. It is a hack, not the correct method, but at
least it will give you time to study the problem. I would use wireshark aka
ethereal to investigate it further, because I have no idea of the cause.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)