Hi, Jasen:
We configured a smarthost with iptables to block all incoming port
traffic. What is the rule which allows the local server to connect
to the address 127.0.0.1:25?
Read the attached exim error log file and the current iptables
configuration for details.
Regards,
Hal
On Sun, Aug 20, 2017 at 3:23 AM, Jasen Betts <jasen@???> wrote:
> On 2017-08-20, Ltc Hotspot via Exim-users <exim-users@???> wrote:
>> Dear Exim Users:
>>
>> Is this a valid rule to authorize local access to Exim:
>> -A cP-Firewall-1-INPUT -s 127.0.0.1:25 -p tcp -m state --state NEW -m
>> tcp --dport 25 -j ACCEPT
>>
>
> No, "-s 127.0.0.1:25" is wrong.
>
> "-s 127.0.0.1/8" probably makes the most sense.
>
>
> You may want to specify a destination address too, especially if your
> firewall is doing NAT for some of 127.0.0.0/8.
>
>
> Local access in a different way is by having execute permission on
> /usr/lib/sendmail.
>
> --
> This email has not been checked by half-arsed antivirus software
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
The service “exim” appears to be down.
Server: imap.dslcomputer.com
Primary IP Address: 97.74.13.78
Service Name: exim
Service Status: failed
Notification: The service “exim” appears to be down.
Service Check Method: The system failed to connect to this service’s TCP/IP port.
Reason: Service check failed to complete
        Timeout while trying to connect to service: Died
Number of Restart Attempts: 180
Service Check Raw Output: The 'exim' service passed the check.
Startup Log:
    Starting clamd: [ OK ]
    Starting exim: [ OK ]
    Starting spamd: (XID s7asa6) The “spamd” service is disabled. [FAILED]
Log Messages:
    2017-08-19 22:38:04 exim 4.89 daemon started: pid=22409, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)
    2017-08-19 22:23:01 exim 4.89 daemon started: pid=19902, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)
Memory Information:
    Used: 2.3 GB
    Available: 1.69 GB
    Installed: 4 GB
Load Information: 0.23 0.08 0.05
Uptime: 6 days, 9 hours, 51 minutes, and 41 seconds
IOStat Information:
    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
               0.17    0.04    0.04    0.01    0.00   99.74

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
Top Processes:
    PID    Owner       CPU %  Memory %  Command
    24256  root        0.58   0.10      sshd: root [priv]
    24278  root        0.54   0.31      /usr/local/cpanel/scripts/restartsrv_crond --check --notconfigured-ok
    24149  root        0.52   0.70      tailwatchd - chkservd - crond check
    7933   cpanelsolr  0.49   13.77     /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:NewRatio=3 -XX:SurvivorRatio=4 -XX:TargetSurvivorRatio=90 -XX:MaxTenuringThreshold=8 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 -XX:+CMSScavengeBeforeRemark -XX:PretenureSizeThreshold=64m -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=50 -XX:CMSMaxAbortablePrecleanTime=6000 -XX:+CMSParallelRemarkEnabled -XX:+ParallelRefProcEnabled -XX:-OmitStackTraceInFastThrow -verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/home/cpanelsolr/server/logs/solr_gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=9 -XX:GCLogFileSize=20M -Dsolr.log.dir=/home/cpanelsolr/server/logs -Djetty.port=8984 -DSTOP.PORT=7984 -DSTOP.KEY=solrrocks -Dhost=127.0.0.1 -Duser.timezone=UTC -Djetty.home=/home/cpanelsolr/server -Dsolr.solr.home=/home/cpanelsolr/server/solr -Dsolr.install.dir=/home/cpanelsolr -Xss256k -Dsolr.autoSoftCommit.maxTime=3000 -Dsolr.log.muteconsole -XX:OnOutOfMemoryError=/home/cpanelsolr/bin/oom_solr.sh 8984 /home/cpanelsolr/server/logs -jar start.jar --module=http
    24248  root        0.46   0.37      cPhulkd - processor - http socket
The chkservd process attempts to connect to “127.0.0.1:25” in order to validate that this service is functioning. If you blocked connections with iptables or the “Host Access Control” interface in WHM, this failure may be a false positive.
To resolve this issue, either open the firewall to allow connections as the root user to “127.0.0.1:25” or disable checks for this service in WHM’s “Service Manager” interface with the “Configure Monitor Settings” link below.
Configure Monitor Settings:
https://imap.dslcomputer.com:2087/scripts/srvmng#service-chkservd
Configure chkservd:
https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd
Disable HTML notifications:
https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd_plaintext_notify
The system generated this notice on Sunday, August 20, 2017 at 5:53:07 AM UTC.
root@imap [/etc/sysconfig]# vim iptables
"iptables" 71L, 5507C
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.210.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.151.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.219.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.206.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.27.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.158.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.172.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.36.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.155.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.130.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.213.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.247.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.218.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.129.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.205.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.222.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.62.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.68.193.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.60.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.154.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.229.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.26.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.28.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.118.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.142.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.144.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.147.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.152.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.162.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.5.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.7.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
COMMIT
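The chain above is evaluated first-match, so a loopback ACCEPT only helps if it sits ahead of the final "--dport 25 -j DROP". The following Python script is an added example, not part of this thread or of cPanel's tooling: it parses a constructed excerpt of the attached ruleset (iptables-save syntax, the subset of options the file uses), simulates the chkservd probe described in the notice (root connecting from 127.0.0.1 to 127.0.0.1:25, a NEW TCP connection arriving on lo), and shows the verdict before and after inserting the rule the reply recommended (-s 127.0.0.0/8, which is what iptables stores for "-s 127.0.0.1/8", plus the suggested -d 127.0.0.1). It also checks that the new rule does not open port 25 to an outside address. The conventional "-i lo -j ACCEPT" alternative is included as an assumption of mine, not a suggestion from the thread; the sample packets, the parser and the helper names are all constructed for this illustration.

```python
import ipaddress
import shlex

# Constructed excerpt of the cP-Firewall-1-INPUT chain from the attached
# /etc/sysconfig/iptables. The last line is the catch-all DROP for port 25
# that rejects the chkservd probe.
ORIGINAL_RULES = """
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
"""

# Candidate fix from the reply: source 127.0.0.0/8 (what iptables stores for
# "-s 127.0.0.1/8") plus the destination address it suggested adding.
LOOPBACK_RULE = ("-A cP-Firewall-1-INPUT -s 127.0.0.0/8 -d 127.0.0.1 "
                 "-p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT")

# Alternative (my assumption, not from the thread): accept everything that
# arrives on the loopback interface.
LOOPBACK_IF_RULE = "-A cP-Firewall-1-INPUT -i lo -j ACCEPT"

# The connection chkservd makes, constructed from the notice text:
# root on the same host connecting to 127.0.0.1:25, arriving on lo.
CHKSERVD_PROBE = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "tcp",
                  "dport": 25, "in_if": "lo", "state": "NEW"}


def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the attached file."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "in_if": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-s":
            # strict=False masks host bits the way iptables normalizes "-s"
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "-i":
            rule["in_if"] = arg
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "--state":
            rule["states"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok == "-m":
            pass  # match-extension name; its options follow as separate tokens
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
        i += 2  # every option handled here takes exactly one argument
    return rule


def rule_matches(rule, pkt):
    """True if every criterion the rule specifies fits the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["in_if"] is not None and rule["in_if"] != pkt["in_if"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def first_match(ruleset, pkt):
    """Walk the chain top to bottom; the first matching rule decides.

    Falling off the end of a user-defined chain hands control back to the
    caller, reported here as "RETURN"."""
    for line in ruleset.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # blank lines, COMMIT, *filter and similar are not rules
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["target"], line
    return "RETURN", None


def insert_before_first_drop(ruleset, new_rule):
    """Place new_rule ahead of the chain's first DROP so it can be reached."""
    lines = ruleset.splitlines()
    for idx, line in enumerate(lines):
        if line.strip().startswith("-A ") and parse_rule(line)["target"] == "DROP":
            lines.insert(idx, new_rule)
            break
    else:
        lines.append(new_rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before fix:", first_match(ORIGINAL_RULES, CHKSERVD_PROBE))
    fixed = insert_before_first_drop(ORIGINAL_RULES, LOOPBACK_RULE)
    print("after fix: ", first_match(fixed, CHKSERVD_PROBE))
    # Appending the same rule after the DROP changes nothing: ordering matters.
    print("appended:  ", first_match(ORIGINAL_RULES + LOOPBACK_RULE + "\n", CHKSERVD_PROBE))
```

On the server itself the equivalent check is to list the chain with rule numbers (`iptables -nL cP-Firewall-1-INPUT --line-numbers`) and confirm the loopback ACCEPT has a lower number than the port 25 DROP; a rule appended to the end of the file in vim lands after the DROP and is never reached, which is exactly what the simulation shows.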