Re: [exim] local server access

Author: Ltc Hotspot
Date:
To: Graeme Fowler
CC: Exim-Users
Subject: Re: [exim] local server access
Graeme,

Here is a revised attached iptable.

Regards,
Hall

On Sun, Aug 20, 2017 at 6:42 AM, Ltc Hotspot <ltc.hotspot@???> wrote:
> Graeme,
>
> Check the attached iptable rules to determine if smarthost port
> traffic has authorized access to the local mail server.
>
> These are the Outbound SMTP IP addresses that should have authorized
> access to the local server:
> https://support.duocircle.com/solution/articles/5000704608-ip-addresses-of-smtp-servers.
>
>
> These are the Inbound IP addresses that should have authorized access
> to the local server:
> https://support.duocircle.com/solution/articles/5000524218-ip-addresses-for-firewalls.
>
>
> Secondly, is all third party port traffic further blocked by these rules?
>
>
> Thanks,
> Hal
>
>
> On Sun, Aug 20, 2017 at 5:44 AM, Graeme Fowler via Exim-users
> <exim-users@???> wrote:
>> On 20 Aug 2017, at 13:26, Ltc Hotspot via Exim-users <exim-users@???> wrote:
>>> We configured a smarthost with an iptable to block all incoming port
>>> traffic. What is the rule which allows for the local server to connect
>>> to the address 127.0.0.1:25 ?
>>
>> Firstly, that’s not specifically an Exim problem - you probably need to be asking the question on a WHM mailing list as that’s what you’re using.
>>
>>> Read attached exim error log file and the current iptable
>>> configuration for details.
>>
>> Notwithstanding the above, you don’t appear to have a generic:
>>
>> -A [chain] -i lo -j ACCEPT
>>
>> rule at the top of your file. That would solve your problem, and any others you might have whereby the machine wants to talk IP to itself - it will *always* talk to itself on interface lo, rather than the ethernet interfaces, because that’s the shortest and least interruptive path.
>>
>> Graeme
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/

-A cP-Firewall-1-INPUT -i lo -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.210.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.151.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.219.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.206.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.27.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.158.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.172.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.36.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.155.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.130.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.213.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.247.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.218.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.129.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.205.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.222.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.62.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.68.193.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.60.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.154.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.229.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.26.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.28.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.118.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.142.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.144.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.147.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.152.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.162.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.5.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.7.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
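The rule ordering under discussion (loopback ACCEPT first, per-source ACCEPTs for port 25, then a catch-all port-25 DROP) can be checked without touching a live firewall. The following is an added example, not part of this thread, of cPanel's firewall or of Exim: a small Python dry-run evaluator that parses iptables-save style lines and walks the chain top to bottom for a described packet, the way netfilter would. The abbreviated rule subset embedded below, the function names and the probe addresses (198.51.100.0/24 is RFC 5737 documentation space) are my own constructions.

```python
"""Dry-run evaluator for the iptables INPUT rules posted in this thread.

Added example: parses iptables-save style lines and returns the verdict the
chain would give a packet, so rule order can be reviewed offline.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

CHAIN = "cP-Firewall-1-INPUT"

# Constructed subset of the posted rule set (same syntax and order; the long
# list of /24 smarthost ranges is shortened to two). Loopback first, then
# per-port ACCEPTs, then per-source ACCEPTs for 25, then the port-25 DROP.
RULES_TEXT = """
-A cP-Firewall-1-INPUT -i lo -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.7.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: str
    text: str
    in_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[set] = None

    def matches(self, iface, src, proto, dport, state):
        # All options on one iptables rule are ANDed; an absent option matches anything.
        if self.in_iface is not None and iface != self.in_iface:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.states is not None and state not in self.states:
            return False
        return True


def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the posted file."""
    toks = shlex.split(line)
    rule = Rule(chain="", target="", text=line.strip())
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]   # every supported option takes one argument
        if opt in ("-A", "-I"):
            rule.chain = arg
        elif opt == "-i":
            rule.in_iface = arg
        elif opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--dport":
            rule.dport = int(arg)
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        elif opt != "-m":                 # "-m state" / "-m tcp" only load a match module
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return rule


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]


def verdict(iface, src, proto, dport, state="NEW", rules=RULES, chain=CHAIN):
    """First matching rule wins. Returns (target, rule_text). 'FALLTHROUGH' means
    no rule in the shown set decided the packet, so the chain's remaining rules
    or its policy (neither shown in the thread) would decide it."""
    for r in rules:
        if r.chain == chain and r.matches(iface, src, proto, dport, state):
            return r.target, r.text
    return "FALLTHROUGH", None


if __name__ == "__main__":
    # Constructed probe packets; 198.51.100.0/24 is documentation space (RFC 5737).
    probes = [
        ("exim -> 127.0.0.1:25 on lo", ("lo", "127.0.0.1", "tcp", 25)),
        ("listed smarthost range -> 25", ("eth0", "54.191.214.10", "tcp", 25)),
        ("unlisted host -> 25", ("eth0", "198.51.100.7", "tcp", 25)),
        ("unlisted host -> 22 (ssh)", ("eth0", "198.51.100.7", "tcp", 22)),
        ("unlisted host -> 80", ("eth0", "198.51.100.7", "tcp", 80)),
    ]
    for label, pkt in probes:
        target, text = verdict(*pkt)
        print(f"{label:34s} {target:12s} {text or ''}")
```

Two things the walk makes visible from the rules as posted: the loopback rule carries no `-p` or `--state` qualifier, so Exim's connection to 127.0.0.1:25 is accepted before any port-25 rule is consulted, which is the fix Graeme suggested; and the trailing DROP only covers TCP 25, so anything else either hits one of the unqualified per-port ACCEPTs (22, 3306 and the others are open to any source) or falls through to whatever the chain does next, which the attachment does not show.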