06-13-2003 #1  Linux User (Calgary, AB CANADA; joined Jun 2003; 496 posts)
LRP - Receiving SMTP Mail
I just finished building my LRP firewall from an old P166. Everything is working great, but from the XP side of my dual booting desktop, I can't send or receive SMTP mail (via Outlook). Obviously, my firewall is so tight that the commands aren't getting through. After a lot of searching, I can only find info on setting up an actual mail server on the linux machine - nothing on how to allow SMTP requests to pass through it.
Any suggestions?
TIA,
CT
06-13-2003 #2  Linux Guru (London, UK; joined Apr 2003; 3,284 posts)
SMTP is port 25.
Are you trying to use Outlook to send via your ISP's mail server, or the one on your firewall? If the first option, you will need to ensure that you are allowing port 25 connections to be forwarded.
If the second option, which mail server is it? For example, sendmail only allows connections from localhost with most distros these days by default.
Jason
06-13-2003 #3  Linux User (Calgary, AB CANADA; joined Jun 2003; 496 posts)
Thanks for the quick reply!
Yes, when in XP mode, I'd like to send mail through Outlook - I don't care if it's through the ISP or through the LRP.
Is it a big security risk having port 25 open? How do you forward connections through it (remember, this is all new to me!)?
When I do a ps ax on the router, I don't see any kind of mail service running. If this is a better (i.e. more secure) way of sending mail, how do I set a mail server up? BTW, I'm using FrazierWall...
06-13-2003 #4  Linux Guru (London, UK; joined Apr 2003; 3,284 posts)
If you don't mind using your ISP's SMTP mail server, then I would go with that option, as it will involve a lot less work.
Forwarding traffic from your internal LAN to the outside world is not much of a security risk, and you would not need to open the port inbound, as your connections will be established from WITHIN your LAN to the outside, i.e., to your ISP.
I assume that it was working before you put this new firewall in place?
If so, can you post the error message that you are receiving from MS Outlook?
I have never used FrazierWall, so I don't know anything about it. Do you still have iptables access? If so, can you do an "iptables -L" and paste the output here?
Jason
06-13-2003 #5  Linux User (Calgary, AB CANADA; joined Jun 2003; 496 posts)
Yes, Outlook was working fine prior to me bringing the firewall on-line. Here is the error from Outlook:
Code:
Task 'Sending and Receiving' reported error (0x800CCC0D) : 'Unable to find the e-mail server. Please verify the server information in your account properties.'

Now, if I'm sending and receiving through the firewall, the port (25) would have to be open for both inbound and outbound, no?
Also, iptables doesn't work on the router, but here's the listing from ipchains:
Code:
Chain input (policy ACCEPT):
target     prot opt     source               destination          ports
chk_DoS    all  ------  anywhere             anywhere             n/a
DENY       tcp  ----l-  anywhere             anywhere             any ->   tcpmux:2099
DENY       tcp  ----l-  anywhere             anywhere             any ->   cvspserver:3781
DENY       tcp  ----l-  anywhere             anywhere             any ->   3784:6072
DENY       tcp  ----l-  anywhere             anywhere             any ->   6074:47623
DENY       tcp  ----l-  anywhere             anywhere             any ->   47625:60999
DENY       udp  ----l-  anywhere             anywhere             any ->   1:bootps
DENY       udp  ----l-  anywhere             anywhere             any ->   tftp:499
DENY       udp  ----l-  anywhere             anywhere             any ->   501:2099
DENY       udp  ----l-  anywhere             anywhere             any ->   cvspserver:3781
DENY       udp  ----l-  anywhere             anywhere             any ->   3784:6072
DENY       udp  ----l-  anywhere             anywhere             any ->   6074:7069
DENY       udp  ----l-  anywhere             anywhere             any ->   7080:28799
DENY       udp  ----l-  anywhere             anywhere             any ->   28901:47623
DENY       udp  ----l-  anywhere             anywhere             any ->   47625:60999
DENY       icmp ----l-  anywhere             anywhere             any ->   5
DENY       tcp  ------  anywhere             anywhere             any ->   netbios-ns:netbios-ssn
DENY       udp  ------  anywhere             anywhere             any ->   netbios-ns:netbios-ssn
DENY       tcp  ------  anywhere             anywhere             any ->   445
DENY       all  ----l-  127.0.0.0/24         anywhere             n/a

Chain forward (policy DENY):
target     prot opt     source               destination          ports
MASQ       all  ------  192.168.128.0/24     anywhere             n/a

Chain output (policy ACCEPT):
target     prot opt     source               destination          ports
DENY       icmp ------  anywhere             anywhere             echo-reply

Chain chk_DoS (1 references):

edit: Sendmail is running on the router after all...
06-14-2003 #6  Linux Guru (London, UK; joined Apr 2003; 3,284 posts)
1) can you ping the mail server from your windows machine?
2) Try turning off sendmail, and adding explicit allow rules to both the forward and input chains for port 25.
Jason
06-16-2003 #7  Linux User (Calgary, AB CANADA; joined Jun 2003; 496 posts)
1) Weird - I can ping the ISP mail server from the desktop when running linux, but I can't ping it from the same physical machine when running XP.
2) I've been reading up on ipchains, but haven't been able to successfully write rules to open port 25. These are the lines I added:
Code:
# outgoing SMTP connections: LAN clients (unprivileged source port) to a remote
# port 25, and the replies coming back to those clients ("! -y" = non-SYN only,
# so no new connection can be opened inbound through this rule)
/sbin/ipchains -A output -p tcp -i eth0 -s 192.168.128.0/24 1024:65535 \
    --dport 25 -j ACCEPT
/sbin/ipchains -A input -p tcp -i eth0 --sport 25 \
    -d 192.168.128.0/24 1024:65535 ! -y -j ACCEPT
# incoming SMTP connections: remote hosts to port 25 on a LAN host, and the replies
/sbin/ipchains -A input -p tcp -i eth0 -d 192.168.128.0/24 25 -j ACCEPT
/sbin/ipchains -A output -p tcp -i eth0 -s 192.168.128.0/24 25 -j ACCEPT
# note: MASQ in the forward chain rewrites the LAN source to the router's external
# address before the output chain, and replies are demasqueraded only after the
# input chain, so on eth0 these 192.168.128.x matches see only unmasqueraded traffic
where eth0 points to the outside world.
Is there a glaring newbie mistake in here? Any pointers?
06-17-2003 #8  Linux Guru (London, UK; joined Apr 2003; 3,284 posts)
Unfortunately, I don't know enough about ipchains to be able to verify your rules there; maybe someone else will be able to.
OK, let's get this one cracked...
When you try pinging the mail server from your Windows machine, what happens? Does it say "request timed out" or "unknown host" or something else?
If it says "request timed out", can you provide a traceroute, from both the Windows and the Linux side of things? For Linux, the command is "traceroute <hostname>" and for Windows, drop to a DOS box and run "tracert <hostname>".
Lastly, to rule out MS Outlook, drop to a DOS box and try the command "telnet". Then type "set localecho". Lastly, type "o <hostname> 25".
Then repeat the telnet thing again, but use 110 in place of 25 as the port number.
Obviously, when using port 25 in telnet, replace <hostname> with your SMTP server, and when using 110 as the port number, replace <hostname> with your incoming POP3 mail server.
I have just noticed in your original post you mentioned that you cannot send OR receive mail, so at the moment I think we should concentrate on the above diagnostics rather than your router.
Paste back the results.
Jason
06-17-2003 #9  Linux User (Calgary, AB CANADA; joined Jun 2003; 496 posts)
Jason, thanks for taking the time to help!
1) pinging shawmail from XP:
Code:
Ping request could not find host shawmail. Please check the name and try again.

2) tracert shawmail from XP:
Code:
Unable to resolve target system name shawmail.

traceroute shawmail from linux:
Code:
traceroute to shawmail.cg.shawcable.net (24.71.223.43), 30 hops max, 38 byte packets
 1  192.168.128.1 (192.168.128.1)  1.708 ms  2.523 ms  1.711 ms
 2  68.144.208.1 (68.144.208.1)  14.088 ms  144.140 ms  60.220 ms
 3  rd1so-ge2-0-3.cg.shawcable.net (64.59.130.2)  31.431 ms  215.354 ms  25.831 ms
 4  rc1so-pos14-0.cg.shawcable.net (66.163.71.129)  24.056 ms  111.156 ms  25.581 ms
 5  * * *

3) telnet shawmail on port 25 from XP:
Code:
Connecting To shawmail...Could not open connection to the host, on port 25: Connect failed.

4) telnet shawmail on port 110 from XP:
Code:
Connecting To shawmail...Could not open connection to the host, on port 110: Connect failed.

I didn't encounter any of these problems before setting up the router.
/me scratches head
06-17-2003 #10  Linux Guru (London, UK; joined Apr 2003; 3,284 posts)
OK, I'm pretty certain that the problem is due to name resolution within Windows XP.
Boot to Linux, and open the file "/etc/resolv.conf". You should have a couple of lines there such as "nameserver x.x.x.x" - make a note of these on a piece of paper.
Boot to WinXP.
(This is from memory, so bear with me.)
Open the properties for your network adapter - you should be able to do this by right-clicking on "My Network Places" on your desktop and choosing Properties, then right-clicking on your Ethernet adapter and selecting Properties.
On this page, you should have a list of items, one of which should be "Internet Protocol (TCP/IP)". It will be ticked. You need to select it, highlight it or whatever, BUT DON'T UNTICK IT. Once highlighted, click "Properties".
On this page, at the bottom, you should see "Use the following DNS server addresses". If you have a dot in that option already, make a note of what is in the 2 DNS server boxes on another piece of paper.
Put 2 of the "nameserver" entries you wrote down from Linux's "/etc/resolv.conf" into the Preferred DNS and Secondary/Alternate DNS boxes.
Click OK.
Click OK for the next window.
Right-click on your Ethernet adapter, choose Disable.
Wait 30 seconds, or until the icon turns grey, then double-click on it.
Retest sending/receiving mail.
If after all that you cannot browse the internet, put the Windows DNS servers back as they were (you did write them down, didn't you?).
Jason
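A scripted version of the diagnostic Jason walks through in #8 (telnet to the SMTP and POP3 ports) that also makes the distinction his #10 conclusion rests on: "could not find host" is a resolver failure, while "connect failed" on a name that does resolve is the firewall's business. This is an added example, not code from this thread or from LRP/FrazierWall. It is in Python rather than typed into a DOS box; the two "mail servers" it talks to are throwaway listeners on 127.0.0.1 constructed inside the script so it runs offline, and mailserver.invalid is a made-up name in the reserved .invalid TLD chosen so that resolution fails.

```python
"""Mail-path check: does the name resolve, does the port connect, does it greet?

Added example (not from the thread). For each (host, port) it reports one of:
  'no-such-host'       name does not resolve   (what XP showed in post #9)
  'connect-failed'     name resolved, no TCP handshake (filtered/refused/unroutable)
  'no-banner'          connected, but the server said nothing before closing
  'unexpected-banner'  connected, but not an SMTP "220" / POP3 "+OK" greeting
  'ok'                 a mail server answered
"""
import socket
import threading

SMTP_PORT = 25
POP3_PORT = 110


def check_service(host, port, timeout=3.0):
    """Classify host:port the way "telnet host 25" would; returns (status, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Same failure as "Ping request could not find host": resolver, not firewall.
        return "no-such-host", str(exc)
    family, socktype, proto, _, addr = infos[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        try:
            s.connect(addr)
        except OSError as exc:
            # Name resolved but no handshake: a DENY/forward problem or a dead host.
            return "connect-failed", "%s: %s" % (addr[0], exc)
        try:
            banner = s.recv(512).decode("ascii", "replace").strip()
        except OSError as exc:
            return "no-banner", str(exc)
    finally:
        s.close()
    if not banner:
        return "no-banner", "connected but no greeting before close"
    # SMTP greets with "220 ...", POP3 with "+OK ..."; anything else is not mail.
    if banner.startswith("220") or banner.startswith("+OK"):
        return "ok", banner
    return "unexpected-banner", banner


def serve_banner(greeting):
    """Constructed stand-in for a mail server: a 127.0.0.1 listener that sends
    `greeting` to the first client, then exits. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def one_shot():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=one_shot, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A 127.0.0.1 port with nothing listening, to show the connect-failed case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def diagnose(smtp, pop3):
    """Run the #8 checklist for (host, port) pairs; returns {'smtp': ..., 'pop3': ...}."""
    return {"smtp": check_service(*smtp), "pop3": check_service(*pop3)}


if __name__ == "__main__":
    smtp = ("127.0.0.1", serve_banner(b"220 mail.example.test ESMTP ready\r\n"))
    pop3 = ("127.0.0.1", serve_banner(b"+OK POP3 server ready\r\n"))
    for name, (status, detail) in diagnose(smtp, pop3).items():
        print("%-5s %-18s %s" % (name, status, detail))
    # The two failure shapes from post #9: a name the resolver cannot find,
    # and a host that resolves but does not answer on the port.
    print("%-5s %-18s %s" % (("dns",) + check_service("mailserver.invalid", SMTP_PORT)))
    print("%-5s %-18s %s" % (("tcp",) + check_service("127.0.0.1", unused_port())))
```

Run it against the real SMTP and POP3 hostnames from the Outlook account settings to get the same split without Outlook in the way: 'no-such-host' means fix DNS on the client (the #10 procedure), 'connect-failed' means look at the chains on the router, and 'ok' means the mail path is fine and the problem is in the client configuration.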