Hi

First, thanks for all previous help.

I have shorewall running on a single eth device and everything seems to be working fine except sendmail. I can send mail out of my server, but none seems to be getting in.

Here are my rules.
ACCEPT net $FW tcp smtp,www
ACCEPT net $FW udp smtp

My policy:
fw net ACCEPT
net all DROP

Interface:
net eth0 detect dhcp,noping,norfc1918,multi

When I do:
telnet mymailserver.com 25
from a telnet prompt on another machine to my server, I get:
Unable to connect to remote host, connection refused.
And, if I try to send mail to it, it becomes undeliverable.

Do you think this is a problem with sendmail or the firewall?
As I said, I can send mail from the server using sendmail.

How can I successfully shutdown the firewall to determine which one is causing the problem?
I've done a shorewall stop, but then nothing works.
I've restarted shorewall with routestopped and stopped it and everything but sendmail still works.

I assume then that it is not a shorewall problem.

If anyone has any ideas, thanks ahead of time.
cya
john Michael
John Michael wrote:
> ...
> I have shorewall running on a single eth device and everything seems
> to be working fine except sendmail. I can send mail out of my
> server, but none seems to be getting in.
> Here are my rules.
> ACCEPT net $FW tcp smtp,www
> ACCEPT net $FW udp smtp

Firstly, sendmail uses tcp, so there is no reason that you should need that second rule.

> My policy:
> fw net ACCEPT
> net all DROP

I suggest that you also use an all to all policy. I think shorewall will probably do something sensible without it, but it's good practice to have a catch-all policy defined in case you forget something. If you are trying to work out a problem, I suggest always including "info" in the 4th column, so that you can see the problems in your syslog (/var/log/messages by default on Red Hat).

> Interface:
> net eth0 detect dhcp,noping,norfc1918,multi
>
> When I do:
> telnet mymailserver.com 25
> from a telnet prompt on another machine to my server, I get:
> Unable to connect to remote host, connection refused.
> And, if I try to send mail to it, it becomes undeliverable.
>
> Do you think this is a problem with sendmail or the firewall?
> As I said, I can send mail from the server using sendmail.
>
> I assume then that it is not a shorewall problem.

I think you are right. "Connection refused" is what you get when an ICMP destination unreachable is returned. This is what happens when you use an iptables policy of REJECT (which you aren't), or if the connection is allowed, but there is no daemon running on that port.

The first thing to check is that sendmail is really running. Use 'service sendmail status' on Red Hat, or your distribution's equivalent (try 'ps -ef|grep sendmail' if all else fails). Another way is to run 'netstat -anp|grep :25.*LISTEN' - this finds all services running a listener on port 25.

If sendmail is running, then you might have a policy or rule affecting your connectivity that you don't realize - try posting the output of 'shorewall status' to the mailing list and we might be able to figure it out.

> ...
> How can I successfully shutdown the firewall to determine which one
> is causing the problem?
> I've done a shorewall stop, but then nothing works.
> I've restarted shorewall with routestopped and stopped it and
> everything but sendmail still works.

I think "shorewall clear" is the command you want to stop the firewall.

Paul
http://paulgear.webhop.net
Paul Gear wrote:
As I said, I can send mail from the server using sendmail.
> >
> > I assume then that it is not a shorewall problem.
>
> I think you are right. "Connection refused" is what you get when an
> ICMP destination unreachable is returned. This is what happens when
> you use an iptables policy of REJECT (which you aren't), or if the
> connection is allowed, but there is no daemon running on that port.
>
> The first thing to check is that sendmail is really running. Use
> 'service sendmail status' on Red Hat, or your distribution's
> equivalent (try 'ps -ef|grep sendmail' if all else fails). Another
> way is to run 'netstat -anp|grep :25.*LISTEN' - this finds all
> services running a listener on port 25.
>
> If sendmail is running, then you might have a policy or rule affecting
> your connectivity that you don't realize - try posting the output of
> 'shorewall status' to the mailing list and we might be able to figure
> it out.

I just thought of something else: by default 8.11.x versions of sendmail (and possibly earlier) do not accept connections over the network. Check for this text in /etc/mail/sendmail.mc:

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

If the DAEMON_OPTIONS line isn't commented, then you need to comment it out and rebuild your /etc/sendmail.cf using 'm4 < /etc/mail/sendmail.mc > /etc/sendmail.cf'.

Paul
http://paulgear.webhop.net
Paul Gear wrote:
> Paul Gear wrote: As I said, I can send mail from the server using
> sendmail.

Dunno where that part came from - I must have typelexia today. Skip to the part at the bottom.

Paul
http://paulgear.webhop.net
Try "shorewall clear" then attempt to connect to your SMTP server; if it still doesn't work, it's a problem with the server.

-Tom

----- Original Message -----
From: John Michael
To: shorewall-users@shorewall.net
Sent: Saturday, March 16, 2002 5:49 PM
Subject: [Shorewall-users] Sendmail questions and problems

Hi
First, thanks for all previous help.
I have shorewall running on a single eth device and everything seems to be working fine except sendmail. I can send mail out of my server, but none seems to be getting in.
Here are my rules.
ACCEPT net $FW tcp smtp,www
ACCEPT net $FW udp smtp

My policy:
fw net ACCEPT
net all DROP

Interface:
net eth0 detect dhcp,noping,norfc1918,multi

When I do:
telnet mymailserver.com 25
from a telnet prompt on another machine to my server, I get:
Unable to connect to remote host, connection refused.
And, if I try to send mail to it, it becomes undeliverable.

Do you think this is a problem with sendmail or the firewall?
As I said, I can send mail from the server using sendmail.

How can I successfully shutdown the firewall to determine which one is causing the problem?
I've done a shorewall stop, but then nothing works.
I've restarted shorewall with routestopped and stopped it and everything but sendmail still works.

I assume then that it is not a shorewall problem.

If anyone has any ideas, thanks ahead of time.
cya
john Michael
John,

If you happen to run redhat the default configuration of sendmail starting from RH 7.0 I believe is to only listen on localhost, you can verify this with

netstat -n --listen | grep :25

The following output shows it is listening on all interfaces.

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

If the address in the output is 127.0.0.1 then it's only listening on localhost. Check the redhat gotcha page for your version of rh on how to fix.

http://www.redhat.com/support/resources/gotchas/7.1/gotchas-71.html for 7.1

good luck

On Sun, 17 Mar 2002, Tom Eastep wrote:
> Try "shorewall clear" then attempt to connect to your SMTP server; if it still doesn't work, it's a problem with the server.
>
> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>

Outlook Express is actually an incredibly effective virus distribution system which only pretends to be an email program. [by Eric Lee]
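
The two checks described in this thread (which address the port 25 listener is bound to, and whether sendmail.mc still has an active loopback-only DAEMON_OPTIONS line), as an added example that is not part of any poster's message. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Constructed sample in the layout of `netstat -n --listen` output.
SAMPLE_LOOPBACK='tcp        0      0 127.0.0.1:25       0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:80         0.0.0.0:*      LISTEN'

# classify_listener PORT < netstat-output
# Prints where a TCP listener for PORT is bound:
#   all       bound to every interface (0.0.0.0 or ::)
#   specific  bound to one non-loopback address
#   loopback  bound only to 127.0.0.1 / ::1 (remote connects are refused)
#   none      nothing listening on PORT
classify_listener() {
    awk -v port="${1:-25}" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # locate the trailing :port
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            if (host == "0.0.0.0" || host == "::" || host == "[::]") all = 1
            else if (host == "127.0.0.1" || host == "::1" || host == "[::1]") lo = 1
            else other = 1
        }
        END {
            if (all) print "all"
            else if (other) print "specific"
            else if (lo) print "loopback"
            else print "none"
        }'
}

# mc_loopback_only < sendmail.mc
# Succeeds (exit 0) when an active DAEMON_OPTIONS line, one that is not
# commented out with dnl, pins the MTA to Addr=127.0.0.1.
mc_loopback_only() {
    grep -v '^[[:space:]]*dnl' | grep -q 'DAEMON_OPTIONS(.*Addr=127\.0\.0\.1'
}

# Demo on the constructed sample: port 25 is reachable only from localhost.
printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listener 25
```

On a live host the same functions take `netstat -n --listen | classify_listener 25` and `mc_loopback_only < /etc/mail/sendmail.mc`.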