Hi, please which ports should I forward for well going IMAP clients over firewall? (Shorewall 1.4.8) I have forwarded only 25 for SMTP - MTA works fine and 143 for imap, but it works only for connection to MBX. When I sent some e-mails, it returns this error:

The following recipient(s) could not be reached:
'admin@dashofer.sk' on 9. 3. 2004 13:40
550 5.7.1 Unable to relay for admin@dashofer.sk

Thanks for any advice.
At 15.04 09/03/2004, Varga Pavol wrote:
> Hi,
> please which ports should I forward for well going IMAP clients over firewall? (Shorewall 1.4.8)
> I have forwarded only 25 for SMTP - MTA works fine and 143 for imap, but it works only for connection to MBX. When I sent some e-mails, it returns this error:
>
> The following recipient(s) could not be reached:
>
> 'admin@dashofer.sk' on 9. 3. 2004 13:40
> 550 5.7.1 Unable to relay for admin@dashofer.sk

It sounds like an SMTP misconfiguration rather than a shorewall issue. Look at your MTA trusted network config.

andrea
Hi

This looks like an error message from your MTA. IMAP is for receiving mail only. Mail still gets sent via SMTP. And the one you set up doesn't access the mail.

Regards
Sascha

-------------------------------------------------------
Sascha Knific
K Systems & Design         Tel. +49-8151-773260
Wittelsbacherstr. 6a       Fax. +49-8151-773262
82319 Starnberg, Germany
knific@k-sysdes.net
http://www.k-sysdes.net

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Varga Pavol
> Sent: Tuesday, 9 March 2004 15:04
> To: Linux - Shorewall-Users
> Subject: [Shorewall-users] IMAP client over firewall?
>
> Hi,
> please which ports should I forward for well going IMAP clients over firewall? (Shorewall 1.4.8)
> I have forwarded only 25 for SMTP - MTA works fine and 143 for imap, but it works only for connection to MBX. When I sent some e-mails, it returns this error:
>
> The following recipient(s) could not be reached:
>
> 'admin@dashofer.sk' on 9. 3. 2004 13:40
> 550 5.7.1 Unable to relay for admin@dashofer.sk
>
> Thanks for any advice.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi, thank You all for your insurance that it is not a Shorewall job. This disablement caused conflict with M$Outlook's profile/account setting (wasn't the same! = my bad).

To TimeLORD: Thanks for the remark, I meant to say "through firewall".

And now, when IMAP4 works perfectly, I have the next problem, how to set up Shorewall for M$Outlook client. I tried to forward a 135 port, but it doesn't work. (This is a temporary problem, until we replace whole Exchange.)

Palo.
Hi Tom,

I have a nice script for transferring automatically generated shorewall configuration files from the machine where they are generated. After the scp transfer my script restarts shorewall and backs up the package - I am using a leaf distro. The script is working fine when I run it manually. If it's scheduled in cron, something strange happens. Shorewall locks up during restart. I made a trace file in which I can see that shorewall is checking for the existence of the /tmp/shorewall/lock file. And this file exists. Also shorewall creates a directory /tmp/shorewall-XXXXX (where X are numbers) with some contents, but it will not restart. I really don't know what's wrong, because my script works well if it's started from the console. Today this problem totally smashed out our community network :-)))

I can send you status, and both /tmp/shorewall directory if you will need them. Can I ask you for a little help?

Thank you very much.

Best Regards
Litin
On Wed, 10 Mar 2004, Dominik Strnad wrote:
>
> I can send you status, and both /tmp/shorewall directory if you will need them.
>

Please change the cron entry to "shorewall debug restart 2> /tmp/trace". After the restart hangs, please send me the /tmp/trace file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
I also tested the "shorewall debug restart 2> /tmp/trace" record in crontab. It fails with exactly the same trace file. - last line is:

+ echo Accounting rule 0016 accounting wlan0 192.168.143.26/31 - - Added

And I didn't stop anything.
On Wed, 10 Mar 2004, Dominik Strnad wrote:
> I also tested the "shorewall debug restart 2> /tmp/trace" record in crontab. It fails with exactly the same trace file. - last line is:
>
> + echo Accounting rule 0016 accounting wlan0 192.168.143.26/31 - - Added
>
> And I didn't stop anything.
>

Then I have no idea what the problem is unless you are out of disk space.

-Tom
Hmmm I don't know how much space shorewall needs to...

Here is df -k

Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                16384      9244      7140  56% /
tmpfs                    63796        12     63784   0% /tmp
tmpfs                     8192       144      8048   2% /var/log

What do you think? Is this enough?
But still same question: How can it be possible that when I start the script manually everything is ok?
On Wed, 10 Mar 2004, Dominik Strnad wrote:
> Hmmm I don't know how much space shorewall needs to...
>
> Here is df -k
>
> Filesystem           1k-blocks      Used Available Use% Mounted on
> /dev/root                16384      9244      7140  56% /
> tmpfs                    63796        12     63784   0% /tmp
> tmpfs                     8192       144      8048   2% /var/log
>
> What do you think? Is this enough?
>

Should be -- but you need to look at it when the "shorewall restart" stops, not now.

-Tom
On Wed, 10 Mar 2004, Dominik Strnad wrote:
> But still same question: How can it be possible that when I start the script manually everything is ok?
>

I don't know.

-Tom
Hmmmm let's rock, I need some more testing, but it seems for now that redirecting all outputs - meaning STDOUT and STDERR - to /dev/null seems to help...

But still I really don't know WHY! :-)

Litin
On Wed, 10 Mar 2004, Dominik Strnad wrote:
> Hmmmm let's rock, I need some more testing, but it seems for now that redirecting all outputs - meaning STDOUT and STDERR - to /dev/null seems to help...
>
> But still I really don't know WHY! :-)
>

Then I believe that you are running out of disk space. When you run an embedded OS distribution on your firewall, you have to expect these sorts of problems. It's one of the reasons why I use a "real" distribution on my firewall; it allows me to focus on firewalling problems rather than on embedded OS limitations...

-Tom
-----Original Message-----
From: Varga Pavol [mailto:pavol.varga@dashofer.sk]
Sent: Tuesday, March 09, 2004 10:51 PM
To: Linux - Shorewall-Users
Subject: [Shorewall-users] IMAP client over firewall?

> Hi, thank You all for your insurance that it is not a Shorewall job. This disablement caused conflict with M$Outlook's profile/account setting (wasn't the same! = my bad).
>
> To TimeLORD: Thanks for the remark, I meant to say "through firewall".
>
> And now, when IMAP4 works perfectly, I have the next problem, how to set up Shorewall for M$Outlook client. I tried to forward a 135 port, but it doesn't work. (This is a temporary problem, until we replace whole Exchange.)

To allow users to get into Exchange thru a firewall you need port 135 (both tcp and udp I think) as well as two other adjacent high ports that Exchange chooses randomly. You can force Exchange to use two particular ports with a registry entry, then open these in the FW. I found a MS Knowledge Base article on this a while back explaining which registry key determines the ports. I don't have the link, but searching their support site for "exchange firewall" should get you there.

Note: Microsoft does NOT recommend opening these ports to the internet! I recall that being mentioned in the knowledge base article. You have been forewarned.

--Micha

> Palo.
Thank You very much, Micha!

Palo.
Varga Pavol (9.3.2004 21:50):
> And now, when IMAP4 works perfectly, I have the next problem, how to set up Shorewall for M$Outlook client. I tried to forward a 135 port, but it doesn't work. (This is a temporary problem, until we replace whole Exchange.)

In "native mode", Outlook uses RPC with Exchange .. during "handshake" they randomly open some ports > 1024.

If your Exchange and Outlook are in trusted LAN, then maybe U should not filter connection to your Exchange server if U want to use that "native mode" ... or allow all connections to ports > 1024 and 135 (U should check your /var/log/messages to see what ports U should open).

If Exchange and/or Outlook are in not trusted zone, then U should not use "native mode". It's better to use for example IMAP4S (secure IMAP) and then only one port is needed to open (tcp 993). Or use for example OpenVPN between client and server and then U need to allow only VPN connection and U can tunnel "native mode" inside VPN connection.

If U use Outlook2003 AND Windows2003 AND Exchange2003, then U can use "RPC over HTTP" tunneling (some kind of "native mode") and in that case U need to allow only HTTP port.

Enjoy :-)

TimeLord
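TimeLord's suggestion to read /var/log/messages before deciding what to open can be done with a small filter; the following is an added example, not code from any poster in this thread or from the Shorewall project. The log lines, host name and addresses are constructed samples, and the `Shorewall:<chain>:<disposition>:` prefix is assumed to be the log format in use.

```shell
#!/bin/sh
# Added example: list which destination ports the firewall dropped or
# rejected on the way to one server, so a rule can be kept as narrow as possible.

# Constructed sample of netfilter LOG lines as they appear in /var/log/messages.
sample_log() {
cat <<'EOF'
Mar 10 08:11:02 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.5 LEN=48 TTL=118 PROTO=TCP SPT=3012 DPT=135 SYN URGP=0
Mar 10 08:11:05 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.5 LEN=48 TTL=118 PROTO=TCP SPT=3012 DPT=135 SYN URGP=0
Mar 10 08:11:11 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.5 LEN=48 TTL=118 PROTO=TCP SPT=3012 DPT=135 SYN URGP=0
Mar 10 08:12:40 fw kernel: Shorewall:net2loc:REJECT:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.5 LEN=48 TTL=118 PROTO=TCP SPT=3020 DPT=1026 SYN URGP=0
Mar 10 08:12:43 fw kernel: Shorewall:net2loc:REJECT:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.5 LEN=48 TTL=118 PROTO=TCP SPT=3020 DPT=1026 SYN URGP=0
Mar 10 08:13:01 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.5 LEN=78 TTL=118 PROTO=UDP SPT=1040 DPT=135 LEN=58
Mar 10 08:13:09 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.9 LEN=48 TTL=118 PROTO=TCP SPT=3044 DPT=445 SYN URGP=0
Mar 10 08:13:30 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.5 LEN=60 TTL=118 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
EOF
}

# dropped_ports SERVER_IP
# Reads syslog lines on stdin and prints "count proto/port", most frequent
# first, for packets to SERVER_IP that Shorewall logged as DROP or REJECT.
# Lines without a destination port (for example ICMP) are skipped.
dropped_ports() {
    awk -v dst="$1" '
        /Shorewall:[^:]*:(DROP|REJECT):/ {
            d = p = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   d   = substr($i, 5)
                if ($i ~ /^PROTO=/) p   = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (d == dst && dpt != "") seen[p "/" dpt]++
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone run against the constructed sample; on a real firewall use:
#   dropped_ports 192.168.1.5 < /var/log/messages
sample_log | dropped_ports 192.168.1.5
```

A summary that shows port 135 plus changing high ports is the RPC pattern described above, which is the case where the thread advises IMAP4S on tcp 993 or a VPN instead of opening those ports to an untrusted zone.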