Problema do postfix: regras iptables e não podem receber e-mails de fora

1

Meu servidor Postfix estava funcionando bem até os últimos dias, mas agora não consigo receber e-mails de fora (quero dizer, com um e-mail de nome de domínio diferente, como o Gmail, por exemplo). Preciso notificar que posso enviar e-mails do servidor para o gmail.

Pelo que vi, acho que esse problema pode estar nas minhas regras do iptables:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

com o seguinte /etc/iptables/rules.v4 :

# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*mangle
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*nat
:PREROUTING ACCEPT [357:19884]
:POSTROUTING ACCEPT [9413:566093]
:OUTPUT ACCEPT [9344:563333]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016

Além disso, meu servidor parece ouvir na porta 25:

# netstat -an |grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
unix  2      [ ]         DGRAM                    4255589627 /var/spool/postfix/dev/log
unix  15     [ ]         DGRAM                    4255589625 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     4255652970 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     4255590038 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711673 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711672 
unix  3      [ ]         STREAM     CONNECTED     4255711663 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711662 
unix  2      [ ]         DGRAM                    4255711642 
unix  3      [ ]         STREAM     CONNECTED     4255711639 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711638 
unix  2      [ ]         DGRAM                    4255711627 
unix  2      [ ]         DGRAM                    4255594798 
unix  2      [ ]         DGRAM                    4255590141 
unix  3      [ ]         STREAM     CONNECTED     4255590098 
unix  3      [ ]         STREAM     CONNECTED     4255590097 

e nmap no meu servidor (de fora) retorna:

Host is up (0.065s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

Por fim, aqui está meu /etc/postfix/master.cf :

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# spf postfix
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Eis a resposta do email recebido pelo gmail quando enviei do gmail para o meu servidor de postfix:

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

     [email protected]

Message will be retried for 1 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[domain.com 239.178.123.80: socket error]

Eu não entendo porque netstat me diz que ele escuta a porta 25 e nmap indica que essa porta não está aberta.

Se alguém pudesse ver o que está errado, isso seria ótimo.

Obrigado antecipadamente.

    
por youpilat13 28.08.2016 / 11:10

1 resposta

1

Executar

iptables -I INPUT 5 -p tcp -m tcp --dport 25 -j ACCEPT

Para que a regra seja aplicada imediatamente.

Edite também o seu /etc/iptables/rules.v4 e logo após a regra com a porta 443, adicione

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

    
por 28.08.2016 / 11:17