|
Message-ID: <20070505173138.GA27048@openwall.com> Date: Sat, 5 May 2007 21:31:38 +0400 From: Solar Designer <solar@...nwall.com> To: popa3d-users@...ts.openwall.com Subject: setup on Linux behind DNAT (was: cannot get this to work) Matt, I'm afraid that you've posted this to the wrong list. Your question has almost nothing to do with popa3d; it is about general network services and routing setup on Linux. Since you appear to be setting this up on Openwall GNU/*/Linux (Owl), you should have posted the question to owl-users. I am responding on popa3d-users for now since the question was raised in here anyway, but you may want to move further discussion to owl-users (please include an adequate amount of context if you do). I've changed the Subject to be more descriptive. On Thu, May 03, 2007 at 12:49:37AM -0600, matt mix wrote: > I have been trying for a couple days now to successfully setup this popa3d > server to receive emails. I am using the basic out of the box openwall > configurations and I have modified the postfix main.cf file the best I can > and created a test user. I am able to locally connect and do a STAT w/ no > problem. I dont know if this is a routing issue or a configuration within > the postfix config files or not. If you can connect "locally" (is that "telnet localhost 110"?) and "do a STAT" (is that USER ..., PASS ..., then STAT?), then you have no problem with the popa3d setup. Yes, your problem could be with routing or the like. No, it can't be with Postfix, which provides the SMTP service, not POP3. On Owl, the Postfix + popa3d setup should work almost out of the box - all you need to do is enable and start the services: control postfix server chkconfig popa3d on service popa3d start I'm not sure what you've edited in Postfix's main.cf. About the only thing you should have changed there is the "mydomain = ..." setting, although in many cases even that is optional (if the domain name can be correctly inferred from your hostname). > iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 110 -j DNAT --to > 192.168.1.153 > iptables -A forwarding_rule -i $WAN -p tcp --dport 110 -d > 192.168.1.153 -j ACCEPT This might be OK, but it is impossible to tell for sure without having full context. The "prerouting_rule" and "forwarding_rule" chain names are not standard. You must have other rules that would "jump" to those chain names in order for them to be used. For example: iptables -t nat -A PREROUTING -j prerouting_rule iptables -A FORWARD -j forwarding_rule or you may just use the standard PREROUTING and FORWARD names directly. > and I repeated the above for udp. There was no need. POP3 uses 110/tcp only. > I checked my apache server and verified that it is working fine and > forwarding to another machine successfully. By connecting with a non-local > ip. However we cannot connect to the pop server via telnet or mail2web on > that external ip. No traffic showed up heading to port 110 either when I > looked for traffic on port 110 with wireshark locally. This suggests that you have a problem with your DNAT setup for 110/tcp, but not for 80/tcp. Why don't you simply host these public services right on your router, though (given that it's running Linux, too)? You don't gain any security by having traffic forwarded into your internal network like that. If you want greater security, then setup a DMZ separate from your internal network (you'd need 3 NICs in your router) - or is that what you're doing already, with the only reason for your use of DNAT being the lack of another Internet-routable IP address? -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.