[Postfixbuch-users] Offtopic firewall
Alexander Busam
a.busam at hofmann-foerdertechnik.com
Wed Apr 1 08:17:28 CEST 2009
Hello,
I am using Peer Heinlein's firewall script to secure the mail server. I
also added the LDAP server so that the mail server can perform
authentication.
Everything works except sending mail (internal/external).
Can anyone help me?
Below is the configuration from the firewall script, main.cf and
master.cf, the error mail, and the output from /var/log/mail:
Firewall script:
===========
#! /bin/sh
# Author: Alexander Busam
#
# /etc/init.d/iptables_script
#
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network
# Should-Start:
# Required-Stop:
# Default-Start:     3 5
# Default-Stop:
# Description:       start the iptables configuration
### END INIT INFO

# IP address of the network interface
ip_nr=192.168.1.27
# IP address of the local DNS server
ip_ldns=192.168.1.26/32
# IP address of the local LDAP server
ip_lldap=192.168.1.26/32
# IP address of the local network
ip_lnet=192.168.1.0/24

IPT=/usr/sbin/iptables

. /etc/rc.status

# Reset status of this service
rc_reset

case "$1" in
    start)
        # Flush all rules
        $IPT -F
        $IPT -X
        $IPT -t nat -F
        $IPT -t nat -X

        # Our default rule (P = policy) closes everything.
        $IPT -P INPUT DROP
        $IPT -P OUTPUT DROP
        $IPT -P FORWARD DROP

        # We now allow, across the board, all packets that belong to
        # already established connections. WHICH connections may be
        # established is regulated afterwards.
        # We put this rule set first because it saves CPU: most packets
        # are passed by this rule, so the check can end early.
        $IPT -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A OUTPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A OUTPUT -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

        #
        # Required services now have to be opened individually:
        #

        # Receiving mail via SMTP from anywhere
        $IPT -A INPUT -p TCP -d $ip_nr --sport 1024: --dport 25 \
            -m state --state NEW -j ACCEPT
        # Alternative example: accept mail only from 91.198.250.0/24,
        # e.g. an external spam filtering service:
        #$IPT -A INPUT -p TCP -d $ip_nr --sport 1024: --dport 25 \
        #    -s 91.198.250.0/24 -m state --state NEW -j ACCEPT

        # Sending mail to anywhere
        $IPT -A OUTPUT -p TCP -s $ip_nr --sport 25 --dport 1024: \
            -m state --state NEW -j ACCEPT

        # Allow POP3, POP3S, IMAP, IMAPS from the LAN (110 143 993 995)
        $IPT -A INPUT -p TCP -d $ip_nr -s $ip_lnet \
            --sport 1024: -m multiport --dports 110,143,993,995 \
            -m state --state NEW -j ACCEPT

        # The server may query NTP servers:
        $IPT -A OUTPUT -p TCP -s $ip_nr --sport ntp \
            --dport ntp -m state --state NEW -j ACCEPT

        # Allow queries to our LAN's DNS server (TCP and UDP)
        # (assuming our mail server uses a source port >1024 outbound)
        $IPT -A OUTPUT -p TCP -s $ip_nr -d $ip_ldns \
            --sport 1024: --dport 53 \
            -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -p UDP -s $ip_nr -d $ip_ldns \
            --sport 1024: --dport 53 \
            -m state --state NEW -j ACCEPT

        # Allow LDAP access.
        $IPT -A OUTPUT -p TCP -s $ip_nr -d $ip_lldap \
            --sport 1024: -m multiport --dports 389,636 \
            -m state --state NEW -j ACCEPT

        # If SSH is actually used, we also open it for a few
        # IP addresses/networks:
        # Our LAN:
        $IPT -A INPUT -p TCP -d $ip_nr -s $ip_lnet \
            --sport 1024: --dport 22 \
            -m state --state NEW -j ACCEPT

        echo -n "ip-tables gestartet"
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        # Flush all rules
        $IPT -F
        $IPT -X
        $IPT -t nat -F
        $IPT -t nat -X
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        $IPT -P FORWARD ACCEPT
        echo -n "ip-tables gelöscht"
        # Remember status and be verbose
        rc_status -v
        ;;
    status)
        $IPT -L
        $IPT -t nat -n -L
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac
rc_exit
main.cf
=====
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = hmmailsrv.hofmann-intern.de
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.hofmann-foerdertechnik.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/access_recipient_roleaccounts,
    check_recipient_access hash:/etc/postfix/access_recipient_ok,
    check_sender_access mysql:/etc/postfix/access_sender.mysql
    check_recipient_access hash:/etc/postfix/access_recipient_reject,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    permit_mynetworks, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org,
    check_policy_service unix:public/postgrey reject_unauth_destination,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual,
    proxy:ldap:/etc/postfix/virtual.ldap
master.cf
======
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#                 (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# without amavisd
#smtp      inet  n       -       n       -       -       smtpd
# with amavisd
192.168.1.27:25 inet n   -       n       -       50      smtpd
#  -o content_filter=smtp:[127.0.0.1]:10024
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=
#192.168.1.28:25 inet n  -       n       -       10      smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       10      smtpd
  -o smtpd_tls_wrappermode=yes -o content_filter=smtp:[127.0.0.1]:10024
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter:[127.0.0.1]:10024
#  -o smtpd_proxy_filter=127.0.0.1:10024
#  -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       50      smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
localhost:10025 inet n   -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
#,no_address_mappings
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# Deliver mail via Dovecot deliver -- at most 10 mails at a time
dovecot   unix  -       n       n       -       10      pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
# classic HylaFAX email-to-fax setup
fax       unix  -       n       n       -       1       pipe
  flags=R user=fax argv=/usr/bin/faxmail -n ${user}
# classic HylaFAX email-to-sms setup
sms       unix  -       n       n       -       1       pipe
  flags=R user=fax argv=/usr/local/bin/mail2yaps ${user} ${sender}
# gnarwl autoreply support
gnarwl    unix  -       n       n       -       -       pipe
  flags=F user=gnarwl argv=/usr/bin/gnarwl -a $user -s $sender
Error mail:
=========
From: MAILER-DAEMON at hmmailsrv.hofmann-intern.de (Mail Delivery System)
To: postmaster at hmmailsrv.hofmann-intern.de (Postmaster)
Subject: Postfix SMTP server: errors from hmsmbsrv.hofmann-intern.de[192.168.1.26]
Message-Id: <20090401054533.B982D4006 at hmmailsrv.hofmann-intern.de>
Transcript of session follows.
Out: 220 hmmailsrv.hofmann-intern.de ESMTP Postfix
In: EHLO [192.168.2.165]
Out: 250-hmmailsrv.hofmann-intern.de
Out: 250-PIPELINING
Out: 250-SIZE 50000000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: AUTH PLAIN AGFiAGFicGFzcw==
Out: 235 2.0.0 Authentication successful
In: MAIL FROM:<a.busam at hfm.alexander-busam.de> SIZE=912
Out: 250 2.1.0 Ok
In: RCPT TO:<a.busam at hofmann-foerdertechnik.com>
Out: 451 4.3.0 Error: queue file write error
Session aborted, reason: lost connection
/var/log/mail:
==========
Apr 1 07:58:02 hmmailsrv postfix/smtpd[24570]: connect from hmsmbsrv.hofmann-intern.de[192.168.1.26]
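An added check for the rule set above (not part of the original post, and not Peer Heinlein's script): the script has no loopback rule under a DROP policy, so the NEW connections smtpd opens to smtpd_proxy_filter=127.0.0.1:10024 are dropped, which is consistent with the 451 4.3.0 "queue file write error" at RCPT TO in the transcript (that is how smtpd reports a proxy filter it cannot reach), and the outbound SMTP rule has --sport 25 and --dport 1024: reversed. It assumes ip_nr=192.168.1.27 as in the post and defaults IPT to echo so the rules are printed for review rather than loaded.

```shell
#!/bin/sh
# Added example, not from the post and not Peer Heinlein's script.
# Two gaps in the posted rule set for a Postfix host that hands mail to
# a local content filter and also sends mail itself:
#   1. INPUT/OUTPUT DROP with no loopback rule drops the NEW connection
#      smtpd opens to smtpd_proxy_filter=127.0.0.1:10024 and the filter's
#      re-injection to localhost:10025;
#   2. the outbound SMTP rule has --sport 25 --dport 1024: reversed; an
#      MTA connects FROM an ephemeral port TO port 25 on the remote MX.
# Assumptions: ip_nr=192.168.1.27 as in the post; IPT defaults to echo so
# the rules are only printed; set IPT=/usr/sbin/iptables to load them.

ip_nr="${ip_nr:-192.168.1.27}"
IPT="${IPT:-echo}"

# The rules the posted script lacks; put them after the ESTABLISHED rules.
mail_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$ip_nr" --sport 1024: --dport 25 \
        -m state --state NEW -j ACCEPT
}

# True if the listing held in $listing contains a rule matching $1 (ERE).
has_rule() { printf '%s\n' "$listing" | grep -E -q -- "$1"; }

# Audit helper: reads an "iptables -S" style listing on stdin, prints each
# missing rule and returns 1 if anything is missing, 0 otherwise.
check_mail_rules() {
    listing=$(cat)
    missing=0
    has_rule '^-A INPUT -i lo -j ACCEPT' ||
        { echo "missing: INPUT -i lo ACCEPT"; missing=1; }
    has_rule '^-A OUTPUT -o lo -j ACCEPT' ||
        { echo "missing: OUTPUT -o lo ACCEPT (content filter unreachable)"; missing=1; }
    # legacy iptables prints "--state NEW", iptables-nft "--ctstate NEW"
    has_rule '^-A OUTPUT .*--dport 25( |$).*state NEW' ||
        { echo "missing: OUTPUT NEW to dport 25 (outbound SMTP)"; missing=1; }
    return $missing
}

# Self-check on a listing constructed from the posted script's rules.
posted_listing='-P INPUT DROP
-P OUTPUT DROP
-A OUTPUT -s 192.168.1.27/32 -p tcp -m tcp --sport 25 --dport 1024:65535 -m state --state NEW -j ACCEPT'
printf '%s\n' "$posted_listing" | check_mail_rules || echo "--- rules to add:"
mail_rules
```

On the live host, `iptables -S | check_mail_rules` audits the loaded rule set; the rules printed by `mail_rules` belong before the service-specific rules so that the loopback traffic is accepted before anything else is evaluated.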
More information about the Postfixbuch-users mailing list