Postfix server - does not receive external email

[joelalpers]

Hello all -

I have been running an email server on a Red Hat 9 system for 5 years, and wanting to upgrade it
to the latest Fedora OS. A few days ago it crashed, helping me decide on when to do it

The server is running Fedora 11 (up-to-date). Clients are Fedora 11 and Windows XP machines
using Thunderbird for accessing email.

The server is running Postfix and Dovecot.

Within my local network I can send and receive emails.
I can also send email to addresses outside of my local network.

The only problem is that I cannot receive --ANY-- email from outside the local network.

I cannot think of anything aside from my firewall (iptables) or postfix config that could be
causing the problem. Below are my iptables file, and the postfix main.cf changes that I
have made. Any help greatly appreciated!!!


iptables (the same file I was using on Red Hat version 9 with one minor deprecated syntax changed):

*nat
:PREROUTING ACCEPT [22:1894]
:POSTROUTING ACCEPT [14:840]
:OUTPUT ACCEPT [17:1356]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [28143:13743218]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [775083:69212122]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A FORWARD -s 192.168.111.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.111.0/255.255.255.0 -j ACCEPT
-A FORWARD ! -s 192.168.111.0/255.255.255.0 -j DROP
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 2049 --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 111 --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --tcp-flags SYN,RST,ACK SYN -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --tcp-flags SYN,RST,ACK SYN -j REJECT
COMMIT


Changes to Postfix main.cf:

myhostname = mail.jkalpers.com
mydomain = jkalpers.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain
mynetworks = 192.168.111.0/8 127.0.0.0/8
relay_domains =

[ninjashoes]

wouldnt the issue likely be with dovecot if you can send and not receive?

are you using port 25?

[joelalpers]

Quote:

Originally Posted by ninjashoes

wouldnt the issue likely be with dovecot if you can send and not receive?

are you using port 25?

Thanks for writing!

Just to clarify, I -can- receive mail (in Thunderbird) as long as that mail originates within my domain. I cannot receive any email from "the other side of the firewall". That is why I suspected the firewall / Postfix part of the chain. But I am not an expert by any means.

Postfix is listening on Port 25.
Dovecot is listening on Port 110, which is what Thunderbird is set (it's default) for POP3.
I have verified this with
lsof -i tcp:25
and
lsof -i tcp:110
and can post the results if it will help.

Perhaps these clues may help:

My server/firewal (iptables) machine is running Postfix and Dovecot. (named Sharkstooth)
I am running Thunderbird on a client machine on the local network. (named LongsPeak).

If I log into Sharkstooth and type "mail" it reports only mail sent from either of these two machines
to my mail account --- nothing from outside my domain. This doesn't even use Dovecot - just a
simple text-based email reader. That is why I didn't suspect Dovecot.

I did set up a GMAIL account so I can send myself test messages from outside my domain.
None of them get through to even this simple test of using the "mail" program on the server.

I hope this helps - I am baffled by this, and am certain it is something very simple (and will
probably make me feel stupid when I know what it is)

Joel.

[smr54]

How is the server connected to the Internet? Through a router? If so, is the router configured to redirect port 25 to the machine running postfix?

[joelalpers]

I just checked my GMAIL account, and have warnings for the test messages I tried to send
yesterday to myself from outside my domain:


Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at http://mail.google.com /support/bin/answer.py?answer=7720
[jkalpers.com (1): Connection timed out]

Their suggestions:

* The other domain doesn't have up-to-date MX records or is otherwise misconfigured.
* The other domain is blacklisting or graylisting messages from Gmail.
* The other domain is experiencing temporary networking problems.

I do have an MX record. If my server is blacklisting or graylisting, I don't know about it.

Joel.

[smr54]

I'm not sure about Fedora (I've only setup postfix in CentOS and *BSD), but black or greylisting of gmail shouldn't be the issue.

One way to test is to try to telnet (from outside) to your mailserver and see if the errors give any hints.

If you have a copy of your old main.cf then you can compare it with the new and see what differences are there. It often turns out to be a typo .

[joelalpers]

Quote:

Originally Posted by smr54

I'm not sure about Fedora (I've only setup postfix in CentOS and *BSD), but black or greylisting of gmail shouldn't be the issue.

One way to test is to try to telnet (from outside) to your mailserver and see if the errors give any hints.

If you have a copy of your old main.cf then you can compare it with the new and see what differences are there. It often turns out to be a typo .

I do still have a copy of the old main.cf, and used it as a guide for what to set in
the new copy. I have compared them, but will do another time and make sure
there are no typos, thanks for the suggestion.


I did try a telnet from an outside machine (telnet mail.jkalpers.com). The error is:

Could not open connection to the host, on port 23: Connection failed.

Now, I don't have telnet from the outside enabled in my firewall (i.e.port 23 is not
in the accept list) so I don't know if this reveals much.

When another system sends an email to my domain, does it try to open a port
number? If so, which one? Port 25? (i.e. is port 25 used for the SMTP server
regardless of whether a process is sending or requesting email???)

Thanks -

Joel.

[smr54]

My bad, and apologies--I was using mental shorthand. When testing a mailserver, you can try telnetting on port 25, e.g.

telnet myserver 25

to see if it's listening.

For your other question yes, port 25 has to be directed from the outside, e.g., your router, to the server running postfix, if it is going to receive mail from outside.

http://wiki.centos.org/HowTos/postfix

gives some nice tips, though it's for CentOS 5.x


mail.jkalpers.com gives me an unknown address. Running dig -t MX jkalpers.com indicates that your mailserver is known to the outside world simply as jkalpers.com. Trying to telnet jkalpers.com 25 just hangs, possibly indicating an issue on my machine, or indicating that port 25 is not open to the outside world on your mailserver.

---------- Post added at 03:34 PM CST ---------- Previous post was at 02:58 PM CST ----------

Also in /etc/master.cf (not main.conf) sometimes, you have to uncomment the line


smtp inet n - n - - smtpd


(though it shouldn't be commented out in the first place. Never hurts to be sure though, that there isn't a # in front of it.)

netstat -an |grep 25 should show something like

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

[Doug G]

Did you check with your isp to verify they aren't blocking port 25?

[joelalpers]

Thank you all for your suggestions and help.

I said a few messages back that when the problem would be found, it would be something simple that
would make me feel stupid. How right I was!

I had an incorrect IP address entered for my domain --- xxx,xxx,xxx,230 instead of xxx.xxx.xxx.225

I had never thought to look at that, since I could access external WEB pages - Duh! Didn't occur to
me that it has to agree with the registered IP number to make the rest of the things work.

Again, thanks to all who offered help, and sorry for the wild goose chase!

Joel.

[smr54]

Glad it's fixed--I remember having an obvious typo in main.cf once, and I simply kept overlooking it. Something like forgetting a slash or the like.

[joelalpers]

Hello -

I have a Fedora-11 server runing CUPS that has a local HP4+ printer attached. It works fine
locally (i.e prints test pages). I am trying to share this printer with another Fedora-11 computer
AND with a Windows XP computer using Samba.

On the machine that the printer is connected to, my /etc/cups/printer.conf file shows the printer:

# Printer configuration file for CUPS v1.4.2
# Written by cupsd on 2010-01-28 23:10
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer HP_LaserJet_4_Plus>
Info HP LaserJet 4 Plus
Location
MakeModel HP LaserJet 4 Plus Foomatic/gutenprint-ijs-simplified.5.2
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1264745362
Type 8392724
Filter application/vnd.cups-raw 0 -
Filter application/vnd.cups-postscript 100 foomatic-rip
Filter application/vnd.cups-pdf 0 foomatic-rip
Filter application/vnd.apple-pdf 25 foomatic-rip
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

Similarly, the /etc/printcap knows the printer is there:

# This file was automatically generated by cupsd(8) from the
# /etc/cups/printers.conf file. All changes to this file
# will be lost.
HP_LaserJet_4_Plus|HP LaserJet 4 Plus:rm=Sharkstooth:rp=HP_LaserJet_4_Plus:

From the Fedora-11 client, I get the following error message:

Page 1 (Scheduler not running?):
{'cups_connection_failure': False}
Page 2 (Choose printer):
{'cups_dests_available': [('Stylus-Photo-R280', None),
('hp-LaserJet-1300', None)],
'cups_queue_listed': False}
Page 3 (Local or remote?):
{'printer_is_remote': True}
Page 4 (Remote address):
{'remote_server_ip_address': '192.168.111.7',
'remote_server_name': '\\\\sharkstooth'}
Page 5 (Check network server sanity):
{'remote_server_name_resolves': False,
'remote_server_try_connect': '\\\\sharkstooth'}
Page 6 (Locale issues):
{'printer_page_size': None,
'system_locale_lang': 'en_US',
'user_locale_ctype': 'en_US',
'user_locale_messages': 'en_US'}

The Windows XP cannot see the printer at all. I do have Samba running, and I can
see (on the Windows XP machine) my home directory on the Fedora-11 server, so I know
at least that the basic Samba is operating (just not printer sharing).

On the client Fedora-11 machine, if I run System->Administration->Printing->New, it simply
gives me the rotating "busy" indicator infinitely (or at least, it seems like it!)

Now, the big hurdle was getting to see /home/joela directories on the XP machine from the
Fedora-11 server, and that is working, but it would sure be nice to be able to access the
remote printer from XP as well....

Any bright ideas? (I am fresh out!)

Joel.

---------- Post added at 11:42 PM CST ---------- Previous post was at 11:39 PM CST ----------

My sincere apologies - I accidentally posted this as a reply to a prior (solved) issue. I will
re-post it to a new thread.

Sorry for any confusion!

Joel.