[Postfixbuch-users] Offtopic firewall

Alexander Busam a.busam at hofmann-foerdertechnik.com
Wed Apr 1 08:17:28 CEST 2009


Hello,

I am using Peer Heinlein's firewall script to lock down the mail server. I
have additionally added the LDAP server so that the mail server can perform
authentication.

Everything works except for sending mail (internal/external). Can anyone
help me?

Below are the configuration from the firewall script, main.cf, master.cf,
the error mail and the output from /var/log/mail:

Firewall script:
===========

#! /bin/sh

# Author: Alexander Busam
#
# /etc/init.d/iptables_script
#
### BEGIN INIT INFO
# Provides:       iptables
# Required-Start: $network
# Should-Start:
# Required-Stop:
# Default-Start:  3 5
# Default-Stop:
# Description:    start the iptables configuration
### END INIT INFO


# IP address of the network interface
ip_nr=192.168.1.27

# IP address of the local DNS server
ip_ldns=192.168.1.26/32

# IP address of the local LDAP server
ip_lldap=192.168.1.26/32


# IP address of the local network
ip_lnet=192.168.1.0/24


IPT=/usr/sbin/iptables


. /etc/rc.status

# Reset status of this service
rc_reset

case "$1" in

    start)

    # Flush all rules
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X


    # Our default rule (P = policy) closes everything.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP


    # We now allow, across the board, all packets that belong to connections
    # that are already established. WHICH connections may be established is
    # regulated afterwards.
    # We put this rule set first because it saves CPU: most packets are
    # passed by this rule, so the check can end early.

    $IPT -A INPUT  -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT  -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # Required services now have to be opened individually:
    #

    # Receiving mail: SMTP from anywhere
    $IPT -A INPUT  -p TCP -d $ip_nr --sport 1024: --dport 25 \
         -m state --state NEW -j ACCEPT

    # Alternative example: accept mail only from the IPs 91.198.250.0/24,
    # e.g. an external spam-filtering service:
    #$IPT -A INPUT  -p TCP -d \$ip_nr --sport 1024: --dport 25 \
    #         -s 91.198.250.0/24 -m state --state NEW -j ACCEPT


    # Sending mail worldwide
    $IPT -A OUTPUT -p TCP -s $ip_nr --sport 25 --dport 1024: \
         -m state --state NEW -j ACCEPT

    # Allow POP3, POP3S, IMAP, IMAPS from the LAN: 110 143 993 995
    $IPT -A INPUT  -p TCP -d $ip_nr -s $ip_lnet \
         --sport 1024: -m multiport --dports 110,143,993,995 \
         -m state --state NEW -j ACCEPT


    # The servers may query NTP servers:
    $IPT -A OUTPUT -p TCP -s $ip_nr --sport ntp \
        --dport ntp -m state --state NEW -j ACCEPT


    # Allow queries to our LAN's DNS server (TCP and UDP)
    # (assuming our mail server uses a source port >1024)
    $IPT -A OUTPUT -p TCP -s $ip_nr -d $ip_ldns \
         --sport 1024: --dport 53 \
         -m state --state NEW -j ACCEPT

    $IPT -A OUTPUT -p UDP -s $ip_nr -d $ip_ldns \
         --sport 1024: --dport 53 \
         -m state --state NEW -j ACCEPT

    # Allow LDAP access.
    $IPT -A OUTPUT -p TCP -s $ip_nr -d $ip_lldap \
         --sport 1024: -m multiport --dports 389,636 \
         -m state --state NEW -j ACCEPT

    # If SSH is actually used, we also open it for a few
    # IP addresses/networks:
    # Our LAN:
    $IPT -A INPUT  -p TCP -d $ip_nr -s $ip_lnet \
         --sport 1024: --dport 22 \
         -m state --state NEW -j ACCEPT


    echo -n  "ip-tables gestartet"

    # Remember status and be verbose
    rc_status -v

    ;;

    stop)

    # Flush all rules

    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT

    echo -n "ip-tables gelöscht"

    # Remember status and be verbose
    rc_status -v

    ;;

    status)

    $IPT -L
    $IPT -t nat -n -L

    rc_status -v

    ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac
rc_exit


main.cf
=====

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = hmmailsrv.hofmann-intern.de
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.hofmann-foerdertechnik.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access_recipient_roleaccounts,
    check_recipient_access hash:/etc/postfix/access_recipient_ok,
    check_sender_access mysql:/etc/postfix/access_sender.mysql,
    check_recipient_access hash:/etc/postfix/access_recipient_reject,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    check_policy_service unix:public/postgrey,
    reject_unauth_destination,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual,
    proxy:ldap:/etc/postfix/virtual.ldap


master.cf
======

#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

# without amavisd
#smtp      inet  n       -       n       -       -       smtpd

# with amavisd
192.168.1.27:25    inet  n       -       n       -       50       smtpd
#    -o content_filter=smtp:[127.0.0.1]:10024
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o content_filter=

#192.168.1.28:25 inet  n       -       n       -       10       smtpd

#submission inet n      -       n       -       -       smtpd
#    -o smtpd_etrn_restrictions=reject
#    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       10      smtpd
    -o smtpd_tls_wrappermode=yes -o content_filter=smtp:[127.0.0.1]:10024
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter:[127.0.0.1]:10024
#    -o smtpd_proxy_filter=127.0.0.1:10024
#    -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       50       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
localhost:10025 inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
#,no_address_mappings
scache      unix    -    -    n    -    1    scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# Deliver mail via Dovecot deliver -- at most 10 messages at a time
dovecot   unix  -       n       n       -       10      pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
cyrus      unix    -    n    n    -    -    pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix    -    n    n    -    -    pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

# classic HylaFAX email-to-fax setup
fax       unix  -       n       n       -       1       pipe
  flags=R user=fax argv=/usr/bin/faxmail -n ${user}

# classic HylaFAX email-to-sms setup
sms       unix  -       n       n       -       1       pipe
  flags=R user=fax argv=/usr/local/bin/mail2yaps ${user} ${sender}

# gnarwl autoreply support
gnarwl    unix  -       n       n       -       -       pipe
  flags=F user=gnarwl argv=/usr/bin/gnarwl -a $user -s $sender


Error mail:
=========
From: MAILER-DAEMON at hmmailsrv.hofmann-intern.de (Mail Delivery System)
To: postmaster at hmmailsrv.hofmann-intern.de (Postmaster)
Subject: Postfix SMTP server: errors from hmsmbsrv.hofmann-intern.de[192.168.1.26]
Message-Id: <20090401054533.B982D4006 at hmmailsrv.hofmann-intern.de>

Transcript of session follows.

 Out: 220 hmmailsrv.hofmann-intern.de ESMTP Postfix
 In:  EHLO [192.168.2.165]
 Out: 250-hmmailsrv.hofmann-intern.de
 Out: 250-PIPELINING
 Out: 250-SIZE 50000000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-AUTH LOGIN PLAIN
 Out: 250-AUTH=LOGIN PLAIN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH PLAIN AGFiAGFicGFzcw==
 Out: 235 2.0.0 Authentication successful
 In:  MAIL FROM:<a.busam at hfm.alexander-busam.de> SIZE=912
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<a.busam at hofmann-foerdertechnik.com>
 Out: 451 4.3.0 Error: queue file write error

Session aborted, reason: lost connection

/var/log/mail:
==========

Apr  1 07:58:02 hmmailsrv postfix/smtpd[24570]: connect from hmsmbsrv.hofmann-intern.de[192.168.1.26]
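The quickest way to see what a default-DROP rule set like the one posted actually permits is to replay the first packet of every connection the mail path needs against it. The simulator below is an added example, not code from the post, the thread or Peer Heinlein's script. `POSTED_RULES` transcribes the NEW-state rules of the posted firewall script with the post's addresses (192.168.1.27, 192.168.1.26, 192.168.1.0/24); the remote MX 198.51.100.10 and the ephemeral port 40000 are constructed, interface matches (`-i lo`/`-o lo`) are approximated by matching 127.0.0.0/8 addresses, and `CORRECTED_RULES` holds the editor's suggested additions rather than anything from the thread.

```python
"""Simulate which connections an iptables INPUT/OUTPUT rule set lets through.

Added example, not part of the original post. POSTED_RULES transcribes the
NEW-state rules of the posted firewall script (addresses 192.168.1.27,
192.168.1.26 and 192.168.1.0/24 are from the post); 198.51.100.10 is a
constructed remote MX and 40000 a constructed ephemeral client port.
Interface matches (-i lo / -o lo) are not modelled; loopback is matched by address.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
NEW = frozenset({"NEW"})
EST = frozenset({"ESTABLISHED", "RELATED"})


def ports(spec: str) -> range:
    """Parse an iptables port spec: '25', '1024:', ':1023' or '110:143'."""
    if ":" not in spec:
        return range(int(spec), int(spec) + 1)
    lo, hi = spec.split(":")
    return range(int(lo or 0), int(hi or 65535) + 1)


@dataclass(frozen=True)
class Packet:
    chain: str          # INPUT or OUTPUT
    proto: str          # tcp or udp
    src: str
    dst: str
    sport: int
    dport: int
    state: str = "NEW"  # conntrack state; NEW = first packet of a connection


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    states: frozenset                  # -m state --state ...
    src: str = "0.0.0.0/0"             # -s
    dst: str = "0.0.0.0/0"             # -d
    sport: range = ANY_PORT            # --sport
    dports: tuple = (ANY_PORT,)        # --dport, or -m multiport --dports
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        return (self.chain == pkt.chain and self.proto == pkt.proto
                and pkt.state in self.states
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and pkt.sport in self.sport
                and any(pkt.dport in r for r in self.dports))


def verdict(rules, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in netfilter; otherwise the chain policy (DROP in the post)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


IP_NR, IP_LAN_SRV, IP_LNET = "192.168.1.27", "192.168.1.26/32", "192.168.1.0/24"

POSTED_RULES = [
    Rule("INPUT", "tcp", EST), Rule("OUTPUT", "tcp", EST),
    Rule("INPUT", "udp", EST), Rule("OUTPUT", "udp", EST),
    # SMTP reception from anywhere
    Rule("INPUT", "tcp", NEW, dst=IP_NR, sport=ports("1024:"), dports=(ports("25"),)),
    # "sending mail" exactly as posted: --sport 25 --dport 1024:
    Rule("OUTPUT", "tcp", NEW, src=IP_NR, sport=ports("25"), dports=(ports("1024:"),)),
    # POP3/IMAP from the LAN
    Rule("INPUT", "tcp", NEW, dst=IP_NR, src=IP_LNET, sport=ports("1024:"),
         dports=(ports("110"), ports("143"), ports("993"), ports("995"))),
    # NTP as posted (TCP, --sport ntp --dport ntp)
    Rule("OUTPUT", "tcp", NEW, src=IP_NR, sport=ports("123"), dports=(ports("123"),)),
    # DNS and LDAP to the LAN server
    Rule("OUTPUT", "tcp", NEW, src=IP_NR, dst=IP_LAN_SRV, sport=ports("1024:"), dports=(ports("53"),)),
    Rule("OUTPUT", "udp", NEW, src=IP_NR, dst=IP_LAN_SRV, sport=ports("1024:"), dports=(ports("53"),)),
    Rule("OUTPUT", "tcp", NEW, src=IP_NR, dst=IP_LAN_SRV, sport=ports("1024:"), dports=(ports("389"), ports("636"))),
    # SSH from the LAN
    Rule("INPUT", "tcp", NEW, dst=IP_NR, src=IP_LNET, sport=ports("1024:"), dports=(ports("22"),)),
]

# Editor's suggested additions (not from the thread): loopback traffic for the
# proxy/content filter on 127.0.0.1:10024, and outbound SMTP with the client-side
# port layout (ephemeral source port, destination port 25).
CORRECTED_RULES = POSTED_RULES + [
    Rule("INPUT", "tcp", NEW, src="127.0.0.0/8", dst="127.0.0.0/8"),
    Rule("OUTPUT", "tcp", NEW, src="127.0.0.0/8", dst="127.0.0.0/8"),
    Rule("OUTPUT", "tcp", NEW, src=IP_NR, sport=ports("1024:"), dports=(ports("25"),)),
]

# Connections the posted main.cf/master.cf depend on (ports from the post).
FLOWS = {
    "LAN client -> smtpd :25": Packet("INPUT", "tcp", "192.168.1.26", IP_NR, 40000, 25),
    "smtpd -> proxy filter 127.0.0.1:10024": Packet("OUTPUT", "tcp", "127.0.0.1", "127.0.0.1", 40000, 10024),
    "smtp client -> remote MX :25": Packet("OUTPUT", "tcp", IP_NR, "198.51.100.10", 40000, 25),
    "LDAP lookup :389": Packet("OUTPUT", "tcp", IP_NR, "192.168.1.26", 40000, 389),
    "DNS lookup udp :53": Packet("OUTPUT", "udp", IP_NR, "192.168.1.26", 40000, 53),
}


def evaluate(rules) -> dict:
    """Map each flow name to the verdict its first (NEW) packet receives."""
    return {name: verdict(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("corrected", CORRECTED_RULES)):
        print(f"--- {label} rule set ---")
        for name, result in evaluate(rules).items():
            print(f"{result:7}{name}")
```

Under the posted rules two flows fall through to the OUTPUT DROP policy: the outbound connection of the `smtp` client to a remote MX (the posted "sending mail" rule expects source port 25 and a destination port of 1024 or higher, which is the server side's view of a connection, not the client side's), and the loopback connection `smtpd` opens to the proxy filter configured in the posted master.cf (127.0.0.1:10024), for which no NEW-state rule exists at all. Inbound SMTP, LDAP and DNS are accepted, which matches the report that everything except sending works.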
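A master.cf of this length hides shape errors easily, and Postfix decides whether a line continues the previous service purely by leading whitespace. The lint below is an added example, not code from the post or from Postfix: `SAMPLE_MASTER_CF` is a short excerpt transcribed from the posted master.cf, and the checks cover only the file's structure (field count and syntax of the seven fixed columns, duplicate service definitions, and that every `-o` is followed by a `name=value` token), not Postfix's own semantics. On the posted excerpt it reports the `pickup` option written with a colon instead of `=` and the `tlsmgr` service defined twice.

```python
"""Structural lint for a Postfix master.cf.

Added example, not part of the original post. SAMPLE_MASTER_CF is an excerpt
transcribed from the posted master.cf; the checks are about file shape only.
"""
import re

SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}
FLAG_VALUES = {"y", "n", "-"}          # private / unpriv / chroot columns
WAKEUP_RE = re.compile(r"-|\d+\??")    # e.g. '-', '60', '1000?'
MAXPROC_RE = re.compile(r"-|\d+")

# Constructed sample: excerpt of the posted master.cf, comments removed.
SAMPLE_MASTER_CF = """\
# excerpt of the posted master.cf
192.168.1.27:25    inet  n       -       n       -       50       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o content_filter=
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter:[127.0.0.1]:10024
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
dovecot   unix  -       n       n       -       10      pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
"""


def parse_master_cf(text):
    """Group lines into (lineno, fields, trailing tokens) per service entry.

    As in master(5), a line starting with whitespace continues the previous
    service line; blank lines and comments are skipped. Trailing tokens are
    everything after the seven fixed columns plus all continuation tokens,
    each paired with its line number.
    """
    entries, orphans = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            tokens = [(lineno, tok) for tok in raw.split()]
            if entries:
                entries[-1][2].extend(tokens)
            else:
                orphans.append(lineno)
            continue
        fields = raw.split()
        entries.append((lineno, fields, [(lineno, tok) for tok in fields[7:]]))
    return entries, orphans


def lint_master_cf(text):
    """Return one human-readable finding per problem, each prefixed with 'line N:'."""
    findings = []
    entries, orphans = parse_master_cf(text)
    findings += [f"line {n}: continuation line without a preceding service line" for n in orphans]
    seen = {}
    for lineno, fields, tail in entries:
        if len(fields) < 8:
            findings.append(f"line {lineno}: expected at least 8 fields (service type private "
                            f"unpriv chroot wakeup maxproc command), got {len(fields)}")
            continue
        name, stype, private, unpriv, chroot, wakeup, maxproc = fields[:7]
        if stype not in SERVICE_TYPES:
            findings.append(f"line {lineno}: unknown service type '{stype}'")
        for column, value in (("private", private), ("unpriv", unpriv), ("chroot", chroot)):
            if value not in FLAG_VALUES:
                findings.append(f"line {lineno}: {column} must be y, n or -, got '{value}'")
        if not WAKEUP_RE.fullmatch(wakeup):
            findings.append(f"line {lineno}: bad wakeup '{wakeup}'")
        if not MAXPROC_RE.fullmatch(maxproc):
            findings.append(f"line {lineno}: bad maxproc '{maxproc}'")
        key = (name, stype)
        if key in seen:
            findings.append(f"line {lineno}: service {name}/{stype} already defined at line {seen[key]}")
        else:
            seen[key] = lineno
        # every '-o' must be followed by a name=value token
        for i, (ln, tok) in enumerate(tail):
            if tok != "-o":
                continue
            if i + 1 >= len(tail):
                findings.append(f"line {ln}: '-o' without an option")
            elif "=" not in tail[i + 1][1]:
                findings.append(f"line {tail[i + 1][0]}: -o option '{tail[i + 1][1]}' "
                                f"is not of the form name=value")
    return findings


if __name__ == "__main__":
    for finding in lint_master_cf(SAMPLE_MASTER_CF) or ["no findings"]:
        print(finding)
```

Run it against a full master.cf by reading the file into `lint_master_cf`; an empty list means the file's shape is clean, which is a useful first gate before looking at Postfix's own log messages.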
