dovecot Outlook failure

Rick Stevens ricks at nerd.com
Fri Oct 24 17:21:59 UTC 2008


Karl Pearson wrote:
> On Thu, 23 Oct 2008, Rick Stevens wrote:
> 
>> Karl Pearson wrote:
>>> I'm in a client office, and they use Outlook. I installed a new server
>>> after theirs was hacked into from China (story for another time). I've
>>> installed Fedora 8 and everything is working, except dovecot from inside
>>> the network (it's not going to work from outside anymore :) ).
>>>
>>> If I sit at an XP PC and telnet 10.0.0.240 110 it just hangs for a while,
>>> then times out and ends up back at a DOS prompt. Same for 143 (IMAP).
>>>
>>> I can telnet 10.0.0.240 25 and send email all day long.
>>>
>>> I set up an Evolution account for both POP3 and IMAP on the server and it
>>> works fine.
>>>
>>> I have configured 2 other PCs with Fedora 8 in the last 2 months and
>>> they both work fine. What am I missing here?
>>
>> Uh, really dumb question, but did you "chkconfig dovecot on" to make
>> sure it starts on boot?  Did you start it via "service dovecot start"?
>> Does "netstat -lpn" show dovecot listening on ports 110 and 143?
> 
> No, that's not the least bit dumb. I didn't and it wasn't, but that 
> wasn't the problem because I did that pretty early on, and fixed it. The 
> server had been rebooted a few times since.
> 
> I did find the problem, though hadn't come across it before. It was 
> iptables not 'trusting' those services to be accessed from a remote IP 
> address. Thus, it worked on the server, but not from anywhere else. I 
> did iptables -F and turned it off. The server is behind a very nice 
> Linux-based firewall, and those services aren't NATted anyway. Only 25, 
> 80 and 22 are open, and 22 to root is forbidden. The old server had been 
> on a DMZ, with Samba and everything else open for the world to see.

Ah!  Yeah, that'd block them for sure.  iptables was going to be my next
question, but you beat me to it!  Heheheheheh!

> When I install other servers, I typically disable iptables from starting 
> at boot because I have my own scripts to do it for me.
> 
> With the information you gave in the last thread I started, I may be 
> re-thinking that strategy. It bit me big this time.

I'll help if I can.  I just finished my PCI-hardening stuff so I've got
a pretty good grip on security stuff now...iptables, external firewalls,
ssh restrictions, session timeouts, authentication and sudo off LDAP,
the lot.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- I never drink water because of the disgusting things that fish do  -
-                                  in it.                            -
-                                                      -- WC. Fields -
----------------------------------------------------------------------
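
The failure found in this thread (dovecot listening on 110 and 143 while iptables does not accept those ports from other hosts) can be spotted by comparing `netstat -lpn` with `iptables-save`, and opened with LAN-scoped rules rather than `iptables -F`. This is an added example, not part of the original messages: the sample outputs are constructed, the 10.0.0.0/24 subnet is assumed from the 10.0.0.240 address in the thread, and `blocked_ports` and `lan_allow_rules` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All sample output below is constructed, not taken from the thread's server.
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:25      0.0.0.0:*   LISTEN   1801/sendmail
tcp   0   0 0.0.0.0:110     0.0.0.0:*   LISTEN   2114/dovecot
tcp   0   0 0.0.0.0:143     0.0.0.0:*   LISTEN   2114/dovecot
tcp   0   0 127.0.0.1:631   0.0.0.0:*   LISTEN   1750/cupsd'

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Print TCP ports that listen on a non-loopback address but have no
# "--dport N ... -j ACCEPT" rule in INPUT. Simplification: only plain
# single-port ACCEPT rules are recognised (no multiport, no jumps to other chains).
blocked_ports() {   # $1 = `netstat -lpn` text, $2 = `iptables-save` text
    allowed=$(printf '%s\n' "$2" | awk '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            for (i = 3; i < NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
        }')
    printf '%s\n' "$1" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $6 == "LISTEN" {
            k = split($4, part, ":")
            if (part[1] == "127.0.0.1") next   # loopback-only, never remote-facing
            if (!(part[k] in ok)) print part[k]
        }'
}

# Read ports on stdin; print one rule per port that accepts it from the LAN only.
lan_allow_rules() {   # $1 = LAN CIDR (assumed value, adjust to the real subnet)
    while read -r port; do
        if [ -n "$port" ]; then
            echo "iptables -I INPUT -p tcp -s $1 --dport $port -j ACCEPT"
        fi
    done
}

# Show what is blocked, then the narrow rules that would open it.
blocked_ports "$SAMPLE_NETSTAT" "$SAMPLE_RULES"
blocked_ports "$SAMPLE_NETSTAT" "$SAMPLE_RULES" | lan_allow_rules 10.0.0.0/24
```

On a live host, feed the functions real data with `blocked_ports "$(netstat -lpn)" "$(iptables-save)"`; the generated rules are only printed, so they can be reviewed before being applied.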




More information about the Redhat-install-list mailing list