Sendmail help - dual homed NICs, w/IP forwarding

angelo l angelohl at hotmail.com
Fri May 13 21:24:09 UTC 2005


===========THE CONFIGURATION======(problem at bottom)


         *==Internet==*
               |
               |
         ______|____________________
         |  Firewall                |
         |21 open to 116.168.1.2    |
         |22 open to 116.168.1.2    |
         |25 open to 116.168.1.2    |
         |80 open to 116.168.1.2    |
         |110 open to 116.168.1.2   |
         |113 open to 116.168.1.2   |
         |__________________________|
               |
         ______|_______________________________
         |  Server                             |
         |Eth0 (116.168.1.2)                   |
         | (iptables - ipv4 forwarding enabled)|
         |Eth1 (10.12.1.1)                     |
         |_____________________________________|

1) I can ping the addresses from eth0 to 
eth1 and vice versa with no problem, and internet access from addresses on the 
eth1 subnet is no problem either.
2) On the server the only files I have edited are listed here (verbatim):

***/etc/mail/sendmail.cw contains:
mail

***/etc/mail/sendmail.mc contains:
divert(-1)dnl
dnl /etc/mail/sendmail.mc -- m4 source that is compiled into sendmail.cf.
dnl A line starting with dnl is a comment; a trailing dnl only swallows
dnl the newline so the generated .cf stays compact.
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
dnl Linux defaults for paths and mailers.
OSTYPE(`linux')dnl
dnl uid:gid sendmail runs deliveries as when no user is known
dnl (8:12 is mail:mail on a stock Red Hat system -- verify with /etc/passwd).
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl Give up on an outbound connect() after one minute.
define(`confTO_CONNECT', `1m')dnl
dnl If this host is the best MX for a domain, try the A record directly
dnl instead of treating it as a configuration error.
define(`confTRY_NULL_MX_LIST',true)dnl
dnl Do not add the eth0/eth1 addresses and names to class w automatically;
dnl every name this host accepts mail for must be listed explicitly
dnl (see local-host-names below).
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
dnl authwarnings: add X-Authentication-Warning headers on suspicious use;
dnl novrfy/noexpn: refuse the VRFY and EXPN commands (no address probing);
dnl restrictqrun: only root may run the queue with -q.
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl A: pass AUTH= to other servers only for authenticated senders.
define(`confAUTH_OPTIONS', `A')dnl
dnl Relaxes the permission check on the key file (group-readable allowed);
dnl only needed if that file really is group-readable.
define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl 0 disables ident (RFC 1413) lookups of connecting clients.
define(`confTO_IDENT', `0')dnl
dnl Enabling this removes the default MSA listener on port 587 (the stock
dnl Red Hat .mc ships this line commented out).
FEATURE(`no_default_msa',`dnl')dnl
dnl Restricted shell for program deliveries from aliases/.forward.
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
dnl Append the local domain to unqualified addresses on locally delivered mail.
FEATURE(always_add_domain)dnl
dnl Read the list of names this host accepts mail for from the file named
dnl by confCW_FILE. NOTE(review): the post edits both sendmail.cw and
dnl local-host-names; only the file confCW_FILE points at is read
dnl (local-host-names on current Red Hat) -- confirm which one applies here.
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
dnl Access map for per-host/per-sender relay and reject decisions
dnl (source: /etc/mail/access, shown later in the post).
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl Lets the access map also block individual recipients.
FEATURE(`blacklist_recipients')dnl
dnl smmsp is not rewritten by MASQUERADE_AS below.
EXPOSED_USER(`smmsp')dnl
dnl Relays for any domain whose MX record points at this host. Anyone can
dnl publish such an MX record, so this feature is widely cautioned against;
dnl listing the domains to relay for in the access map is the safer form.
FEATURE(`relay_based_on_MX')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl Outgoing sender addresses are rewritten to this domain.
MASQUERADE_AS(`mydomainname.com')dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl NOTE(review): no DAEMON_OPTIONS line appears in this listing, so the
dnl MTA would listen on every address; the stock Red Hat .mc carries one
dnl that restricts it to 127.0.0.1 -- confirm the real file matches.
MAILER(smtp)dnl
MAILER(procmail)dnl

***/etc/mail/access contains:
localhost.localdomain		RELAY
localhost			RELAY
127.0.0.1			RELAY
116.168.1.2			RELAY
mydomainname.com			RELAY
# mail.mydomainname.com			RELAY
cyberpromo.com			REJECT
spam at buyme.com			550 Spammers shan't see sunlight here

***/etc/hosts
127.0.0.1	localhost.localdomain	localhost
#116.168.1.2	mail.mydomainname.com		mail

***/etc/mail/local-host-names contains:
localhost
localhost.localdomain
server1.mydomainname.com


***/etc/named.conf contains:
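// rndc control channel: listens on the loopback address only, accepts
// connections only from localhost, and requires commands signed with
// rndckey (defined in the included /etc/rndc.key).
// (The original listing had the "THE PROBLEM" banner pasted into the
// middle of the address; "127.0.0.1" is the only reading that parses.)
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// NOTE(review): no "options" block is visible here, so it presumably lives
// in /etc/named.custom. That is where recursion and allow-query limits for
// the UDP 53 listener that iptables exposes to the Internet would be set
// -- confirm they are present.
include "/etc/named.custom";
include "/etc/rndc.key";

// Reverse zone for 127.0.0.x.
zone  "0.0.127.in-addr.arpa" {
	type master;
	file  "0.0.127.in-addr.arpa.zone";
};
// Reverse zone for 116.168.1.x, the eth0 network of the server.
zone  "1.168.116.in-addr.arpa" {
	type master;
	file  "1.168.116.in-addr.arpa.zone";
};
zone  "localhost" {
	type master;
	file  "localhost.zone";
};
// Forward zone for the mail domain. The deferred delivery in the log is
// addressed to localhost.localdomain.mydomainname.com; if the server
// resolves through this named, that name is answered from this zone's
// file (not shown) -- worth checking what it resolves to.
zone  "mydomainname.com" {
	type master;
	file  "mydomainname.com.zone";
};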


***/etc/init.d/iptables contains:
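# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Start from empty chains so the script can be re-run: without this a second
# run fails at "iptables -N okay" (chain already exists) and appends every
# rule a second time. -F keeps the DROP policies set above, -X removes the
# then-empty user chain, and the nat table is flushed for section (6).
iptables -F
iptables -X
iptables -t nat -F

# (2) User-defined chain for ACCEPTED TCP packets
# Accepts the opening SYN and packets of already-tracked connections;
# any other TCP packet sent here is dropped.
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules
## Rules for incoming packets from LAN
# The eth1 network is 10.12.1.0/24 (its broadcast address 10.12.1.255 is
# used below); the earlier /8 mask accepted all of 10.0.0.0/8 on eth1.
iptables -A INPUT -p ALL -i eth1 -s 10.12.1.0/24 -j ACCEPT
# Loopback packets carry one of this host's own addresses as source:
# 127.0.0.1, the eth1 address 10.12.1.1 or the eth0 address 116.168.1.2.
# (10.12.1.0 is the network address, so the original rule never matched.)
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.12.1.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 116.168.1.2 -j ACCEPT
# LAN broadcasts
iptables -A INPUT -p ALL -i eth1 -d 10.12.1.255 -j ACCEPT

## Rules for incoming packets from the Internet
# REJECT THESE JERKS from accessing anything (HACKERS):
# Placed before the ESTABLISHED,RELATED accept so it applies to every
# packet from these sources, not only to new connections.
iptables -A INPUT -p tcp -s 66.232.147.175 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 67.169.132.93 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.9.128.100 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.9.183.254 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 202.153.41.139 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s 210.51.188.113 -j REJECT --reject-with tcp-reset

# Packets for established connections
iptables -A INPUT -p ALL -d 116.168.1.2 -m state --state \
ESTABLISHED,RELATED -j ACCEPT

# TCP rules
# New connections on eth0 for the services the upstream firewall forwards:
# 21 ftp, 22 ssh, 25 smtp, 80 http, 110 pop3, 113 ident.
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 110 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay

# UDP rules
# 53: DNS queries for the zones served by named. NOTE(review): whether named
# also answers recursive queries from the Internet is decided in its own
# options, not here -- check the named configuration.
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
# 2074 and 4000: purpose not documented here -- confirm they are still needed.
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT

# ICMP rules
# 8 = echo request (ping), 11 = time exceeded (traceroute replies).
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD ip rules
# Accept packets I want to forward
# Anything arriving on the LAN side may be forwarded; from the Internet
# only packets belonging to connections the LAN already opened.
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (5) OUTPUT ip rules
# ONLY output packets with local addresses (NO spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.12.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 116.168.1.2 -j ACCEPT

# (6) POSTROUTING ip rules
# Rewrite the source of forwarded LAN traffic to the eth0 address.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 116.168.1.2
# uncomment the bottom for DHCP if it works first
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE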


===========THE PROBLEM=============
Mail is going out to the Internet, but no matter what account I use (i.e., 
freebee sites or otherwise), mail isn't coming in. When I review the mail 
server logs, I see it trying to be delivered:

May 12 17:24:10 SERVER1 sendmail[3883]: j49NiYov005141: 
to=<root at localhost.localdomain.mydomainname.com>, 
ctladdr=<root at SERVER1.mydomainname.com> (0/0), delay=2+21:39:17, 
xdelay=00:00:00, mailer=esmtp, pri=5880651, 
relay=localhost.localdomain.mydomainname.com., dsn=4.0.0, stat=Deferred: 
Connection timed out with localhost.localdomain.mydomainname.com.

What is going on???




