Date: Sat, 5 May 2007 21:31:38 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: setup on Linux behind DNAT (was: cannot get this to work)

Matt,

I'm afraid that you've posted this to the wrong list.  Your question has
almost nothing to do with popa3d; it is about general network services
and routing setup on Linux.  Since you appear to be setting this up on
Openwall GNU/*/Linux (Owl), you should have posted the question to
owl-users.  I am responding on popa3d-users for now since the question
was raised in here anyway, but you may want to move further discussion
to owl-users (please include an adequate amount of context if you do).

I've changed the Subject to be more descriptive.

On Thu, May 03, 2007 at 12:49:37AM -0600, matt mix wrote:
> I have been trying for a couple days now to successfully set up this popa3d 
> server to receive emails. I am using the basic out of the box openwall 
> configurations and I have modified the postfix main.cf file the best I can 
> and created a test user. I am able to locally connect and do a STAT w/ no 
> problem. I don't know if this is a routing issue or a configuration within 
> the postfix config files or not.

If you can connect "locally" (is that "telnet localhost 110"?) and "do a
STAT" (is that USER ..., PASS ..., then STAT?), then you have no problem
with the popa3d setup.

Yes, your problem could be with routing or the like.  No, it can't be
with Postfix, which provides the SMTP service, not POP3.

On Owl, the Postfix + popa3d setup should work almost out of the box -
all you need to do is enable and start the services:

	control postfix server
	chkconfig popa3d on
	service popa3d start

I'm not sure what you've edited in Postfix's main.cf.  About the only
thing you should have changed there is the "mydomain = ..." setting,
although in many cases even that is optional (if the domain name can be
correctly inferred from your hostname).

> iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 110 -j DNAT --to 192.168.1.153
> iptables -A forwarding_rule -i $WAN -p tcp --dport 110 -d 192.168.1.153 -j ACCEPT

This might be OK, but it is impossible to tell for sure without having
full context.  The "prerouting_rule" and "forwarding_rule" chain names
are not standard.  You must have other rules that would "jump" to those
chain names in order for them to be used.  For example:

	iptables -t nat -A PREROUTING -j prerouting_rule
	iptables -A FORWARD -j forwarding_rule

or you may just use the standard PREROUTING and FORWARD names directly.

> and I repeated the above for udp.

There was no need.  POP3 uses 110/tcp only.

> I checked my apache server and verified that it is working fine and 
> forwarding to another machine successfully, by connecting with a non-local 
> IP. However we cannot connect to the pop server via telnet or mail2web on 
> that external IP. No traffic showed up heading to port 110 either when I 
> looked for traffic on port 110 with wireshark locally.

This suggests that you have a problem with your DNAT setup for 110/tcp,
but not for 80/tcp.

Why don't you simply host these public services right on your router,
though (given that it's running Linux, too)?  You don't gain any
security by having traffic forwarded into your internal network like
that.  If you want greater security, then set up a DMZ separate from your
internal network (you'd need 3 NICs in your router) - or is that what
you're doing already, with the only reason for your use of DNAT being
the lack of another Internet-routable IP address?

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
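The reply's point that rules in a custom chain are never evaluated unless some rule in a built-in chain jumps to it can be checked mechanically. The following is an added example, not code from the thread or from Owl: a small Python checker that reads iptables-save output and lists user-defined chains that nothing in the same table jumps to. The dump is constructed to mirror the setup in the quoted message (including the unneeded UDP rule); the interface name eth0 stands in for $WAN.

```python
import re

# Constructed iptables-save output (not from the original post) mirroring the
# thread: the DNAT rules sit in a custom "prerouting_rule" chain that nothing
# jumps to, while "forwarding_rule" is correctly reached from FORWARD.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:prerouting_rule - [0:0]
-A prerouting_rule -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.153
-A prerouting_rule -i eth0 -p udp -m udp --dport 110 -j DNAT --to-destination 192.168.1.153
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:forwarding_rule - [0:0]
-A FORWARD -j forwarding_rule
-A forwarding_rule -i eth0 -p tcp -m tcp --dport 110 -d 192.168.1.153 -j ACCEPT
COMMIT
"""

def parse_dump(dump):
    """Return {table: (chains, rules)}: chains maps name -> policy ('-' marks a
    user-defined chain), rules is the list of '-A' rule strings in order."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat", "*filter": start of a table
            table = line[1:]
            tables[table] = ({}, [])
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            tables[table][0][name] = policy
        elif line.startswith("-A "):        # an appended rule
            tables[table][1].append(line[3:])
    return tables

def unreachable_chains(dump):
    """User-defined chains that no rule in the same table jumps to (-j/-g).
    Rules in such a chain are never evaluated, which is the mistake the reply
    warns about: a custom prerouting_rule chain needs a jump from PREROUTING."""
    result = {}
    for table, (chains, rules) in parse_dump(dump).items():
        targets = set(re.findall(r"(?:-j|-g|--jump|--goto)\s+(\S+)", "\n".join(rules)))
        result[table] = sorted(c for c, p in chains.items()
                               if p == "-" and c not in targets)
    return result

if __name__ == "__main__":
    print(unreachable_chains(SAMPLE_DUMP))  # {'nat': ['prerouting_rule'], 'filter': []}
```

Run it against real output with `iptables-save | python3 check_chains.py` after replacing the constructed SAMPLE_DUMP with `sys.stdin.read()`; an empty list for every table means each custom chain is actually wired in.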
