Mail server - Opening ports in the firewall
In the previous article, we installed and configured the basics of Courier. Now we need to open the ports in our firewall so we can access those services.
There are standard ports that are used to access most services.
For example, accessing a website generally uses port 80 for normal (HTTP) web pages and port 443 for secure (HTTPS) pages.
SMTP
SMTP generally uses port 25 for connections, although there are recommendations for port 587 (see the official documentation for details).
POP and POPS
POP and secure POP use ports 110 and 995 respectively.
IMAP and IMAPS
IMAP and secure IMAP use ports 143 and 993 respectively.
Iptables
Following on from the Slice setup, we need to edit the iptables.test.rules file to allow access to those ports. We will use port 25 for SMTP at the moment. You can change it as you see fit.
Open the test rules file:
sudo nano /etc/iptables.test.rules
Just before the HTTP and HTTPS entries add the following details:
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
Now we need to apply the new rules:
sudo iptables-restore < /etc/iptables.test.rules
Ok. Let's check the rules have been applied:
sudo iptables -L
The output from the command should include the following information:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
Well, that seems to tie in nicely with what we want.
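A pre-flight check for the rules file edited above, as an added example that is not part of the original article: it reports rules that sit outside a *filter ... COMMIT block (which makes iptables-restore reject the file) and mail-port ACCEPT rules that are missing or placed after a catch-all block. The function name lint_rules, the definition of a catch-all as a bare "-A INPUT -j REJECT" or "-A INPUT -j DROP", and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the article. Usage: lint_rules FILE PORT...
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
lint_rules() {
    file=$1; shift
    awk -v ports="$*" '
    BEGIN { n = split(ports, want, " ") }
    /^[ \t]*#/ || /^[ \t]*$/ || /^:/ { next }    # comments, blanks, chain policies
    /^\*/          { table = substr($1, 2); next }   # "*filter" opens a table
    $1 == "COMMIT" { table = ""; next }
    table == ""    { print "line " NR ": outside a *table ... COMMIT block"; bad = 1; next }
    $1 !~ /^-/     { print "line " NR ": not a rule or a # comment"; bad = 1; next }
    table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
    NF == 4 && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
        if (!catchall) catchall = NR             # first unconditional block (assumed form)
        next
    }
    {
        port = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target == "ACCEPT" && port != "" && !(port in at)) {
            at[port] = NR                        # first ACCEPT seen for this port
            if (catchall) late[port] = catchall  # it can never match: blocked earlier
        }
    }
    END {
        if (table != "") { print "missing COMMIT for *" table; bad = 1 }
        for (k = 1; k <= n; k++) {
            p = want[k]
            if (!(p in at)) { print "port " p ": no ACCEPT rule in INPUT"; bad = 1 }
            else if (p in late) {
                print "port " p ": ACCEPT (line " at[p] ") follows catch-all (line " late[p] ")"
                bad = 1
            }
        }
        exit bad + 0
    }' "$file"
}

# Constructed sample: the SMTP rule in a file with no *filter header or COMMIT.
sample=$(mktemp)
printf '%s\n' '# Allows SMTP access' '-A INPUT -p tcp --dport 25 -j ACCEPT' > "$sample"
lint_rules "$sample" 25 || echo "fix the rules file before running iptables-restore"
rm -f "$sample"
```

For the file in this article the call would be: lint_rules /etc/iptables.test.rules 25 110 995 143 993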
Permanent
Now we have tested the rules, we need to have them applied on a permanent basis.
You will need to have full root access for the next command so enter this:
sudo -i
This will place you in the root shell.
Now enter:
iptables-save > /etc/iptables.up.rules
Once done, type:
exit
This will place you back at the admin user's command prompt. Don't stay in the root shell.
Done.
Summary
Opening the default mail ports in our firewall has ensured we have access to the pop, pops, imap and imaps services we have configured and started.
Phew! Now we are ready to add users and domains to our MySQL database and start using the mail server.
The next article looks at that in detail.
PickledOnion


Article Comments:
Shawn commented Wed Sep 24 11:50:45 UTC 2008:
For smtp use I placed the line
under the similar line for port 25 for smtp. Otherwise I was unable to connect through Outlook for sending mail.
Shawn commented Wed Sep 24 11:52:55 UTC 2008:
OK, so it didn't post right, I'll have to play with markdown rules. Anyway, the line was:
-A INPUT -p tcp --dport 587 -j ACCEPT
hope that helps
Matías commented Thu Nov 13 22:15:42 UTC 2008:
Great article. Slicehost rocks!
Nuno commented Thu Dec 18 16:31:10 UTC 2008:
Thanks for the howto. It nearly works, except for the fact that it is refusing incoming connections on all the Courier ports.
Details here: http://forum.slicehost.com/comments.php?DiscussionID=2812&page=1#Item_1
If you may have a look, I'd be grateful.
Thanks, Nuno.
PickledOnion commented Fri Dec 19 10:59:08 UTC 2008:
Nuno,
Not sure what you may have wrong but the series works 'out of the box' - I have tested it again and again and have never had an issue.
I'm afraid that all I can suggest is going through the series line by line as you have something setup differently.
PickledOnion
Will commented Sat Jan 31 19:30:28 UTC 2009:
Isn't that last part, iptables-save > /etc/iptables.up.rules, supposed to be iptables-save > /etc/iptables.test.rules ?
PickledOnion commented Mon Feb 02 12:34:49 UTC 2009:
Will,
No. That is saving the rules to the 'permanent' rules file.
This is the file that is used when you reboot (assuming you have followed the Slice setup articles).
PickledOnion
Don commented Sat Mar 14 14:54:43 UTC 2009:
Ok, I have made it through the entire tutorial perfectly up until this point.
When I open the iptables.testrules there is nothing in there. I add the indication lines and then when I try to apply the rules it says: iptables-restore: line 2 failed
I have tried cutting and pasting the lines several times and typing them manually but with the same result each time. The data is being saved in the file when I exit it.
Any ideas?
Don
Don commented Sat Mar 14 15:31:27 UTC 2009:
Ok I wound up getting it to work by manually entering each line from the shell. iptables -A INPUT etc.......
Then it was all there and good. I'm still not sure what went wrong but this may help someone else.
Don
Will commented Thu Mar 26 15:37:07 UTC 2009:
Hey Don, That happened to me too. I found this site for help with that. They give you a standard iptables file, already filled out:
http://www.iheartlinux.com/2008/12/02/basic-iptables-configuration/
It worked for me. Cheers
Will
tmurphy commented Sat Apr 25 05:07:13 UTC 2009:
Having an issue with a multi-domain setup? I have 2 domains set up on my mail server (Ubuntu Hardy, Postfix, and Courier. Set up everything following PickledOnion's articles.) One is the primary domain and the MX records for both domains are set to point to it (let's call it mail.myprimarydomain.com). I can send and receive emails from the primary domain just fine. The secondary domain however, while able to send, can only receive emails from within its domain (users of the domain can email each other); it can also receive emails from Gmail and from Yahoo. But other external domains cannot send emails to the secondary, and get no bounce notification. Assistance greatly appreciated.
chovy commented Fri May 15 17:37:53 UTC 2009:
I decided to use port 587, but it needs to be changed somewhere else as well....
moped commented Fri May 29 17:02:28 UTC 2009:
chovy a simple google search shows where - /etc/postfix/master.conf and uncomment the submission line
Jonathan commented Wed Jul 15 19:29:33 UTC 2009:
Hi. When I enter: sudo nano /etc/iptables.test.rules nothing comes up. It is an empty file. Is this because I am using shorewall? If so, how do I configure shorewall to accept these ports?
Thanks!
Brian Armstrong commented Fri Jul 31 23:37:38 UTC 2009:
For anyone not getting "sudo -i" to work, just use "su" instead.
Mark commented Sun Sep 20 21:12:14 UTC 2009:
I know it's a basic point but after editing the iptables rules, restart the server for the changes to take effect.
Also, it's worth noting that the different SMTP ports are listed under different titles in the "state RELATED,ESTABLISHED" column. This is the case in Apache at least:
Port 587 displays as "Submission"
Port 465 displays as ssmtp
datakid commented Fri Sep 25 22:38:55 UTC 2009:
Pickled Onion, re Don's problem - is it that you need it to look like this?
*filter
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
COMMIT
around the
Svetlana commented Thu Oct 29 22:01:12 UTC 2009:
Thanks a lot to moped. It fixed my problem
Beverly G commented Wed Dec 16 08:18:18 UTC 2009:
I ran into this problem where my ISP is blocking port 25 from sending emails. I think this has become a common standard.. but anyhow. I wanted to keep port 25 open, but I wanted to also open up port 587 to use as an alternative but didn't want to change the postfix configuration. So I added this rule --
iptables -t nat -I PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
Then I just tested to make sure I could access through that port by using
telnet myserverip 587
Shoaib commented Sun Dec 20 23:01:53 UTC 2009:
Everything going fine up to this article. The problem: When I open the file /etc/iptables.test.rules and enter:
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
and save it and then run sudo iptables-restore < /etc/iptables.test.rules I get the error: iptables-restore: line 2 failed
chris commented Tue Aug 10 13:02:58 UTC 2010:
I was getting
iptables-restore: line 2 failed
and when I ran the command
sudo nano /etc/iptables.test.rules
The file was empty so I added a basic set-up from here
http://www.routermods.com/2008/12/02/basic-iptables-configuration/
and then continued with adding
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
The command
sudo iptables-restore < /etc/iptables.test.rules
worked correctly then and did not give any errors.
Bread commented Wed Nov 03 23:56:02 UTC 2010:
If you get "iptables-restore: line 2 failed:" TRY the following:
*filter
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
COMMIT