CSF, CC_ALLOW_FILTER and POSTFIX
Posted: 18 Oct 2014, 17:59
Hi.
I have a deployment using CENTOS, WEBMIN, POSTFIX and CSF firewall.
I manage CSF through the WEBMIN interface. Everything is perfect; all the rules are working fine.
Some time ago, I started using the CSF feature CC_ALLOW_FILTER, which looks like it is working fine too. However, I got a weird issue with POSTFIX mailing.
I used to limit access to my server to the USA and Canada only, so my CC_ALLOW_FILTER configuration was set to "US,CA". Then I started having some users from ITALY, so I needed to "unblock" that country too, and I changed that option to: "US,CA,IT"
After that, I tried to send emails to 2 different users (who use different IPs from ITALY, from 2 distant geo locations inside ITALY), but both of them are rejected with weird error messages in 'maillog' (I already investigated those error codes from the POSTFIX side, and none of the responses and troubleshooting tips have corrected those error codes).
The mails stay stuck in the "Mail Queue" of POSTFIX without being delivered, showing errors like:
--- status=deferred (connect to mail. SERVER . com [Italian recipient ipaddress]: Connection refused)
--- 451 Temporary local problem - please try later (in reply to RCPT TO command))
However, as soon as I DISABLE the CSF firewall, OR as soon as I disable the CC_ALLOW_FILTER option (deleting all countries in that field, allowing the firewall to work only with the regular TCP/UDP PORT filtering), ALL the QUEUED messages to ITALY start to flow and are delivered without issue.
This happens ONLY with ITALY IPs. It works with mail recipients from CANADA or the USA without any issue (while I keep using CC_ALLOW_FILTER with either "US,CA,IT" or just "US,CA"; it doesn't matter, it keeps delivering mails to US and CA fine).
So I ran some tests. For example, I took the IP of the Italian recipient and performed a "SEARCH" inside the CSF interface, and it gives this:
--------------------------------------
Searching for (ipnumber)...
Chain num pkts bytes target prot opt in out source destination
CC_ALLOWF 43103 0 0 RETURN all -- * * (ipnumber).0/20 0.0.0.0/0
-------------------------------------
The other IP:
Searching for (ipnumber)...
Chain num pkts bytes target prot opt in out source destination
CC_ALLOWF 44313 0 0 RETURN all -- * * (ipnumber).0/22 0.0.0.0/0
--------------------------------------
So it looks like the CSF setup is supposed to ALLOW requests from those IPs.
Also, I tested my domain on some public worldwide "PING" websites, and it looks like ITALY is allowed to ping me, as well as the USA and Canada:
Argentina - Buenos Aires (arbue01) Unknown host:
U.S.A. - Atlanta (usatl02) Packets lost (100%)
Australia - Sydney (ausyd02) Unknown host:
Canada - Vancouver (cavan02) Packets lost (100%)
Italy - Milan (itmil01) Packets lost (100%)
Indonesia - Jakarta (idjkt02) Unknown host:
India - Mumbai (inbom01) Not available
Italy - Padova (itpda01) Packets lost (100%)
Also, I tried changing SMTP_BLOCK, and switching it from 1 to 0 does not help either.
Other settings I have are:
SMTP_ALLOWLOCAL = 1
SMTP_PORTS 25,26,465
And of course, I have ports 25,26,465 under "TCP_IN" in the IPv4 Port Settings section.
I also checked the directory /var/lib/csf/zone and I see all my CC zones correctly:
us.zone it.zone ca.zone
EVEN if I WHITELIST those 2 Italian IPs specifically in csf.allow, it doesn't fix the problem; the mails still don't leave the QUEUE list. JUST disabling that CC_ALLOW_FILTER option or disabling the entire firewall is the only way to be allowed to send mails to ITALY.
So, my question is: have you heard whether there is something in POSTFIX that could be impacted while using this CC_ALLOW_FILTER option, or something I need to tweak differently in order to use that CC option while using POSTFIX on the same server? Why does it work only with US and CA? Why do the tests show everything is OK with those Italian IPs outside, but sending an email to this specific country gets queued unless I deactivate this function or disable the entire firewall?
I would appreciate your comments.
Thanks.