Zimbra and iptables problem

zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Zimbra and iptables problem

Post by zimico »

Dear all,
Today, my mail server stopped sending and receiving mail. After checking, I see that if I stop iptables then the mail flow works again. In the log file, there is a lot of info about not being able to access required services such as DNS, amavisd, etc., as the following:

Mar  2 09:18:52 mail postfix/smtp[18396]: 1E7E9202CE1: to=<abc@gmail.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=gmail.com type=MX: Host not found, try again)
or

Mar  2 23:57:11 mail amavis[5707]: (05707-11) (!)Requesting process rundown, task exceeded allowed time
Mar  2 23:57:11 mail postfix/smtp[4839]: EF436202C4E: to=<minhhoang@x.x.x>, relay=127.0.0.1[127.0.0.1]:10024, delay=289, delays=1.1/0.01/0/288, dsn=4.3.2, status=deferred (host 127.0.0.1[127.0.0.1] said: 421 4.3.2 Service shutting down, closing channel (in reply to RCPT TO command))
The result of dig:

[root@mail ~]# dig gmail.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 238
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com.                     IN      A

;; ANSWER SECTION:
gmail.com.              299     IN      A       216.58.199.5

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar  2 23:58:57 2018
;; MSG SIZE  rcvd: 43
My server info is:

[zimbra@mail ~]$ zmcontrol -v
Release 8.7.1_GA_1670.RHEL6_64_20161025035141 RHEL6_64 FOSS edition.
My iptables:

[root@mail ~]# iptables -nL --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x14
8    ACCEPT     tcp  --  x.x.x.x       0.0.0.0/0           state NEW tcp dpt:22
9    ACCEPT     tcp  --  y.y.y.y         0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     udp  --  x.x.x.x        0.0.0.0/0           state NEW udp dpt:161
11   ACCEPT     udp  --  y.y.y.y         0.0.0.0/0           state NEW udp dpt:161
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED tcp spt:53
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED udp spt:53
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7071
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9071
25   LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 6 level 6 prefix `DROP ON INPUT: '

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
I use this iptables config for another server without any issue. I hope that someone can give me advice on this issue.
Many thanks,
Last edited by zimico on Sat Mar 03, 2018 4:13 am, edited 1 time in total.
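Before comparing the two servers, it is worth reading what rule 25 actually logs: every packet that reaches it is about to hit the INPUT chain's DROP policy, and the kernel writes it to /var/log/messages with the `DROP ON INPUT: ` prefix. The script below is an added example (mine, not the poster's or Zimbra's code) that parses those kernel lines and groups the drops, so an admin can see whether the firewall is discarding loopback traffic between Postfix and amavisd on 127.0.0.1:10024 or replies from an upstream resolver, which is what the two deferred messages above point at. The sample log lines are constructed for the example; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges. One caveat on the listing as posted: `iptables -nL` without `-v` does not print interface matches, so whether rule 4 (ACCEPT all) is limited to `-i lo` cannot be read from this output; `iptables -nvL` shows the in/out interface columns.

```python
import re
import sys
from collections import Counter

# Prefix from the LOG rule in the posted ruleset (rule 25 of INPUT).
PREFIX = "DROP ON INPUT: "

# The kernel LOG target writes space-separated KEY=value fields; bare flags
# such as DF or SYN carry no "=" and are deliberately not captured.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (not real log data) in the format the kernel
# writes for the LOG rule: one loopback drop, one DNS reply drop, one
# unsolicited probe, and one unrelated postfix line that must be ignored.
SAMPLE_LOG = """\
Mar  2 23:57:01 mail kernel: DROP ON INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51522 DPT=10024 WINDOW=32792 RES=0x00 SYN URGP=0
Mar  2 23:57:02 mail kernel: DROP ON INPUT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.53 DST=203.0.113.10 LEN=73 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=41233 LEN=53
Mar  2 23:57:03 mail kernel: DROP ON INPUT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  2 23:57:04 mail postfix/smtp[4839]: EF436202C4E: to=<user@example.com>, relay=none, delay=0.01, status=deferred (Host or domain name not found)
"""


def parse_drop_line(line):
    """Return the KEY=value fields of one LOG line as a dict, or None when the
    line was not written by the rule with PREFIX. When a key repeats (LEN
    appears for both the IP and the UDP header) the last value wins."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(PREFIX):]))


def classify(fields):
    """Label a dropped packet by what a mail server's ruleset normally has to
    admit: loopback traffic between local daemons, replies from a DNS server
    (source port 53), or anything else (expected drops of unsolicited traffic)."""
    if fields.get("IN") == "lo":
        return "loopback"
    if fields.get("SPT") == "53" and fields.get("PROTO") in ("UDP", "TCP"):
        return "dns-reply"
    return "other"


def summarize(log_text):
    """Count drops per category and per (in-interface, protocol, dport).
    Returns (by_category, by_target) as two Counters."""
    by_category = Counter()
    by_target = Counter()
    for line in log_text.splitlines():
        fields = parse_drop_line(line)
        if fields is None:
            continue
        by_category[classify(fields)] += 1
        by_target[(fields.get("IN", ""), fields.get("PROTO", ""), fields.get("DPT", ""))] += 1
    return by_category, by_target


def report(log_text):
    """Render the summary as text, loopback and DNS drops first since those
    are the ones that break a mail server rather than protect it."""
    by_category, by_target = summarize(log_text)
    lines = ["drops by category:"]
    for cat in ("loopback", "dns-reply", "other"):
        lines.append("  %-10s %d" % (cat, by_category[cat]))
    lines.append("drops by (in, proto, dport):")
    for (iface, proto, dport), n in by_target.most_common():
        lines.append("  %-6s %-4s %-6s %d" % (iface, proto, dport, n))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python drops.py /var/log/messages   (defaults to the sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_LOG))
```

Any count in the loopback or dns-reply rows means the ruleset is dropping traffic the server itself generated or asked for, which is worth fixing before touching the public port list; the "other" row is the firewall doing its job.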
tonster
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: Zimbra and iptables problem

Post by tonster »

This is not a Zimbra problem. Sounds like you're blocking DNS requests, based on the limited logs you provided.

Sent from my SM-G950U using Tapatalk
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Zimbra and iptables problem

Post by zimico »

Dear,
Thanks for your comment. I will remove the LOGGING rule. BTW, this firewall configuration is based on Zimbra's wiki: https://wiki.zimbra.com/wiki/Firewall_Configuration
Many thanks,
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Zimbra and iptables problem - solved!

Post by zimico »

Dear,
Removing the logging rule does not solve the problem. There are some things very strange about Zimbra's behavior.
However, I managed to create a new IPTABLES configuration and it seems to fix the problem. The main point is that I apply the same rules for both the INPUT and FORWARD chains.
Regards,
tonster
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: Zimbra and iptables problem - solved!

Post by tonster »

zimico wrote: Dear,
Removing the logging rule does not solve the problem. There are some things very strange about Zimbra's behavior.
However, I managed to create a new IPTABLES configuration and it seems to fix the problem. The main point is that I apply the same rules for both the INPUT and FORWARD chains.
Regards,
Logging rules only log, so they wouldn't solve anything. This isn't a Zimbra issue at all, and the wiki you reference is a community contribution, not official Zimbra documentation. The relevant documentation on what ports need to be opened publicly vs. what is private is at https://wiki.zimbra.com/wiki/Ports. Only the things in the External access section should be considered for public access.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Zimbra and iptables problem

Post by zimico »

Dear tonster,
I misunderstood your previous comment about logs/logging. I am investigating this issue to try to figure out why, with the same iptables configuration, one server is OK and another server has a problem. As I mentioned, when I apply the same rules for both the INPUT and FORWARD chains, my Zimbra server seems to be OK now.

Best regards.