iptables/smtp/dns question

[chy at genuity.com (Chuck Young)]

Remember your DMZ is logically separated.  The only thing preventing
connections is software...

Does your qmail give you any errors, like "unable to resolve MX record for
X.com, deferring" or something like that?  The fact that nothing comes back
in on 53UDP could mean that the mail server's DNS queries go out, but the
answers aren't allowed back in.  Just a shot, but HTH.

---------------
Chuck Young
Security Consulting
Genuity E-Services
--------------------

-----Original Message-----
From: discuss-admin at blu.org [mailto:discuss-admin at blu.org]On Behalf Of
greenberg at hcfama.org
Sent: Friday, February 08, 2002 9:43 AM
To: discuss at blu.org
Subject: iptables/smtp/dns question


Hoping someone can help me clarify a problem I am having setting
up a firewall.

I want to put our mail server (qmail) behind an iptables-based
firewall as part of a dmz.  Our LAN uses a separate range of private
ips.  They are physically segregated running through separate NICs.

I tried it out last night.  I could send mail from the LAN to the mail
server.  I could pop mail from the LAN.  I could receive mail from
the internet. I could not send mail to the internet (the mail did get
to the server, but sat in the qmail queue).

In retrospect, I am wondering whether the problem was actually
DNS-related.  We use a DNS server OUTSIDE our network, i.e. on
the internet.  I was allowing traffic out on port 53 from the mail
server, but not allowing it in.  Would this have prevented SMTPD
from being able to resolve email addresses to ips, and thus
queuing the mail on the server?

Sorry for being long-winded, just trying to be clear...
_______________________________________________
Discuss mailing list
Discuss at blu.org
http://www.blu.org/mailman/listinfo/discuss