topic Can't get pop-3 working in Operating System - Linux

Can't get pop-3 working

Vernon Brown_3 — Thu, 29 Aug 2002 12:57:20 GMT

Reformatted and reinstalled RedHat 7.1 Linux on an HP 8500 running as a dedicated web server and firewall for my LAN. Sendmail works. ipop3 in xinetd.d is set to on. netstat -an shows port 110 listening. I can telnet to localhost 110 successfully but only when I am logged on to the server. Can't telnet to port 110 from the LAN. Can telnet Ok to port 25. Can send and receive email manually with telnet and the mail command.

How can I determine what is blocking remote access to port 110 ??

Many thanks in advance !!

Re: Can't get pop-3 working

Paul R. Dittrich — Thu, 29 Aug 2002 13:11:40 GMT

How is your firewall configured?
I don't believe that POP3 is allowed in any of the default firewall configs so you'll have to be explicit.

Paul

Re: Can't get pop-3 working

Vernon Brown_3 — Thu, 29 Aug 2002 13:31:02 GMT

Thaks Paul !
I'm using the default ipchains that installed with RH 7.1. I'm not sure where the config files are. I found ipchains in /etc/ipchains but am not sure how to format an entry to allow pop3.

1. How to format the ipchains entry ?
2. Is the ipchains in /etc the correct config file ?

Re: Can't get pop-3 working

Paul R. Dittrich — Thu, 29 Aug 2002 19:46:30 GMT

As I recall ipchains -L will list your current config.

For the details you want, try this URL:
http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

HTH,
Paul

Re: Can't get pop-3 working

Mark Fenton — Thu, 29 Aug 2002 23:16:09 GMT

Vernon, to allow pop3 you'll need to construct a ruleset similar to this:

ipchains -A input -p tcp --source-port 110 -j ACCEPT

with an optional specification as to on which interface the packet originates:

ipchains -A input -p tcp -i interface --source-port 110 -j ACCEPT

Recommend you look into any of the firewalling scripts that are out there -- watchdog, shorewall (iptables vice chains) and others. Check out http://freshmeat.net and search for ipchains firewall for more.

hth
Mark

Re: Can't get pop-3 working

Vernon Brown_3 — Fri, 30 Aug 2002 18:04:05 GMT

Thanks Mark, and Paul.

That got it working !

I found /etc/sysconfig/ipchains and added an entry for port 110 by copying the entry for port 80 and changing 80 to 110.

Mark; I ment to assign 10 points -- mouse slipped :( For some reason I have to submit twice before the points will appear on the messages.

Re: Can't get pop-3 working

Steven E. Protter — Tue, 10 Sep 2002 17:15:25 GMT

You SHOULD not use your port 80 ipchains entry as a template for popmail.

You want any user to access your web server, if its intent is a public server.

Do you want the entire world to be able to use popmail?

If you are letting your users access their mail from the outside, then you need full access, if however, you only let your users access their popmail while in the office or dialed in, restrict access to your local network.

For example, if your local network is 192, this would be the ipchains entry.

-A input -s 192.168.0.1/0 -d 192.168.0.1/0 110 -p tcp -y -j ACCEPT

-s is source, -d is where you want it to go, such as directing it through an Exchange server and whatnot. The exchange server will have to let the Linux box do relay.

I know, popmail can and should be configured to require an encrypted login, but there are security exploits and holes in the various products. Openning up this port to the public internet is a security risk.

I run and NSP and will have to open up things, but it will be on a IP address by IP address basis. Only IP's I authorize will be permitted to relay via popmail.

Steve

I do it one address at a time, so

Re: Can't get pop-3 working

Vernon Brown_3 — Tue, 10 Sep 2002 22:06:19 GMT

Thanks Steven; I do have a couple of users who are outside my local network and use my server for their email.

I do, however, need to restrict Telnet and FTP to the local network. Can you conjure up an entry that would do that ?? Would be a great help; now I have to turn off Telnet and FTP in /etc/xinetd.d and reboot and the ADSL-START in my script times out as many as six times before it gets connected.

Vern

Re: Can't get pop-3 working

Steven E. Protter — Wed, 11 Sep 2002 16:49:08 GMT

This whole thing is actually quite interesing.

Here is the bottom half of my ipchains config file.

-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

Notice whats missing. Nothing for port 21 ftp. Under these circumstances, a microsoft scripted ftp connection works, but a tool like ws_ftp won't connect.

Here is how I'd go about restricting access to telnet or ftp. I'm running an NSP, so I pretty much have to let users telnet in from anywhere, though I never use the root password from the outside for fear of it getting intercepted in clear text.

Change the port 23 line to this.
-A input -s 192.168.0.10/0 -d 0/0 23 -p tcp -y -j ACCEPT

My understanding is that should restrict telnet access in this case to a source address of 192.168.0.10, which is not public and could be any of your local IP addresses.

I've not tried this yet, but you should be able to authorize a range with this syntax.

-A input -s 192.168.0.10/20 -d 0/0 23 -p tcp -y -j ACCEPT

You can work with the -d(destination) parameter to restrict access to certain IP addresses.

For educational purposes, take a look at the port 53 entry, DNS. I'm doing my own DNS for my NSP, so this has to be wide open. To get the site to work, I had to authorize both udp and tcp. I'm not sure why that is, but it probably has something to do with how the client requests the name lookup.

I hope this helps. If you need something more direct or I've made a mistake, feel free to contact me through other means. If it helps, please assign me a point or two, I'm trying to be helpful but nobody seems to think I deserve a point.

Steve