Operating System - Linux

Vernon Brown_3
Advisor

Can't get pop-3 working

Reformatted and reinstalled RedHat 7.1 Linux on an HP 8500 running as a dedicated web server and firewall for my LAN. Sendmail works. ipop3 in xinetd.d is set to on. netstat -an shows port 110 listening. I can telnet to localhost 110 successfully but only when I am logged on to the server. Can't telnet to port 110 from the LAN. Can telnet Ok to port 25. Can send and receive email manually with telnet and the mail command.

How can I determine what is blocking remote access to port 110 ??

Many thanks in advance !!
8 REPLIES
Paul R. Dittrich
Esteemed Contributor

Re: Can't get pop-3 working

How is your firewall configured?
I don't believe that POP3 is allowed in any of the default firewall configs so you'll have to be explicit.

Paul
Vernon Brown_3
Advisor

Re: Can't get pop-3 working

Thanks Paul !
I'm using the default ipchains that installed with RH 7.1. I'm not sure where the config files are. I found ipchains in /etc/ipchains but am not sure how to format an entry to allow pop3.

1. How to format the ipchains entry ?
2. Is the ipchains in /etc the correct config file ?
Paul R. Dittrich
Esteemed Contributor

Re: Can't get pop-3 working

As I recall ipchains -L will list your current config.

For the details you want, try this URL:
http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

HTH,
Paul
Mark Fenton
Esteemed Contributor

Re: Can't get pop-3 working

Vernon, to allow pop3 you'll need to construct a ruleset similar to this:

ipchains -A input -p tcp --destination-port 110 -j ACCEPT

with an optional specification as to on which interface the packet originates:

ipchains -A input -p tcp -i interface --destination-port 110 -j ACCEPT

Recommend you look into any of the firewalling scripts that are out there -- watchdog, shorewall (iptables vice chains) and others. Check out http://freshmeat.net and search for ipchains firewall for more.

hth
Mark
Vernon Brown_3
Advisor

Re: Can't get pop-3 working

Thanks Mark, and Paul.

That got it working !

I found /etc/sysconfig/ipchains and added an entry for port 110 by copying the entry for port 80 and changing 80 to 110.

Mark; I meant to assign 10 points -- mouse slipped :( For some reason I have to submit twice before the points will appear on the messages.
Steven E. Protter
Exalted Contributor

Re: Can't get pop-3 working

You SHOULD not use your port 80 ipchains entry as a template for popmail.

You want any user to access your web server, if it is intended as a public server.

Do you want the entire world to be able to use popmail?

If you are letting your users access their mail from the outside, then you need full access; if, however, you only let your users access their popmail while in the office or dialed in, restrict access to your local network.

For example, if your local network is 192, this would be the ipchains entry.

-A input -s 192.168.0.0/24 -d 192.168.0.1/32 110 -p tcp -y -j ACCEPT

-s is source, -d is where you want it to go, such as directing it through an Exchange server and whatnot. The exchange server will have to let the Linux box do relay.

I know, popmail can and should be configured to require an encrypted login, but there are security exploits and holes in the various products. Opening up this port to the public internet is a security risk.

I run an NSP and will have to open up things, but it will be on an IP address by IP address basis. Only IPs I authorize will be permitted to relay via popmail.

Steve

I do it one address at a time, so
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Vernon Brown_3
Advisor

Re: Can't get pop-3 working

Thanks Steven; I do have a couple of users who are outside my local network and use my server for their email.

I do, however, need to restrict Telnet and FTP to the local network. Can you conjure up an entry that would do that ?? Would be a great help; now I have to turn off Telnet and FTP in /etc/xinetd.d and reboot and the ADSL-START in my script times out as many as six times before it gets connected.

Vern
Steven E. Protter
Exalted Contributor

Re: Can't get pop-3 working

This whole thing is actually quite interesting.

Here is the bottom half of my ipchains config file.

-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

Notice what's missing. Nothing for port 21 ftp. Under these circumstances, a Microsoft scripted ftp connection works, but a tool like ws_ftp won't connect.

Here is how I'd go about restricting access to telnet or ftp. I'm running an NSP, so I pretty much have to let users telnet in from anywhere, though I never use the root password from the outside for fear of it getting intercepted in clear text.

Change the port 23 line to this.
-A input -s 192.168.0.10/32 -d 0/0 23 -p tcp -y -j ACCEPT

My understanding is that should restrict telnet access in this case to a source address of 192.168.0.10, which is not public and could be any of your local IP addresses.

I've not tried this yet, but you should be able to authorize a range with this syntax.

-A input -s 192.168.0.10/20 -d 0/0 23 -p tcp -y -j ACCEPT

You can work with the -d (destination) parameter to restrict access to certain IP addresses.

For educational purposes, take a look at the port 53 entry, DNS. I'm doing my own DNS for my NSP, so this has to be wide open. To get the site to work, I had to authorize both udp and tcp. I'm not sure why that is, but it probably has something to do with how the client requests the name lookup.

I hope this helps. If you need something more direct or I've made a mistake, feel free to contact me through other means. If it helps, please assign me a point or two, I'm trying to be helpful but nobody seems to think I deserve a point.

Steve
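An added example, not code from any of the posters: a small first-match evaluator for rules in the /etc/sysconfig/ipchains format quoted in Steven's posts, so a ruleset can be checked offline before it is loaded. It covers the point of Mark's rule syntax and Steven's advice about restricting -s to the local network: a /0 mask such as 192.168.0.1/0 is a whole-address wildcard, and rule order decides the outcome. It assumes the server's address is 192.168.0.1 and that outside traffic arrives on eth0 (both constructed values).

```python
import ipaddress

def parse_rule(line):
    """Parse one /etc/sysconfig/ipchains line (only the options used in this thread)."""
    r = {"src": ipaddress.ip_network("0.0.0.0/0"), "dst": ipaddress.ip_network("0.0.0.0/0"),
         "sport": None, "dport": None, "proto": None, "iface": None, "syn": False, "target": None}
    toks, i = line.split(), 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            addr = "0.0.0.0/0" if toks[i + 1] == "0/0" else toks[i + 1]
            # strict=False applies the mask, so 192.168.0.1/0 silently becomes 0.0.0.0/0
            r[side] = ipaddress.ip_network(addr, strict=False)
            i += 2
            if i < len(toks) and toks[i][0].isdigit():   # optional port or lo:hi range
                lo, _, hi = toks[i].partition(":")
                r["sport" if side == "src" else "dport"] = (int(lo), int(hi or lo))
                i += 1
        elif t in ("-p", "-i", "-j"):
            r[{"-p": "proto", "-i": "iface", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        else:                      # -y matches SYN only; -A input is ignored
            r["syn"] = r["syn"] or t == "-y"
            i += 1
    return r

def verdict(rules, src, dport, proto="tcp", dst="192.168.0.1", iface="eth0", syn=True):
    """First matching rule wins, as in ipchains; otherwise fall back to a DENY policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        if r["proto"] and r["proto"] != proto: continue
        if r["iface"] and r["iface"] != iface: continue
        if r["syn"] and not (proto == "tcp" and syn): continue
        if s not in r["src"] or d not in r["dst"]: continue
        if r["dport"] and not r["dport"][0] <= dport <= r["dport"][1]: continue
        return r["target"]
    return "DENY"

# Constructed rulesets: a subset of Steven's file plus the two pop3 rules from the thread.
POP3_ANY = "-A input -s 192.168.0.1/0 -d 192.168.0.1/0 110 -p tcp -y -j ACCEPT"  # /0 = world
POP3_LAN = "-A input -s 192.168.0.0/24 -d 192.168.0.1/32 110 -p tcp -y -j ACCEPT"
BASE = ["-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT",
        "-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT",
        "-A input -s 0/0 -d 0/0 -i lo -j ACCEPT",
        "-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT"]
```

The `-i lo` rule is also why Vernon's telnet to localhost 110 worked while the LAN was refused: the loopback interface is accepted wholesale, and everything else on a privileged port falls through to the REJECT line unless an ACCEPT precedes it.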