Solved IPFW is blocking incoming emails to server

Hello,

recently I installed IPFW on the server. Everything seems to be fine but incoming emails.

When I enable the firewall it blocks incoming mails from external servers.

I am using FreeBSD 11.

Here are my firewall rules:

Code:
##############################
#  IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 61 allow udp from any to any 53 in setup keep-state
$cmd 62 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 72 allow tcp from any to any 443 in setup keep-state
$cmd 100 allow tcp from any to any 35000-35999 out setup keep-state
$cmd 110 allow tcp from any to any 465 in setup keep-state
$cmd 120 allow tcp from any to any 465 out setup keep-state
$cmd 130 allow tcp from any to any 993 in setup keep-state
$cmd 140 allow tcp from any to any 995 in setup keep-state

#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 04600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 04610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 04620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 04630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 04640 deny log logamount 50 tcp from any to any tcpflags syn,fin

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any
$cmd 04650 deny log logamount 50 tcp from any to any tcpflags syn,rst



I would appreciate your help.
 
I assume that you are talking about the port SMTP over TLS – 465. Are you sure that peers won't use the more common ports 25 or 587?

As a side note, you need to remove the setup directive from the udp rule #61, because udp packets do not have SYN and ACK bits in their packets, and ipfw(8) may inappropriately match such rules.
 
@obsigna

Thank you for your reply,

No actually the SMTP is working fine on Port 587 and 465. The problem is with incoming emails.

When I stop IPFW, all previous emails deliver successfully but as long as the firewall is on nothing.

I had to turn the firewall off because of this issue.

And regarding the UDP: Thank you very much, it's done!

Regards.
 
I assume that you are talking about the port SMTP over TLS – 465. Are you sure that peers won't use the more common ports 25 or 587?

As a fastmail user, I just drop by to say that, for example, fastmail does indeed use SMTPS by default, so I always have a TCP exception in output for 465 too ;)
 
@obsigna

Thank you for your reply,

No actually the SMTP is working fine on Port 587 and 465. The problem is with incoming emails.

When I stop IPFW, all previous emails deliver successfully but as long as the firewall is on nothing.

I had to turn the firewall off because of this issue.

And regarding the UDP: Thank you very much, it's done!

Regards.

Well then, as Kristof Provost, said already, you need to open port 25 for incoming SMTP.
 
Thank you for your reply.

Since this is not a shared server and port 25 is already blocked in our network, we are using port 587 instead; that is the reason we have blocked it.

Here are my latest IPFW rules, but still not successful:
Code:
##############################
#  IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 61 allow udp from any to any 53 in keep-state
$cmd 62 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 72 allow tcp from any to any 443 in setup keep-state
$cmd 100 allow tcp from any to any 35000-35999 out setup keep-state
$cmd 110 allow tcp from any to any 465 in setup keep-state
$cmd 120 allow tcp from any to any 465 out setup keep-state
$cmd 130 allow tcp from any to any 993 in setup keep-state
$cmd 140 allow tcp from any to any 993 out setup keep-state
$cmd 150 allow tcp from any to any 995 in setup keep-state
$cmd 160 allow tcp from any to any 995 out setup keep-state
$cmd 170 allow tcp from any to any 587 in setup keep-state
$cmd 180 allow tcp from any to any 587 out setup keep-state


#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 04600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 04610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 04620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 04630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 04640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 04650 deny log logamount 50 tcp from any to any tcpflags syn,rst


##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any


Your help is really appreciated
 
Since this is not a shared server and port 25 is already blocked in our network, we are using port 587 instead; that is the reason we have blocked it.
You mentioned that external servers couldn't send e-mail; are those servers part of your network and do they realize that the used SMTP port should be 587 instead of 25?

Because if you referred to random external mail servers then I don't think your setup is ever going to work. When sending e-mail, port 25 is the de facto standard, so if you block that port then how is an external server ever going to be able to drop off e-mail?
 
You mentioned that external servers couldn't send e-mail; are those servers part of your network and do they realize that the used SMTP port should be 587 instead of 25?

Because if you referred to random external mail servers then I don't think your setup is ever going to work. When sending e-mail, port 25 is the de facto standard, so if you block that port then how is an external server ever going to be able to drop off e-mail?
No, we can not receive email. It is not about sending email, it is about receiving.

As external servers I meant: Gmail, iCloud etc.

Sorry for not being clear.

Thank you
 
No, we can not receive email. It is not about sending email, it is about receiving.

As external servers I meant: Gmail, iCloud etc.
For that to work you will need to open port 25 for incoming connections, there's no way around it.

When a mail server sends e-mail it does so by trying to contact port 25 on a remote server in order to initiate the session. This is a known standard, see also /etc/services. You need to think these things through: your receiving action implies that the other side is performing a sending action. And to send e-mail you need to contact port 25.

So: as Kristof Provost already mentioned above: the solution to your problem is to open port 25.

(edit)

I'd also suggest that you study Chapter 28 of the FreeBSD handbook a bit more, it explains the e-mail process in pretty good detail.
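The three problems the thread walks through (a udp rule carrying setup, a rule numbered above the catch-all deny, and no allow rule for inbound TCP/25) can be checked mechanically before the rules are loaded. The script below is an added example, not code from the thread; RULES is a constructed subset of the first post's rule list, and the checks rely on ipfw evaluating rules in ascending rule-number order, not in script order.

```shell
#!/bin/sh
# Lint for an ipfw rule script of the shape posted in the thread (added example).
# RULES is a constructed subset of the first post's rules.
RULES='$cmd 10 allow all from any to any via lo0
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 61 allow udp from any to any 53 in setup keep-state
$cmd 110 allow tcp from any to any 465 in setup keep-state
$cmd 170 allow tcp from any to any 587 in setup keep-state
$cmd 999 deny log all from any to any
$cmd 04650 deny log logamount 50 tcp from any to any tcpflags syn,rst'

# Number of the first catch-all deny ("deny [log] all|ip from any to any").
catchall_rule() {
  printf '%s\n' "$RULES" | awk '$3=="deny" && $0 ~ / (all|ip) from any to any$/ {print $2+0; exit}'
}

# Rules numbered above the catch-all are never evaluated (rule 04650 in the first post).
unreachable_rules() {
  ca=$(catchall_rule)
  printf '%s\n' "$RULES" | awk -v ca="$ca" '$2+0 > ca {print $2+0}'
}

# "setup" matches TCP packets with SYN set and no ACK, so a udp rule carrying it never matches.
udp_setup_rules() {
  printf '%s\n' "$RULES" | awk '{u=0; s=0
    for (i=4; i<=NF; i++) { if ($i=="udp") u=1; if ($i=="setup") s=1 }
    if (u && s) print $2+0 }'
}

# Prints "yes" if an allow rule below the catch-all admits inbound TCP to port $1, else "no".
inbound_tcp_allowed() {
  ca=$(catchall_rule)
  printf '%s\n' "$RULES" | awk -v ca="$ca" -v p="$1" '
    $3=="allow" && $2+0 < ca {
      t=0; o=0; dst=""
      for (i=4; i<=NF; i++) { if ($i=="tcp") t=1; if ($i=="out") o=1; if ($i=="to") dst=$(i+2) }
      if (!t || o || dst !~ /^[0-9]+(-[0-9]+)?$/) next
      n=split(dst, r, "-")
      if ((n==1 && r[1]+0==p+0) || (n==2 && r[1]+0<=p+0 && p+0<=r[2]+0)) { found=1; exit }
    }
    END { print (found ? "yes" : "no") }'
}

echo "catch-all deny rule: $(catchall_rule)"
echo "unreachable rules: $(unreachable_rules)"
echo "udp rules with setup: $(udp_setup_rules)"
echo "inbound tcp/25 allowed: $(inbound_tcp_allowed 25)"
```

Point RULES at your own rule script (or pipe `ipfw list` through the same awk) to re-run the checks after each change.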
 