Koozali.org: home of the SME Server

Incoming POP blocked by ipchains?

Steven Beasley

Incoming POP blocked by ipchains?
« on: December 12, 2002, 08:34:13 PM »
I have a 5.5 server set up (default server/gateway config) and have recently set up a domain etc.  My problem is that the server seems unable to receive incoming mail on port 110.

I've tried telnetting to my ip on port 110 externally and the connection is refused, however if I try it from the box itself (telnetting to the external ip address), it's fine.  Outbound mail is fine.  qmail is running, and mail from internal accounts makes it to the POP server.  This only seems to affect mail (or any communication on 110) from the outside world.

I have not made any changes to ipchains, yet it seems it is blocked.  I'm not very good w/ipchains at all.  Any suggestions would be most appreciated!

Thanks!

-Steven

Steven Beasley

Re: Incoming POP blocked by ipchains?
« Reply #1 on: December 12, 2002, 08:38:57 PM »
Here is my config...

Chain input (policy DENY):
target     prot opt     source                destination           ports
icmpIn     icmp ------  anywhere             anywhere              any ->   any
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
denylog    tcp  ------  anywhere             anywhere              0:chargen ->$
denylog    udp  ------  anywhere             anywhere              0:chargen ->$
denylog    tcp  ------  anywhere             anywhere              any ->   0:c$
denylog    udp  ------  anywhere             anywhere              any ->   0:c$
DENY       all  ------  BASE-ADDRESS.MCAST.NET/4 anywhere              n/a
DENY       all  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  n/a
ACCEPT     tcp  ------  anywhere             localhost             any ->   www
ACCEPT     tcp  ------  anywhere             gaz.xenden.com        any ->   www
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   www
REDIRECT   tcp  ------  192.168.22.0/24      anywhere              any ->   www$
ACCEPT     all  ------  192.168.22.0/24      anywhere              n/a
ACCEPT     tcp  !y----  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   auth
ACCEPT     udp  ------  anywhere             66.89.51.211          any ->   113
ACCEPT     udp  ------  anywhere             anywhere              bootps:bootp$
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   ftp$
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   ftp
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   www
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   htt$
ACCEPT     ipv6-crypt------  anywhere             66.89.51.211          n/a
ACCEPT     udp  ------  anywhere             66.89.51.211          500 ->   500
ACCEPT     udp  ------  ntp-0.gw.uiuc.edu    anywhere              any ->   ntp
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   1723
ACCEPT     gre  ------  anywhere             66.89.51.211          n/a
ACCEPT     gre  ------  anywhere             66.89.51.211          n/a
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   smtp
ACCEPT     tcp  ------  anywhere             66.89.51.211          any ->   ssh
denylog    tcp  -y----  anywhere             66.89.51.211          any ->   mys$
DENY       udp  ------  anywhere             anywhere              any ->   rou$
DENY       tcp  ------  anywhere             anywhere              any ->   net$
DENY       udp  ------  anywhere             anywhere              any ->   net$
denylog    tcp  -y----  anywhere             66.89.51.211          any ->   squ$
ACCEPT     tcp  -y----  anywhere             66.89.51.211          ftp-data -> $
ACCEPT     tcp  ------  anywhere             anywhere              any ->   102$
ACCEPT     udp  ------  anywhere             anywhere              any ->   102$
denylog    all  ------  anywhere             anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.22.0/24      192.168.22.0/24       n/a
ACCEPT     all  ------  192.168.22.0/24      192.168.22.0/24       n/a
MASQ       all  ------  192.168.22.0/24      anywhere              n/a
DENY       all  ------  anywhere             anywhere              n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
icmpOut    icmp ------  anywhere             anywhere              any ->   any
-          tcp  ------  anywhere             anywhere              any ->   www
-          tcp  ------  anywhere             anywhere              any ->   ssh
-          tcp  ------  anywhere             anywhere              any ->   tel$
-          tcp  ------  anywhere             anywhere              any ->   ftp
-          tcp  ------  anywhere             anywhere              any ->   pop3
-          tcp  ------  anywhere             anywhere              any ->   smtp
-          tcp  ------  anywhere             anywhere              any ->   ftp$
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
DENY       all  ------  BASE-ADDRESS.MCAST.NET/4 anywhere              n/a
DENY       all  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  n/a
ACCEPT     icmp ------  192.168.22.0/24      anywhere              any ->   any
ACCEPT     all  ------  anywhere             192.168.22.0/24       n/a
ACCEPT     tcp  !y----  66.89.51.211         anywhere              ftp-data -> $
ACCEPT     tcp  !y----  66.89.51.211         anywhere              ftp ->   any
ACCEPT     tcp  !y----  66.89.51.211         anywhere              www ->   any
ACCEPT     tcp  !y----  66.89.51.211         anywhere              https ->   a$
ACCEPT     tcp  !y----  66.89.51.211         anywhere              smtp ->   any
ACCEPT     tcp  !y----  66.89.51.211         anywhere              ssh ->   any
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
Chain denylog (9 references):
target     prot opt     source                destination           ports
DENY       all  ------  anywhere             anywhere              n/a
Chain icmpIn (1 references):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              echo-reply
ACCEPT     icmp ------  anywhere             anywhere              destination-$
ACCEPT     icmp ------  anywhere             anywhere              source-quench
ACCEPT     icmp ------  anywhere             anywhere              time-exceeded
ACCEPT     icmp ------  anywhere             anywhere              parameter-pr$
ACCEPT     icmp ------  anywhere             anywhere              echo-request
denylog    all  ------  anywhere             anywhere              n/a
Chain icmpOut (1 references):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              echo-request
ACCEPT     icmp ------  anywhere             anywhere              echo-reply
ACCEPT     icmp ------  anywhere             anywhere              destination-$
ACCEPT     icmp ------  anywhere             anywhere              source-quench
ACCEPT     icmp ------  anywhere             anywhere              time-exceeded
ACCEPT     icmp ------  anywhere             anywhere              parameter-pr$
denylog    all  ------  anywhere             anywhere              n/a
Steven Beasley

Re: Incoming POP blocked by ipchains?
« Reply #3 on: December 12, 2002, 08:54:33 PM »
It's set to public... and that shouldn't matter.  I'm not talking about user access, incoming messages are not making it to the pop server.

Steven Beasley

Re: Incoming POP blocked by ipchains?
« Reply #4 on: December 12, 2002, 08:57:13 PM »
Problem resolved, it was temporarily set to private, thanks!

Dan Brown

Re: Incoming POP blocked by ipchains?
« Reply #5 on: December 12, 2002, 10:00:35 PM »
Yes, it should matter.  Port 110 is port 110, and the public/private setting controls access to (among other things) port 110.  Port 110 is user access, period--mail delivery would happen on port 25.  If you're not getting mail from the outside world, your problem has nothing to do with port 110; most likely, your ISP is blocking port 25.

Nuke

Re: Incoming POP blocked by ipchains?
« Reply #6 on: December 21, 2002, 07:06:38 PM »
I have been following similar threads for some time since I can't get incoming mail to work.

How do I definitively determine that my ISP is blocking port 25?  I have been told that the ISP doesn't block any ports.  I am not sure that I believe them.

What I have tried:
Check/read manuals.
Made sure that SME is set to public.
Tested webmail which works remotely to send.
Internal to the network, mail works.
Made a successful SSL connection from outside of the SME network.
Tried to connect to port 25 with SSL from outside the network expecting to get some response, but only received a time-out notice.
Tried samspade to get the nslookup mx information without success. This is a problem with me trying to get samspade to work. I am looking for a command line tool for Windows so I can use the commands I am used to using from MacOSX.
What else should I try to be certain that port 25 is blocked from the ISP?

Thanks in advance
Nuke

Nuke

Re: Incoming POP blocked by ipchains?
« Reply #7 on: December 21, 2002, 11:04:28 PM »
Finally got the nslookup to work

I used the following command: nslookup -q=mx myDynDNS.homelinux.com

The result received was:
Authoritative answers can be found from:
homelinux.com
        origin = ns1.dyndns.org
        mail addr = hostmaster.dyndns.org
        serial = 2002363959
        refresh = 10800 (3H)
        retry   = 1800 (30M)
        expire  = 604800 (1W)
        minimum ttl = 1800 (30M)
It's like mail isn't forwarding from the dynamic dns site???

This wasn't the result that I expected to receive.

Here is what I get within the network.

myDynDNS.homelinux.com    preference = 5, mail exchanger = main.myDynDNS.homelinux.com
myDynDNS.homelinux.com    nameserver = main.myDynDNS.homelinux.com
main.myDynDNS.homelinux.com       internet address = xxx.xxx.xxx.xxx

Dan Brown

Re: Incoming POP blocked by ipchains?
« Reply #8 on: December 22, 2002, 01:35:05 AM »
Ignore SSL--just try to 'telnet yourhost.com 25' from outside your LAN.  If it times out, it's 99% certain your ISP is blocking port 25.  If that times out, but you're able to connect to your web server, that probability increases to 100%.
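The reachability test Dan describes, written out as a small script so the three outcomes (connected, refused, timed out) are classified the same way every time. This is an added example, not code from the thread or from SME Server; the hostname and the 5-second timeout are placeholders, and it must be run from outside the LAN to say anything about the ISP.

```python
# Added example: codifies the port-25 vs port-80 check from the reply above.
# Run it from a host OUTSIDE the LAN; "yourhost.com" is a placeholder.
import socket
import sys


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt one TCP connect and return 'open', 'refused' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Packets reached the host; nothing (or a REJECT rule) answered on that port.
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        # e.g. network unreachable: for this diagnosis it behaves like a drop.
        return "timeout"


def diagnose(smtp_result: str, web_result: str) -> str:
    """Apply the rule of thumb from the thread to the two probe results."""
    if smtp_result == "open":
        return "port 25 reachable: inbound SMTP is not being blocked upstream"
    if smtp_result == "timeout" and web_result == "open":
        return "port 25 times out while port 80 connects: ISP block almost certain"
    if smtp_result == "timeout":
        return "port 25 times out and so does port 80: host may be down or unreachable"
    return "port 25 refused: host reached, nothing accepting on 25 (check qmail/firewall)"


def check_mail_host(host: str, smtp_port: int = 25, web_port: int = 80,
                    timeout: float = 5.0) -> str:
    """Probe SMTP and the web server on the same host, then classify."""
    return diagnose(probe(host, smtp_port, timeout), probe(host, web_port, timeout))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "yourhost.com"  # placeholder
    print(check_mail_host(target))
```

A DENY rule in the ipchains dump above drops silently, so a blocked port shows up as a timeout whether the filter is the ISP's or the server's own; comparing against port 80 on the same host is what separates the two.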