mail delivery queued after configuring linux firewall

[infomate]

Guys,

My ZCS has been working perfectly for a few days now with both web client and pop3 client access from the net.

I enabled and configured my linux server firewall (according to the wiki), I can send emails but the cannot receive.

I noticed that all incoming mails gets queued and not delivered to individual mail boxes.

My server is directly connected to the net with public IP (thats why I want to setup the firewall).

heres my port setings:
# Accept Zimbra ports
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 143 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 389 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 993 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 7993 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 995 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 7995 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 7071 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 7025 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 8080 --state NEW -j ACCEPT

Am I missing something? Do I need additional admin cnfiguration?

Robert

[phoenix]

If you followed the wiki article you seem to have missed port 22 & 161 that it also lists. What error messages are you seeing in the logs?

[uxbod]

Is the INPUT chain being tied down ? if not and you open up 22 and 161 to the world you may get a lot of nosey people probing your server

[infomate]

Sorry SSH is also open, I just did not think its necessary to for ZCS to work properly thats why i did not include it on the list.

I dont have active logging (which is my next problem). I can see the incoming emails on the admin site Mail Queues list under deferred column.

That means emails are reaching the server but it just cannot be delivered to the right box

Robert

[uxbod]

As Phoenix said in his previous post please check your Log Files - Zimbra :: Wiki as this should show why things are being deferred.

[phoenix]

Quote:

Originally Posted by infomate

Sorry SSH is also open, I just did not think its necessary to for ZCS to work properly thats why i did not include it on the list.

I dont have active logging (which is my next problem). I can see the incoming emails on the admin site Mail Queues list under deferred column.

That means emails are reaching the server but it just cannot be delivered to the right box

Robert

The likelihood is that you'll need a Split DNS set-up as you're behind the firewall, Postfix probably can't resolve the Zimbra server IP address.

[uxbod]

Quote:

Originally Posted by infomate

My server is directly connected to the net with public IP (thats why I want to setup the firewall).

If the server is on a public IP why would a split DNS be required ?

[Bill Brock]

If the mail is being queued, it's coming through the firewall. Since you say it's being queued but not delivered to the individual mailboxes, I don't think it's a firewall issue.

[infomate]

Thank you guys for the replies.

As I mentioned above that my log is not working, I was able to find out that under Fedora 8 the logger should rsyslog not syslog, after fiddling for a few days I finally got it to log.

Back to my main prob. As per Bill, I was thinking in the same line, that its not a firewall issue. But thats the only thing I did that caused the mails to get stuck in que. After re-doing the same 3 times (activating and deactivating the firewall) It suddenly worked with not problems.


Next question is, how robust would my system be, facing the net with public IP with just the linux firewall to defend it? should another router/firewall be necessary?

Are there other ways to harden zimbra?

Again thanks guys