Hein B.
03.07.07, 10:58
Hi,
I have already posted this problem from a different angle here (http://www.linuxforen.de/forums/showthread.php?t=238424).
In short: mail from t-online.com does not arrive, because after the EHLO no further reply from t-online gets through to my postfix.
By now I know for certain that the firewall settings are to blame for the problem.
However, I have no idea what I did wrong there ...
My firewall is a separate openBSD machine placed in front of the mail server.
Here is the pf.conf:
ext_if="sis0" # macro name fixed: the rules below reference $ext_if
ext_net="sis0:network"
int_if="sis1"
int_net="sis1:network"
trusted_mailsrv = "{ 194.25.134.0/24 }"
special = "*myNet*.157" # can do anything - see below
untrusted = "*myNet*.157" # block SSH to self from NAT addr
tunnel = "*myNet*.149" # allow SSH to tunnel-servers
priv_nets = "{ *myNet*.0/28 }"
provider = "{ *myNet*.0/24 }"
nat on $ext_if from !($ext_net) -> ($ext_if:0)
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block in log
pass out keep state
pass quick on lo
pass out quick on $int_if
pass in log on $int_if from $special keep state
pass in proto { icmp } keep state
pass from $trusted_mailsrv to any
pass in proto tcp from any to any user proxy keep state
pass in on $int_if from *myNet*.149/32 to *myNet*.157/32 keep state
pass out on $int_if from *myNet*.157/32 to *myNet*.149/32 keep state
pass in on $int_if inet proto { udp, tcp } to port domain keep state
pass in on $int_if inet proto tcp to !self port ssh keep state
pass in on $int_if inet proto tcp to port www keep state
pass in on $int_if inet proto tcp to port https keep state
pass in on $int_if inet proto tcp from any to any port 25 keep state
pass in on $int_if inet proto { udp, tcp } from any to any port ntp keep state
pass in on $int_if inet proto tcp from $int_net port www keep state
pass in on $int_if inet proto tcp from $int_net port https keep state
pass in on $int_if inet proto tcp from $int_net port smtp keep state
pass in on $int_if inet proto tcp from $int_net port ftp keep state
pass in on $int_if inet proto tcp from $int_net port ssh keep state
pass in on $ext_if inet proto { udp, tcp } from any to *myNet*.157 port 5900 keep state
block in on $ext_if inet proto tcp to self port ssh
pass in on $ext_if inet proto tcp to $tunnel port ssh keep state
pass in on $ext_if inet proto tcp from $provider to port ssh keep state
pass in on $ext_if inet proto tcp to port ftp keep state
pass in on $ext_if inet proto tcp to port www keep state
pass in on $ext_if inet proto tcp to port https keep state
pass in on $ext_if inet proto tcp from any to any port 25 keep state
pass in on $int_if proto tcp from any to self port ssh keep state
block in log on $int_if proto tcp from $untrusted to self port ssh
pass in on $ext_if proto { udp, tcp } to self port ntp keep state
pass in on $int_if inet proto udp to port 33434:33626
I'm pretty much at a loss - the mails only arrive when I switch the firewall off completely; even a
pass from 194.25.134.0/24 to any
doesn't help (194.25.134.0/24 is the t-online mailout network).
Does anyone have an idea?
Best regards,
Hein B.