Documentation request: Iptables for portmapping #565

Closed
arendvw opened this issue Apr 12, 2018 · 11 comments

@arendvw

arendvw commented Apr 12, 2018

The SMTP server does not support binding to multiple ports. Which is fine, but I've seen quite some issues on this in the issue tracker, and it took me some time to figure this out. Perhaps it's an idea to make a note of it in the documentation (even though you can argue firewall management is out of scope for Postal's documentation).

I think @willpower232's advice should be documented in the install docs; I would recommend adding the following to the section "Configuring Postal SMTP":

  1. It's recommended to always run your SMTP server on port 25.
  2. Use iptables (or ufw) to map additional ports.

These are my notes on the topic:

IPv4 Port mapping

/sbin/iptables -t nat -A PREROUTING -d 172.31.30.15 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.31.30.15:25
/sbin/iptables -t nat -A OUTPUT     -d 172.31.30.15 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.31.30.15:25

IPv6 Port mapping example:

/sbin/ip6tables -t nat -I PREROUTING -d e7a4:365f:b8bf:13b7::1 -p tcp -m tcp --dport 587 -j DNAT --to-destination [e7a4:365f:b8bf:13b7::1]:25
/sbin/ip6tables -t nat -I OUTPUT     -d e7a4:365f:b8bf:13b7::1 -p tcp -m tcp --dport 587 -j DNAT --to-destination [e7a4:365f:b8bf:13b7::1]:25

UFW IPv4 Port mapping

For ipv4, add to the top of /etc/ufw/before.rules:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 172.31.30.15 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.31.30.15:25
-A OUTPUT     -d 172.31.30.15 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.31.30.15:25
COMMIT

UFW IPv6 Port mapping

For ipv6, add to the top of /etc/ufw/before6.rules:

# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 2a01:4f8:1c0c:7c19::1 -p tcp -m tcp --dport 587 -j DNAT --to-destination [2a01:4f8:1c0c:7c19::1]:25
-A OUTPUT     -d 2a01:4f8:1c0c:7c19::1 -p tcp -m tcp --dport 587 -j DNAT --to-destination [2a01:4f8:1c0c:7c19::1]:25
COMMIT

Restart ufw to add the different rules:
service ufw restart

Don't forget to allow access to port 587:
ufw allow 587/tcp

@willpower232
Collaborator

My two cents would be that we didn't need to modify /etc/sysctl.conf to accomplish the port forwarding and that we use port 2525 to avoid the standard ports and therefore any confusion arising from expectations in client software.

Also we don't really work with IPv6 inbound at the minute, we have it connected for outbound traffic so I can't comment on that part.

@arendvw
Author

arendvw commented Apr 17, 2018

I've updated my comments for the sysctl conf.
@willpower232 How do you handle bounces? Don't you need the server available at port 25 in order to receive bounces / incoming e-mail? Or do you just map port 2525 to port 25, and communicate port 2525 to all your clients?

@willpower232
Collaborator

Using iptables means that the server is still listening on port 25 but also gets the traffic from 2525.

The server is still capable of receiving incoming email on the automated psrp addresses.

Using 2525 means our client websites are guaranteed to be able to send email using Postal.

Our sole use of Postal is transactional which means that bounces are pretty low overall.

@pjv

pjv commented Sep 27, 2019

I'm now running postal SMTP on port 25 and forwarding 2525 => 25, as I think @willpower232 is doing.

After googling around a bit, I'm now using the following simplified UFW rules at the top of both /etc/ufw/before.rules and also /etc/ufw/before6.rules:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 2525 -j REDIRECT --to-port 25
COMMIT

I'm doing this to avoid specifying particular IPs / interfaces in the ruleset because I've got several IPv4 and IPv6 addresses active and all pointing at the postal server.

Everything is working as expected, but if anyone knows of a reason that the above ruleset is problematic or a reason why the IPs / interfaces should be specified, please let me know.
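An added example (my script, not Postal's code and not something posted in this thread) that generates the ufw `*nat` block for both styles shown above: arendvw's DNAT rules pinned to one address, and pjv's address-free REDIRECT rules. It also inserts the block at the top of the rules file only once, so re-running it after a reboot or a config-management run does not stack copies of the rules. The marker comments, file names and addresses in the usage lines are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from Postal or from this thread. Renders the "*nat"
# block that ufw's before.rules / before6.rules expect for forwarding an extra
# SMTP port to 25, in either style from the thread:
#   dnat     - DNAT for one specific address (arendvw's rules)
#   redirect - REDIRECT on every local address (pjv's rules)
# and installs it once at the top of the file. Marker text, file names and
# addresses used below are assumptions for the example.

# render_nat_block FAMILY MODE EXTRA_PORT TARGET_PORT [ADDRESS]
#   FAMILY is 4 or 6, MODE is dnat or redirect. Prints the block on stdout.
render_nat_block() {
  family=$1; mode=$2; from=$3; to=$4; addr=$5
  case "$mode" in
    redirect)
      # REDIRECT rewrites the destination to the address of the interface the
      # packet arrived on, so it needs no address and covers every local IP.
      printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -p tcp --dport $from -j REDIRECT --to-port $to" \
        'COMMIT'
      ;;
    dnat)
      if [ -z "$addr" ]; then
        echo "dnat mode needs an address" >&2
        return 1
      fi
      # ip6tables takes the DNAT target as [addr]:port, iptables as addr:port.
      if [ "$family" = 6 ]; then dest="[$addr]:$to"; else dest="$addr:$to"; fi
      printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -d $addr -p tcp -m tcp --dport $from -j DNAT --to-destination $dest" \
        "-A OUTPUT     -d $addr -p tcp -m tcp --dport $from -j DNAT --to-destination $dest" \
        'COMMIT'
      ;;
    *)
      echo "unknown mode: $mode" >&2
      return 1
      ;;
  esac
}

# install_nat_block FILE BLOCK
#   Prepend BLOCK to FILE between marker comments. If the markers are already
#   present nothing is written, so re-running never duplicates the rules
#   (duplicates are functionally harmless, since DNAT/REDIRECT terminate the
#   chain, but they make the nat table and its counters confusing to read).
install_nat_block() {
  file=$1; block=$2
  begin='# BEGIN smtp-portmap (managed)'
  end='# END smtp-portmap (managed)'
  if [ -f "$file" ] && grep -qF "$begin" "$file"; then
    return 0
  fi
  tmp="$file.tmp.$$"
  {
    printf '%s\n' "$begin" "$block" "$end"
    if [ -f "$file" ]; then cat "$file"; fi
  } > "$tmp"
  mv "$tmp" "$file"
}

# Typical use (as root; then allow the extra port in ufw and `ufw reload`):
#   install_nat_block /etc/ufw/before.rules  "$(render_nat_block 4 redirect 2525 25)"
#   install_nat_block /etc/ufw/before6.rules "$(render_nat_block 6 redirect 2525 25)"
```

The two styles differ in scope rather than correctness: a `-d` DNAT rule applies to exactly one address, so a host with several IPv4 and IPv6 addresses needs one rule per address, while REDIRECT catches the extra port on every address the host owns, loopback included. The OUTPUT rule in the DNAT form only matters for connections the host opens to itself; inbound traffic is handled entirely by PREROUTING.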

@willpower232
Collaborator

As long as you're happy to receive SMTP connections on all the IP addresses, I don't think there's really a problem.

@afanjul

afanjul commented Dec 29, 2021

Hello, I've redirected the traffic on port 2525 to 25; however, how do I open that port? I mean, if I do a telnet to 2525 it doesn't respond at all. A simple iptables -t nat -L -n -v shows this:

Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            163.172.xxx.xxx      tcp dpt:2525 to:163.172.xxx.xxx:25

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 118 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            163.172.xxx.xxx      tcp dpt:2525 to:163.172.xxx.xxx:25

Chain POSTROUTING (policy ACCEPT 1 packets, 118 bytes)

What else do I have to do to make it work? Do I have to restart Postal or something? Refresh the iptables in any way?

@willpower232
Collaborator

Is Postal definitely listening on 163.172.xxx.xxx:25?

@afanjul

afanjul commented Dec 30, 2021

I think it's listening on all the interfaces/IPs; is it valid like that?

[screenshot of the listening sockets, not reproduced]

@willpower232
Collaborator

That seems to be correct, so there may be another firewall blocking your connection.

@afanjul

afanjul commented Jan 3, 2022

That seems to be correct, so there may be another firewall blocking your connection.

You were right @willpower232, I had another supervisor firewall...

Reviewing this issue, I have realised that SMTP is only listening on a tcp6 port (as you can see in the screenshot), unlike other services (sshd, beam.smp, epmd) that are listening on both protocols. Is that correct? Should I do/add anything in the smtp_config section?

Thanks

@willpower232
Collaborator

By default, listening on IPv6 listens on IPv4 as well, so there is no problem there.
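An added example (mine, not Postal's code and not from this thread) for the check the last few comments turn on: whether anything is actually accepting connections on the address and port the NAT rule points at. It reads `ss -ltn` output and applies the dual-stack rule stated above: a socket bound to the IPv6 wildcard (`[::]`, printed by some ss versions as `*`) also accepts IPv4 connections unless `net.ipv6.bindv6only=1`. The listing below is constructed for the example, and the addresses in it are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not code from Postal or this thread. Decides from `ss -ltn`
# output whether a LISTEN socket would accept a connection to a given
# address:port, including the dual-stack case where an IPv6 wildcard
# listener also serves IPv4 (unless net.ipv6.bindv6only=1).

# Constructed listing in the layout `ss -ltn` prints (not captured from a
# real host): sshd on both wildcards, an SMTP listener on the IPv6 wildcard
# only, a socket on one specific IPv6 address, and one on loopback.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       1024    *:25                 *:*
LISTEN  0       128     [2001:db8::1]:8080   [::]:*
LISTEN  0       1024    127.0.0.1:5000       0.0.0.0:*'

# listens_on LISTING ADDRESS PORT [BINDV6ONLY]
#   Prints "yes" if a LISTEN socket in LISTING would accept a connection to
#   ADDRESS:PORT, else "no". ADDRESS is a bare IPv4 or IPv6 address;
#   BINDV6ONLY defaults to 0, the Linux default.
listens_on() {
  listing=$1; want_addr=$2; want_port=$3; v6only=${4:-0}
  case "$want_addr" in *:*) want_fam=6 ;; *) want_fam=4 ;; esac
  printf '%s\n' "$listing" | awk -v addr="$want_addr" -v port="$want_port" \
      -v fam="$want_fam" -v v6only="$v6only" '
    $1 != "LISTEN" { next }
    {
      # Column 4 is Local Address:Port; the port follows the last colon.
      la = $4
      i = match(la, /:[0-9]+$/)
      if (i == 0) next
      p = substr(la, i + 1)
      a = substr(la, 1, i - 1)
      if (p != port) next
      # Drop the brackets ss puts around IPv6 addresses: [::] -> ::
      sub(/^\[/, "", a); sub(/]$/, "", a)
      if (a == addr) hit = 1
      else if (a == "0.0.0.0" && fam == 4) hit = 1
      else if ((a == "::" || a == "*") && (fam == 6 || v6only == 0)) hit = 1
    }
    END { if (hit) print "yes"; else print "no" }'
}

# On a live host: listens_on "$(ss -ltn)" 203.0.113.5 25
```

Run on the real host, a "yes" for the post-DNAT destination (the address and port 25) rules out the listener as the cause, which leaves the path to the host. The `pkts` column of `iptables -t nat -L -n -v` helps there: if the DNAT rule's counter stays at 0 after a connection attempt to the mapped port, the packet never reached PREROUTING at all, so the block is upstream of the machine (a provider or hypervisor firewall, as it turned out in this thread).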
