Iptables is blocking postfix when sending an email

email iptables postfix

My iptables is preventing my postfix server from sending emails.

A problematic mail.log line is:

Mar 1 06:19:44 server postfix/smtp[9744]: 3D62CA06CA9:
to=, relay=none, delay=42, delays=2.3/0.01/40/0,
dsn=4.4.3, status=deferred (Host or domain name not found. Name
service error for name=gmail.com type=MX: Host not found, try again)

I found another guy's explanation of how to fix this.

He proposed:

SERVER_IP="202.54.10.20"
DNS_SERVER="202.54.1.5 202.54.1.6"
for ip in $DNS_SERVER
do
    # DNS over UDP: queries out to the resolver, replies back in
    iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # DNS over TCP: same pair of rules
    iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done

Isn't there any simpler rule without using the IP?

Thank you very much.

Best Answer

Firewall paranoia doesn't really work if you don't even understand your firewall.

Just set the OUTPUT policy to ACCEPT and allow ESTABLISHED traffic back in.
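
The ruleset the answer describes, written out as an added example (not part of the original answer or of the script quoted in the question). The inbound ports 25 and 22 and the DROP policies on INPUT and FORWARD are assumptions of this example; no resolver or server IP is needed because replies are matched by connection state.

```shell
#!/bin/sh
# Added example: prints a filter table in iptables-restore format.
# OUTPUT policy is ACCEPT, so DNS lookups and outbound SMTP leave freely;
# INPUT only admits replies to those connections plus the listed TCP ports.
# Argument: space-separated inbound TCP ports (assumed default: 25 and 22).
stateful_ruleset() {
    ports="${1-25 22}"

    # Validate every port before printing anything, so a bad argument
    # never produces a partial ruleset.
    for port in $ports; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # New inbound connections are allowed only on the listed ports.
    for port in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    printf '%s\n' 'COMMIT'
}

# Usage (as root):
#   stateful_ruleset "25 22" | iptables-restore --test   # parse only, nothing applied
#   stateful_ruleset "25 22" | iptables-restore          # replaces the current filter table
```

Run the `--test` form first and keep the SSH port in the list when working over a remote session, since loading the ruleset replaces the existing filter rules.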
