Iptables rule to send email

Tags: iptables, sles

I have to send emails (and only send, not receive) from a linux server (SUSE Linux Enterprise Server 11) and I think I should add kind of the following rule to the iptables:

iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

But I am not quite sure, since my OUTPUT iptables rules suggest to me that with the current rules I should be able to send emails, but actually I can't.

These are my OUTPUT iptables rules:

Chain OUTPUT (policy ACCEPT XXM packets, XXM bytes)
 pkts bytes target     prot opt in     out     source               destination
  xxM   xxG ACCEPT     all  --  any    lo      anywhere             anywhere
  xxM   xxM SST-OUTPUT  all  --  any    any     anywhere             anywhere

I have always felt reluctant to change the rules in the bare iptables, but I think that if the default policy is "ACCEPT" I should be able to send emails just with the current rules, am I wrong?

The error I get is "Name service error for name=xxxxx.xxx type=MX: Host not found, try again", which makes me think that the problem must be in the /etc/resolv.conf or somewhere else.

The INPUT rules are:

Chain INPUT (policy DROP)
 target     prot opt in     out     source               destination
  ACCEPT     all  --  lo     any     anywhere             anywhere
  ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
  ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED
  ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp
  LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
  DROP       all  --  any    any     anywhere             anywhere

Note: I added the INPUT rule suggested by @Otheus in the 4th place.

Best Answer

Output policy is set to ACCEPT? Then there is no need to create an OUTPUT rule. Rather, you need an incoming rule to either (1) accept established connections or (2) accept non-syn packets from port 25. The first is preferred and is accomplished in Linux with:

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

If you want to be more restrictive, you add the port to the rule:

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -p tcp -m tcp --sport 25 -j ACCEPT

You can test with one of telnet, socat, nc, nmap. Also keep in mind, many times ISPs filter port 25 access (you have to use their own mail gateway -- done to eliminate SPAM). And smtp+ssl sometimes uses port 465 and other times 587.

Per your error, "Name service error", the actual problem is DNS resolution. The above rule will also handle that one, but again if you want to be more restrictive, the --sport is 53.
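An added example (not code from the question or the answer) that audits an `iptables -L INPUT` listing the way the answer reasons: it parses the chain in order and returns the verdict for the reply packet of an outbound connection, which shows why a generic RELATED,ESTABLISHED rule covers both SMTP (tcp/25) and DNS (udp/53) replies, while a chain that only has the restrictive --sport 25 rule lets SMTP replies in but drops DNS replies. Both listings are constructed for this example (the first reproduces the question's INPUT chain) and the parser assumes the non-verbose `iptables -L` column layout shown there.

```python
import re

# Constructed sample: the INPUT chain as listed in the question (packet counters omitted,
# LOG prefix shortened). The parser assumes this non-verbose `iptables -L` column layout.
QUESTION_CHAIN = """\
Chain INPUT (policy DROP)
 target     prot opt in     out     source               destination
  ACCEPT     all  --  lo     any     anywhere             anywhere
  ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
  ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED
  ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp
  LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning
  DROP       all  --  any    any     anywhere             anywhere
"""
# Constructed sample: only the answer's restrictive --sport 25 rule, no generic state rule.
STRICT_CHAIN = """\
Chain INPUT (policy DROP)
 target     prot opt in     out     source               destination
  ACCEPT     all  --  lo     any     anywhere             anywhere
  ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED tcp spt:smtp
  DROP       all  --  any    any     anywhere             anywhere
"""
SERVICE_PORTS = {"smtp": 25, "domain": 53, "submission": 587}  # names iptables -L prints

def parse_chain(listing):
    """Parse `iptables -L` text into (policy, rules), preserving chain order."""
    lines = listing.strip().splitlines()
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the chain header and the column header
        f = line.split()
        st = re.search(r"state ([A-Z,]+)", line)
        sp = re.search(r"spt:(\S+)", line)
        port = sp and (int(sp[1]) if sp[1].isdigit() else SERVICE_PORTS[sp[1]])
        rules.append({"target": f[0], "proto": f[1], "in": f[3], "sport": port,
                      "states": set(st[1].split(",")) if st else set()})
    return policy, rules

def reply_verdict(listing, proto, remote_port):
    """Verdict for the reply to an outbound proto/remote_port connection: it is conntrack
    ESTABLISHED, comes in on a non-loopback interface with source port == remote_port."""
    policy, rules = parse_chain(listing)
    for r in rules:  # first terminating target wins; LOG is non-terminating
        if (r["in"] == "lo" or r["proto"] not in ("all", proto)
                or (r["states"] and "ESTABLISHED" not in r["states"])
                or (r["sport"] is not None and r["sport"] != remote_port)):
            continue  # this rule does not match the reply packet
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy  # no terminating rule matched: the chain policy applies
```

Running `reply_verdict(QUESTION_CHAIN, "udp", 53)` returns ACCEPT, so with the question's chain the DNS replies are not being blocked by iptables and the resolver configuration is the place to look next.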