I have to send emails (and only send, not receive) from a Linux server (SUSE Linux Enterprise Server 11) and I think I should add something like the following rule to iptables:
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
But I am not quite sure, since my OUTPUT iptables rules suggest to me that I should already be able to send emails with the current rules, but actually I can't.
These are my OUTPUT iptables rules:
Chain OUTPUT (policy ACCEPT XXM packets, XXM bytes)
pkts bytes target prot opt in out source destination
xxM xxG ACCEPT all -- any lo anywhere anywhere
xxM xxM SST-OUTPUT all -- any any anywhere anywhere
I have always felt reluctant to change the rules in the bare iptables, but I think that if the default policy is "ACCEPT" I should be able to send emails just with the current rules. Am I wrong?
The error I get is: Name service error for name=xxxxx.xxx type=MX: Host not found, try again
which makes me think that the problem must be in /etc/resolv.conf or somewhere else.
The INPUT rules are:
Chain INPUT (policy DROP)
target prot opt in out source destination
ACCEPT all -- lo any anywhere anywhere
ACCEPT all -- any any anywhere anywhere state ESTABLISHED
ACCEPT icmp -- any any anywhere anywhere state RELATED
ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED tcp spt:smtp
LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- any any anywhere anywhere
Note: I added the INPUT rule suggested by @Otheus in the 4th place.
Best Answer
Output policy is set to ACCEPT? Then there is no need to create an OUTPUT rule. Rather, you need an incoming rule to either (1) accept established connections or (2) accept non-SYN packets from port 25. The first is preferred and is accomplished in Linux with:
If you want to be more restrictive, you add the port to the rule:
You can test with one of telnet, socat, nc, nmap. Also keep in mind, many times ISPs filter port 25 access (you have to use their own mail gateway -- done to eliminate spam). And SMTP over SSL/TLS sometimes uses port 465 and other times 587.
Per your error, "Name service error", the actual problem is DNS resolution. The above rule will also handle that one, but again if you want to be more restrictive, the --sport is 53.
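The two checks the answer boils down to, written up as an added example (this is not code from the question or the answer): does the INPUT chain let replies to outbound SMTP and outbound DNS back in before its catch-all DROP, and does /etc/resolv.conf name a resolver at all. The stateful "ACCEPT all ... ESTABLISHED" rule covers both, because conntrack tracks UDP flows as well as TCP, so the DNS answers from port 53 come back as ESTABLISHED; the narrower "tcp spt:smtp" rule in the question only covers the mail connection itself and does nothing for DNS. The functions read "iptables -L INPUT" output on stdin in the column layout shown in the question; the sample listings are constructed to mirror that chain, and the resolver address 192.0.2.53 is an assumption from a documentation range.

```shell
#!/bin/sh
# Added example, not from the question or the answer: offline checks for the
# two things the thread turns on, (1) whether an INPUT chain with a DROP
# policy lets replies to outbound SMTP and DNS back in, and (2) whether
# /etc/resolv.conf names a resolver at all.

# chain_lets_replies_in <proto> <service>   < "iptables -L INPUT" output
# Exit 0 if, before the first catch-all "DROP all", the chain has either the
# stateful "ACCEPT all ... ESTABLISHED" rule or a narrower ESTABLISHED rule
# for <proto> carrying "spt:<service>" (service as iptables prints it:
# smtp/domain without -n, 25/53 with -n). Exit 1 otherwise.
chain_lets_replies_in() {
    awk -v proto="$1" -v svc="$2" '
        /^Chain / || /^ *(pkts|target) / || NF == 0 { next }
        {
            # "iptables -L -v" prepends pkts and bytes columns; plain -L does not
            off = ($1 ~ /^[0-9]+[KMG]?$/) ? 2 : 0
            target = $(1 + off); prot = $(2 + off)
        }
        target == "DROP" && prot == "all" { exit }      # fell through to the catch-all
        target == "ACCEPT" && /ESTABLISHED/ &&
            (prot == "all" || (prot == proto && $0 ~ ("spt:" svc "( |$)"))) { ok = 1; exit }
        END { exit (ok ? 0 : 1) }
    '
}

# resolv_conf_has_nameserver   < /etc/resolv.conf
# Exit 0 if at least one uncommented "nameserver <address>" line is present.
# Postfix reports "Host not found, try again" for a temporary lookup failure
# (no answer or a timeout), which a missing or unreachable resolver produces.
resolv_conf_has_nameserver() {
    awk '
        /^[ \t]*nameserver[ \t]+[0-9A-Fa-f.:]+/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample listings, modelled on the INPUT chain in the question.
# This one has the stateful rule in third place, as in the question.
FIXED_INPUT_CHAIN=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt in  out source   destination
ACCEPT     all  --  lo  any anywhere anywhere
ACCEPT     all  --  any any anywhere anywhere state ESTABLISHED
ACCEPT     icmp --  any any anywhere anywhere state RELATED
ACCEPT     tcp  --  any any anywhere anywhere state RELATED,ESTABLISHED tcp spt:smtp
LOG        all  --  any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning
DROP       all  --  any any anywhere anywhere
EOF
)

# Same chain with only the narrow SMTP rule: mail replies get in, DNS replies do not.
SMTP_ONLY_INPUT_CHAIN=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt in  out source   destination
ACCEPT     all  --  lo  any anywhere anywhere
ACCEPT     icmp --  any any anywhere anywhere state RELATED
ACCEPT     tcp  --  any any anywhere anywhere state RELATED,ESTABLISHED tcp spt:smtp
LOG        all  --  any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning
DROP       all  --  any any anywhere anywhere
EOF
)
```

On the live box the same functions run against the real state, for example `iptables -L INPUT | chain_lets_replies_in udp domain` and `resolv_conf_has_nameserver < /etc/resolv.conf`; if the listing is taken with `-n`, pass the numeric service (`udp 53`, `tcp 25`) instead of the name. A chain that passes both checks and still produces "Host not found, try again" points at the resolver itself (unreachable nameserver, or an upstream filter on port 53) rather than at the firewall.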