# Cannot Send mail to net. [SOLVED]

## NotQuiteSane

subject says it all.

I believe my issue is with the firewall (using shorewall)

my error:

```
Aug  9 00:14:56 [postfix/qmgr] 69CF61FADC: to=<nqs@<deleted>>, relay=none, delay=0, status=deferred (delivery temporarily suspended: connect to 3dogs.homelinux.net[70.x.x.x]: Connection refused)
```

smtp rules:

```
teena% sudo cat /etc/shorewall/rules| grep -i SMTP
#       Example: Accept SMTP requests from the DMZ to the internet
#       ACCEPT  dmz     net       tcp   smtp
SMTP/DNAT       net     loc1:192.168.0.10       tcp     25
ACCEPT  loc1:192.168.0.10       net     tcp     25      25# smtp outbound
```

inbound smtp works, I just cannot send out to the world.

TIA,

NQS

----------

## massimo

I guess this rule doesn't look right, delete the last '25' and try again.

```
ACCEPT  loc1:192.168.0.10       net     tcp     25      25# smtp outbound
```

----------

## NotQuiteSane

ok, I'm still having trouble with this.  (re-)followed this

my config files:

```
[root@mike /root]# cat /etc/postfix/main.cf| grep -vh '^#' "$@" | grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = mike.3dogs.homelinux.net
mydomain = 3dogs.homelinux.net
mydomain = nqs.is-a-geek.net
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost,$mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relayhost = $mydomain
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_hostname
smtpd_client_restrictions = permit_mynetworks,reject_rbl_client relaays.orb.org
smtpd_recipient_restrictions= permit_mynetworks,reject_unauth_destination,permit
smtpd_sender_restrictions = permit_mynetworks,reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = no
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination,$transport_maps
[root@mike /root]#
```

```
[root@mike /root]# cat /etc/sasl2/smtpd.conf | grep -vh '^#' "$@" | grep -v '^$'
pwcheck_method:saslauthd
mech_list: plain login
[root@mike /root]#
```

```
[root@mike /root]# cat /usr/lib/sasl2/smtpd.conf | grep -vh '^#' "$@" | grep -v '^$'
pwcheck_method:saslauthd
mech_list: plain login
[root@mike /root]#
```

```
[root@mike /root]# cat /etc/conf.d/saslauthd | grep -vh '^#' "$@" | grep -v '^$'
SASLAUTH_MECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
[root@mike /root]#
```

```
[root@mike /root]# cat /etc/mail/aliases | grep -vh '^#' "$@" | grep -v '^$'
MAILER-DAEMON:      postmaster
postmaster:         root
adm:                root
bin:                root
daemon:             root
exim:               root
lp:                 root
mail:               root
named:              root
nobody:             root
postfix:            root
root:               nqs
abuse:              postmaster
ftp:                root
hostmaster:         root
news:               usenet
noc:                root
security:           root
usenet:             root
uucp:               root
webmaster:          root
www:                webmaster
[root@mike /root]#
```

and here's an excerpt from the log after i attempted to send mail to an external account

```
Sep 11 18:47:23 [postfix/virtual] fatal: bad string length 0 < 1: virtual_mailbox_base =
Sep 11 18:47:24 [postfix/master] warning: process /usr/lib/postfix/virtual pid 16336 exit status 1
Sep 11 18:47:24 [postfix/master] warning: /usr/lib/postfix/virtual: bad command startup -- throttling
Sep 11 18:47:35 [postfix/pickup] A23021E339: uid=1000 from=<nqs>
Sep 11 18:47:35 [postfix/cleanup] A23021E339: message-id=<20060912014735.GB15071@nqs.is-a-geek.net>
Sep 11 18:47:35 [postfix/qmgr] A23021E339: from=<nqs@mike.3dogs.homelinux.net>, size=1634, nrcpt=1 (queue active)
Sep 11 18:47:36 [postfix/smtp] connect to 3dogs.homelinux.net[67.42.50.114]: Connection refused (port 25)
Sep 11 18:47:36 [postfix/smtp] A23021E339: to=<nqs@tigger.tmcom.com>, relay=none, delay=0.44, delays=0.07/0.16/0.2/0, dsn=4.4.1, status=deferred (connect to 3dogs.homelinux.net[67.42.50.114]: Connection refused)
```

now, again, it seems to me to be a firewall issue, but I thought i had set up shorewall to allow all outgoing connections

```
[root@teena /root]# cat /etc/shorewall/rules| grep -vh '^#' "$@" | grep -v '^$'
SECTION NEW
SSH/ACCEPT loc1         all
SSH/ACCEPT loc2         all
SSH/ACCEPT dmz          all
SSH/DNAT   net:166.70.29.17     loc1:192.168.0.10
Ping/ACCEPT loc1        all
Ping/ACCEPT loc2        all
Ping/ACCEPT dmz         all
SMTP/DNAT       net     loc1:192.168.0.10       tcp     25
DNAT            net             loc1:192.168.0.10       tcp     6890:6999
ACCEPT  $FW     loc1:192.168.0.10       tcp     111
ACCEPT  $FW     loc1:192.168.0.10       udp
[root@teena /root]#
```

suggestions?  also, i've been considering it, would it help if i got a static ip?

NQS
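
The `main.cf` posted above sets `mydomain` and `smtpd_client_restrictions` twice. Postfix keeps only the last definition of a parameter, so the earlier `permit_sasl_authenticated, reject_unauth_destination` line has no effect. The following is an added example, not part of the original post: a shell function (`dup_params`, a name chosen here) that lists such duplicates, run on lines excerpted from that config.

```shell
# Added example (not from the thread). Postfix remembers only the last
# definition of a main.cf parameter; earlier ones are silently ignored.
# dup_params (hypothetical name) reads main.cf text on stdin and prints
# every definition of each parameter that is set more than once.
dup_params() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]/ {                               # leading whitespace continues the previous parameter
        if (name != "") val[name, n[name]] = val[name, n[name]] " " trim($0)
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) { name = ""; next }     # not a name = value line
        name = trim(substr($0, 1, eq - 1))
        if (!(name in n)) order[++count] = name
        n[name]++
        val[name, n[name]] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= count; i++) {
            p = order[i]
            if (n[p] < 2) continue
            for (j = 1; j <= n[p]; j++)
                printf "%s %s = %s\n", (j == n[p] ? "USED   " : "IGNORED"), p, val[p, j]
        }
    }'
}

# Sample input: lines excerpted from the main.cf posted above.
sample_main_cf() {
    cat <<'EOF'
myhostname = mike.3dogs.homelinux.net
mydomain = 3dogs.homelinux.net
mydomain = nqs.is-a-geek.net
relayhost = $mydomain
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks,reject_rbl_client relaays.orb.org
EOF
}

sample_main_cf | dup_params
# On a live system: dup_params < /etc/postfix/main.cf
```

`postconf -n` prints the values Postfix actually uses once this last-wins rule has been applied.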

----------

## massimo

You only allow connections from your subnet and you want to be able to access your email server from the outside of your subnet. I guess you have to change at least these two settings:

```
mynetworks_style = subnet
mynetworks = 192.168.0.0/24, 127.0.0.0/8
```

----------

## NotQuiteSane

Ok, I got sidetracked by a gcc update.  even with distcc, it took forever.

i changed mynetworks:

```
[root@mike /root]# cat /etc/postfix/main.cf| grep -vh '^#' "$@" | grep -v '^$' | grep mynetworks
mynetworks_style = class
mynetworks = 192.168.0.0/28, 192.168.1.0, 192.168.2.0, 127.0.0.0/8
```

however, now I get:

```
Oct 30 21:49:38 [postfix/smtp] connect to 192.168.0.1[192.168.0.1]: Connection refused (port 25)
Oct 30 21:49:38 [postfix/smtp] 350DF1FAA1: to=<nqs@deleted>, relay=none, delay=0.22, delays=0.15/0.07/0.01/0, dsn=4.4.1, status=deferred (connect to 192.168.0.1[192.168.0.1]: Connection refused)
```

complete (sanitized) /etc/shorewall/rules (on 192.168.0.1) looks like this:

```
[root@teena /root]# cat /etc/shorewall/rules| grep -vh '^#' "$@" | grep -v '^$'
SECTION NEW
SSH/ACCEPT loc1      all
SSH/ACCEPT loc2      all
SSH/ACCEPT dmz      all
SSH/DNAT   net:<deleted private ip>   loc1:192.168.0.10
Ping/ACCEPT loc1   all
Ping/ACCEPT loc2   all
Ping/ACCEPT dmz      all
SMTP/DNAT   net   loc1:192.168.0.10   tcp   25
DNAT      net      loc1:192.168.0.10   tcp   6890:6999
ACCEPT      loc1   all         tcp   3632
ACCEPT      loc2   all         tcp   3632
ACCEPT      dmz   all         tcp   3632
ACCEPT   $FW   loc1:192.168.0.10   tcp   111
ACCEPT   $FW   loc1:192.168.0.10   udp
[root@teena /root]#
```

```
[root@teena /root]# cat /var/log/everything/current | grep -i shorewall | grep -i smtp
```

returns nothing.  no error messages about dropping packets, nothing.

help, please.

NQS

----------

## NotQuiteSane

bump.

just moving back to page one.  hopefully someone will suggest the proper fix while I'm at work.

NQS

----------

## massimo

*NotQuiteSane wrote:*

> /snip
> ...

I'm not sure if this rule is responsible for your problem, but SMTP/DNAT implies tcp/25, so maybe putting this rule this way will solve your problem...

```
SMTP/DNAT   net   loc1:192.168.0.10
```

----------

## NotQuiteSane

*massimo wrote:*

> *NotQuiteSane wrote:*
>
> /snip
> ...

nope.  Connection still refused

NQS

----------

## NotQuiteSane

Solved.

I followed the advice of a friend, uninstalled all related files (except procmail & fetchmail), deleted all config files, and then re-installed

NQS

----------

