OK, I've had another look at iptables. The reason the counters weren't working in iptables when mail was sent was because, for whatever reason, msmtp decided to use an IPv6 address instead of IPv4. Running msmtp --debug proved this. I knew that building a dual stack was going to cause issues.

I've locked ip6tables to force msmtp to use an IPv4 address for testing purposes, and it seems that there's some weird stuff going on, but I'm no iptables expert. The only way I could get mail through the firewall was to use the multiport module and open the smtp port (25) *and* the submission port (587) in the output chain. Using either one on its own didn't work, but I only seem to need port 587 open on the input chain.

Then I noticed that the counters were working on the input chain but not on the output chain, even though mail was being sent. Looking at /etc/services I saw that there was a udp submission port 587; I don't know what its function is. I opened this port as well on the output chain and the counters started to record in both directions, but not on the udp port 587 rule itself. As I say, this seems really weird to me; it appears that I needed the udp port open to get the *other* counters recording, even though it doesn't record any traffic itself. If anybody has any comments I'd be grateful.

I'm not sure how much time I'll have to investigate further, as the bottom line is that mail is now being sent and recorded. I haven't set up logging yet but I will do when I have more time, and I'll be working on ip6tables, when I have a moment to spare, over the next couple of days. I should say that this is a very locked-down firewall with only the essential ports open on *both* input and output chains, with the standard policies of drop everything.

Richard
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
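For comparison with the per-port rules described in the post above, here is an added example (not Richard's ruleset, nor anything from the BLFS book) of a minimal stateful ruleset for the same situation: default DROP on INPUT and OUTPUT, msmtp sending over IPv4 to a relay on port 25 or 587. It uses the conntrack match so that the relay's replies are accepted, and counted, by a single ESTABLISHED,RELATED rule on INPUT instead of a per-port rule, and it allows the DNS lookups msmtp needs to resolve the relay. Port numbers, the log prefixes, the rate limit and the `IPT` variable are my assumptions for the example; set `IPT=echo` to print the commands instead of applying them, and run with the argument `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal stateful iptables
# ruleset for a host with DROP policies that must send mail with msmtp.
# Assumptions (hypothetical): relay reachable on tcp/25 or tcp/587, DNS on
# port 53. IPT selects the binary: iptables (default), ip6tables, or echo
# for a dry run that just prints the commands.
IPT="${IPT:-iptables}"

# Emit or apply the rules. With conntrack state matching, the relay's
# replies arrive on INPUT as ESTABLISHED, so no INPUT rule for 25 or 587
# is needed; the packet counters for replies show up on the state rule.
mail_rules() {
    # Loopback is always allowed (local resolver, local MTA tests)
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Return traffic for connections this host initiated, in both directions
    "$IPT" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS so msmtp can resolve the relay (udp first, tcp for large answers)
    "$IPT" -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # New outbound SMTP (25) or submission (587) connections only; tcp only,
    # as msmtp never speaks udp
    "$IPT" -A OUTPUT -p tcp -m multiport --dports 25,587 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited logging of whatever is about to hit the DROP policy,
    # so "mail does not go out" shows up in the kernel log with the port
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
    "$IPT" -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "

    # Default policies last, so nothing is cut off while the rules load
    "$IPT" -P INPUT  DROP
    "$IPT" -P OUTPUT DROP
}

# Per-rule packet and byte counters; run after "msmtp --debug ..." sends a
# test message and the ESTABLISHED rules should show the reply traffic.
show_counters() {
    "$IPT" -L -v -n -x --line-numbers
}

# Only apply when explicitly asked, so sourcing the file is harmless
if [ "${1:-}" = "apply" ]; then
    mail_rules
    show_counters
fi
```

The same function loads an equivalent IPv6 ruleset with `IPT=ip6tables`, which is the other half of the dual-stack problem mentioned above, with one caveat: on IPv6 a DROP policy must also let ICMPv6 through (neighbour discovery runs over it), otherwise the host cannot even reach its router, so add an `-p icmpv6 -j ACCEPT` rule to both chains before the policies when using ip6tables.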