Hi, Jasen:

We configured a smarthost with iptables to block all incoming port traffic. What is the rule which allows the local server to connect to the address 127.0.0.1:25?

Read the attached exim error log file and the current iptables configuration for details.

Regards,
Hal

On Sun, Aug 20, 2017 at 3:23 AM, Jasen Betts <[email protected]> wrote:
> On 2017-08-20, Ltc Hotspot via Exim-users <[email protected]> wrote:
>> Dear Exim Users:
>>
>> Is this a valid rule to authorize local access to Exim:
>> -A cP-Firewall-1-INPUT -s 127.0.0.1:25 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>>
>
> No, "-s 127.0.0.1:25" is wrong.
>
> "-s 127.0.0.1/8" probably makes the most sense.
>
> You may want to specify a destination address too, especially if your
> firewall is doing NAT for some of 127.0.0.0/8.
>
> Local access in a different way is by having execute permission on
> /usr/lib/sendmail.
>
> --
> This email has not been checked by half-arsed antivirus software
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
The service "exim" appears to be down.

Server: imap.dslcomputer.com
Primary IP Address: 97.74.13.78
Service Name: exim
Service Status: failed
Notification: The service "exim" appears to be down.
Service Check Method: The system failed to connect to this service's TCP/IP port.
Reason: Service check failed to complete
        Timeout while trying to connect to service: Died
Number of Restart Attempts: 180
Service Check Raw Output: The 'exim' service passed the check.

Startup Log
  Starting clamd: [ OK ]
  Starting exim: [ OK ]
  Starting spamd: (XID s7asa6) The "spamd" service is disabled. [FAILED]

Log Messages
  2017-08-19 22:38:04 exim 4.89 daemon started: pid=22409, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)
  2017-08-19 22:23:01 exim 4.89 daemon started: pid=19902, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)

Memory Information
  Used: 2.3 GB   Available: 1.69 GB   Installed: 4 GB

Load Information: 0.23 0.08 0.05
Uptime: 6 days, 9 hours, 51 minutes, and 41 seconds

IOStat Information
  avg-cpu:  %user  %nice  %system  %iowait  %steal  %idle
             0.17   0.04     0.04     0.01    0.00  99.74
  Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn

Top Processes
  PID    Owner       CPU %  Memory %  Command
  24256  root        0.58   0.10      sshd: root [priv]
  24278  root        0.54   0.31      /usr/local/cpanel/scripts/restartsrv_crond --check --notconfigured-ok
  24149  root        0.52   0.70      tailwatchd - chkservd - crond check
  7933   cpanelsolr  0.49   13.77     /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:NewRatio=3 -XX:SurvivorRatio=4 -XX:TargetSurvivorRatio=90 -XX:MaxTenuringThreshold=8 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 -XX:+CMSScavengeBeforeRemark -XX:PretenureSizeThreshold=64m -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=50 -XX:CMSMaxAbortablePrecleanTime=6000 -XX:+CMSParallelRemarkEnabled -XX:+ParallelRefProcEnabled -XX:-OmitStackTraceInFastThrow -verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/home/cpanelsolr/server/logs/solr_gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=9 -XX:GCLogFileSize=20M -Dsolr.log.dir=/home/cpanelsolr/server/logs -Djetty.port=8984 -DSTOP.PORT=7984 -DSTOP.KEY=solrrocks -Dhost=127.0.0.1 -Duser.timezone=UTC -Djetty.home=/home/cpanelsolr/server -Dsolr.solr.home=/home/cpanelsolr/server/solr -Dsolr.install.dir=/home/cpanelsolr -Xss256k -Dsolr.autoSoftCommit.maxTime=3000 -Dsolr.log.muteconsole -XX:OnOutOfMemoryError=/home/cpanelsolr/bin/oom_solr.sh 8984 /home/cpanelsolr/server/logs -jar start.jar --module=http
  24248  root        0.46   0.37      cPhulkd - processor - http socket

The chkservd process attempts to connect to "127.0.0.1:25" in order to validate that this service is functioning. If you blocked connections with iptables or the "Host Access Control" interface in WHM, this failure may be a false positive. To resolve this issue, either open the firewall to allow connections as the root user to "127.0.0.1:25" or disable checks for this service in WHM's "Service Manager" interface with the "Configure Monitor Settings" link below.

Configure Monitor Settings: https://imap.dslcomputer.com:2087/scripts/srvmng#service-chkservd
Configure chkservd: https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd
Disable HTML notifications: https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd_plaintext_notify

The system generated this notice on Sunday, August 20, 2017 at 5:53:07 AM UTC.
root@imap [/etc/sysconfig]# vim iptables

-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.210.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.151.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.219.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.206.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.27.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.158.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.172.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.36.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.155.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.130.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.213.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.247.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.218.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.129.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.205.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.222.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.62.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.68.193.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.60.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.154.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.229.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.26.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.28.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.118.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.142.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.144.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.147.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.152.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.162.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.5.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.7.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
COMMIT
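The rule Hal is after, worked through as an added example (this is not code from the thread, from cPanel or from Exim). Two things follow from the iptables file he posted: none of the per-/24 ACCEPT lines match a connection from 127.0.0.1, so chkservd's probe falls through to the final "--dport 25 -j DROP", and because a chain is evaluated top to bottom with the first match winning, an ACCEPT for loopback has to sit before that DROP, not be appended after it. The script builds on Jasen's "-s 127.0.0.1/8" plus a destination, and additionally pins the rule to the loopback interface with "-i lo", which is stricter than the thread's suggestion. The chain name cP-Firewall-1-INPUT and the file shape are from the thread; the function names, the sample rules file, "service iptables save" (a CentOS 6 style init, assumed from the /etc/sysconfig/iptables path) and the nc probe are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/Exim. Chain name
# cP-Firewall-1-INPUT and the /etc/sysconfig/iptables layout come from the
# thread; file paths, function names and the sample rules are assumptions.

# Corrected rule. "-s 127.0.0.1:25" from the question is not valid syntax:
# -s/-d take an address or CIDR only (and iptables rewrites 127.0.0.1/8 to
# 127.0.0.0/8 when it stores the rule). "-i lo" additionally limits the
# match to packets that really arrived on the loopback interface.
LOOPBACK_RULE='-A cP-Firewall-1-INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT'

# Return 1 if a candidate rule carries a ":port" on -s or -d, else 0.
check_rule_syntax() {
    if printf '%s\n' "$1" | grep -Eq -- '-(s|d) [0-9.]+:[0-9]+'; then
        return 1
    fi
    return 0
}

# Print the rules file with LOOPBACK_RULE inserted just before the first
# "--dport 25 -j DROP" line. First match wins in a chain, so an ACCEPT
# appended after that DROP would never fire. Exit 2 if no such DROP exists,
# because then the placement needs a human decision.
insert_loopback_rule() {
    awk -v rule="$LOOPBACK_RULE" '
        !done && /--dport 25 -j DROP/ { print rule; done = 1 }
        { print }
        END { if (!done) exit 2 }
    ' "$1"
}

# Print "ok" if the loopback ACCEPT precedes the port-25 DROP, else "bad".
check_order() {
    accept=$(grep -n -- '-i lo .*--dport 25 -j ACCEPT' "$1" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- '--dport 25 -j DROP' "$1" | head -n 1 | cut -d: -f1)
    if [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]; then
        echo ok
    else
        echo bad
    fi
}

# Constructed sample in the shape of the thread's file, cut to three rules
# (the /24 is one of the thread's). Loopback traffic matches neither ACCEPT
# and falls through to the DROP, which is what chkservd reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
COMMIT
EOF
FIXED=$(mktemp)
insert_loopback_rule "$SAMPLE" > "$FIXED"

# On the live box (as root; defined but not run here): -C first so the rule
# is not duplicated, -I ... 1 puts it at the head of the chain, then persist
# and re-probe the port the way chkservd does. "service iptables save"
# assumes a CentOS 6 style init; adjust for your distribution.
apply_live() {
    iptables -C cP-Firewall-1-INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 2>/dev/null ||
        iptables -I cP-Firewall-1-INPUT 1 -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    service iptables save
    nc -z 127.0.0.1 25 && echo "port 25 reachable from loopback"
}
```

Usage: run the script as-is to see the rewritten file in "$FIXED", or run `insert_loopback_rule /etc/sysconfig/iptables > /tmp/iptables.new`, diff it against the original, and only then copy it into place and restart iptables; `apply_live` is the equivalent for a running ruleset. Editing the saved file alone changes nothing until the rules are reloaded, and inserting the rule with `-I` alone is lost at the next reboot unless it is also saved.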
