On 2011-07-08 Jeffrey Starin wrote:
> When I turn off the firewall (which I am loath to do) to my VPS I am
> able to use the command smtp_bind_address just fine.
> Otherwise, with firewall turned on, I am getting these time out
> errors in my maillog files:
> Jul 7 13:00:04 who postfix/pickup: 1F3274160009: uid=10003
> Jul 7 13:00:04 who postfix/cleanup: 1F3274160009:
> Jul 7 13:00:04 who postfix/qmgr: 1F3274160009:
> from=<blablabla@mydomain>, size=996, nrcpt=1 (queue active)
> Jul 7 13:00:34 who postfix/smtp: connect to
> 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)
> Jul 7 13:00:34 who postfix/smtp: 1F3274160009:
> to=<email@example.com>, relay=none, delay=32, delays=1.9/0.01/30/0,
> dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:
> Connection timed out)
> I cannot find in the following list of rules (which is the default
> iptables policy for the hosting company I use) what is causing the
> connection timed out issue. If someone sees something please advise
> what needs to be done. I am at my wits end with this problem. Thank
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp
Almost 400 rules with tons of duplicates in them? You gotta be kidding.
Nobody's gonna bother checking these (unless they have A LOT of free
time on their hands).
Seriously, clean your ruleset (or rather: rebuild it from scratch)
before you try anything else.
As Harald already pointed out: for connections to localhost something

    iptables -A INPUT -i lo -j ACCEPT

is perfectly fine. And unless you have rather strict security
requirements (in which case your ruleset would allow far fewer protocols
to begin with), you can simply accept everything in the OUTPUT chain:

    iptables -P OUTPUT ACCEPT
Also, when posting your tables somewhere, use "iptables -nL" rather than
just "iptables -L".
-- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky
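The following is an added example, not code from this thread or from the Postfix project. It shows the two things the reply asks for: finding the duplicates in a saved "iptables -nL" listing, and rebuilding a minimal ruleset that accepts loopback traffic and leaves OUTPUT open. The function names and the sample listing are my own constructions; it only reads and prints text, so it needs no root. One caveat: "iptables -nL" does not show the in/out interface columns, so two lines that look identical here may still differ in "-i"/"-o"; confirm with "iptables -nvL" or "iptables -S" before deleting anything.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a saved "iptables -nL"
# listing for duplicate rules and chain policies, and emit a clean minimal
# ruleset in iptables-restore format. Function names and sample data are
# my own assumptions.

# Constructed sample listing, modelled on the layout of "iptables -nL":
# chain header, column header, then one rule per line. It contains two
# rules listed twice in INPUT and an OUTPUT chain that drops by default.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
'

# Read a listing on stdin; print every rule text that occurs more than
# once within the same chain, as "<count>x <chain> | <rule>".
find_duplicate_rules() {
    awk '
        /^Chain /  { chain = $2; next }   # remember which chain we are in
        /^target / { next }               # column header line
        NF == 0    { next }               # blank line between chains
        { count[chain " | " $0]++ }
        END {
            for (k in count)
                if (count[k] > 1)
                    print count[k] "x " k
        }
    ' | sort
}

# Read a listing on stdin; print the default policy of the named chain,
# or "missing" if that chain does not appear.
chain_policy() {
    awk -v want="$1" '
        $1 == "Chain" && $2 == want { gsub(/[()]/, "", $4); print $4; found = 1 }
        END { if (!found) print "missing" }
    '
}

# Emit a minimal filter table for "iptables-restore": loopback and
# established traffic accepted, ICMP accepted, the given TCP ports
# accepted, everything else inbound dropped, and OUTPUT left open as the
# reply suggests. Choosing INPUT DROP (rather than ACCEPT) is my
# assumption; the explicit loopback rule plus the open OUTPUT chain is
# what lets Postfix reach 127.0.0.1 whatever the other rules say.
minimal_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Demo run on the constructed listing (for a real box: iptables -nL > rules.txt).
echo "== duplicate rules =="
printf '%s' "$SAMPLE_DUMP" | find_duplicate_rules
echo "== OUTPUT policy: $(printf '%s' "$SAMPLE_DUMP" | chain_policy OUTPUT)"
echo "== minimal ruleset for SSH and SMTP =="
minimal_ruleset 22 25
```

To apply the generated ruleset, save it to a file and load it with iptables-restore; a quick "iptables -S | sort | uniq -d" gives the same duplicate check directly from the live rules, interfaces included.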