Koozali.org formerly Contribs.org

XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube

« on: February 22, 2020, 07:25:25 PM »
Let's say you only want to allow users to have access to their email accounts from the US.

I have added in XTABLES-ADDONS ssmtpd Reject if != US.
Then I log in to Roundcube and attempt to send a message, and I get an SMTP error.
From var/log/iptables -- grep GeoIP current |tai64nlocal
2020-02-21 16:41:13.764761500 Feb 21 16:41:13 Mysvr01 GeoIP BAN: ssmtpd IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00  SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=33772 CE DFTO=TCP SPT=49108 DPT=465 SEQ=3527349124 ACK=0 WINDOW=65495 SYN URGP=0

Then I checked, on the off-chance, Maxmind might have a country code for loopback..
geoiplook-country 127.0.0.1
Could not find an entry for this IP address (127.0.0.1)

Any Solutions?


Sending emails does still work from email clients - Thunderbird, Outlook, mobile phones, etc.
But of course, those are configured to use DNS names.
 

ReetP
Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #1 on: February 22, 2020, 07:38:24 PM »
You can't have a lookup for a private/reserved address as they could be used anywhere.... think - 127.0.0.1 is in every computer....

Please open a bug and I'm sure Michel will look at it
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #2 on: February 22, 2020, 08:08:31 PM »
Thank you ReetP,
  I submitted Bug 10881.
Understood on loopback. But Maxmind has other strange codes listed like JOBS INFO MUSEUM. It was just an Off-Chance that there was already a solution for local/private addresses.

ReetP
Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #3 on: February 22, 2020, 08:31:04 PM »
NP. Yes I saw the bug thanks. Sure Michel will follow up.

My guess is local addresses should be excluded by default as they are not resolvable on the internet in general so can't have a geo location either.

Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #4 on: February 23, 2020, 06:35:07 PM »
Sending Also works ok from Horde with ssmtpd Reject if != US

If we are asking XTABLES to exclude loopback.
iptables -nL |grep 127.0.0.1 = no results

I wanted to figure out why Roundcube and not Horde were affected.
A bit of research and grepping around.
/etc/e-smith/templates/etc/roundcubemail/config.inc.php/30IMAP:    {$OUT .= "   \$config['default_host'] = 'ssl://$DomainName';\n";}
/etc/e-smith/templates/etc/roundcubemail/config.inc.php/40SMTP:// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
/etc/e-smith/templates/etc/roundcubemail/config.inc.php/40SMTP: {$OUT .= "   \$config['smtp_server'] = 'ssl://localhost';\n";}


Why is 30IMAP using $DomainName,
and why is 40SMTP using localhost?

Why not just have both use $DomainName?

So I did that.
/etc/e-smith/templates-custom/etc/roundcubemail/config.inc.php/40SMTP
And changed line to
{$OUT .= "   \$config['smtp_server'] = 'ssl://$DomainName';\n";}


Reloaded roundcube
signal-event roundcube-update


And voilà! It works!

ReetP
Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #5 on: February 23, 2020, 06:42:20 PM »
That should go on the bug really.

Localhost... because the application (not user) is local.

It depends how the application utilises the setting.

If it is strictly for the mail server then both could use localhost.

If it is also used to, say, set up some other parts of the application then it may need the local domain name.

Needs some closer inspection most likely.

Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #6 on: February 23, 2020, 07:13:06 PM »
ReetP,
   I copied this on the xtables bug 10881, but this also is a Roundcube issue.
Should I start a second bug for Roundcube and reference 10881 ?

ReetP
Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #7 on: February 23, 2020, 07:29:26 PM »
Try to be careful and don't conflate issues.

Work out what's happening with xtables first.

Remember, you need a login with IMAP wherever you are, but sending SMTP doesn't if you are 'local'.

They are not the same thing.

Re: XTABLES Ssmtpd Reject if (!=) blocks 127.0.0.1 example Roundcube
« Reply #8 on: February 24, 2020, 07:37:36 AM »
Hi,

I answered in bugzilla.
I am not sure we have to handle packets of localhost there in xt_geoip.
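
Added example, not part of the thread and not code from the xtables contrib: a Python script that scans log lines in the "GeoIP BAN" format shown in the first post and reports bans whose source is loopback, private or link-local, i.e. traffic that a "reject if != country" rule drops only because the address has no country at all. The sample lines, the function names and the range labels are constructed for this example.

```python
import ipaddress
import re

# Constructed sample lines in the format shown in the first post.
# 203.0.113.25 is a documentation address standing in for a routable client.
SAMPLE_LOG = """\
Feb 21 16:41:13 Mysvr01 GeoIP BAN: ssmtpd IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=49108 DPT=465 SYN
Feb 21 16:42:02 Mysvr01 GeoIP BAN: ssmtpd IN=eth0 OUT= SRC=203.0.113.25 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51544 DPT=465 SYN
Feb 21 16:43:40 Mysvr01 GeoIP BAN: ssmtpd IN=eth1 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40022 DPT=465 SYN
Feb 21 16:44:00 Mysvr01 kernel: unrelated SRC=10.0.0.1 DPT=22
"""

BAN_RE = re.compile(
    r"GeoIP BAN: (?P<service>\S+) IN=(?P<iface>\S*) "
    r".*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)"
)

# Ranges that are reused on every network, so no GeoIP database can map
# them to a country; a "reject if != CC" rule therefore always matches them.
NO_COUNTRY_NETS = {
    "loopback": ["127.0.0.0/8", "::1/128"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
}

def classify(src):
    """Return the range label for a source address, or None if routable."""
    addr = ipaddress.ip_address(src)
    for label, cidrs in NO_COUNTRY_NETS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return label
    return None

def unlocatable_bans(log_text):
    """List GeoIP bans whose source could never have matched a country."""
    hits = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            label = classify(m["src"])
        except ValueError:  # malformed SRC field
            continue
        if label:
            hits.append((m["service"], m["iface"], m["src"], int(m["dpt"]), label))
    return hits

if __name__ == "__main__":
    for hit in unlocatable_bans(SAMPLE_LOG):
        print("ban on %s via %s from %s port %d (%s)" % hit)
```

Hits on IN=lo point at a local application such as the webmail described above talking to the mail service on the same host, not at a remote client.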