[Dovecot] Setting up webmail in DMZ
I have a Smoothwall server on my network and am running three network interfaces off it.
- local LAN 192.168.0.0 with PCs and an internal dovecot server on 192.168.0.154.
- internet interface
- DMZ 192.168.2.0 which has a linux web server 192.168.2.1 on which I want to install a webmail so I can access my email remotely.
Originally 192.168.2.1 couldn't see the 192.168.0.0 network but with some help from the Smoothwall forums I have fixed that. The problem now is that 192.168.2.1 can't connect to the dovecot server on 192.168.0.154. When I "telnet 192.168.0.154 993" or "telnet 192.168.0.154 143" I get a "Connection refused" error. But these commands work fine from PCs on the 192.168.0.0 network.
I'm pretty sure there's no firewall on the dovecot server and /etc/hosts.allow and /etc/hosts.deny are empty.
Is there a default setting that I need to change in Dovecot that only allows connections from machines on the same subnet?
--- On Mon, 9/8/10, Phill Edwards philledwards@gmail.com wrote:
From: Phill Edwards philledwards@gmail.com
Subject: [Dovecot] Setting up webmail in DMZ
To: dovecot@dovecot.org
Date: Monday, 9 August, 2010, 7:14
I have a Smoothwall server on my network and am running three network interfaces off it.
- local LAN 192.168.0.0 with PCs and an internal dovecot server on 192.168.0.154.
- internet interface
- DMZ 192.168.2.0 which has a linux web server 192.168.2.1 on which I want to install a webmail so I can access my email remotely.
Originally 192.168.2.1 couldn't see the 192.168.0.0 network but with some help from the Smoothwall forums I have fixed that. The problem now is that 192.168.2.1 can't connect to the dovecot server on 192.168.0.154. When I "telnet 192.168.0.154 993" or "telnet 192.168.0.154 143" I get a "Connection refused" error. But these commands work fine from PCs on the 192.168.0.0 network.
I'm pretty sure there's no firewall on the dovecot server and /etc/hosts.allow and /etc/hosts.deny are empty.
Is there a default setting that I need to change in Dovecot that only allows connections from machines on the same subnet?
Phil,
Looks like a routing / firewall problem to me. Normally, once you've installed a piece of hw, be that a mail server or a web server, the following applies:
- From the local area to the DMZ: any node can access _any_ service (smtp/pop3/http/https etc.) inside the DMZ.
- From the outside world to the DMZ: only selected services can be accessed that are configured by the admin from the firewall interface. So if you want port 25 to be visible from the outside world, you will have to define a port-forwarding rule for the machine inside the DMZ.
- From the DMZ to the local area network: most services would seem blocked (ping, telnet, ssh, DNS etc.). However, this is not true. Selected services from the DMZ to the LAN are accessible.
I really don't think this is a dovecot error. However I would check the following:
- Any dovecot configuration that might act as a stopping point for such issues (I don't think it exists btw).
- Check routes on smoothwall. There might be something weird there.
- Make sure the DMZ works as it should.
- Check your subnetting. Normally, on a 192.168.x.x network on the LAN you need to subnet a /16 subnet for the DMZ network.
At this point, my money is on routing and subnetting.
HTH,
s.
Phill Edwards put forth on 8/8/2010 11:14 PM:
Originally 192.168.2.1 couldn't see the 192.168.0.0 network but with some help from the Smoothwall forums I have fixed that.
One more example of DMZs creating more grief for a newbie than benefit...
The Smoothie has those ports open to your web server, but it's not routing the packets to your dovecot server. We know the ports are open because you get "Connection refused", which is what Linux does when no service daemon is listening and responding on a port. Translated into newbie speak: It's the Smoothie box itself which said "Connection refused" to your web server.
So, now you need to learn about Smoothie/Linux IP routing. The guys on the forum you mentioned should be able to assist. That's a better place to get assistance, as your problem has nothing to do with Dovecot.
Good luck.
-- Stan
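Added example, not part of the thread or of any participant's post: a small Python probe to run from the DMZ web server in place of the telnet tests. It separates an active rejection ("Connection refused") from silently dropped packets and from a working connection. The addresses and ports are the ones in the original post; the function name, state labels and 3-second timeout are assumptions made for this illustration.

```python
import errno
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt (hypothetical helper).

    Returns (state, detail); state is 'open', 'refused', 'filtered'
    or 'unreachable'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        # A TCP reset or an ICMP rejection came back. The client cannot
        # tell which device sent it: the target with nothing listening,
        # or a firewall/router on the path with a reject rule.
        return ("refused", "actively rejected by the target or a device on the path")
    except socket.timeout:
        # Nothing came back at all: packets dropped, or no return route.
        return ("filtered", "no reply within %.1fs" % timeout)
    except OSError as e:
        # For example EHOSTUNREACH or ENETUNREACH from the local stack.
        return ("unreachable", errno.errorcode.get(e.errno, str(e)))
    else:
        # Connected. Plain IMAP (143) sends a greeting line first;
        # IMAPS (993) waits for a TLS handshake, so an empty banner there
        # is normal.
        try:
            banner = s.recv(200).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return ("open", banner)
    finally:
        s.close()


if __name__ == "__main__":
    # Addresses and ports taken from the original post.
    for port in (143, 993):
        state, detail = probe("192.168.0.154", port)
        print("192.168.0.154:%d -> %s (%s)" % (port, state, detail))
```

Running the same probe from a LAN PC and from 192.168.2.1 and comparing the two results shows whether the difference is introduced between the DMZ and the LAN.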
participants (3)
- Phill Edwards
- Spyros Tsiolis
- Stan Hoeppner