Server refuses all connections from public address

Earlier today my MIAB server started refusing connections, except from internal private IP addresses, with one exception: the ‘root’ page, which just says this is Mail-in-a-Box and has a link to MIAB, shows, but the /mail, /admin, etc. pages just give ‘This site can’t be reached’ error messages.
However, if I connect on my private subnet (192.168.x.x) all work perfectly. If I run the admin status checks, it says that everything is running, but nothing is available on my public IP address. (This is NAT’ed from my router, and has not been changed, although I changed the NATing to a different machine to test, and could connect no problems; point it back to the MIAB and it can’t connect.)
I also checked the firewall, all OK, and even disabled it to test, and no different (and I’d expect it would refuse internal IPs connecting as well if it was the firewall).
Trying to sort this: it was working at 8am this morning (Sydney time), and just stopped working without my touching anything (as I was at work).
Checked with ISP - and no ports are blocked by them for my IP address.
Any ideas on what else I can check?

No idea. Too complicated a setup.

Try telnetting to the ports from outside. Or use a port checker: Port Checker - Check Open Ports Online

For a UDP scan, here

REMEMBER: you need UDP port 53 also open for DNS. The rest are TCP.

If your machine is behind a hardware firewall (or virtual equivalent, such as an AWS security group), ensure that the following ports are open: 22 (SSH), 25 (SMTP), 53 (DNS; must be open for both tcp & udp), 80 (HTTP), 443 (HTTPS), 465 (SMTP submission), 993 (IMAP), 995 (POP) and 4190 (Sieve). It doesn’t hurt to block other ports,

do

sudo apt update
sudo apt upgrade
sudo systemctl reboot

rerun setup
sudo mailinabox

Temporarily disable IPv6 (google it for Ubuntu).
Make Ubuntu prefer IPv4 system-wide (google it).

The syntax for the pages is:

https://box.yourdomain.com/mail
/cloud/contacts
/cloud/calendar
/admin
/cloud/index.php/login
/cloud
Replace box.yourdomain.com with your IP and see if the pages are OK.

You need the subdomain in front for the admin page. Mine in the example above is box.
Only /mail works without the subdomain.

IP6 is always off.
Ports are open and correct (and have been for some time; note that MIAB was working perfectly for ages, then stopped, and it seems that it is refusing almost all connections from the gateway 192.168.100.254 but accepting on the local network 192.168.100.0/24), and NAT’d from my router (which is the only device with a public IP address) to the MIAB server.
All packages are up to date (and that may be the problem, if a package update has either updated a config file or changed how it works, blocking the ports).
Telnet locally: fine. Telnet via the gateway using its public address gets refused, so the server is listening on the ports fine, just refusing those coming from the gateway.
In case it was the NATing failing on the gateway, I bought another gateway and configured it: no change.
Definitely appears to be an issue on the server, either Ubuntu blocking everything, or all the services refusing connections when NOT from the local network (except, of course, the gateway is on the network, but is NATing the connections).
Data flow is pretty easy to follow:
Internet device connects to gateway on port 443 which forwards to internal server on port 443
(obviously other ports for appropriate services - 25 for basic SMTP, etc)
Colin

Hi Colin.
Please note that this is unsupported and MIAB should run in the cloud.
As far as I remember no one discussed a setup behind a NAT for at least 2 years.
Try to remember what steps you took last time to make your setup work again.
@andrew responded to some router behind NAT questions in 2022. Maybe he can help. Otherwise, move your MIAB to a VPS provider. There are also some free ones available in Australia such as OCI in the free tier which you then upgrade to PayAsyouGo and keep the free tier instances and disk space and pay nothing. It just makes no sense to run MIAB without rDNS at home, which I suppose your ISP does not provide at the moment?

By the way, please explain how (previously, when your setup worked) you handled the rDNS of the local NATted IP with the MIAB, and the external proper public IP. The HELO/EHLO issue? Most mail servers will not outright reject your messages but will filter them as SPAM if this issue is not resolved. Or do you send out via a relay?

Where it has been working and just stopped one morning, I would say it is either your ISP or your router. Are you paying for a Business Connection? The port blocking would not necessarily show for your specific account. Some providers block all ports by default for Residential accounts. Maybe your ISP made a policy or equipment change. Did you buy a different brand or model for the new router, or was it the same as what you were using? It could be they did an update which broke something.

I run three MIAB VMs on a Dell Server behind a pfSense Router on a Business Connection. I use external DNS hosted by GoDaddy, and the reverse DNS is the provider default for each IP, which includes the public IP and provider name.

@Mr_Bill Thanks for replying. This proves my point that this is not a good idea. Most mail server blacklists will mark your IP as residential and will list you. Does your mail end up in SPAM?

Hi - I’ve got a similar setup and run it just fine at a couple of sites. It’s certainly possible but does take more thought and care than renting server space. Some general thoughts:

Fail2ban might be causing your problem - fail2ban will (mostly) detect incoming connections that fail several times over a short period, including ssh, web, and mail traffic and it then blocks everything from that external address. The fail2ban logs will tell you what’s going on.

“netcat” is a good way to test a connection (cleaner than telnet). Try connecting from #1 local addresses, #2 from the router (if you can), #3 from several different external addresses. But don’t go changing things - that’s not debugging, it’s just random hole digging.

When you say “all connections from public address” what protocols do you mean? Can you ssh in from an external device? What about http to the server website? And smtp email?

Don’t go disabling IPv6 on your box. MIAB doesn’t need IPv6 access but it does need IPv6 to be running on the server.

Interesting! @JoshData Is this true? Do you really need IPv6 for MIAB to work? Or is this a thing in Ubuntu that runs the services properly?

I don’t think there’s any specific reason why IPv6 is needed, but I am not very good with IPv6 things and I know there have been some issues over the years that probably relate to different defaults set up by VM providers.

If it turns out that something we’re doing makes IPv6 required, maybe someone will be able to contribute a fix.

Have a look at threads like this https://discourse.mailinabox.email/t/how-do-i-disable-ipv6-in-ubuntu-22-04-on-linode/11794

It appears that some MIAB components expect IPv6 internally on the server, even if it’s not available to access the rest of the world. So if your provider doesn’t do IPv6, or you don’t provide a global (external) address, that’s fine but I’d suggest you don’t completely disable IPv6.

IPv6 does involve some “interesting” setup (for reverse DNS stuff), so it’s probably easier (at least initially) to remove any IPv6 external address. There are a few threads about running with/without IPv6.

I don’t have any issues. I’ve only been using MIAB for a few years, but have been running my own mail servers for about twenty years. I have had my current IP block and provider for ten years.

Ok - all sorted now.
A few notes around it:

  1. NAT is quite simple and works well (and is used by most corporates to protect their servers; I work for a large multi-national company, and we use NATing and proxy servers to split our network into protected subnets, and to keep application/service servers off the public network). (A couple of little things to watch when setting it up, but it really is quite simple and straightforward to do. The biggest thing to watch is the DNS server: I use the DNS at the hosting company I use for web sites, and placed all the required entries in there. Reverse DNS is done at my ISP, who had no issues in setting it up for me, a single line in their reverse DNS.)

  2. IPv6 isn’t required for anything in MIAB - if IPv6 was mandatory for any of the services used by MIAB then it would break MIAB on many networks.

  3. Fail2Ban was the root cause. What happened was that there was a massive influx of failed attempts to connect, but, as Fail2Ban looks at the logs, it saw my NATing gateway as the source of the attacks, rather than the actual server/s that it was forwarding connections from. (Looks to be a design error in postfix, and possibly other applications, where they log the NATing server as the source of a connection rather than the actual source IP/FQDN of the originating point.)

I’ve white-listed my NATing gateway now so that fail2ban doesn’t blacklist it again, and will look into the logging options for postfix to see if there is an option to log the source of a connection, rather than the forwarding server.

(As an aside, I’ve been working in IT since the 1970s, and have set up too many mail servers to be able to count them, ranging in size from tiny with only a handful of users, to those for major corporates spread across multiple countries, subnets and different character sets with tens of thousands of users.)