1 Topic by NightStorm (edited by NightStorm 2015-11-14 18:48:51)

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Topic: Locked out of server after iRedMail install

I've got to be doing something stupid.  I run the installer (0.9.2) and do the reboot at the end. as suggested.  When the server comes back up I am no longer able to ssh in.  Should I not take the default iredmail firewall rules?

I took the defaults in the below section:
  [ INFO ] Disable SELinux in /etc/selinux/config.
  < Question > Would you like to use firewall rules provided by iRedMail?
  < Question > File: /etc/firewalld/zones/iredmail.xml, with SSHD port: 22. [Y|n]
  [ INFO ] Copy firewall sample rules: /etc/firewalld/zones/iredmail.xml.
  < Question > Restart firewall now (with SSHD port 22)? [y|N]

The first time I ran it I answered "y" to that last "Restart" question and then I got locked out on reboot.  I figured I'd not been careful so I reloaded the server (CentOS 7, minimal) and did it again.  The second time I answered "no" but I am locked out again on the second try.

It does say "with SSHD port 22", am I misreading it?


==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro?no
- Related log if you're reporting an issue:
====

*** Update ***
I managed to get in and find that iptables has this kind of rule sets:
[root@neuron /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
INPUT_direct  all  --  anywhere             anywhere           
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere           
INPUT_ZONES  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
FORWARD_direct  all  --  anywhere             anywhere           
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere           
FORWARD_IN_ZONES  all  --  anywhere             anywhere           
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere           
FORWARD_OUT_ZONES  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination


I am allowed back in if I do an "iptables --flush".  Prior to that there is no connectivity.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by NightStorm

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Re: Locked out of server after iRedMail install

Interesting .. seems to be a compatibility problem and/or a bug in the CentOS 7 installer.  I did three reloads of CentOS 7 followed by three iRedMail installs and got locked out each time.  I then did a CentOS 6 install and it worked just fine, first time.

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Locked out of server after iRedMail install

Does it work if you run 'firewall-cmd --complete-reload'?

4 Reply by NightStorm

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Re: Locked out of server after iRedMail install

After I reboot I get the following message when trying to ssh into the server:
  ssh: connect to host myhost.com port 22: No route to host

I then enable a backdoor ssh, login, and issue the "firewall-cmd --complete-reload" command as follows:
   [root@www /]# firewall-cmd --complete-reload
   Error: '/sbin/ip6tables -t raw -I PREROUTING 2 -m rpfilter --invert -j DROP' failed: ip6tables: No chain/target/match by that name.

The port appears to now be available as I get this when I try to ssh into the server:
   ssh: connect to host myhost.com port 22: Connection timed out

5 Reply by NightStorm (edited by NightStorm 2015-11-16 07:30:32)

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Re: Locked out of server after iRedMail install

Given the error message I got when I issued "firewall-cmd --complete-reload" I did this command:
# egrep rpfilter $(find /etc -type f)
  /etc/firewalld/firewalld.conf:# IPv6_rpfilter
  /etc/firewalld/firewalld.conf:IPv6_rpfilter=yes

That showed me that /etc/firewalld/firewalld.conf has a configuration for "rpfilter".  I changed it to "no" and rebooted.

When the server came back up I was able to ssh into it.  Also the "firewall-cmd" no longer gave me an error message.

BUT!

There appears to be a block on port 80 from the outside.  The following will succeed when issued from the server itself:
  [root@myhost etc]# telnet localhost 80
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  ^CConnection closed by foreign host.

However from outside it fails:
  > telnet myhost.com 80
  Trying 192.xxx.xxx.xxx...                                                                                                 
  telnet: connect to address xxx.xxx.xxx.xxx: No route to host 

I used CentOS 7 with nginx.  Also:
  [root@myhost ~]# systemctl status nginx
  nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
     Active: active (running) since Sun 2015-11-15 05:57:36 EST; 12min ago
    Process: 1068 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
    Process: 1026 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 980 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
   Main PID: 1070 (nginx)
     CGroup: /system.slice/nginx.service
             ├─1070 nginx: master process /usr/sbin/nginx
             └─1071 nginx: worker process

  Nov 15 05:53:29 www.myhost.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
  Nov 15 05:53:29 www.myhost.com nginx[2175]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
  Nov 15 05:53:29 www.myhost.com nginx[2175]: nginx: configuration file /etc/nginx/nginx.conf test is successful
  Nov 15 05:53:29 www.myhost.com systemd[1]: Started The nginx HTTP and reverse proxy server.
  Nov 15 05:55:58 www.myhost.com systemd[1]: Stopping The nginx HTTP and reverse proxy server...
  Nov 15 05:55:58 www.myhost.com systemd[1]: Stopped The nginx HTTP and reverse proxy server.
  Nov 15 05:57:36 www.myhost.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
  Nov 15 05:57:36 www.myhost.com nginx[1026]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
  Nov 15 05:57:36 www.myhost.com nginx[1026]: nginx: configuration file /etc/nginx/nginx.conf test is successful
  Nov 15 05:57:36 www.myhost.com systemd[1]: Started The nginx HTTP and reverse proxy server.

6 Reply by NightStorm

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Re: Locked out of server after iRedMail install

More looking around ...
  Should there be a "ZONE=iredmail" in one of the /etc/sysconfig/network-scripts/ifcfg-* files?  I tried adding it to one of them and doing a systemctl restart on both network and firewall, that seemed to work.
HOWEVER: after a reboot my ZONE=iredmail line got erased by some process and it is gone.  Must go somewhere else for CentOS 7?

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Locked out of server after iRedMail install

iRedMail will set 'ZONE=iredmail' in /etc/firewalld/firewalld.conf, to use zone file /etc/firewalld/zones/iredmail.xml.

It looks like a bug caused by NetworkManager, reported in CentOS bugzilla:
https://bugs.centos.org/view.php?id=8153

8 Reply by NightStorm (edited by NightStorm 2015-11-16 09:28:02)

  • NightStorm
  • Member
  • Offline
  • Registered: 2013-08-25
  • Posts: 11

Re: Locked out of server after iRedMail install

Thanks .. explains a lot.

My work-around is to edit /etc/firewalld/firewalld.conf and change this:
  # default zone
  # The default zone used if an empty zone string is used.
  # Default: public
  DefaultZone=public

to this:
  DefaultZone=iredmail