1

Topic: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hey Zhang,

Thank you for iredmail 1.0!

I've just tried to install it on Debian 10, but after I added the firewall rules using the installer script the firewall service for Debian was not working anymore.

So I did another install and at the firewall rules step this is the question asked:

< Question > Would you like to use firewall rules provided by iRedMail?
< Question > File: /etc/default/iptables, with SSHD ports: 22. [Y|n]

If I searched correctly, the file iptables is not used anymore on Debian 10, it's nftables.

Might that be a small problem in the firewall script that doesn't detect Debian 10 firewall file properly?

In the meantime I skipped the firewall rules, will add them manually later from the example config files.

#edit: even when manually installing nftables before launching the iredmail installer, the install script still thinks iptables is the file. Answering no, then manually copying the nftables.conf provided in the sample firewall folder and restarting nftables works great!

Thanks

#edit: also discovered that after a fresh install I have the same bug as the one you reported here:

https://sogo.nu/bugs/view.php?id=4684

[Warning] Aborted connection 34 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

I've tried reinstalling from scratch with only sogo and iredadmin and this problem happens right after the post-install reboot.

This problem also translates to the mariadb service not being able to be terminated on a regular server reboot / shutdown: "A stop job is running for Mariadb database service" is displayed and freezes the server indefinitely until manual power off.

Disabling the 2 sogo cron jobs stops the errors, as previously reported in the forum.

I created an account and sent a message on the sogo bug report topic.

But I'm surprised to get this error on a fresh Debian 10 install with mariadb. Am I the only one?

#edit2: also noticed that when I click on "logout" on the iredadmin panel I get an "internal server error" message. It doesn't block anything but I thought I'd just mention it here too.

2

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem).

So yeah, u still can use iptables, but it is just a wrapper to nf_tables. Nothing wrong with using it.
I also use Debian Buster and only use iptables as a layer without a problem.

3

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

The problem is not using iptables, the problem is that when you use iredmail 1.0 installer on a fresh debian buster and answer yes to "Would you like to use firewall rules provided by iRedMail?" it crashes debian firewall service.

4 (edited by CrashXRU 2020-02-04 12:42:49)

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Neutro wrote:

The problem is not using iptables, the problem is that when you use iredmail 1.0 installer on a fresh debian buster and answer yes to "Would you like to use firewall rules provided by iRedMail?" it crashes debian firewall service.

If you do not like the messages in the log, just delete the scripts that create the iredmail (ip6tables & iptables)

5

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Debian 10 has a broken version of iptables; you need to upgrade it from buster-backports to fix a serious segfault issue that can happen with fail2ban.

Problem is, this implementation works together with iptables-restore, and the following happens:
1. iptables gets installed (empty ruleset)
2. iptables-restore gets installed together with fail2ban
3. iptables-restore invokes a flush ruleset appended with an import of the provided rules

Flushing an empty ruleset and then appending rules to it causes a segmentation fault in 1.8.2-4.


How 2 fix:
Create file /etc/apt/sources.list.d/buster-backports.list with the following:

deb https://deb.debian.org/debian buster-backports main

Create file /etc/apt/preferences.d/buster-backport with the following:

Package: *
Pin: release o=Debian,a=buster-backports
Pin-Priority: 400

Save file.

run:
sudo apt-get install apt-transport-https

sudo apt-get update

sudo apt-get -t buster-backports install iptables iptables-persistent

This leaves u with a working environment, thus u need to implement the firewall rules yourself, but the broken package is replaced.
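A pre-flight check for the situation described in the post above, as an added example that is not part of the original post or of the iRedMail installer. It reads `apt-cache policy iptables` output and flags the 1.8.2-4 package named in this thread, and reads the backend from `iptables --version`. The function names, the sample policy text and the `BACKPORTS_VERSION` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check the iptables package before loading rules.
AFFECTED="1.8.2-4"   # iptables package version named in post #5

# Summarise `apt-cache policy iptables` text read from stdin.
check_policy() {
    awk -v bad="$AFFECTED" '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (inst == "" || inst == "(none)") { print "status=not-installed"; exit }
            if (inst != bad)      s = "other-version"
            else if (cand == bad) s = "affected-candidate-unchanged"
            else                  s = "affected-upgrade-pending"
            printf "installed=%s candidate=%s status=%s\n", inst, cand, s
        }'
}

# Report the backend from `iptables --version` text, e.g. "iptables v1.8.2 (nf_tables)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Constructed sample: the state after adding the backports source and the
# Pin-Priority 400 file, but before running the install with -t buster-backports.
# BACKPORTS_VERSION is a placeholder, not a real version string.
sample_policy() {
    cat <<'EOF'
iptables:
  Installed: 1.8.2-4
  Candidate: 1.8.2-4
  Version table:
     BACKPORTS_VERSION 400
        400 https://deb.debian.org/debian buster-backports/main amd64 Packages
 *** 1.8.2-4 500
        500 https://deb.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_policy | check_policy
backend_of "iptables v1.8.2 (nf_tables)"
# On a real host: apt-cache policy iptables | check_policy
#                 backend_of "$(iptables --version)"
```

The `affected-candidate-unchanged` status reflects that a pin of 400 ranks below the default priority of 500 for the stable release, so the candidate stays at 1.8.2-4 until the package is installed with `-t buster-backports` as in the post.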

6

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Neutro wrote:

< Question > Would you like to use firewall rules provided by iRedMail?
< Question > File: /etc/default/iptables, with SSHD ports: 22. [Y|n]

"/etc/default/iptables" in this prompt text is a mistake (fixed in development edition), but the copied (sample) file is correct and the destination path (/etc/nftables.conf) is correct.

Neutro wrote:

The problem is not using iptables, the problem is that when you use iredmail 1.0 installer on a fresh debian buster and answer yes to "Would you like to use firewall rules provided by iRedMail?" it crashes debian firewall service.

I will test it later.


7

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Neutro wrote:

The problem is not using iptables, the problem is that when you use iredmail 1.0 installer on a fresh debian buster and answer yes to "Would you like to use firewall rules provided by iRedMail?" it crashes debian firewall service.

Cannot reproduce this issue locally.
Btw, what do you mean "it crashes debian firewall service"?


8

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

ZhangHuangbin wrote:
Neutro wrote:

The problem is not using iptables, the problem is that when you use iredmail 1.0 installer on a fresh debian buster and answer yes to "Would you like to use firewall rules provided by iRedMail?" it crashes debian firewall service.

Cannot reproduce this issue locally.
Btw, what do you mean "it crashes debian firewall service"?


Look at Post #5, it is a known bug in iptables 1.8.2-4 which is in debian10 stable.
Can u maybe implement my solution which installs iptables from buster-backports?

https://bugs.debian.org/cgi-bin/bugrepo … bug=949101

9 (edited by Neutro 2020-02-06 09:15:50)

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

ZhangHuangbin wrote:
Neutro wrote:

Cannot reproduce this issue locally.
Btw, what do you mean "it crashes debian firewall service"?

When I did "systemctl status nftables" it said that it was stopped because it failed at starting.

I tried again today on a fresh VM and I didn't get this problem anymore, while I did the same thing I've done 3 times 2 weeks ago.

Well, it's working now so whatever happened, it's good.

Also no more problem like I had with sogo cron.

The only thing that changed is that I've tried on a VM on workstation this time, while I was using an ESXI server running on a laptop before... Strange!

Thanks for your help anyway!

10

Re: Some non blocking issues with fresh iRedMail 1.0 install on Debian 10

Cthulhu wrote:

Can u maybe implement my solution which installs iptables from buster-backports?

No plan to enable buster-backports repo in iRedMail installer, sorry.
