MailCleaner is a nice Open Source Linux distribution that creates a spam filter appliance. It is designed to sit in between an email server and the internet and filter spam out of email using advanced rules, DNS RBL (realtime black list), and many other techniques. It also scans email for viruses. Although I no longer use MailCleaner (I have replaced it with ScrollOut F1), I remember coming across a big issue in the past that took me some time to figure out, so I thought I would share it.
Because MailCleaner is more or less an appliance, most aspects of the operating system are controlled by MailCleaner. A majority of the settings you need to change are easily available on the web interface, however firewall rules are not. MailCleaner is designed so that it manages all IPTables rules. If you manually add an IPTables rule from the command line, once it’s reloaded or the system is reboot, the rule is gone. That is because MailCleaner wipes out and reloads IPTables rules from data stored in its MySQL database. So, in order to open any additional ports, you must modify the database. I encountered this dilemma when I installed a remote monitoring client (the Nagios based Check_MK to be exact), and needed to open a port to allow the monitoring server to connect.
Lets assume I need to open up SSH (port 22) and RSYNC (port 873) and I only want my mail server’s IP, 220.127.116.11, to connect. Normally we would enter the following iptables commands:
sudo iptables -A INPUT -s 18.104.22.168/32 -p tcp -m tcp --dport 873 -j ACCEPT sudo iptables -A INPUT -s 22.214.171.124/32 -p tcp -m tcp --dport 22 -j ACCEPT
But in this case, we cannot. The good news is the MailCleaner will do it for you if you add the correct info into the MySQL database. Here’s how you do that (from a command prompt on the MailCleaner server):
[[email protected]]$ sudo /usr/mailcleaner/bin/mc_mysql -m mysql> use mc_config mysql> insert into external_access (service,port,protocol,allowed_ip) values('Rsync','873','TCP','126.96.36.199/32'); Query OK, 1 row affected (0.40 sec) mysql> insert into external_access (service,port,protocol,allowed_ip) values ('SSH','22','TCP','188.8.131.52/32'); Query OK, 1 row affected (0.06 sec)
After you exit MySQL, I suggest you go ahead and reboot. It is best to verify that the rules not only work, but work after a reboot. Once you’ve rebooted, take a look at IPTables to make sure the rules were added.
[[email protected]]$ iptables -L
You will probably see quite a few rules, depending on your particular MailCleaner settings, but you should be able to find a line that begins with ACCEPT, has your server IP address, and the port you added a rule for. That’s it! Leave a comment if you get stuck.