email server - VERY small scale

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Post by lightman47 » 2022/09/09 17:44:04

RHEL 8

Experimenting with trying to set up an email server for perhaps 6-8 users and following RHEL 8 Documentation. I've NOT yet forwarded ports from 'the outside' - and that may be a while, or never at all! That said, I run across these instructions:
Configure the firewall for sending and receiving emails using the following steps:

Procedure

To add the service

# firewall-cmd --permanent --add-service=servicename

Replace the servicename with any of the services in the /etc/services. For example, smtp, submission.

Reload the service for the change to take effect

# systemctl reload firewalld

However, 'submission' is listed in /etc/services (as 'msa') but I get

Error: INVALID_SERVICE: 'submission' not among existing services

Ideas/hints/tips?
Thank you.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: email server - VERY small scale

Post by TrevorH » 2022/09/09 18:14:09

Services are defined in /usr/lib/firewalld/services and you can look in the xml files there to see what does what.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by lightman47 » 2022/09/10 15:40:39

So, in there I found smtp-submission.xml. Then:
# systemctl enable --now smtp-submission
Failed to enable unit: Unit file smtp-submission.service does not exist.
I am learning, but don't know enough to understand what I need to do now. :?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Post by jlehtone » 2022/09/10 16:54:45

Basics are in man firewall-cmd

The things in /usr/lib/firewalld/services are predefined FirewallD services.
Those are not Systemd service units, which are what you enable and start with systemctl.
The Systemd service units do start programs, like a mail server. The programs use network ports, like tcp/22. /etc/services has names for some ports to hint at which program(s) usually use that port.

A FirewallD service is a list of ports and other details in firewalld syntax. It is more of a convenience if /etc/services, FirewallD, and the systemd unit use the same name for related things.

Rather than look at /usr/lib/firewalld/services/ you can: sudo firewall-cmd --get-services

You said that there is "smtp-submission". Then you should get its description with:
sudo firewall-cmd --info-service=smtp-submission

If the details look like what you need, then:

sudo firewall-cmd --permanent --add-service=smtp-submission
sudo firewall-cmd --reload

Now the output of sudo nft list ruleset should contain the allow-rules that you want.
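
The name mismatch discussed above (`submission` in /etc/services versus `smtp-submission` in FirewallD), as an added example that is not part of the original thread: a script that resolves an /etc/services name to its port and then lists the FirewallD service definitions that open that port. The function names and the `SERVICES_FILE` / `FWD_DIRS` overrides are hypothetical; /etc/firewalld/services is included as the location for locally defined services.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): resolve an /etc/services name to the
# firewalld service(s) whose XML definition opens the same port.
# SERVICES_FILE and FWD_DIRS are overridable so the functions can be pointed
# at constructed sample files.
SERVICES_FILE="${SERVICES_FILE:-/etc/services}"
FWD_DIRS="${FWD_DIRS:-/usr/lib/firewalld/services /etc/firewalld/services}"

# port_for NAME PROTO: print the port of a service name or alias.
port_for() {
    awk -v want="$1" -v proto="$2" '
        { sub(/#.*/, "") }              # drop trailing comments
        NF < 2 { next }
        {
            split($2, pp, "/")          # "587/tcp" -> pp[1]="587", pp[2]="tcp"
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == want) { print pp[1]; exit }
        }' "$SERVICES_FILE"
}

# firewalld_services_for PORT PROTO: print firewalld service names that open it.
# Only single-port <port .../> elements are matched, not ranges like 5000-5010.
firewalld_services_for() {
    local port="$1" proto="$2" dir f
    for dir in $FWD_DIRS; do
        for f in "$dir"/*.xml; do
            [ -f "$f" ] || continue
            # Accept the two attributes in either order.
            if grep -Eq "<port[^>]*protocol=\"$proto\"[^>]*port=\"$port\"|<port[^>]*[[:space:]]port=\"$port\"[^>]*protocol=\"$proto\"" "$f"
            then basename "$f" .xml; fi
        done
    done | sort -u
}

# explain NAME [PROTO]: tie the /etc/services name to firewalld's own names.
explain() {
    local name="$1" proto="${2:-tcp}" port svcs
    port="$(port_for "$name" "$proto")"
    if [ -z "$port" ]; then
        echo "$name: no $proto entry in $SERVICES_FILE"
        return 1
    fi
    svcs="$(firewalld_services_for "$port" "$proto" | paste -sd ' ' -)"
    echo "$name = $port/$proto; firewalld service(s): ${svcs:-none}"
}

# Run as: ./script.sh submission   (does nothing when sourced without arguments)
if [ "$#" -gt 0 ]; then explain "$@"; fi
```

The name it prints is the one to pass to `firewall-cmd --add-service=`, after checking it with `--info-service=` as described above.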

Post by lightman47 » 2022/09/11 15:12:44

Thank you - I got all the expected results you mentioned.

An Aside:
May I gather from this that firewalld is essentially a 'front-end' to nftables? I've been trying to figure this out for a long time; I always thought it was a '3rd' option to nftables and the old iptables and never understood the connection.

Post by TrevorH » 2022/09/11 15:37:00

It's some hideous front end for whatever real firewall is underlying it. It's a massive bloated pig, designed by committee that tries to be all things to all men and fails miserably. It has an arcane and unintuitive command line syntax and is generally horrid.

Post by jlehtone » 2022/09/13 06:46:58

... and that was the polite version ...

Yes, FirewallD is a mere front-end. It does express the logic of "zone-based ruleset" quite well.
That in itself is no fault, although we don't all use/need the zone-based approach.

A more serious flaw was that it took long for FirewallD to introduce support for features
that are essential in a router or when you need to filter outgoing traffic.
EL8 now has some of those and EL9 should have most, but frankly there has been little
incentive to check them out as I'm not "sufficiently human" to need a front-end.

Post by lightman47 » 2022/09/13 16:31:49

:lol: I'd sensed displeasure some time ago!

Thanks - knowing that I will feel better about exploring, playing with, & learning nftables without fear of creating conflicts with the few things I'd done in firewalld. I'd never really tried anything with iptables as I didn't feel I knew enough about the O.S. until fairly recently. I greatly appreciate your help.

Post by lightman47 » 2022/09/13 17:45:46

As far as my 'email server' experiment:

I'm undecided where to go from here - non-working (certificate complaints) but all services running fine. The machine mail command results (I think) are winding up in that user's system var/mail. Clearly, I need more knowledge before attempting this; I've messed up system mailing and forgotten all the things I've edited (both the files and the changes). The machine is otherwise functioning normally. I'm suspecting the easiest 'reset' will be a clean reinstall and scripted software/user installations followed by settings recovery from backups.

It was something I tried, learned from, and discovered I didn't know enough yet. ;)
