
email server - VERY small scale

Posted: 2022/09/09 17:44:04
by lightman47

Experimenting with trying to set up an email server for perhaps 6-8 users and following RHEL 8 Documentation. I've NOT yet forwarded ports from 'the outside' - and that may be a while, or never at all! That said, I run across these instructions:
Configure the firewall for sending and receiving emails using the following steps:


To add the service

# firewall-cmd --permanent --add-service=servicename

Replace the servicename with any of the services in the /etc/services. For example, smtp, submission.

Reload the service for the change to take effect

# systemctl reload firewalld
However, 'submission' is listed in /etc/services (as 'msa') but I get
Error: INVALID_SERVICE: 'submission' not among existing services
Thank you.

Re: email server - VERY small scale

Posted: 2022/09/09 18:14:09
by TrevorH
Services are defined in /usr/lib/firewalld/services and you can look in the xml files there to see what does what.

Re: email server - VERY small scale

Posted: 2022/09/10 15:40:39
by lightman47
So, in there I found smtp-submission.xml. Then:
# systemctl enable --now smtp-submission
Failed to enable unit: Unit file smtp-submission.service does not exist.
I am learning, but don't know enough to understand what I need to do now. :?

Re: email server - VERY small scale

Posted: 2022/09/10 16:54:45
by jlehtone
Basics are in man firewall-cmd

The things in /usr/lib/firewalld/services are predefined FirewallD services.
Those are not Systemd service units, which you enable and start with systemctl.
The Systemd service units do start programs, like a mail server. The programs use network ports, like tcp/22. The /etc/services has names for some ports to hint which program(s) usually use that port.

A FirewallD service is a firewalld-syntax list of ports and other details. It is more of a convenience if /etc/services, FirewallD, and the systemd unit use the same name for related things.

Rather than look at /usr/lib/firewalld/services/ you can: sudo firewall-cmd --get-services

You said that there is "smtp-submission". Then you should get its description with:
sudo firewall-cmd --info-service=smtp-submission

If the details look like what you need, then:

sudo firewall-cmd --permanent --add-service=smtp-submission
sudo firewall-cmd --reload
Now the output of sudo nft list ruleset should contain the allow-rules that you want.
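
The name mismatch discussed above (submission in /etc/services, smtp-submission in FirewallD) can be resolved by port number instead of by name. The script below is an added example, not part of the original posts: the function names and the sample data are constructed for illustration, and on a real system the last two arguments default to /etc/services and /usr/lib/firewalld/services.

```bash
#!/usr/bin/env bash
# Added example. Maps an /etc/services name to the firewalld service(s) opening that port.

# Print the port number registered for a name or alias in an /etc/services-format file.
port_for_name() {   # usage: port_for_name NAME PROTO FILE
    awk -v n="$1" -v p="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            split($2, pp, "/")                   # "587/tcp" -> pp[1]=587, pp[2]=tcp
            if (pp[2] != p) next
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == n) { print pp[1]; exit }
        }' "$3"
}

# Print firewalld service names (file name minus .xml) whose definition opens PORT/PROTO.
# Only exact single-port entries are matched; port ranges are not expanded.
services_for_port() {   # usage: services_for_port PORT PROTO DIR
    local f
    for f in "$3"/*.xml; do
        [ -e "$f" ] || continue
        if grep -Eq "<port[^>]*(protocol=\"$2\"[^>]*port=\"$1\"|port=\"$1\"[^>]*protocol=\"$2\")" "$f"; then
            basename "$f" .xml
        fi
    done
}

# Resolve an /etc/services name to the name firewall-cmd --add-service expects.
resolve_firewalld_service() {   # usage: resolve_firewalld_service NAME [PROTO] [FILE] [DIR]
    local proto=${2:-tcp} port
    port=$(port_for_name "$1" "$proto" "${3:-/etc/services}")
    [ -n "$port" ] || return 1
    services_for_port "$port" "$proto" "${4:-/usr/lib/firewalld/services}"
}

# Constructed sample data (not copied from a real system) so the demo runs offline.
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/services"
    printf '%s\n' 'smtp        25/tcp   mail' \
                  'submission  587/tcp  msa   # mail message submission' > "$1/etc-services"
    printf '%s\n' '<service>' '  <port protocol="tcp" port="25"/>' '</service>' \
        > "$1/services/smtp.xml"
    printf '%s\n' '<service>' '  <port protocol="tcp" port="587"/>' '</service>' \
        > "$1/services/smtp-submission.xml"
}

demo=$(mktemp -d)
make_sample "$demo"
for n in smtp submission msa; do
    echo "$n -> $(resolve_firewalld_service "$n" tcp "$demo/etc-services" "$demo/services")"
done
rm -rf "$demo"
```

Locally defined or overridden services live in /etc/firewalld/services, so pass that directory as the fourth argument to check those as well.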

Re: email server - VERY small scale

Posted: 2022/09/11 15:12:44
by lightman47
Thank you - I got all the expected results you mentioned.

An Aside:
May I gather from this that firewalld is essentially a 'front-end' to nftables? I've been trying to figure this out for a long time; I always thought it was a '3rd' option to nftables and the old iptables and never understood the connection.

Re: email server - VERY small scale

Posted: 2022/09/11 15:37:00
by TrevorH
It's some hideous front end for whatever real firewall is underlying it. It's a massive bloated pig, designed by committee that tries to be all things to all men and fails miserably. It has an arcane and unintuitive command line syntax and is generally horrid.

Re: email server - VERY small scale

Posted: 2022/09/13 06:46:58
by jlehtone
... and that was the polite version ...

Yes, FirewallD is a mere front-end. It does express the logic of "zone-based ruleset" quite well.
That in itself is no fault, although we don't all use/need the zone-based approach.

A more serious flaw was that it took long for FirewallD to introduce support for features
that are essential in a router or when you need to filter outgoing traffic.
EL8 now has some of those and EL9 should have most, but frankly there has been little
incentive to check them out as I'm not "sufficiently human" to need a front-end.

Re: email server - VERY small scale

Posted: 2022/09/13 16:31:49
by lightman47
:lol: I'd sensed displeasure some time ago!

Thanks - knowing that I will feel better about exploring, playing with, & learning nftables without fear of creating conflicts with the few things I'd done in firewalld. I'd never really tried anything with iptables as I didn't feel I knew enough about the O.S. until fairly recently. I greatly appreciate your help.

Re: email server - VERY small scale

Posted: 2022/09/13 17:45:46
by lightman47
As far as my 'email server' experiment:

I'm undecided where to go from here - non-working (certificate complaints) but all services running fine. The machine mail command results (I think) are winding up in that users' system var/mail. Clearly, I need more knowledge before attempting this; I've messed-up system mailing and forgotten all the things I've edited (both the files and the changes). The machine is otherwise functioning normally. I'm suspecting the easiest 'reset' will be a clean reinstall and scripted software/user installations followed by settings recovery from backups.

It was something I tried, learned from, and discovered I didn't know enough yet. ;)