This is a discussion on nmap and iptables within the Linux Administration forums, part of the Linux Forums category; Does a port being shown open in nmap always mean that connections to those ports will get through my firewall? ...
Does a port being shown open in nmap always mean that connections to those ports will get through my firewall? Or does it simply mean that the port is open, but connections still have not reached the firewall? Just trying to figure out why imap connections are failing. Thanks

In article <pan.2004.10.15.23.13.54.962643@notboley.org>, Tommy M wrote:

> Does a port being shown open in nmap always mean that connections to
> those ports will get through my firewall?

Nowhere _NEAR_ enough information. A port being reported as open means that _something_ responded - but you don't tell enough to say what that might have been. Where did you run nmap from? Where is the imap server? How many systems between the two? Is the imap server directly reachable from where you are testing, or is there some form of port forwarding involved? 'nmap' comes with a heck of a lot of very useful documentation - and the man page tells quite a lot about what nmap is reporting.

> Or does it simply mean that the port is open, but connections still has not
> reached the firewall.

Not enough information. Go grab a copy of tcptraceroute if your unidentified distribution doesn't have it. You can find that at http://michael.toren.net/code/tcptraceroute/ and read the man page that comes with it. Briefly, from wherever you are testing, use it like traceroute, but tell it you want to connect to port 143.

> Just trying to figure out why imap connections are failing.

1. What are you using to poll the imap server?
2. What error message do you get?
3. Can you view the logs of the imap server? What do they say?
4. Use tcptraceroute to see if you can reach the imap server.
5. Use tcpdump -s 1500 and see what the packets are saying. The dialog between the client and server should be human readable.
6. What is in the firewall ruleset? What logging have you set up? What is in the firewall log?

Please remember, we're not looking over your shoulder, so you are only going to get useful answers if you provide useful information.

Old guy

On Sat, 16 Oct 2004 22:19:56 -0500, Moe Trin wrote:

> Nowhere _NEAR_ enough information,

You are correct. My apologies. I was trying to figure out why I was having trouble setting up an imap server on my system

--------------------------------------------------------------------
Linux lugh.boley.org 2.4.20-6 #1 Thu Feb 27 10:06:59 EST 2003 i686 i686 i386 GNU/Linux
Redhat 9
-----------------------------------------------------------------------

I was not able to connect. My first thought was firewall issue or port being closed. nmap showed the port #143 open. I posted to see if that really meant the port was accessible. After my post, I developed a little intelligence. I shut down the firewall and found I could connect just fine. So being open in nmap did not mean much.

I rewrote the firewall rules to allow access on 143:

ACCEPT tcp -- anywhere anywhere tcp dpt:imap flags:SYN,RST,ACK/SYN

This is in the input chain. I don't think I need an OUTPUT rule, but I may be wrong. Still having problems though.

I tested imap locally and off a remote shell account using some standard commands:

telnet host 143
a0001 login user passwd (one only hopes the real imap encrypts the password)
a0002 select mailbox
a0003 fetch 1 body[text]
a0004 close
a0005 logout

This all worked fine.

A friend tested using his mailer (microsoft outlook express) yuck. He could read but not send and got this error code:

"0x80042109 outlook is unable to connect to outgoing mailserver"

My research indicates that this means he did not set his mailer to authenticate to the smtp for outgoing mail and my system rejected it because of that. That is good and means I set up postfix correctly. No spammers today thank you. I will walk him through setting up authentication. I hope outlook does this; I really don't know.

Finally I tried setting the Ximian (evolution) mailer to connect to the imap server, which is on the same machine. I used the full name not localhost. It connects but does not read the folders or mail under /var/spool/mail. Instead after a really long time it lists some of the files in my home directory. Very odd. I shut it down and did it again, this time running strace on the pid for evolution-mail hoping to see what the problem was. This was a bit ambitious since I am not a programmer.

gettimeofday({1098072097, 587854}, NULL) = 0
poll([{fd=3, events=POLLIN}, {fd=9, events=POLLIN}, {fd=16, events=POLLIN}, {fd=18, events=POLLIN}, {fd=20, events=POLLIN}, {fd=22, events=POLLIN}], 6, 0) = 0
ioctl(3, FIONREAD, [0]) = 0
write(3, "5\30\4\0\311\3\300\2V\3\300\2\17\0\26\0F\0\5\0\31 1\3\300"..., 248) = 248
gettimeofday({1098072097, 588495}, NULL) = 0
write(3, "5\30\4\0\312\3\300\0027\3\300\2\17\0m\0F\0\5\0\31 2\3\300"..., 92) = 92
ioctl(3, FIONREAD, [0]) = 0
poll([{fd=3, events=POLLIN, revents=POLLIN}, {fd=9, events=POLLIN}, {fd=16, events=POLLIN}, {fd=18, events=POLLIN}, {fd=20, events=POLLIN}, {fd=22, events=POLLIN}, {fd=8, events=POLLIN}, {fd=11, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=POLLIN}, {fd=14, events=POLLIN}, {fd=15, events=POLLIN}, {fd=25, events=POLLIN}, {fd=26, events=POLLIN}, {fd=27, events=POLLIN}, {fd=28, events=POLLIN}, {fd=29, events=POLLIN}], 17, 9150) = 1
gettimeofday({1098072097, 594672}, NULL) = 0
ioctl(3, FIONREAD, [32]) = 0
read(3, "\226\235\376\26\22\2\300\2\22\2\300\2\0\0\0\0\0\0 \0\0\346"..., 32) = 32
write(3, "(\30\4\0\22\2\300\2@\0\0\0\0\0\0\0", 16) = 16
read(3, 0xbfffe1b0, 32) = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], NULL, NULL, NULL) = 1 (in [3])
read(3, "\1\1\377\26\0\0\0\0h\220\340\0\210\0\307\0\0\0\0\ 0\0\0"..., 32) = 32
gettimeofday({1098072097, 595698}, NULL) = 0
ioctl(3, FIONREAD, [0]) = 0
poll([{fd=3, events=POLLIN, revents=POLLIN}, {fd=9, events=POLLIN}, {fd=16, events=POLLIN}, {fd=18, events=POLLIN}, {fd=20, events=POLLIN}, {fd=22, events=POLLIN}, {fd=8, events=POLLIN}, {fd=11, events=POLLIN}, {fd=12, events=POLLIN}, {fd=13, events=POLLIN}, {fd=14, events=POLLIN}, {fd=15, events=POLLIN}, {fd=25, events=POLLIN}, {fd=26, events=POLLIN}, {fd=27, events=POLLIN}, {fd=28, events=POLLIN}, {fd=29, events=POLLIN}], 17, 9142) = 1
gettimeofday({1098072098, 976586}, NULL) = 0
ioctl(3, FIONREAD, [96]) = 0
read(3, "\17\320\377\26\\\3\300\2\1\2\0\0\210\340\212\0\33 4\1\0"..., 96) = 96
ioctl(3, FIONREAD, [0]) = 0
gettimeofday({1098072098, 986161}, NULL) = 0
ioctl(3, FIONREAD, [0]) = 0

This seems to be stuck in some sort of loop. But that Resource temporarily unavailable error looks promising. Could be a bug in the mailer, or just some fundamental problem with checking imap mail when you are actually on the server.

Not sure what my next steps are other than
1. fix outlook problem for friend.
2. have other people test different mailers
3. Check for known evolution bugs

Any suggestions are quite welcome.

Thanks
Tommy

In article <pan.2004.10.18.04.15.26.175761@notboley.org>, Tommy M wrote:

> I was not able to connect. My first thought was firewall issue or port
> being closed. nmap showed the port #143 open I posted to see if that
> really meant the port was accessible. After my post, I developed a little
> intelligence. I shut down the firewall and found I could connect just
> fine.
> So being open in nmap did not mean much.

"That depends". Open means _something_ is listening, and did not slam the door on nmap.

> I tested imap locally and off a remote shell account using some standard
> commands
>
> telnet host 143
> a0001 login user passwd (one only hopes the real imap encrypts the
> password)

RFC2660 para 6.2.2 excerpt:

The LOGIN command identifies the client to the server and carries the plaintext password authenticating this user.

> This all worked fine.
> A friend tested using his mailer (microsoft outlook express) yuck
> He could read but not send and got this error code
>
> "0x80042109 outlook is unable to connect to outgoing mailserver"

Can't help there - don't use IMAP.

> My research indicates that this means he did not set his mailer to
> Authenticate to the smtp for outgoing mail and my system rejected it
> because of that.
> That is good and means I set up postfix correctly. No spammers today thank
> you.

You may also want to check with your ISP (they may not want you running a mail server), and check that the reverse DNS for your host isn't showing some dynamic address - many people refuse mail from those addresses.

> I will walk him through setting up authentication. I hope outlook does
> this I really don't know.

Can't help there either - the last time I used windoze (1992), microsoft hadn't invented networking yet, never mind Outhouse.

> Finally I tried setting the Ximian (evolution) mailer to connect to the imap
> server, which is on the same machine. I used the full name not localhost.
> It connects but does not read the folders or mail under /var/spool/mail.
> Instead after a really long time it lists some of the files in my home
> directory. Very odd.

The long delay could be your firewall; are you blocking port 113? It could also be a hostname resolution - see that the _full_ name is resolvable, and that the IP also resolves to the full name. Often this can be set using the /etc/hosts file.

> I shut it down and did it again this time running strace on the pid
> for evolution-mail hoping to see what the problem was. This was a bit
> ambitious since I am not a programmer.

Neither am I, but the output doesn't look familiar. I usually use strace with the -eopen flag, and do so with command line stuff.

> This seems to be stuck in some sort of loop. But that Resource temporarily
> unavailable error looks promising. Could be a bug in the mailer, or just
> some fundamental problem with checking imap mail when you are actually on
> the server.

I'm wondering if it's a local configuration on the server. Have you tried to use the client to connect to another server (does your ISP use IMAP?).

> Not sure what my next steps are other than

Why not pop over to comp.mail.imap (try a google search first).

Old guy
