[Dovecot] Setting up webmail in DMZ

Spyros Tsiolis stsiol at yahoo.co.uk
Mon Aug 9 09:15:26 EEST 2010


--- On Mon, 9/8/10, Phill Edwards <philledwards at gmail.com> wrote:

> From: Phill Edwards <philledwards at gmail.com>
> Subject: [Dovecot] Setting up webmail in DMZ
> To: dovecot at dovecot.org
> Date: Monday, 9 August, 2010, 7:14
> I have a Smoothwall server on my network and am running three network
> interfaces off it.
> 
> 1) local LAN 192.168.0.0 with PCs and an internal dovecot server on
> 192.168.0.154.
> 2) internet interface
> 3) DMZ 192.168.2.0 which has a linux web server 192.168.2.1 on which I
> want to install a webmail so I can access my email remotely.
> 
> Originally 192.168.2.1 couldn't see the 192.168.0.0 network but with
> some help from the Smoothwall forums I have fixed that. The problem
> now is that 192.168.2.1 can't connect to the dovecot server on
> 192.168.0.154. When I "telnet 192.168.0.154 993" or "telnet
> 192.168.0.154 143" I get a "Connection refused" error. But these
> commands work fine from PCs on the 192.168.0.0 network.
> 
> I'm pretty sure there's no firewall on the dovecot server and
> /etc/hosts.allow and /etc/hosts.deny are empty.
> 
> Is there a default setting that I need to change in Dovecot that only
> allows connections from machines on the same subnet?
> 

Phill,

Looks like a routing / firewall problem to me.
Normally, once you've installed a piece of hw, be that a mail server
or a web server, the following applies :

. From the Local area to the DMZ :

any node can access _any_ service (smtp/pop3/http/https etc.)
inside the DMZ

. From the outside world to the DMZ :

only selected services can be accessed that are configured by the
admin from the firewall interface. So if you want port 25 to be visible
from the outside world, you will have to define a port-forwarding rule
for the machine inside the DMZ

. From the DMZ to the local area network :

Most services would seem blocked (ping, telnet, ssh, DNS etc.). However,
this is not true. Selected services from the DMZ to the lan are
accessible.

I really don't think this is a dovecot error. However I would check 
the following :

1. any dovecot configuration that might act as a stopping point
for such issues (I don't think it exists btw).

2. Check routes on smoothwall. There might be something weird there

3. Make sure the DMZ works as it should.

4. Check your subnetting. Normally, on a 192.168.x.x network on the LAN
you need to subnet a /16 subnet for the DMZ network.

At this point, my money is on routing and subnetting.

HTH,

s.
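
Added example, not part of the original message: a small Python check that repeats the telnet test from the quoted question and separates an active refusal from a silent drop, which helps tell a reject on the path from a routing gap. The function names probe and check_ports are made up for this illustration; the address and ports are the ones given in the thread.

```python
import errno
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt from this machine.

    open        - handshake completed, the service answered
    refused     - a reset came back ("Connection refused" in telnet): the
                  target has no listener on that address/port, or a device
                  on the path rejects the connection
    filtered    - no reply before the timeout: packets are silently dropped
                  or the replies have no route back
    unreachable - the local stack or a router reported no route
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def check_ports(host, ports, timeout=3.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # Address and ports are the ones given in the quoted message.
    for port, state in check_ports("192.168.0.154", [143, 993]).items():
        print(f"192.168.0.154:{port} -> {state}")
```

Run it once from a LAN PC and once from 192.168.2.1. A port that is open from the LAN but refused from the DMZ host shows the service is up and the refusal depends on where the connection comes from.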



      


