Problem - Application bypasses Firewall Rules

Hi,

I'm using the latest IX version (5.1.30) with CentOS 7, and I have the firewall turned ON with the IMAPS port 993 closed; port 587 is also closed by default because I never installed the Alternate SMTP Server Settings on IX.

You can see my firewall details in the screenshot I leave below:

The problem is that even with these ports closed, I have an application that seems to bypass / ignore these rules. I describe it in more detail below:

I have migrated a PHP application to this server; the application uses the IMAPS protocol to get email tickets for the helpdesk and port 587 to send out the emails. Both of these settings were already set up before the migration, and after the migration was done I was very surprised to see that both the ticket fetching using IMAPS on port 993 and the email sending using SMTP on port 587 kept working.

So it seems the application is bypassing / ignoring the firewall rules, or the firewall rules are not being set up properly.

Just one final note to say that I have also noticed that, besides the application fetching and sending email, I'm also receiving the default email notifications (e.g. backup email notifications) from this server in my mailbox. How can this happen if both port 25 and port 587 are closed?

Can anyone please help me resolve this? How can I check, using SSH, which ports are actually open and closed?

Thanks

Hi Nqservices
I thought mail servers would use TLS over non-secure, so port 587 is used for mail-server-to-mail-server connections when using TLS. Qmail first uses port 25 to make the initial connection, then port 25 is upgraded to TLS port 587 before any credentials or information are passed. However, if the receiving or sending mail server you're connecting to is only capable of non-secure port 25 email, qmail does not upgrade the connection to TLS port 587.
I am sorry if I am wrong though, as each platform can be configured differently.
You can SSH into your server and use the following commands to identify and review which service ports are open and what is using each service. The port used in the examples is 587, but you can change it to whichever port you want to check from your nmap output.
I hope that helps a little
Many thanks
John
nmap -sT -O <your IP address or localhost>
cat /etc/services | grep 587
netstat -anp | grep 587
lsof -i | grep 587

Hi @d2d4j

Thanks for the help. Below are the results of the commands you told me to run.

It's strange that nmap seems to show ports 21, 25 and 3306 as open, when, as you can see in my firewall screenshot, they are closed.

About port 587, I don't understand the results of the other tests, so I need you to tell me if it's open or not.

Put simply, on the IW firewall all the email ports (25, 587, 993, etc.) are closed and the database port 3306 is also closed. So how can my server keep sending emails? Shouldn't all email be blocked by the firewall?

Or is the firewall not working properly?

Thanks


[root@subdomain ~]# nmap -sT -O 11.111.111.11

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-16 18:43 WEST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0

Nmap scan report for subdomain.mydomain.com (11.111.111.11)
Host is up (0.00010s latency).
Not shown: 992 closed ports

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
24/tcp open priv-mail
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
3306/tcp open mysql

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.00 seconds

[root@subdomain ~]# cat /etc/services | grep 587

submission 587/tcp msa # mail message submission
submission 587/udp msa # mail message submission
pra_elmd 1587/tcp pra-elmd # pra_elmd
pra_elmd 1587/udp pra-elmd # pra_elmd
masc 2587/tcp # MASC
masc 2587/udp # MASC
p2pgroup 3587/tcp # Peer to Peer Grouping
p2pgroup 3587/udp # Peer to Peer Grouping

[root@subdomain ~]# netstat -anp | grep 587

unix 3 [ ] STREAM CONNECTED 13587 -

[root@subdomain ~]# lsof -i | grep 587

[root@subdomain ~]# (it does not show anything)


Hi Nqservices
Many thanks, and sorry for the delay, we have our grandchildren for the week
I could be wrong, but just looking at your nmap result, it is not showing port 587 or 993 as open, whilst port 25 is shown as open. Without knowing how many IPs you have set, it could be using one of the IPs, so you may want to set qmail to use a specific IP. However, I believe this is already taken care of by IW now, so there has to be something else holding the port open, which I will have to have a think about.
I think your services are using localhost, and are therefore able to send email out, and if your helpdesk is on the same server, IMAPS would also work internally.
The firewall only blocks/stops incoming, leaving localhost alone, and does not stop outgoing, unless you specifically set a rule using SSH to stop outgoing, not just incoming. I think most firewalls work this way.
If you run the same nmap command, you should see more open ports, I think.
Many thanks
John

Hi @d2d4j

Thanks for your help.

I'm still confused. I have done an external port test at https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap and it showed just ports 22, 80, 443 and 24 as open. All other ports show as closed in the test.

So from outside it seems the firewall is working properly, with the ports closed.

I thought that having both TCP+UDP IN/OUT blocked on ports 587 and 993 in the firewall would block any inside/local or outside communication on these ports. But I guess not, because my CRM application keeps sending and fetching emails using ports 587 and 993.

Also, my nmap result says that port 21/tcp is open. But it is not!

So do you think all is ok with my setup? Or is there any problem with my firewall settings?

Thanks

Hi Nqservices

Many thanks.
The firewall should block on your IP, but localhost is not blocked (localhost is not available to the outside world). You can block ports on localhost, however, you need to manually set rules to do so from SSH.
I would need to run certain tests before commenting on your firewall, which I cannot do without knowing the IP or domain, sorry. However, your nmap does appear to show the firewall working normally, as expected.
Is it an issue for your CRM using 587 and 993, which I assume is working well on localhost?
Port 21, open or closed, sorry, I am unclear, as you posted an nmap showing 22, 80, 443 and 24 open, then the other nmap shows 21 as open, so a further test needs to be performed to confirm whether it is open or closed.
I hope that helps a little
Many thanks
John
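Added example (not from this thread, and not IX/InterWorx code): a small POSIX shell script that makes the point in John's two replies concrete, namely that a port can be closed to the outside world yet still usable by an application on the same host. It parses constructed sample output in the format of `ss -ltnH` and `iptables -S` (the variables SS_SAMPLE, IPT_SAMPLE and OUTPUT_SAMPLE are constructed, not real captures from the poster's server) and, for each port, reports whether a daemon listens on loopback only, on all interfaces, or not at all; whether the INPUT chain has an explicit ACCEPT for it; whether loopback traffic is exempted; and whether any OUTPUT rule blocks it. To run it against a real server over SSH, replace the three samples with the live commands named in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening TCP ports by bind
# scope and relate them to the INPUT/OUTPUT chains of an iptables firewall.
# All three captures below are CONSTRUCTED samples, not data from a real host.

# Constructed sample of: ss -ltnH   (listening TCP sockets, numeric, no header)
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:587 0.0.0.0:*
LISTEN 0 128 *:25 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::1]:993 [::]:*'

# Constructed sample of: iptables -S INPUT
IPT_SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT'

# Constructed sample of: iptables -S OUTPUT   (no per-port rules, ACCEPT policy)
OUTPUT_SAMPLE='-P OUTPUT ACCEPT'

# Print the local-address column (field 4) of every listening socket.
listeners() {
    printf '%s\n' "$SS_SAMPLE" | awk '{print $4}'
}

# Classify one TCP port as loopback-only, all-interfaces, or not-listening.
# A loopback-only listener is reachable by processes on this host regardless
# of what the firewall does to traffic arriving on the public interface.
port_scope() {
    port="$1"
    scope="not-listening"
    # Read from a here-document so addresses like *:25 are not glob-expanded.
    while read -r addr; do
        p="${addr##*:}"        # text after the last ':' is the port
        [ "$p" = "$port" ] || continue
        host="${addr%:*}"      # everything before the last ':' is the address
        case "$host" in
            127.*|'[::1]') [ "$scope" = "all-interfaces" ] || scope="loopback-only" ;;
            *)             scope="all-interfaces" ;;
        esac
    done <<EOF
$(listeners)
EOF
    printf '%s\n' "$scope"
}

# Succeed if INPUT has an explicit ACCEPT for the TCP port. With a DROP
# policy, a port without such a rule is unreachable from outside even when a
# daemon listens on all interfaces (this is what the external scan reflects).
input_accepts() {
    printf '%s\n' "$IPT_SAMPLE" | grep -Eq -- "^-A INPUT .*--dport $1 .*-j ACCEPT"
}

# Succeed if INPUT accepts everything on the loopback interface. Connections
# a host makes to its own addresses traverse lo, so this rule is why a scan
# run on the server itself can show ports that an external scan reports closed.
loopback_exempt() {
    printf '%s\n' "$IPT_SAMPLE" | grep -q -- '-A INPUT -i lo -j ACCEPT'
}

# Succeed if OUTPUT drops or rejects the TCP port. Without such a rule the
# host's own outbound connections (SMTP submission on 587, IMAPS on 993) are
# governed only by the OUTPUT policy, which is ACCEPT in the sample.
output_blocks() {
    printf '%s\n' "$OUTPUT_SAMPLE" | grep -Eq -- "^-A OUTPUT .*--dport $1 .*-j (DROP|REJECT)"
}

# Human-readable summary for the ports discussed in the thread.
report() {
    for p in 22 25 587 993 3306; do
        ext="closed-externally"
        input_accepts "$p" && ext="open-externally"
        out="outbound-allowed"
        output_blocks "$p" && out="outbound-blocked"
        printf 'port %s: listener=%s input=%s output=%s\n' \
            "$p" "$(port_scope "$p")" "$ext" "$out"
    done
    if loopback_exempt; then
        echo 'INPUT exempts lo: local processes can reach listeners the outside cannot'
    fi
}

report
```

In the constructed sample, 587 and 993 are loopback-only listeners with no INPUT ACCEPT and no OUTPUT rule, which is exactly the combination in the thread: closed from outside, yet fully usable by a CRM on the same box and by the server's own notification mail. Blocking that local or outbound use would require adding rules in the OUTPUT chain (or on lo) over SSH, as John notes; the IN/OUT toggles in a panel firewall normally apply only to the public interface.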