fix(mailserver): Add UCI firewall rules for mail ports

The firewall-setup command now adds:
- Input rules for ports 25, 143, 465, 587, 993 (accept from WAN)
- Forward rules for mail ports (WAN -> LAN mailserver)
- DNAT rules in firewall.user (excluding LAN subnet)

This ensures nftables input_wan and forward_wan chains allow
mail traffic to reach the mailserver container.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-02-16 15:56:31 +01:00
parent f6f4176170
commit a0fc2cee62


@ -882,7 +882,42 @@ cmd_firewall_setup() {
log "Mail server IP: $mail_ip"
log "LAN subnet: $lan_subnet (excluded from redirect)"
# Create firewall.user rules
# Add UCI firewall rules for input (accept from WAN)
log "Adding input rules for mail ports..."
for port in 25 143 465 587 993; do
local rule_name="Mail-Port-${port}"
# Check if rule already exists
local exists=$(uci show firewall 2>/dev/null | grep "name='${rule_name}'" || true)
if [ -z "$exists" ]; then
uci add firewall rule >/dev/null
uci set firewall.@rule[-1].name="$rule_name"
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port="$port"
uci set firewall.@rule[-1].target='ACCEPT'
fi
done
# Add UCI firewall rules for forward (WAN -> LAN mailserver)
log "Adding forward rules for mail ports..."
for port in 25 143 465 587 993; do
local rule_name="Forward-Mail-${port}"
# Check if rule already exists
local exists=$(uci show firewall 2>/dev/null | grep "name='${rule_name}'" || true)
if [ -z "$exists" ]; then
uci add firewall rule >/dev/null
uci set firewall.@rule[-1].name="$rule_name"
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port="$port"
uci set firewall.@rule[-1].target='ACCEPT'
fi
done
uci commit firewall
# Create firewall.user rules for DNAT
local fw_file="/etc/firewall.user"
local fw_backup="${fw_file}.bak"