wiki: add firewalld mail ports reset article + session updates

- New article: firewalld mail ports wiped after reload (IMAP + webmail outage) - New article: Plex 4K codec compatibility (Apple TV) - New article: mdadm RAID recovery after USB hub disconnect - Updated yt-dlp article - Updated all index files: SUMMARY.md, index.md, README.md, category indexes - Article count: 41 → 42 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 16:15:02 -04:00
parent 0bcc2c822a
commit 279c094afc
10 changed files with 372 additions and 22 deletions
--- a/05-troubleshooting/networking/firewalld-mail-ports-reset.md
+++ b/05-troubleshooting/networking/firewalld-mail-ports-reset.md
@@ -0,0 +1,70 @@
+# firewalld: Mail Ports Wiped After Reload (IMAP + Webmail Outage)
+
+If IMAP, SMTP, and webmail all stop working simultaneously on a Fedora/RHEL mail server, firewalld may have reloaded and lost its mail port configuration.
+
+## Symptoms
+
+- `openssl s_client -connect mail.example.com:993` returns `Connection refused`
+- Webmail returns connection refused or times out
+- SSH still works (port 22 is typically in the persisted config)
+- `firewall-cmd --list-services --zone=public` shows only `ssh dhcpv6-client mdns` or similar — no mail services
+- Mail was working before a service restart or system event
+
+## Why It Happens
+
+firewalld uses two layers of configuration:
+- **Runtime** — active rules in memory (lost on reload or restart)
+- **Permanent** — written to `/etc/firewalld/zones/public.xml` (survives reloads)
+
+If mail ports were added with `firewall-cmd --add-service=imaps` (without `--permanent`), they exist only in the runtime config. Any event that triggers a `firewall-cmd --reload` — including Fail2ban restarting, a system update, or manual reload — wipes the runtime config back to the permanent state, dropping all non-permanent rules.
+
+## Diagnosis
+
+```bash
+# Check what's currently allowed
+firewall-cmd --list-services --zone=public
+
+# Check nftables for catch-all reject rules
+nft list ruleset | grep -E '(reject|accept|993|143)'
+
+# Test port 993 from an external machine
+openssl s_client -connect mail.example.com:993 -brief
+```
+
+If the only services listed are `ssh` and the port test shows `Connection refused`, the rules are gone.
+
+## Fix
+
+Add all mail services permanently and reload:
+
+```bash
+firewall-cmd --permanent \
+  --add-service=smtp \
+  --add-service=smtps \
+  --add-service=smtp-submission \
+  --add-service=imap \
+  --add-service=imaps \
+  --add-service=http \
+  --add-service=https
+firewall-cmd --reload
+
+# Verify
+firewall-cmd --list-services --zone=public
+```
+
+Expected output:
+```
+dhcpv6-client http https imap imaps mdns smtp smtp-submission smtps ssh
+```
+
+## Key Notes
+
+- **Always use `--permanent`** when adding services to firewalld on a server. Without it, the rule exists only until the next reload.
+- **Fail2ban + firewalld**: Fail2ban uses firewalld as its ban backend (`firewallcmd-rich-rules`). When Fail2ban restarts or crashes, it may trigger a `firewall-cmd --reload`, resetting any runtime-only rules.
+- **Verify after any firewall event**: After Fail2ban restarts, system reboots, or `firewall-cmd --reload`, always confirm mail services are still present with `firewall-cmd --list-services --zone=public`.
+- **Check the permanent config directly**: `cat /etc/firewalld/zones/public.xml` — if mail services aren't in this file, they'll be lost on next reload.
+
+## Related
+
+- [Linux Server Hardening Checklist](../../02-selfhosting/security/linux-server-hardening-checklist.md)
+- [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](fail2ban-imap-self-ban-mail-client.md)