majorlinux/MajorWiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
MajorWiki/05-troubleshooting/networking/firewalld-mail-ports-reset.md
MajorLinux 6592eb4fea wiki: audit fixes — broken links, wikilinks, frontmatter, stale content (66 files) 
- Fixed 4 broken markdown links (bad relative paths in See Also sections)
- Corrected n8n port binding to 127.0.0.1:5678 (matches actual deployment)
- Updated SnapRAID article with actual majorhome paths (/majorRAID, disk1-3)
- Converted 67 Obsidian wikilinks to relative markdown links or plain text
- Added YAML frontmatter to 35 articles missing it entirely
- Completed frontmatter on 8 articles with missing fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 11:16:29 -04:00

80 lines
3.1 KiB
Markdown
Raw Permalink Blame History

---
title: "firewalld: Mail Ports Wiped After Reload (IMAP + Webmail Outage)"
domain: troubleshooting
category: networking
tags: [firewalld, mail, imap, fedora, ports]
status: published
created: 2026-04-02
updated: 2026-04-02
---
# firewalld: Mail Ports Wiped After Reload (IMAP + Webmail Outage)
If IMAP, SMTP, and webmail all stop working simultaneously on a Fedora/RHEL mail server, firewalld may have reloaded and lost its mail port configuration.
## Symptoms
- `openssl s_client -connect mail.example.com:993` returns `Connection refused`
- Webmail returns connection refused or times out
- SSH still works (port 22 is typically in the persisted config)
- `firewall-cmd --list-services --zone=public` shows only `ssh dhcpv6-client mdns` or similar — no mail services
- Mail was working before a service restart or system event
## Why It Happens
firewalld uses two layers of configuration:
- **Runtime** — active rules in memory (lost on reload or restart)
- **Permanent** — written to `/etc/firewalld/zones/public.xml` (survives reloads)
If mail ports were added with `firewall-cmd --add-service=imaps` (without `--permanent`), they exist only in the runtime config. Any event that triggers a `firewall-cmd --reload` — including Fail2ban restarting, a system update, or manual reload — wipes the runtime config back to the permanent state, dropping all non-permanent rules.
## Diagnosis
```bash
# Check what's currently allowed
firewall-cmd --list-services --zone=public
# Check nftables for catch-all reject rules
nft list ruleset | grep -E '(reject|accept|993|143)'
# Test port 993 from an external machine
openssl s_client -connect mail.example.com:993 -brief
```
If the only services listed are `ssh` and the port test shows `Connection refused`, the rules are gone.
## Fix
Add all mail services permanently and reload:
```bash
firewall-cmd --permanent \
--add-service=smtp \
--add-service=smtps \
--add-service=smtp-submission \
--add-service=imap \
--add-service=imaps \
--add-service=http \
--add-service=https
firewall-cmd --reload
# Verify
firewall-cmd --list-services --zone=public
```
Expected output:
```
dhcpv6-client http https imap imaps mdns smtp smtp-submission smtps ssh
```
## Key Notes
- **Always use `--permanent`** when adding services to firewalld on a server. Without it, the rule exists only until the next reload.
- **Fail2ban + firewalld**: Fail2ban uses firewalld as its ban backend (`firewallcmd-rich-rules`). When Fail2ban restarts or crashes, it may trigger a `firewall-cmd --reload`, resetting any runtime-only rules.
- **Verify after any firewall event**: After Fail2ban restarts, system reboots, or `firewall-cmd --reload`, always confirm mail services are still present with `firewall-cmd --list-services --zone=public`.
- **Check the permanent config directly**: `cat /etc/firewalld/zones/public.xml` — if mail services aren't in this file, they'll be lost on next reload.
## Related
- [Linux Server Hardening Checklist](../../02-selfhosting/security/linux-server-hardening-checklist.md)
- [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](fail2ban-imap-self-ban-mail-client.md)
Reference in New Issue View Git Blame Copy Permalink