majorlinux/MajorWiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c66d3a6fd0ad2c43d336ff8eed29e5569450c6c4
MajorWiki/05-troubleshooting/networking/firewalld-mail-ports-reset.md
MajorLinux 6592eb4fea wiki: audit fixes — broken links, wikilinks, frontmatter, stale content (66 files) 
- Fixed 4 broken markdown links (bad relative paths in See Also sections)
- Corrected n8n port binding to 127.0.0.1:5678 (matches actual deployment)
- Updated SnapRAID article with actual majorhome paths (/majorRAID, disk1-3)
- Converted 67 Obsidian wikilinks to relative markdown links or plain text
- Added YAML frontmatter to 35 articles missing it entirely
- Completed frontmatter on 8 articles with missing fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 11:16:29 -04:00

3.1 KiB
Raw Blame History

title, domain, category, tags, status, created, updated
title domain category tags status created updated
firewalld: Mail Ports Wiped After Reload (IMAP + Webmail Outage) troubleshooting networking
firewalld
mail
imap
fedora
ports
published 2026-04-02 2026-04-02

firewalld: Mail Ports Wiped After Reload (IMAP + Webmail Outage)

If IMAP, SMTP, and webmail all stop working simultaneously on a Fedora/RHEL mail server, firewalld may have reloaded and lost its mail port configuration.

Symptoms

  • openssl s_client -connect mail.example.com:993 returns Connection refused
  • Webmail returns connection refused or times out
  • SSH still works (port 22 is typically in the persisted config)
  • firewall-cmd --list-services --zone=public shows only ssh dhcpv6-client mdns or similar — no mail services
  • Mail was working before a service restart or system event

Why It Happens

firewalld uses two layers of configuration:

  • Runtime — active rules in memory (lost on reload or restart)
  • Permanent — written to /etc/firewalld/zones/public.xml (survives reloads)

If mail ports were added with firewall-cmd --add-service=imaps (without --permanent), they exist only in the runtime config. Any event that triggers a firewall-cmd --reload — including Fail2ban restarting, a system update, or manual reload — wipes the runtime config back to the permanent state, dropping all non-permanent rules.

Diagnosis

# Check what's currently allowed
firewall-cmd --list-services --zone=public

# Check nftables for catch-all reject rules
nft list ruleset | grep -E '(reject|accept|993|143)'

# Test port 993 from an external machine
openssl s_client -connect mail.example.com:993 -brief

If the only services listed are ssh and the port test shows Connection refused, the rules are gone.

Fix

Add all mail services permanently and reload:

firewall-cmd --permanent \
  --add-service=smtp \
  --add-service=smtps \
  --add-service=smtp-submission \
  --add-service=imap \
  --add-service=imaps \
  --add-service=http \
  --add-service=https
firewall-cmd --reload

# Verify
firewall-cmd --list-services --zone=public

Expected output:

dhcpv6-client http https imap imaps mdns smtp smtp-submission smtps ssh

Key Notes

  • Always use --permanent when adding services to firewalld on a server. Without it, the rule exists only until the next reload.
  • Fail2ban + firewalld: Fail2ban uses firewalld as its ban backend (firewallcmd-rich-rules). When Fail2ban restarts or crashes, it may trigger a firewall-cmd --reload, resetting any runtime-only rules.
  • Verify after any firewall event: After Fail2ban restarts, system reboots, or firewall-cmd --reload, always confirm mail services are still present with firewall-cmd --list-services --zone=public.
  • Check the permanent config directly: cat /etc/firewalld/zones/public.xml — if mail services aren't in this file, they'll be lost on next reload.

Related

Reference in New Issue View Git Blame Copy Permalink