Hi, I'm trying to have RoundCube and PHP scripts send email to external domains on my CentOS CWP server. Inbound port 25 works fine (I can send email from Yahoo to my mail server and retrieve it), but any outbound port 25 traffic from my server is blocked somewhere:
>telnet portquiz.net 25
Trying 52.47.209.216...
^C
It hangs. I've tried using the IP address for portquiz.net and get the same response. My email logs show similar problems:
Jun 13 03:10:17 www postfix/smtp[25090]: connect to mta7.am0.yahoodns.net[67.195.228.106]:25: Connection timed out
Postfix responds ok when I connect from the machine itself:
>telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 myXYZserver.com ESMTP Postfix
I've eliminated the three main suspects:
1. Internal iptables Firewall
I've disabled the iptables csf and lfd firewall from the CWP GUI, confirmed it from ">iptables -L", and am still unable to telnet to port 25 at an external server.
2. ISP's Server-Level Firewall
My ISP is Vultr.com and they provide configurable server-level firewall where inbound port 25 data can be rejected. I've configured the server-level firewall to allow port 25 in both directions, and have also tested disabling it entirely. Still no luck.
3. ISP-Level Firewall
My ISP also has a policy of blocking outbound port 25, so I emailed them to assure them I wasn't a spammer. They agreed and said they had unblocked port 25. I let them know about my outbound SMTP problems and asked again if they were sure they had unblocked it. They re-confirmed that port 25 was not blocked.
Is there any other culprit (some other firewall or config) that might be preventing outbound SMTP traffic, originating from my server, from getting out?
With the firewall off, outbound SMTP port 25 is still blocked; here's the output of iptables:
>iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-----------------------------------------------------------------------------
After I turn the firewall back on, here is the output for the iptables:
>iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 108.61.10.10.choopa.net anywhere tcp dpt:domain
ACCEPT udp -- 108.61.10.10.choopa.net anywhere udp dpt:domain
ACCEPT tcp -- 108.61.10.10.choopa.net anywhere tcp spt:domain
ACCEPT udp -- 108.61.10.10.choopa.net anywhere udp spt:domain
LOCALINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
INVALID tcp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
LOGDROPIN icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:urd
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:device2
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:mobrien-chat
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:infowave
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:radsec
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:eli
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:nbx-ser
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:nbx-dir
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:domain
LOGDROPIN all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 108.61.10.10.choopa.net tcp dpt:domain
ACCEPT udp -- anywhere 108.61.10.10.choopa.net udp dpt:domain
ACCEPT tcp -- anywhere 108.61.10.10.choopa.net tcp spt:domain
ACCEPT udp -- anywhere 108.61.10.10.choopa.net udp spt:domain
LOCALOUTPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- anywhere anywhere
INVALID tcp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:auth
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:device2
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:mobrien-chat
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:infowave
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:radsec
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:eli
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:nbx-ser
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:nbx-dir
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:autodesk-nlm
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:powerclientcsf
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:auth
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ntp
LOGDROPOUT all -- anywhere anywhere
Chain ALLOWIN (1 references)
target prot opt source destination
ACCEPT all -- 10.0.2.2 anywhere
Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.2.2
Chain DENYIN (1 references)
target prot opt source destination
DROP all -- 178.62.118.53 anywhere
DROP all -- 111.33.152.130 anywhere
DROP all -- net6-ip74.linkbg.com anywhere
[there are lots of these, I cut them out for the sake of brevity]
Chain DENYOUT (1 references)
target prot opt source destination
LOGDROPOUT all -- anywhere 178.62.118.53
LOGDROPOUT all -- anywhere 111.33.152.130
LOGDROPOUT all -- anywhere net6-ip74.linkbg.com
[there are lots of these, I cut them out for the sake of brevity]
Chain INVALID (2 references)
target prot opt source destination
INVDROP all -- anywhere anywhere ctstate INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW
Chain INVDROP (10 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain LOCALINPUT (1 references)
target prot opt source destination
ALLOWIN all -- anywhere anywhere
DENYIN all -- anywhere anywhere
Chain LOCALOUTPUT (1 references)
target prot opt source destination
ALLOWOUT all -- anywhere anywhere
DENYOUT all -- anywhere anywhere
Chain LOGDROPIN (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootps
DROP tcp -- anywhere anywhere tcp dpt:bootpc
DROP udp -- anywhere anywhere udp dpt:bootpc
DROP tcp -- anywhere anywhere tcp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp dpt:auth
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:isakmp
DROP udp -- anywhere anywhere udp dpt:isakmp
DROP tcp -- anywhere anywhere tcp dpt:login
DROP udp -- anywhere anywhere udp dpt:who
DROP tcp -- anywhere anywhere tcp dpt:efs
DROP udp -- anywhere anywhere udp dpt:router
LOG tcp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP all -- anywhere anywhere
Chain LOGDROPOUT (201 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
-----------------------------------------------------
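An added diagnostic, not part of the original question: the CSF rules quoted above already ACCEPT new TCP connections to dpt:smtp in the OUTPUT chain, and the LOGDROPOUT chain ends in REJECT with icmp-port-unreachable after LOG rules with the prefix "Firewall: *TCP_OUT Blocked*". A connection the host's own firewall blocks therefore fails immediately with "Connection refused" and (subject to the LOG rate limit) leaves a kernel-log line with that prefix, while a connect that hangs until it times out means the SYN was discarded silently, which none of the quoted rules do. The script below probes a port with a timeout and classifies the failure, then cross-checks Postfix "Connection timed out" lines against kernel-log lines carrying the CSF prefix. The sample log lines are constructed (RFC 5737 documentation addresses, standard iptables LOG field layout), except for the Postfix line quoted in the question.

```python
# Added diagnostic (not from the original post): classify an outbound SMTP
# connect failure and check whether the host's own CSF/iptables rules are the
# ones blocking it.  Sample addresses and log lines are constructed.
import re
import socket
from collections import Counter


def probe_tcp(host, port=25, timeout=5.0):
    """Try one TCP connect and report how it ended.

    'open'        -> handshake completed
    'refused'     -> RST or ICMP port-unreachable came back (active reject,
                     e.g. CSF's LOGDROPOUT chain, or the remote host itself)
    'timeout'     -> no answer at all (SYN silently dropped somewhere)
    'unreachable' -> routing or name-resolution failure before any SYN left
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on modern Pythons
        return "timeout"
    except OSError:                 # includes socket.gaierror
        return "unreachable"


def explain(result):
    """What each probe result implies given the CSF rules quoted in the post."""
    return {
        "open": "port reachable; the problem is in Postfix or DNS, not a firewall",
        "refused": ("immediate reject: CSF's LOGDROPOUT ends in REJECT "
                    "icmp-port-unreachable, so a local outbound block looks like "
                    "this and is logged as '*TCP_OUT Blocked*'"),
        "timeout": ("silent drop: the local chains REJECT rather than hang, so "
                    "the SYN is being discarded after it leaves the host"),
        "unreachable": "no route or name lookup failed; check routing/DNS first",
    }[result]


# iptables LOG line written by the LOGDROPOUT chain (standard LOG field layout).
CSF_OUT_RE = re.compile(
    r"Firewall: \*TCP_OUT Blocked\* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)
# Postfix smtp client giving up on an MX.
POSTFIX_TIMEOUT_RE = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<mx>\S+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"Connection timed out"
)


def csf_blocked_out(kernel_lines, dport=25):
    """Count LOGDROPOUT hits per destination address for one destination port."""
    hits = Counter()
    for line in kernel_lines:
        m = CSF_OUT_RE.search(line)
        if m and int(m.group("dport")) == dport:
            hits[m.group("dst")] += 1
    return dict(hits)


def postfix_timeouts(mail_lines):
    """Return sorted (mx, ip) pairs Postfix could not reach on port 25."""
    found = set()
    for line in mail_lines:
        m = POSTFIX_TIMEOUT_RE.search(line)
        if m and m.group("port") == "25":
            found.add((m.group("mx"), m.group("ip")))
    return sorted(found)


def diagnose(kernel_lines, mail_lines):
    """Postfix timeouts with no matching TCP_OUT block in the kernel log point off-host.

    Note the LOG rules are rate limited (avg 30/min), so a busy host may miss
    some entries; a single match is still decisive, an empty result is strong
    but not absolute evidence.
    """
    timeouts = postfix_timeouts(mail_lines)
    blocked = csf_blocked_out(kernel_lines)
    if not timeouts:
        return "no outbound SMTP timeouts in the mail log"
    if any(ip in blocked for _, ip in timeouts):
        return "host firewall: CSF logged TCP_OUT blocks to the same MX addresses"
    return ("off-host: Postfix timed out but CSF logged no outbound block to those "
            "addresses; look at provider or upstream filtering")


# Constructed samples (RFC 5737 documentation addresses), plus the line from the post.
SAMPLE_KERNEL_LOG = [
    "Jun 13 03:09:58 www kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF "
    "PROTO=TCP SPT=51234 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0",
]
SAMPLE_KERNEL_LOG_LOCAL_BLOCK = SAMPLE_KERNEL_LOG + [
    "Jun 13 03:10:17 www kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF "
    "PROTO=TCP SPT=48822 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
]
SAMPLE_MAIL_LOG = [
    "Jun 13 03:10:17 www postfix/smtp[25090]: connect to "
    "mta7.am0.yahoodns.net[67.195.228.106]:25: Connection timed out",
    "Jun 13 03:12:40 www postfix/smtp[25091]: connect to "
    "mx.example.net[198.51.100.25]:25: Connection timed out",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_KERNEL_LOG, SAMPLE_MAIL_LOG))
    print(diagnose(SAMPLE_KERNEL_LOG_LOCAL_BLOCK, SAMPLE_MAIL_LOG))
    result = probe_tcp("portquiz.net", 25)      # the test host used in the post
    print(result, "->", explain(result))
```

Run it on the real logs with something like `diagnose(open("/var/log/messages").readlines(), open("/var/log/maillog").readlines())` (paths are the usual CentOS locations, assumed here). A "timeout" from the probe together with an "off-host" verdict is exactly the pattern described in the question, and it rules the host's own iptables rules out regardless of what the GUI says.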