
Hello,

I have an ubuntu 14.04 server running postfix. I wanted to test it with telnet on port 25. Alas I receive connection refused errors although I can ssh to the server fine and see that master is listening on port 25. I ssh'd to another machine outside of my lan and tried telnet from there. I was able to connect fine. Does anyone have any suggestions how I can troubleshoot this? My hosts.deny file is empty.

Here's the server's iptables -L output. My wan address is not listed. Thanks for your help!

Randy

root@foucault:/etc/postfix# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ErrorAccess  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ReqLimit  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ErrorAccess (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ReqLimit (1 references)
target     prot opt source               destination
REJECT     all  --  hosted-by.sistem724.com.tr  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  www.albena.bg        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  182.100.67.115       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  dynamicip-188-232-146-41.pppoe.omsk.ertelecom.ru  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  outgoing-auas.carlson.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  221.233.125.180      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  2h56.xjtu.edu.cn     anywhere             reject-with icmp-port-unreachable
REJECT     all  --  vps3d196-static.vdrs.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vdc.vn        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  grupoazul130.static.host.gvt.net.br  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  182.100.67.114       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  luna933.server4you.de  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.231.222.45       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.7        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.15       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vdc.vn        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.205.48.105       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.4        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  5-14-20-84.residential.rdsnet.ro  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  94.102.53.182        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  dynamic.vdc.vn       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  59.57.253.94         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.9        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  183.136.216.4        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Port 25 is matched by 'fail2ban-dovecot' and 'fail2ban-postfix' which do nothing. So, check postfix main config.
-- 
William

On Thu, Feb 19, 2015 at 10:59:01PM -0500, Randy Jonasz wrote:
Hello,
I have an ubuntu 14.04 server running postfix. I wanted to test it with telnet on port 25. Alas I receive connection refused errors although I can ssh to the server fine and see that master is listening on port 25. I ssh'd to another machine outside of my lan and tried telnet from there. I was able to connect fine. Does anyone have any suggestions how I can troubleshoot this? My hosts.deny file is empty.
Here's the server's iptables -L output. My wan address is not listed. Thanks for your help!
Randy
root@foucault:/etc/postfix# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ErrorAccess  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ReqLimit  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ErrorAccess (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ReqLimit (1 references)
target     prot opt source               destination
REJECT     all  --  hosted-by.sistem724.com.tr  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  www.albena.bg        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  182.100.67.115       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  dynamicip-188-232-146-41.pppoe.omsk.ertelecom.ru  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  outgoing-auas.carlson.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  221.233.125.180      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  2h56.xjtu.edu.cn     anywhere             reject-with icmp-port-unreachable
REJECT     all  --  vps3d196-static.vdrs.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vdc.vn        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  grupoazul130.static.host.gvt.net.br  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  182.100.67.114       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  luna933.server4you.de  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.231.222.45       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.7        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.15       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vdc.vn        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.205.48.105       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.4        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  5-14-20-84.residential.rdsnet.ro  anywhere  reject-with icmp-port-unreachable
REJECT     all  --  94.102.53.182        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  dynamic.vdc.vn       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  59.57.253.94         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  115.239.228.9        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  183.136.216.4        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
--- Talk Mailing List talk@gtalug.org http://gtalug.org/mailman/listinfo/talk
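William's reading of the listing (the fail2ban chains that match port 25 only RETURN, so INPUT's ACCEPT policy is what applies) can be checked mechanically rather than by eye. The Python script below is an added example, not code from the thread: it parses `iptables -L` text and traces a single packet through INPUT and any user-defined chains it jumps to, the way netfilter would, reporting every rule hit and the final verdict. The listing it embeds is a constructed sample in the shape of the one Randy posted (203.0.113.7 is a documentation address, not one from the page); the service-name table is the subset of /etc/services these rules need; and because `-L` without `-n` prints reverse-DNS names, the source must be given exactly as iptables printed it (or take the listing with `iptables -L -n` and pass addresses).

```python
import re

# Service names as `iptables -L` prints them (it resolves ports via
# /etc/services unless you pass -n); only the entries used here.
SERVICES = {"smtp": 25, "urd": 465, "submission": 587, "imap2": 143,
            "imap3": 220, "imaps": 993, "pop3": 110, "pop3s": 995,
            "ssh": 22, "http": 80, "https": 443}

# Constructed sample in the shape of the output posted in the thread; the
# banned address 203.0.113.7 is an RFC 5737 documentation address.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _port(tok):
    """Map a dport token (service name or number) to an int; None if unknown."""
    return int(tok) if tok.isdigit() else SERVICES.get(tok)


def parse_chains(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [...]}}.

    Each rule is a dict with target, prot, source, dest and dports (a set of
    ints, or None when the rule has no destination-port match)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue  # column header row
        parts = line.split()
        target, prot, _opt, source, dest = parts[:5]
        extra = " ".join(parts[5:])
        dm = re.search(r"(?:dports |dpts?:)(\S+)", extra)
        dports = {_port(p) for p in dm.group(1).split(",")} if dm else None
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "source": source,
             "dest": dest, "dports": dports})
    return chains


def trace(chains, chain, proto, dport, source):
    """Walk `chain` for one packet the way netfilter would.

    Returns (verdict, path): verdict is ACCEPT/DROP/REJECT, or None when a
    user-defined chain RETURNs to its caller; path lists every rule hit."""
    path = []
    for rule in chains[chain]["rules"]:
        if rule["prot"] not in ("all", proto):
            continue
        if rule["source"] not in ("anywhere", source):
            continue
        if rule["dports"] is not None and dport not in rule["dports"]:
            continue
        target = rule["target"]
        path.append(f"{chain}: {target}")
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            return None, path
        if target in chains:  # jump into a user-defined chain
            verdict, sub = trace(chains, target, proto, dport, source)
            path.extend(sub)
            if verdict is not None:
                return verdict, path
        # Sub-chain RETURNed, or a non-terminating target such as LOG:
        # carry on with the next rule in this chain.
    policy = chains[chain]["policy"]
    if policy:
        path.append(f"{chain}: policy {policy}")
        return policy, path
    return None, path


def verdict_for(text, proto, dport, source):
    """Parse the listing and trace INPUT for one packet. `source` must be
    spelled as iptables printed it (resolved name or address)."""
    return trace(parse_chains(text), "INPUT", proto, dport, source)


if __name__ == "__main__":
    for port, src in ((25, "198.51.100.5"), (22, "203.0.113.7")):
        verdict, path = verdict_for(SAMPLE_IPTABLES_L, "tcp", port, src)
        print(f"tcp/{port} from {src}: {verdict}  via  {' -> '.join(path)}")
```

Run against the real listing (`iptables -L -n > rules.txt`, then feed the file's contents to `verdict_for`), a REJECT in the path for your own address is exactly the "did fail2ban ban me?" check Blaise raises later in the thread; an ACCEPT via policy, as here, says the firewall is not what is refusing the connection.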

On 15-02-19 11:34 PM, William Park wrote:
Port 25 is matched by 'fail2ban-dovecot' and 'fail2ban-postfix' which do nothing. So, check postfix main config.

Alas I can telnet to port 25 from outside of my lan. What would restrict my lan address? The server is in Germany. I can telnet from work at McMaster University but nothing from my home.

Here's my main.config

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_req_ccert = no
smtpd_tls_ask_ccert = yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = foucault.rjonasz.ca
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = foucault.rjonasz.ca, localhost.rjonasz.ca, localhost
relayhost =
mynetworks = 127.0.0.0/8 80.241.217.178/32 [::ffff:127.0.0.0]/104 [::1]/128 207.210.30.47/32 198.7.63.205/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth-client
#smtpd_sasl_local_domain =
#smtpd_sasl_security_options = noplaintext,noanonymous
#broken_sasl_auth_clients = yes
#smtpd_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
#smtp_connection_cache_destinations = smtp.gmail.com
default_transport = smtp
default_destination_concurrency_limit = 5
virtual_alias_domains = rjonasz.ca rjonasz.com rjonasz.net rjonasz.org
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

Cheers,
Randy

On 20/02/15 11:57 AM, Randy Jonasz wrote:
On 15-02-19 11:34 PM, William Park wrote:
Port 25 is matched by 'fail2ban-dovecot' and 'fail2ban-postfix' which do nothing. So, check postfix main config.

Alas I can telnet to port 25 from outside of my lan. What would restrict my lan address? The server is in Germany. I can telnet from work at McMaster University but nothing from my home.
[...]
Just a guess, but since you've got fail2ban running, have you checked to see if you accidentally banned your IP address when testing? I've done that before. I'd suggest double-checking the fail2ban log to see if your IP address is listed, and/or make sure it's whitelisted in your fail2ban config. If that's not the problem though, then I'm not sure what's going on with Postfix...

On Thu, Feb 19, 2015 at 10:59:01PM -0500, Randy Jonasz wrote:
Hello,
I have an ubuntu 14.04 server running postfix. I wanted to test it with telnet on port 25. Alas I receive connection refused errors although I can ssh to the server fine and see that master is listening on port 25. I ssh'd to another machine outside of my lan and tried telnet from there. I was able to connect fine. Does anyone have any suggestions how I can troubleshoot this? My hosts.deny file is empty.
Here's the server's iptables -L output. My wan address is not listed. Thanks for your help!
Randy
[snip]

Is it possible that the ISP that you use from home is blocking outbound TCP/25 connection attempts? Try installing tcptraceroute on your home machine and see if you can contact any external mail servers, i.e.

# host -t MX google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
...
# tcptraceroute alt4.aspmx.l.google.com. 25
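Steve's test can be scripted so the result is a state per port rather than a screenful of traceroute hops. The Python below is an added example, not something posted in the thread: it attempts a TCP connect to each mail-related port on a host and reports whether the port answered with a banner, was refused with a RST, or timed out with no reply at all. A silent timeout is the classic signature of a filter dropping the SYN somewhere in the path, but a block can also show up as a RST, which is what Randy saw as "connection refused" even though nothing on his server was refusing. The script carries an offline self-test against a throwaway localhost listener; the `220 constructed.test ESMTP` greeting is constructed, and port 1 is assumed to have no listener on the local machine.

```python
import errno
import socket
import sys
import threading

# Ports a mail client might use; 465 is what the thread calls "SMTPS" and
# 587 is the submission port William asks about later.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Assumed to have no listener on this machine; a low port is used so the
# self-test cannot collide with the ephemeral source-port range.
CLOSED_PORT_FOR_SELFTEST = 1


def probe(host, port, timeout=3.0):
    """One TCP connect attempt. Returns (state, detail).

    open      -> handshake completed; detail is the greeting banner, if any
    refused   -> the remote, or something in between, answered with a RST
    filtered  -> no SYN-ACK and no RST before the timeout: typical of an
                 upstream port block that silently drops the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode(errors="replace").strip()
            except OSError:  # includes a read timeout: open but silent
                banner = ""
        return "open", banner
    except socket.timeout:
        return "filtered", "connect timed out (no SYN-ACK, no RST)"
    except ConnectionRefusedError:
        return "refused", "RST received"
    except socket.gaierror as e:
        return "unresolved", str(e)
    except OSError as e:
        return "error", errno.errorcode.get(e.errno, str(e))


def check_outbound(host, ports=MAIL_PORTS, timeout=3.0):
    """Probe every port in `ports` on `host`; returns {port: (state, detail)}."""
    return {port: probe(host, port, timeout) for port in ports}


def local_smtp_listener(banner=b"220 constructed.test ESMTP\r\n"):
    """Throwaway localhost listener that greets one client, for offline
    testing only. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def selftest():
    """Exercise the open and refused paths without leaving the machine."""
    port, t = local_smtp_listener()
    open_state, banner = probe("127.0.0.1", port, timeout=2.0)
    t.join(2.0)
    refused_state, _ = probe("127.0.0.1", CLOSED_PORT_FOR_SELFTEST, timeout=2.0)
    return open_state, banner, refused_state


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("self-test:", selftest())
    else:
        for port, (state, detail) in check_outbound(sys.argv[1]).items():
            print(f"{sys.argv[1]}:{port} ({MAIL_PORTS[port]}): {state} {detail}")
```

Run it from the home machine against a well-known MX (for example the one Steve's `host -t MX` lookup returned) and then against your own ISP's relay: "open" on the ISP relay and "refused" or "filtered" on everything else is the pattern the thread ends up diagnosing, an outbound port-25 block rather than anything on the Postfix side.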

Thanks Steve! That's the problem. I can telnet to my ISP's smtp server but not any other.

Now I'll have to phone my ISP when I get home and have them change their port blocks. Wish me luck.

Randy

Do not ask who I am and do not ask me to remain the same: leave it to our bureaucrats and our police to see that our papers are in order. At least spare us their morality when we write.
--Michel Foucault

On 15-02-20 01:42 PM, Steve Harvey wrote:
tcptraceroute alt4.aspmx.l.google.com. 25

On 02/20/2015 01:55 PM, Randy Jonasz wrote:
Now I'll have to phone my ISP when I get home and have them change their port blocks. Wish me luck.
It's common practice these days to use a different port number for off-net SMTP. Even better, use SMTPS. These might be a better solution than trying to get your ISP to stop blocking 25.

On Fri, Feb 20, 2015 at 01:55:36PM -0500, Randy Jonasz wrote:
Thanks Steve! That's the problem. I can telnet to my ISP's smtp server but not any other.
Now I'll have to phone my ISP when I get home and have them change their port blocks. Wish me luck.
I highly doubt they will, but it is worth asking. If you pay for a static IP, then I suspect they are more likely to do it. I can certainly telnet to port 25 from my teksavvy VDSL2 connection with a static IP. Another option people use is to use a port other than 25 of course.
-- 
Len Sorensen

On 20 February 2015 at 13:55, Randy Jonasz <rjonasz@gmail.com> wrote:
Thanks Steve! That's the problem. I can telnet to my ISP's smtp server but not any other.
Now I'll have to phone my ISP when I get home and have them change their port blocks. Wish me luck.
"Open port 25" disappeared at around the time of the Code Red worm (http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29) When infected hosts sending out spam got to be a gigantic plague, it became common for ISPs to block port 25 to cut down on the amount of spam they were forwarding. I seriously doubt that your ISP will be willing to change their port blocks. They will most likely say something about "blah, blah, security best practice." An actual reference to claimed security best practice is thus: <https://www.m3aawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf> -- When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

On Fri, Feb 20, 2015 at 04:40:45PM -0500, Christopher Browne wrote:
"Open port 25" disappeared at around the time of the Code Red worm (http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29)
When infected hosts sending out spam got to be a gigantic plague, it became common for ISPs to block port 25 to cut down on the amount of spam they were forwarding.
I seriously doubt that your ISP will be willing to change their port blocks. They will most likely say something about "blah, blah, security best practice."
An actual reference to claimed security best practice is thus: <https://www.m3aawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf>
Well from what I have found, teksavvy at least blocks port 25 outbound for dynamic IP users, and does not block it for static IP users (unless they get spam complaints for that specific IP in which case they will add a block for that IP only). So that explains why it is not blocked for me at least.
-- 
Len Sorensen

On Fri, Feb 20, 2015 at 04:40:45PM -0500, Christopher Browne wrote:
"Open port 25" disappeared at around the time of the Code Red worm (http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29)
When infected hosts sending out spam got to be a gigantic plague, it became common for ISPs to block port 25 to cut down on the amount of spam they were forwarding.
I seriously doubt that your ISP will be willing to change their port blocks. They will most likely say something about "blah, blah, security best practice."
Yeah, I got tired trying to explain to the tech rep at my ISP what I wanted so I just added an smtp port to postfix. Now everything works. Thanks to everybody who responded.

Randy

On Fri, Feb 20, 2015 at 07:50:52PM -0500, Randy Jonasz wrote:
On Fri, Feb 20, 2015 at 04:40:45PM -0500, Christopher Browne wrote:
"Open port 25" disappeared at around the time of the Code Red worm (http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29)
When infected hosts sending out spam got to be a gigantic plague, it became common for ISPs to block port 25 to cut down on the amount of spam they were forwarding.
I seriously doubt that your ISP will be willing to change their port blocks. They will most likely say something about "blah, blah, security best practice."
Yeah, I got tired trying to explain to the tech rep at my ISP about what I wanted so I just added a smtp port to postfix. Now everything works.
Can you clarify? If your ISP is blocking outgoing port 25, then adding port 25 to postfix doesn't do anything, because postfix will never receive anything. Do you mean, you added port 587 (submission) to postfix?
-- 
William

On Sun, 2015-02-22 at 01:36 -0500, William Park wrote:
Can you clarify? If your ISP is blocking outgoing port 25, then adding port 25 to postfix doesn't do anything, because postfix will never receive anything. Do you mean, you added port 587 (submission) to postfix?
Hi William,

I added an smtp port to postfix's master.cf file. I have a debian machine at home which I configured exim to use the non standard port.

Cheers,
Randy
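Randy does not post the master.cf line he added, and William's question (587 or something else?) is the one a reviewer would ask. The fragment below is an added example, not Randy's configuration: it shows the two listeners James and William have in mind, submission on 587/tcp with STARTTLS required and SMTPS on 465/tcp with TLS from the first byte, each restricted so that only SASL-authenticated clients may relay. The column layout follows the Debian/Ubuntu master.cf header; the `smtpd_sasl_*` settings that are commented out in Randy's main.cf would have to be re-enabled for the `permit_sasl_authenticated` lines to admit anyone, and without that every client on the new ports is rejected, which is the safe failure.

```text
# /etc/postfix/master.cf (fragment; example layout, not the poster's file)
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# Existing listener on 25/tcp for server-to-server mail, left as it is.
smtp      inet  n       -       -       -       -       smtpd

# Submission (587/tcp) for mail clients on networks that block 25 outbound.
# TLS is mandatory before AUTH, and relaying is permitted only after SASL
# authentication; everything else is rejected.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# SMTPS (465/tcp): implicit TLS from the first byte, as James suggested.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -M` lists the active master.cf services and the separate `syslog_name` values keep the new ports' log lines distinguishable from port 25 traffic. Note that Randy's existing INPUT rules already send `urd` (465) and `submission` (587) through the fail2ban-dovecot and fail2ban-postfix chains, so bans triggered by failed logins on the new ports apply to them just as they do to 25.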
participants (8)
- Blaise Alleyne
- Christopher Browne
- James Knott
- Lennart Sorensen
- Randy Jonasz
- Randy Jonasz
- Steve Harvey
- William Park