Postfix issue: iptables rules and can't receive email from outside


My Postfix server was working fine until the last few days, but now I can't receive emails from outside (I mean from an email address on a different domain, like gmail for example). I should point out that I can send email from the server to gmail.

From what I have seen, I think the issue may be my iptables rules:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

with the following /etc/iptables/rules.v4:

# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
:INPUT DROP [4:160]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
:OUTPUT ACCEPT [9344:563333]
# Completed on Tue Jun 28 02:59:45 2016

Moreover, my server seems to listen on port 25:

# netstat -an |grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
unix  2      [ ]         DGRAM                    4255589627 /var/spool/postfix/dev/log
unix  15     [ ]         DGRAM                    4255589625 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     4255652970 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     4255590038 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711673 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711672 
unix  3      [ ]         STREAM     CONNECTED     4255711663 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711662 
unix  2      [ ]         DGRAM                    4255711642 
unix  3      [ ]         STREAM     CONNECTED     4255711639 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711638 
unix  2      [ ]         DGRAM                    4255711627 
unix  2      [ ]         DGRAM                    4255594798 
unix  2      [ ]         DGRAM                    4255590141 
unix  3      [ ]         STREAM     CONNECTED     4255590098 
unix  3      [ ]         STREAM     CONNECTED     4255590097 

and nmap on my server (from outside) returns:

Host is up (0.065s latency).
Not shown: 994 closed ports
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

Finally, here's my /etc/postfix/ :

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
# Do not forget to execute "postfix reload" after editing this file.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in maildrop_destination_recipient_limit=1
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# ====================================================================
# Recent Cyrus versions can use the existing "lmtp" entry.
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
# Specify in one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
# ====================================================================
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in cyrus_destination_recipient_limit=1
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# ====================================================================
# Old example of delivery via Cyrus.
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# ====================================================================
# See the Postfix UUCP_README file for configuration details.
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
# Other external delivery methods.
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/
  ${nexthop} ${user}

# spf postfix
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Here's the delivery status notification I got back from gmail when I sent an email from gmail to my postfix server:

This is an automatically generated Delivery Status Notification
Delivery to the following recipient has been delayed:

Message will be retried for 1 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at
[ socket error]

I don't understand why netstat tells me that it listens on port 25 while nmap indicates this port is not open.

If anyone can see what's wrong, that would be great.

Thanks in advance.


Posted 2016-08-28T09:10:22.490

iptables -I INPUT 5 -p tcp -m tcp --dport 25 -j ACCEPT

To have the rule applied immediately.

Also edit your /etc/iptables/rules.v4 and, just after the rule for port 443, add

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT


Posted 2016-08-28T09:10:22.490
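Why the rule position in the answer matters, as an added example that is not part of the original answer: netfilter walks INPUT from the top and the first matching rule decides, so an ACCEPT for port 25 only helps if it sits above the catch-all `-A INPUT -p tcp -j REJECT --reject-with tcp-reset`; appended with `-A`, it would sit behind that REJECT and never be reached. The script below is a small POSIX sh/awk simulator of that chain walk for a fresh inbound SYN. It embeds a constructed copy of the six INPUT rules from the question's `iptables -L` output, reports which rule fires, computes the position in front of the catch-all, and reproduces what `iptables -I INPUT 5 ...` does to the rule list. The REJECT with tcp-reset is also why a remote nmap reports the port as closed rather than filtered: the host answers with a RST, whereas a DROP (or the chain's policy DROP, which non-TCP traffic falls through to here) produces no answer at all. Only the matchers that appear on the page (-p, --dport, -i lo, -m state) are modelled; it is a reading aid, not a substitute for inspecting the live ruleset.

```shell
#!/bin/sh
# Added example, not from the original post: simulate how netfilter walks the
# INPUT chain for a fresh inbound TCP SYN, so the effect of rule ORDER is visible.
# Only the matchers that occur on the page are modelled: -p, --dport, -i lo and
# -m state --state RELATED,ESTABLISHED. Anything else is treated as "no match"
# for a new connection arriving from a remote host.

# Constructed sample: the filter INPUT chain exactly as the question's
# `iptables -L` listed it (six rules, policy DROP), in iptables-save syntax.
BEFORE=':INPUT DROP [4:160]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset'

# syn_verdict PORT [PROTO]  (rules on stdin)
# Prints "<rule-number> <target>" for the first rule a new packet from a remote
# host to PORT matches, or "policy <POLICY>" if it falls off the end of the chain.
syn_verdict() {
  awk -v port="$1" -v proto="${2:-tcp}" '
    $1 == ":INPUT" { policy = $2 }
    $1 == "-A" && $2 == "INPUT" {
      n++
      lo = 0; state = 0; rproto = ""; dport = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) == "lo") lo = 1
        if ($i == "-p")      rproto = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
        if ($i == "--state") state  = 1
        if ($i == "-j")      target = $(i + 1)
      }
      if (lo || state) next                       # not loopback, not an existing flow
      if (rproto != "" && rproto != proto) next   # protocol mismatch
      if (dport != "" && dport != port) next      # port mismatch
      print n, target; found = 1; exit            # first match wins
    }
    END { if (!found) print "policy", (policy == "" ? "DROP" : policy) }
  '
}

# insert_index  (rules on stdin)
# Position of the first catch-all REJECT/DROP in INPUT: an ACCEPT inserted with
# `iptables -I INPUT <this-or-lower>` lands in front of it; appended with -A it
# would sit behind it and never be reached.
insert_index() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      n++
      dport = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") dport = 1
        if ($i == "-j") target = $(i + 1)
      }
      if (!dport && (target == "REJECT" || target == "DROP")) { print n; found = 1; exit }
    }
    END { if (!found) print n + 1 }
  '
}

# insert_rule POS RULE  (rules on stdin)
# Reproduces `iptables -I INPUT POS RULE` on a saved dump: RULE goes in front
# of the POS-th INPUT rule (or at the end when POS is one past the last rule).
insert_rule() {
  awk -v pos="$1" -v rule="$2" '
    $1 == "-A" && $2 == "INPUT" { n++; if (n == pos) print rule }
    { print }
    END { if (n + 1 == pos) print rule }
  '
}

# Stand-alone demo: the question's chain before and after the answer's
# `iptables -I INPUT 5 -p tcp -m tcp --dport 25 -j ACCEPT`.
NEW_RULE='-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'
echo "port 25 before : $(printf '%s\n' "$BEFORE" | syn_verdict 25)"
echo "insert in front of rule $(printf '%s\n' "$BEFORE" | insert_index)"
AFTER=$(printf '%s\n' "$BEFORE" | insert_rule 5 "$NEW_RULE")
echo "port 25 after  : $(printf '%s\n' "$AFTER" | syn_verdict 25)"
echo "udp 53 (no tcp rule matches, chain policy): $(printf '%s\n' "$BEFORE" | syn_verdict 53 udp)"
```

On the live host, `iptables -L INPUT -n --line-numbers` prints the same numbering the simulator uses, and `iptables -C INPUT -p tcp -m tcp --dport 25 -j ACCEPT` exits 0 once the rule is present. Rather than hand-editing rules.v4, `iptables-save > /etc/iptables/rules.v4` writes out the running tables, including the table headers and COMMIT lines, so the saved file and the active ruleset cannot drift apart.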

NuTTyX: Thanks, it works. But I don't understand why nmap doesn't show port 25 as open after applying this iptables rule; is that normal? – youpilat13 – 2016-08-28T10:48:32.177

Not sure why, but the results of your previous nmap were not consistent. Every port except 22, 80, 443 (and now 25) should appear as either closed or filtered, not a mix of both. That could mean either that there is another filter between your nmap and the server, or that nmap is only scanning those 6 ports (2 seconds for a scan is far too short to be complete) – NuTTyX – 2016-08-28T16:10:17.990

NuTTyX: Indeed, I think there are 2 other potential filters between the client running the nmap command (my PC) and my dedicated server (on which I have the SMTP server): first, there is my internet box: the configuration panel of my box has different options for filtering internet protocols. Secondly, I suspect that my dedicated server (VPS) pre-filters internet traffic too (I mean in front of the dedicated server). – youpilat13 – 2016-08-29T02:54:13.030

NuTTyX: So for the first one, I have to look up the default parameters (mostly the OUTPUT ports available, because the "nmap" command goes out from my PC ???) and for the second one, I am going to contact the administrator of my VPS and ask him why, despite the fact that I have opened port 25 with an iptables rule, I can't see it open with nmap. – youpilat13 – 2016-08-29T02:54:21.723

The first line was enough to solve the problem for me (I didn't have a folder /etc/iptables) – Ben2209 – 2017-12-09T22:45:37.300