outbound port 25 blocked

0

I am using CentOS 7 with Postfix with SMTP. The mail server was working fine, but then it stopped working. I cannot telnet to Gmail or any other server on port 25, 587, or 465. However, when I run telnet myowndomain.com 25, it works.

It seems as if I cannot telnet to port 25 or any port of other servers. The error is given below.

Jun 16 05:24:06 SSSS postfix/submission/smtpd[25687]: connect from unknown[172.17.0.2]

Jun 16 05:24:06 SSSS postfix/submission/smtpd[25687]: Anonymous TLS connection established from unknown[172.17.0.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Jun 16 05:24:06 SSSS postfix/submission/smtpd[25687]: 0F69747687: client=unknown[172.17.0.2]

Jun 16 05:24:06 SSSS postfix/cleanup[25690]: 0F69747687: message-id=<545ce193-e481-4319-a5d9-ff701666afc8@meta.SSSS.org>

Jun 16 05:24:06 SSSS postfix/qmgr[24527]: 0F69747687: from=, size=6806, nrcpt=1 (queue active)

Jun 16 05:24:06 SSSS postfix/submission/smtpd[25687]: disconnect from unknown[172.17.0.2]

Jun 16 05:24:12 SSSS postfix/smtpd[25473]: connect from unknown[89.248.171.223]

Jun 16 05:24:12 SSSS postfix/smtpd[25473]: warning: unknown[89.248.171.223]: SASL LOGIN authentication failed: authentication failure

Jun 16 05:24:12 SSSS postfix/smtpd[25473]: disconnect from unknown[89.248.171.223]

Jun 16 05:24:36 SSSS postfix/smtp[25691]: connect to smtp1.linuxfoundation.org[140.211.169.13]:25: Connection timed out

Jun 16 05:24:55 SSSS postfix/smtpd[25473]: connect from unknown[155.133.64.146]

Jun 16 05:24:55 SSSS postfix/smtpd[25473]: warning: unknown[155.133.64.146]: SASL LOGIN authentication failed: authentication failure

Jun 16 05:24:55 SSSS postfix/smtpd[25473]: disconnect from unknown[155.133.64.146]

MAIN.CF:

inet_protocols = ipv4
inet_interfaces = all
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_destination, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

telnet connection:

[root@mail ~]# telnet alt4.gmail-smtp-in.l.google.com 25
Trying 74.125.28.27...
telnet: connect to address 74.125.28.27: Connection timed out
Trying 2607:f8b0:400e:c04::1a...
telnet: connect to address 2607:f8b0:400e:c04::1a: Network is unreachable 

Any solution? I have already tried many online tutorials, but they didn't help.

Nix

Posted 2017-06-16T05:35:31.667

Reputation: 3

Are you trying to relay email out through your mail server, and if so, are you trying to telnet to port 25 on other mail servers from your mail server and that's failing? If so, what happens if you telnet out on port 587? – davidgo – 2017-06-16T06:30:22.270

@davidgo I am trying to telnet to the mail server, i.e. where I have hosted postfix. I am unable to connect to port 25 of Gmail SMTP. When I try to send email locally, i.e. testing postfix, I still cannot send email; in this case, it just adds to the queue instead of being sent. – Nix – 2017-06-16T06:37:21.360

Answers

0

This does not look like an issue with your mail server config.

It seems to me like your provider is blocking SMTP - which is not uncommon. If they are doing this you would need to ask them to lift the block, or relay your email through their SMTP server by adding a line relayhost = XXX.XXX.XXX.XXX to your postfix main.conf file.

Just to be on the safe side, you may want to try the following 2 lines to rule out a firewall issue on your box.

iptables -I OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

davidgo

Posted 2017-06-16T05:35:31.667

Reputation: 49 152

Thank you. It was blocked by Digital Ocean without giving any prior notice that they are going to block the ports. – Nix – 2017-06-17T10:12:37.800

iptables -I INPUT -m state --state ESTABLISEHD change to ESTABLISHED,RELATED -j ACCEPT – Vignesh Chinnaiyan – 2019-04-17T21:57:23.570
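The log in the question mixes two unrelated kinds of events: outbound delivery attempts that time out, and inbound SASL login failures from remote addresses. The following is an added example, not code from any poster, that separates them; the sample log is constructed (documentation addresses, example.org hosts) and the function names are hypothetical.

```shell
# Constructed sample in the same format as the log in the question
# (documentation addresses and example.org hosts, not real traffic).
sample_maillog() {
cat <<'EOF'
Jun 16 05:24:06 mail postfix/submission/smtpd[2001]: connect from unknown[172.17.0.2]
Jun 16 05:24:12 mail postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 16 05:24:36 mail postfix/smtp[2003]: connect to mx1.example.org[192.0.2.25]:25: Connection timed out
Jun 16 05:24:55 mail postfix/smtpd[2002]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jun 16 05:25:06 mail postfix/smtp[2003]: connect to mx2.example.org[192.0.2.26]:25: Connection timed out
Jun 16 05:25:30 mail postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
EOF
}

# Summarise a Postfix log: outbound connect failures grouped by port and
# reason, and inbound SASL failures grouped by client address.
triage_maillog() {
    awk '
    # postfix/smtp is the outbound client; a timeout here means no answer
    # came back from the remote port at all.
    /postfix\/smtp\[/ && /\]:[0-9]+: (Connection timed out|Connection refused|Network is unreachable)/ {
        match($0, /\]:[0-9]+: /)
        port = substr($0, RSTART + 2, RLENGTH - 4)
        reason = substr($0, RSTART + RLENGTH)
        out[port SUBSEP reason]++
    }
    # postfix/smtpd is the inbound server; these are remote login attempts.
    /postfix\/(submission\/)?smtpd\[/ && /SASL [A-Z0-9-]+ authentication failed/ {
        match($0, /\[[0-9a-fA-F.:]+\]: SASL /)
        sasl[substr($0, RSTART + 1, RLENGTH - 9)]++
    }
    END {
        for (k in out) {
            split(k, p, SUBSEP)
            printf "outbound port=%s failures=%d reason=\"%s\"\n", p[1], out[k], p[2]
        }
        for (ip in sasl) printf "sasl_fail ip=%s count=%d\n", ip, sasl[ip]
    }' "$1" | sort
}
```

Timeouts on port 25 to several unrelated destinations, while inbound connections still arrive, fit filtering somewhere on the outbound path rather than a Postfix misconfiguration.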

0

You can use the tcptraceroute program to locate where the connection is blocked.

AnFi

Posted 2017-06-16T05:35:31.667

Reputation: 771

0

If you are sending out email to port 25, you need a static IP if you want to avoid your mail being classified as spam. Many ISPs will block outgoing email on port 25 from dynamic IP addresses. There is some DNS configuration you will need to do, including coordinating with your ISP to get the correct PTR record configured. They may also block 465 (SMTPS), which is considered deprecated now that STARTTLS is available in the protocol. Your ISP should provide an SMTP relay server through which you can send email.

Many ISPs may charge for a static IP address, in some cases even for business class services. Smaller ISPs are more likely to provide a static IP address on request or at a minimal cost.

It is less common for port 587 (Submission) to be blocked by ISPs. This should require authentication before mail can be sent, which makes using it to send spam more difficult. If it is blocked, I would check your own firewall configuration.

Many ISPs have provided their dynamic IP ranges to blacklist providers. When and if this is used to block connections is determined by the administrators of the mail servers you are connecting to. The tcptraceroute command can be used to determine if you are blocked at the end site.

Some sites may perform a callout to your email server to ensure you are a legitimate sender. It is unusual to do this before connecting, but if you haven't forwarded email traffic in your router to your server it will fail.

Most/many ISPs don't provide IPv6 so trying to connect over IPv6 will fail. You could use a tunnel broker to resolve that issue. This would enable you to configure a static IPv6 address for your mail server. (Again, you would need to configure DNS appropriately.)

It is not that difficult to configure a mail server correctly. However, even banks, airlines and governments get it wrong.

BillThor

Posted 2017-06-16T05:35:31.667

Reputation: 9 384
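Both davidgo's and BillThor's answers point to relaying through a provider's SMTP server. The following is an added example, not code from any poster, of setting Postfix up to relay over an authenticated, TLS-protected submission port; the relay host, port, account and the PF_DIR variable are placeholders, and the function name is hypothetical.

```shell
# Directory holding main.cf; placeholder default, override for other layouts.
PF_DIR="${PF_DIR:-/etc/postfix}"

# Usage: configure_relay HOST PORT USER   (password is read from stdin so it
# does not appear in the process list or shell history)
configure_relay() {
    relay_host=$1
    relay_port=$2
    relay_user=$3
    IFS= read -r relay_pass

    # Brackets stop Postfix from doing an MX lookup on the relay name.
    dest="[$relay_host]:$relay_port"

    # Write the credentials with a restrictive umask, then force mode 600
    # in case the file already existed with wider permissions.
    ( umask 077
      printf '%s %s:%s\n' "$dest" "$relay_user" "$relay_pass" \
          > "$PF_DIR/sasl_passwd" )
    chmod 600 "$PF_DIR/sasl_passwd"
    # Build the lookup table that smtp_sasl_password_maps points at.
    postmap "$PF_DIR/sasl_passwd"

    postconf -e "relayhost = $dest"
    postconf -e "smtp_sasl_auth_enable = yes"
    postconf -e "smtp_sasl_password_maps = hash:$PF_DIR/sasl_passwd"
    # Refuse mechanisms that would log in anonymously.
    postconf -e "smtp_sasl_security_options = noanonymous"
    # Never send the credentials or mail to the relay without TLS.
    postconf -e "smtp_tls_security_level = encrypt"
}
```

Run it as root, for example `configure_relay relay.example.net 587 mailer < /root/relay.pass`, then `postfix reload` so the running daemons pick up the change.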