Can't connect to port 587 from external: postfix/dovecot using TLS


Can't connect to the SMTP port 587

I built a mail server with postfix+dovecot.

openssl s_client -starttls smtp -crlf -connect localhost:587

This works and I am able to send email manually.

openssl s_client -starttls smtp -crlf -connect smtp.example.com:587

shows this error

connect: Connection refused
connect:errno=61

What I have checked are netstat and iptables.

Both look like they work for 587 submission.

netstat -anutp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:58592         127.0.0.1:587           ESTABLISHED 2793/openssl    
tcp        0    388 133.242.184.252:22      210.149.252.243:46415   ESTABLISHED -               
tcp        0      0 127.0.0.1:587           127.0.0.1:58592         ESTABLISHED -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
udp        0      0 133.242.184.252:123     0.0.0.0:*                           -               
udp        0      0 127.0.0.1:123           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -               
udp6       0      0 :::123                  :::*                                -    

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3000
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Are there any other points I should check?

whitebear

Posted 2017-09-06T06:36:43.280

Reputation: 273

Answers


Remember that iptables rules are read top to bottom. When you add a rule with -A it's appended at the end (or after the given number), when you use -I it is inserted in front.

Now you basically have:

  1. accept ICMP, HTTP, SSH, ...
  2. reject everything
  3. accept SMTP, POP3

So you need to move the "accept SMTP..." rules above the blanket reject.

You can delete them and re-add by manually specifying the position:

     iptables -D INPUT -p tcp ...    # delete the misplaced rule (same match spec as before)
     iptables -I INPUT 8 -p tcp ...  # re-insert it as rule 8, i.e. directly above the REJECT

(Use iptables -L --line to see rule numbers.)

Alternatively, edit the full list at once – and just swap the lines around:

iptables-save > rules.txt
nano rules.txt
iptables-restore < rules.txt

Side notes:

  • In the future, it might be better if you posted the rules using iptables -S or even iptables-save; it's a bit easier to scan than the heavily-reformatted -L output. (Or maybe both.)

  • Dovecot only speaks POP/IMAP/LMTP, but not SMTP. Your SMTP server is Postfix.

  • When using netstat with the -p option, you should run the command as root, otherwise it won't actually display any of the process information.

user1686

Posted 2017-09-06T06:36:43.280

Reputation: 283 655

Thanks for your great explanation. I was not familiar with iptables. Also thank you for your advice about POP/IMAP and netstat. It's quite helpful! My problem was of course solved – whitebear – 2017-09-06T07:30:32.677


Iptables sequentially tries to match your rules in the order they appear. In your case (as said in the comments, please provide the result of iptables -S, as we lack information with iptables -L, like the matching interface):

  1. if packets match state RELATED,ESTABLISHED on interface ?, they are accepted and no further matching is done on these packets;
  2. else, if packets match icmp on interface ?, they are accepted and no further matching is done on these packets;
  3. else, iptables accepts all packets on interface ?
  4. ....

So given we don't know on which interface the rules apply, I think that your only REJECT rule (on the INPUT table) is matched on the same interface as your tcp dpt:smtp rule. As your REJECT rule is matched before your smtp rule, the latter is never matched.

EDIT: too long to write in the post ...

vera

Posted 2017-09-06T06:36:43.280

Reputation: 760

Thanks, as you mentioned the order was the problem. I need to learn about iptables more. – whitebear – 2017-09-06T10:43:00.373
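Both answers make the same point: iptables evaluates INPUT top to bottom and stops at the first terminating target, so an ACCEPT appended after a blanket REJECT never fires. The script below is an added example, not code from the question or either answer. It works on `iptables -S INPUT` output (the form both answerers asked for) and does three things: lists the `--dport` ACCEPT rules that sit below the first unconditional REJECT/DROP, reports that REJECT's rule number for use with `iptables -I`, and rewrites the rule list with the blanket REJECT moved to the end, which is the "swap the lines around" fix for `iptables-save`/`iptables-restore`. The sample rules are constructed to match the `-L` listing in the question; the `-i lo` on the third rule is an assumption, because `-L` does not show interfaces (exactly what the second answer complains about).

```shell
#!/bin/sh
# Added example: find ACCEPT rules shadowed by an earlier blanket REJECT/DROP
# in the INPUT chain, and produce the reordered list. Input is the text of
# `iptables -S INPUT`; nothing here touches the live firewall.

# Constructed sample, reconstructed from the question's `iptables -L` output.
# ASSUMPTION: the third rule ("ACCEPT all -- anywhere anywhere") is "-i lo".
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

# blanket_position RULES
# Print the 1-based rule number (as `iptables -L --line-numbers` would show it)
# of the first REJECT/DROP that has no match options at all.
blanket_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j (REJECT|DROP)/ { print n; exit }'
}

# shadowed_ports RULES
# Print the --dport of every ACCEPT rule that appears after that blanket
# REJECT/DROP: a first-match chain never reaches these rules.
shadowed_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)/ && !blanket) { blanket = 1; next }
            if (blanket && /-j ACCEPT/ && match($0, /--dport [0-9a-z]+/))
                print substr($0, RSTART + 8, RLENGTH - 8)
        }'
}

# reorder_rules RULES
# Emit the same rules with the first blanket REJECT/DROP moved to the end,
# so every specific ACCEPT is evaluated before the catch-all.
reorder_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j (REJECT|DROP)/ && blanket == "" { blanket = $0; next }
        { print }
        END { if (blanket != "") print blanket }'
}

# fix_commands PORT POSITION
# Print the delete/insert pair that moves one shadowed --dport ACCEPT to
# POSITION (the blanket REJECT's own number, so it lands just above it).
fix_commands() {
    printf 'iptables -D INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$2" "$1"
}

# Usage on a real host (as root), e.g.:
#   rules=$(iptables -S INPUT)
#   shadowed_ports "$rules"                       # 587, 110 and 25 for the sample above
#   fix_commands 587 "$(blanket_position "$rules")"
#   iptables-save > backup.txt; reorder_rules "$(iptables -S INPUT)"  # review before restoring
```

The reordered list only changes evaluation order, not policy: the catch-all still rejects everything the specific rules do not accept, which is the intent of the original setup. Run `fix_commands` once per shadowed port and re-check with `shadowed_ports` afterwards; if it prints nothing, `openssl s_client -starttls smtp -connect smtp.example.com:587` from outside should now get past the TCP connect.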