Skip to main content

linux - Postfix issue : iptables rules and can't receive email from outside


My Postfix server was working fine until last days but now, I can't receive emails from outside (I mean with an email of different domain name like gmail for example). I must make notice that I can send email from the server to gmail.


From what I have seen, I think that issue may be my iptables rules :


# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

with the following /etc/iptables/rules.v4 :


# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*mangle
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*nat
:PREROUTING ACCEPT [357:19884]
:POSTROUTING ACCEPT [9413:566093]
:OUTPUT ACCEPT [9344:563333]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016

Moreover, my server seems to listen on 25 port :


# netstat -an |grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp6       0      0 :::25                   :::*                    LISTEN     
unix  2      [ ]         DGRAM                    4255589627 /var/spool/postfix/dev/log
unix  15     [ ]         DGRAM                    4255589625 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     4255652970 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     4255590038 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711673 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711672 
unix  3      [ ]         STREAM     CONNECTED     4255711663 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711662 
unix  2      [ ]         DGRAM                    4255711642 
unix  3      [ ]         STREAM     CONNECTED     4255711639 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     4255711638 
unix  2      [ ]         DGRAM                    4255711627 
unix  2      [ ]         DGRAM                    4255594798 
unix  2      [ ]         DGRAM                    4255590141 
unix  3      [ ]         STREAM     CONNECTED     4255590098 
unix  3      [ ]         STREAM     CONNECTED     4255590097

and nmap on my server (from outside) returns :


Host is up (0.065s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

Finally, here's my /etc/postfix/master.cf :


#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# spf postfix
policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Here's the answer of email received by gmail when I sent from gmail to my postfix server :


This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

     user@domain.com

Message will be retried for 1 more day(s)

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[domain.com 239.178.123.80: socket error]

I don't understand why netstat tells me that it listens to port 25 and nmap indicates this port is not opened.


If anyone could see what's wrong, this would be fine.


Thanks in advance.



Answer



Run



iptables -I INPUT 5 -p tcp -m tcp --dport 25 -j ACCEPT



To have the rule applied inmediately.


Also edit your /etc/iptables/rules.v4 and just after the rule with the 443 port, add



-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT



Comments

Post a Comment

Popular Posts

Use Google instead of Bing with Windows 10 search

I want to use Google Chrome and Google search instead of Bing when I search in Windows 10. Google Chrome is launched when I click on web, but it's Bing search. (My default search engine on Google and Edge is http://www.google.com ) I haven't found how to configure that. Someone can help me ? Answer There is no way to change the default in Cortana itself but you can redirect it in Chrome. You said that it opens the results in the Chrome browser but it used Bing search right? There's a Chrome extension now that will redirect Bing to Google, DuckDuckGo, or Yahoo , whichever you prefer. More information on that in the second link.
Post a Comment
Read more

linux - Using an index to make grep faster?

I find myself grepping the same codebase over and over. While it works great, each command takes about 10 seconds, so I am thinking about ways to make it faster. So can grep use some sort of index? I understand an index probably won't help for complicated regexps, but I use mostly very simple patters. Does an indexer exist for this case? EDIT: I know about ctags and the like, but I would like to do full-text search. Answer what about cscope , does this match your shoes? Allows searching code for: all references to a symbol global definitions functions called by a function functions calling a function text string regular expression pattern a file files including a file
Post a Comment
Read more

How do I transmit a single hexadecimal value serial data in PuTTY using an Alt code?

I am trying to sent a specific hexadecimal value across a serial COM port using PuTTY. Specifically, I want to send the hex codes 9C, B6, FC, and 8B. I have looked up the Alt codes for these and they are 156, 182, 252, and 139 respectively. However, whenever I input the Alt codes, a preceding hex value of C2 is sent before 9C, B6, and 8B so the values that are sent are C2 9C, C2 B6, and C2 8B. The value for FC is changed to C3 FC. Why are these values being placed before the hex value and why is FC being changed altogether? To me, it seems like there is a problem internally converting the Alt code to hex. Is there a way to directly input hex values without using Alt codes in PuTTY? Answer What you're seeing is just ordinary text character set conversion. As far as PuTTY is concerned, you are typing (and reading) text , not raw binary data, therefore it has to convert the text to bytes in whatever configured character set before sending it over the wire. In other words, when y...
Post a Comment
Read more

linux - CentOs 7.1 - Install Tomcat 8

I am using this tutorial as a setup reference to getting a Tomcat 8 running on CentOs 7.1 , but after typing: [root@localhost tomcat]# sudo systemctl start tomcat I get the error: Job for tomcat.service failed. See 'systemctl status tomcat.service' and 'journalctl -xn' for details. systemctl status tomcat.service prints the following: [root@localhost tomcat]# systemctl status tomcat.service tomcat.service - Apache Tomcat Web Application Container Loaded: loaded (/etc/systemd/system/tomcat.service; disabled) Active: failed (Result: exit-code) since Wed 2015-11-25 16:54:33 CET; 1min 19s ago Process: 45873 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=203/EXEC) Nov 25 16:54:33 localhost.localdomain systemd[1]: Starting Apache Tomcat Web Application Container... Nov 25 16:54:33 localhost.localdomain systemd[1]: tomcat.service: control process exited, code=exited status=203 Nov 25 16:54:33 localhost.localdomain systemd[1]: Failed to start Apache Tomcat Web App...
Post a Comment
Read more