Outgoing connections on port 25 => refused, postfix?

kingfisher · 01-24-2007, 06:35 AM

Hello all.

I recently tried to upgrade my mailserver with some greylisting functionality, however, since yesterday I cannot send mails to any external mailserver on port 25.

Once I shutdown my firewall => everything works.

My /var/log/mail.log says the following:

Code:

Jan 24 12:07:03 deepthought postfix/smtp[23827]: connect to mx0.gmx.de[213.165.64.100]: Connection timed out (port 25)

Jan 24 12:07:03 deepthought postfix/smtp[23827]: 2D03F3A4107: to=<xxxxxxx@gmx.de>, relay=none, delay=60, status=deferred (connect to mx0.gmx.de[213.165.64.100]: Connection timed out)

without firewall active, the mail gets through though...

I know that my ISP doesn't block port 25.

My Iptables rule for Port 25 config looks like this:

Code:

# Port 25
$iptables -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -I OUTPUT -o eth0 -p TCP --sport 25 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

postconf -n:

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
disable_vrfy_command = yes
mailbox_size_limit = 0
mailbox_transport = cyrus
mydestination = $myhostname, $mydomain, localhost.$mydomain
myhostname = headbangerz.org
mynetworks = 127.0.0.0/8, 85.10.198.7
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-relay.cf
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
setgid_group = postdrop
smtp_tls_CAfile = /etc/certs/cert.pem
smtp_tls_cert_file = /etc/certs/cert.pem
smtp_tls_key_file = /etc/certs/key.pem
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Mailserver)
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,       permit_sasl_authenticated,      reject_unauth_destination,      permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/certs/cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/certs/cert.pem
smtpd_tls_key_file = /etc/certs/key.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql-transport.cf

any ideas?

acid_kewpie · 01-24-2007, 07:12 AM

well your second line says that no new connections to port 25 are allowed to be established outbound. that rule appears to really do *nothing* other than create the problem you are having... why did you add it?

kingfisher · 01-24-2007, 07:47 AM

umm, how would the rule have to look then?

acid_kewpie · 01-24-2007, 09:10 AM

well it wouldn't exist in the first place.

chort · 01-24-2007, 09:50 AM

Those two rules only deal with inbound connections. Mail sent outbound by Postfix is going to source from an ephemeral port and have a destination of 25/tcp. What are the rest of your firewall rules?

acid_kewpie · 01-24-2007, 11:42 AM

oh yeah so it does... what a moron...

kingfisher · 01-24-2007, 06:33 PM

Quote:

Originally Posted by acid_kewpie

oh yeah so it does... what a moron...

thanks for the tip! I rechecked my rules and now it's working the way it should be.
strange thing is that I didn't change the rules in the first place...

however, this doesn't directly make me a moron, does it?

chort · 01-24-2007, 09:33 PM

Quote:

Originally Posted by kingfisher

thanks for the tip! I rechecked my rules and now it's working the way it should be.
strange thing is that I didn't change the rules in the first place...

Great.

Quote:

however, this doesn't directly make me a moron, does it?

I don't want to put words in his mouth, but I'm pretty sure that comment was self-referrential.

acid_kewpie · 01-25-2007, 01:53 AM

Quote:

Originally Posted by chort

I don't want to put words in his mouth, but I'm pretty sure that comment was self-referrential.

Oh yeah absolutely, i couldn't tell the difference between --sport and --dport.