Cannot send mail outside my LAN with Postfix

A_AZAZEL_A · 04-04-2010, 12:47 AM

Hi there,

My problem is that I cannot send mail with postfix. For all mail I get connection timeout
Example:
(delivery temporarily suspended: connect to d.mx.mail.yahoo.com[209.191.88.254]:25: Connection timed out)

Can you tell me what is the problem?

Thank you!

thiemel · 04-04-2010, 02:58 AM

Hi,
it is probably blocked by you ISP/firewall. To check availability of services, you can try telnet and/or nmap:

# telnet <server> <port>

Code:

krtek@ftp1 ~ $ telnet mail.wifizabreh.net 25
Trying 10.0.0.1...
Connected to mail.wifizabreh.net.
Escape character is '^]'.
220 gate1.wifizabreh.net ESMTP Postfix (Debian/GNU)
^]

telnet> quit
Connection closed.
krtek@ftp1 ~ $ telnet mail.wifizabreh.net 23
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

# nmap [-v] [-A] <server>

Code:

krtek@ftp1 ~ $ nmap -v mail.wifizabreh.net                                                         
                                                                                                      
Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-04 09:54 CEST                                       
Initiating Ping Scan at 09:54                                                                         
Scanning 10.0.0.1 [2 ports]                                                                           
Completed Ping Scan at 09:54, 0.00s elapsed (1 total hosts)                                           
Initiating Parallel DNS resolution of 1 host. at 09:54                                                
Completed Parallel DNS resolution of 1 host. at 09:54, 0.01s elapsed                                  
Initiating Connect Scan at 09:54                                                                      
Scanning 10.0.0.1 [1000 ports]                                                                        
Discovered open port 443/tcp on 10.0.0.1
Discovered open port 22/tcp on 10.0.0.1
Discovered open port 80/tcp on 10.0.0.1
Discovered open port 53/tcp on 10.0.0.1
Discovered open port 111/tcp on 10.0.0.1
Discovered open port 25/tcp on 10.0.0.1
Discovered open port 631/tcp on 10.0.0.1
Completed Connect Scan at 09:54, 0.03s elapsed (1000 total ports)
Host 10.0.0.1 is up (0.0014s latency).
Interesting ports on 10.0.0.1:
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

A_AZAZEL_A · 04-04-2010, 03:43 AM

Ok my firewall is bloking port 25.
Can you tell me how can I enable port 25 from my firewall?
The server is Debian Lenny.

repo · 04-04-2010, 04:02 AM

Quote:

Ok my firewall is bloking port 25.

Is your firewall blocking port 25 outgoing, or is your ISP blocking port 25 outgoing?
Can you sent with the firewall disabled?
Do you have a fixed or dynamic IP?
If you have a dynamic IP, most SMPT servers will refuse the connection.
Why don't you use the SMTP from your provider as smarthost?

hua · 04-04-2010, 04:32 AM

The port 25 can be blocked by the device what is responsible for you internet connection. (ADSL router or any other device). You have to set up that device. This is your public network connection and the device gives you a Public IP address - what can be dynamic (changing) or static (always the same) as told above. The first thing has to be done is forward your port from that Public IP address to your local network address. (for example - [209.191.88.254]:25 forwarded to [192.168.1.10]:25).
You have to find out what kind of device you use for internet connection and set it up to forward that port.
(As told by thiemel although you do this your ISP can block that port)

A_AZAZEL_A · 04-04-2010, 04:33 AM

Quote:

Originally Posted by repo

Is your firewall blocking port 25 outgoing, or is your ISP blocking port 25 outgoing?
Can you sent with the firewall disabled?
Do you have a fixed or dynamic IP?
If you have a dynamic IP, most SMPT servers will refuse the connection.
Why don't you use the SMTP from your provider as smarthost?

My ISP isn't blocking, I've verified with this tool http://www.canyouseeme.org/ .
I cannot send with firewall disabled.
I have a static IP.

I don't want to use the SMTP from my provider.

The output for the command:
telnet mail.wifizabreh.net 25
Trying 93.99.169.125...
telnet: Unable to connect to remote host: Connection timed out

Thank you!

A_AZAZEL_A · 04-04-2010, 04:59 AM

I don't use any device like adsl modem or router, I am connected directly to the net.

Can fail2ban have something to do with this issue?

My maillog is

part of it)

Apr 4 13:50:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 13:50:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Apr 4 13:50:04 mail postfix/smtpd[10303]: connect from localhost.localdomain[127.0.0.1]
Apr 4 13:50:04 mail postfix/smtpd[10303]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Apr 4 13:50:04 mail postfix/smtpd[10303]: disconnect from localhost.localdomain[127.0.0.1]
Apr 4 13:50:23 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 13:50:23 mail imapd: LOGIN, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], port=[50937], protocol=IMAP
Apr 4 13:50:23 mail imapd: LOGOUT, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=391, time=0
Apr 4 13:55:03 mail pop3d: Connection, ip=[::ffff:127.0.0.1]
Apr 4 13:55:03 mail pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Apr 4 13:55:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 13:55:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Apr 4 13:55:03 mail postfix/smtpd[10370]: connect from localhost.localdomain[127.0.0.1]
Apr 4 13:55:03 mail postfix/smtpd[10370]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Apr 4 13:55:03 mail postfix/smtpd[10370]: disconnect from localhost.localdomain[127.0.0.1]
Apr 4 14:00:03 mail pop3d: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:00:03 mail pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Apr 4 14:00:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:00:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Apr 4 14:00:04 mail postfix/smtpd[10434]: connect from localhost.localdomain[127.0.0.1]
Apr 4 14:00:04 mail postfix/smtpd[10434]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Apr 4 14:00:04 mail postfix/smtpd[10434]: disconnect from localhost.localdomain[127.0.0.1]
Apr 4 14:00:23 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:00:23 mail imapd: LOGIN, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], port=[45530], protocol=IMAP
Apr 4 14:00:24 mail imapd: LOGOUT, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=391, time=1
Apr 4 14:05:03 mail pop3d: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:05:03 mail pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Apr 4 14:05:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:05:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Apr 4 14:05:03 mail postfix/smtpd[10521]: connect from localhost.localdomain[127.0.0.1]
Apr 4 14:05:03 mail postfix/smtpd[10521]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Apr 4 14:05:03 mail postfix/smtpd[10521]: disconnect from localhost.localdomain[127.0.0.1]
Apr 4 14:10:03 mail pop3d: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:10:03 mail pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Apr 4 14:10:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:10:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Apr 4 14:10:04 mail postfix/smtpd[10600]: connect from localhost.localdomain[127.0.0.1]
Apr 4 14:10:04 mail postfix/smtpd[10600]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Apr 4 14:10:04 mail postfix/smtpd[10600]: disconnect from localhost.localdomain[127.0.0.1]
Apr 4 14:10:24 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:10:24 mail imapd: LOGIN, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], port=[53539], protocol=IMAP
Apr 4 14:10:24 mail imapd: LOGOUT, user=office@crazy4web.ro, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=391, time=0
Apr 4 14:15:03 mail pop3d: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:15:03 mail pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Apr 4 14:15:03 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Apr 4 14:15:03 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0

hua · 04-04-2010, 06:42 AM

If you are directly connected to the net than only thing can disable the SMTP port is the local firewall. Based on the name of the thread I was expecting that you are (the postfix server) on the local network.

Quote:

Cannot send mail outside my LAN with Postfix

Because LAN is a Local Area Network what means that its IP addresses are Private not public.
What gives the nmap for your IP? (nmap <publicIP>)
And what is the output of the ifconfig? (Ip adress of the interface)

A_AZAZEL_A · 04-04-2010, 06:46 AM

# nmap 77.81.134.246

Starting Nmap 4.62 ( http://nmap.org ) at 2010-04-04 14:44 EEST
Interesting ports on mail.crazy4web.ro (77.81.134.246):
Not shown: 1702 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.098 seconds

# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0f:ea:46:66:5b
inet addr:77.81.134.246 Bcast:77.81.134.255 Mask:255.255.255.0
inet6 addr: fe80::20f:eaff:fe46:665b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33663864 errors:49463 dropped:13660 overruns:9870 frame:0
TX packets:39903793 errors:0 dropped:0 overruns:3 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3570643727 (3.3 GiB) TX bytes:1765309534 (1.6 GiB)
Interrupt:10 Base address:0xe800

eth1 Link encap:Ethernet HWaddr 00:0e:e8:f8:9e:d3
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20e:e8ff:fef8:9ed3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38474611 errors:368 dropped:646 overruns:131 frame:0
TX packets:26894738 errors:0 dropped:0 overruns:4 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1208874873 (1.1 GiB) TX bytes:3085694603 (2.8 GiB)
Interrupt:12 Base address:0xec00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129258 errors:0 dropped:0 overruns:0 frame:0
TX packets:129258 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12283193 (11.7 MiB) TX bytes:12283193 (11.7 MiB)

hua · 04-04-2010, 06:56 AM

Then try this.

Quote:

telnet 77.81.134.246 25

Based upon this output it should work. And what is the output of the iptables -L? (I think debian uses iptables)
And with domain too:

Quote:

telnet mail.crazy4web.ro 25

A_AZAZEL_A · 04-04-2010, 07:05 AM

telnet 77.81.134.246 25 is connecting
telnet mail.crazy4web.ro 25 is connecting

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
drop-and-log-it all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere mail.crazy4web.ro
ACCEPT all -- anywhere mail.crazy4web.ro state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere mail.crazy4web.ro state NEW,RELATED,ESTABLISHED tcp dpt:www
drop-and-log-it all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
drop-and-log-it all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- mail.crazy4web.ro 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
drop-and-log-it all -- anywhere 192.168.0.0/24
ACCEPT all -- mail.crazy4web.ro anywhere
drop-and-log-it all -- anywhere anywhere

Chain drop-and-log-it (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

hua · 04-04-2010, 07:44 AM

You are telneting the server from the local console or from another PC? If you are doing this from another PC you should try it on local console too. Did you tried to turn off the firewall completely?

BE CAREFUL with your firewall if you are connecting to your server remotely. You can cut off yourself from ssh. If you are not on the local console rather be careful! Don't forget to backup your firewall configuration too - to be able to restore the settings
To open your firewall do this. The commands may be a little different for Debian.

Quote:

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

After this the iptables -L should give this:

Quote:

# iptables -L
Chain INPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)

Chain OUTPUT (policy ACCEPT)

Again, I expecting THAT YOU ARE at a local root shell. If you are not don't risk! In case you don't know what you are doing DON'T DO IT.
When the firewall is off, try telnet the server again.
z

A_AZAZEL_A · 04-05-2010, 06:08 AM

Ok now I've tried to use SMTP from gmail as smarthost and when I type mailq command I get this:
(Server certificate not trusted)
How can I get rid of this?

thiemel · 04-08-2010, 04:44 AM

Quote:

Originally Posted by A_AZAZEL_A

Ok now I've tried to use SMTP from gmail as smarthost and when I type mailq command I get this:
(Server certificate not trusted)
How can I get rid of this?

Try Google. ;-) There are some HOWTOs how to setup postfix to work with Google. I've done it so and it work-for-me(tm).

E.g.:
http://www.marksanborn.net/linux/sen...tu-lts-server/
and/or
http://ubuntuforums.org/showthread.php?t=894355