Old 03-20-2009, 09:22 AM   #1
malesh
LQ Newbie
 
Registered: Nov 2008
Posts: 8

Rep: Reputation: 0
Mail sending problem – Postfix Connection timed out (port 25)


Hi all,

I can't solve my problem by myself, so I'm asking you for help (in my Tarzan English).
Short question: my problem is that I get this message when I'm trying to send mail outside the LAN:

Quote:
postfix/smtp[7806]: connect to alt1.gmail-smtp-in.l.google.com[209.85.221.29]: Connection timed out (port 25)
Long question:
My problem is this: I have two ISPs, let's say ISP1 and ISP2. ISP1 has a static IP address, ISP2 a dynamic one. Part of my route.sh looks like this:

Quote:
ip -s route add default scope global \
nexthop via $ISP1_GW dev $ISP1_INT weight 1 \
nexthop via $ISP2_GW dev $ISP2_INT weight 1 ||
ip -s route add default nexthop via $ISP1_GW dev $ISP2_INT

# ISP2 Only
#ip -s route add default nexthop via $ISP2_GW dev $ISP2_INT weight 1

# ISP1 Only
#ip -s route add default nexthop via $ISP1_GW dev $ISP1_INT weight 1
When I don't change anything in the above, everything works fine. When I comment out the first 4 lines and uncomment the last line, everything works fine too.
But if I want the people on my LAN to surf via ISP2 only (it's 10x faster), I receive the previous message "Connection timed out (port 25)". I can receive mail, and I can send/receive mail within the LAN, but I can't send mail outside.

In my firewall I have lines that force SMTP to go out via ISP1:

Quote:
# Force SMTP ISP1:
$I -t mangle -A PREROUTING -p tcp --dport 25 -s ! $LOC_NET -j MARK --set-mark 25
$I -t mangle -A OUTPUT -p tcp --dport 25 -d ! $LOC_NET -j MARK --set-mark 25
$I -t mangle -A PREROUTING -p tcp --dport 25 -s ! $LOC_NET -j ROUTE --oif isp1
$I -t mangle -A OUTPUT -p tcp --dport 25 -d ! $LOC_NET -j ROUTE --oif isp1
$I -t nat -A POSTROUTING -m mark --mark 25 -j SNAT --to-source $ISP1_IP
echo -----------------------------------

ip rule delete fwmark 25 table ISP1
ip rule add fwmark 25 table ISP1

ip route flush cache
Does someone know where the problem is?
Thanks
 
Old 03-20-2009, 11:41 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Let's go slowly:

First create the routing tables.

Code:
# the main table does load balancing
ip route add to default \
  nexthop via $ISP1_GW weight 1 \
  nexthop via $ISP2_GW weight 1

# table ISP1 sends everything to ISP1.
ip route add table ISP1 to default via $ISP1_GW

# table ISP2 sends everything to ISP2.
ip route add table ISP2 to default via $ISP2_GW
Now, mark traffic according to the interface it
passes through. $ISP1_INT traffic gets a mark of 1;
$ISP2_INT traffic gets a 2.

Code:
# Notes: 1. A connmark is 'remembered' for the duration of the 'connection'.
#        2. You'll have to deal with traffic to/from this machine separately. These 
#           rules only affect traffic to/from the LAN.

# incoming traffic
iptables -t mangle -A PREROUTING  -i $ISP1_INT  -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING  -i $ISP2_INT  -j CONNMARK --set-mark 2

# outgoing traffic
iptables -t mangle -A POSTROUTING -o $ISP1_INT  -j CONNMARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $ISP2_INT  -j CONNMARK --set-mark 2
Now the routing. We only care about packets incoming on the LAN interface:

Code:
# copy the connmark (if any) to the packet so we can use fwmark
iptables -t mangle -A PREROUTING  -i $IF_LAN  -j CONNMARK --restore-mark

# packets going to port 25 should be marked with a '1'
iptables -t mangle -A PREROUTING  -i $IF_LAN -p tcp --dport 25  -j MARK --set-mark 1

# Packets which are marked are committed to an interface.
# Unmarked packets will use the main routing table.
ip rule add prio 100 iif $IF_LAN fwmark 1 table ISP1
ip rule add prio 200 iif $IF_LAN fwmark 2 table ISP2
I think that's it.

Last edited by Berhanie; 03-20-2009 at 11:46 AM.
 
Old 03-20-2009, 02:25 PM   #3
malesh
LQ Newbie
 
Registered: Nov 2008
Posts: 8

Original Poster
Rep: Reputation: 0
Berhanie, thanks.
I did everything you told me, but when I change the weights (otherwise my LAN still surfs on both ISPs) in

Quote:
# the main table does load balancing
ip route add to default \
nexthop via $ISP1_GW weight 1 \
nexthop via $ISP2_GW weight 20
I receive a message from Google:

Quote:
... status=bounced (host gmail-smtp-in.1.google.com ... said ... The IP you're using to send mail is not authorized to 550-5.7.1 send mail directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at....)
P.S. I have commented out all the lines I pasted in my first post.

Last edited by malesh; 03-20-2009 at 02:50 PM.
 
Old 03-20-2009, 06:39 PM   #4
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
That error is an authorization problem:

From RFC 1893:

Quote:
X.7.1 Delivery not authorized, message refused

The sender is not authorized to send to the destination.
This can be the result of per-host or per-recipient
filtering. This memo does not discuss the merits of any
such filtering, but provides a mechanism to report such.
This is useful only as a permanent error.
It looks like gmail doesn't like your IP address. This usually
happens when coming from a dynamic IP address, but it can happen
with a static address (e.g. when the ISP is a known source of
spam). But, you should really make sure that:

1. You're sending the mail from your LAN, not from the router (unless
you've made changes to account for that case).

2. When sending mail from the LAN, the connection exits using
interface $ISP_INT, as we intend. You can use iftop on the router
for that.

It might also help if you posted a dump of your iptables rules
for each table in effect (e.g. for the mangle table: iptables -t mangle -L -n),
a dump of all your routing tables (ip route ls, ip route ls table ISP1, etc),
and a dump of your rules (ip rule ls).

Last edited by Berhanie; 03-20-2009 at 09:54 PM. Reason: corrected earlier gibberish
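As an added example (not code from the thread or from either poster), the script below applies the routing tables, CONNMARK rules and fwmark rules laid out in post #2, adds the source NAT per exit interface that the marks alone do not give you, and offers a way to verify point 2 of post #4 with `ip route get` instead of watching iftop. Table names ISP1/ISP2 follow the thread; the interface names, gateways and the LAN address used for checking are constructed placeholders.

```shell
# Added example, not from the thread: apply the policy routing described in post #2
# (LAN tcp/25 pinned to ISP1, the rest load-balanced) and check the result.
# Assumes tables ISP1/ISP2 exist in /etc/iproute2/rt_tables; the interface and
# gateway values below are constructed placeholders (override via environment).
ISP1_GW=${ISP1_GW:-192.0.2.1};     ISP1_INT=${ISP1_INT:-eth1}
ISP2_GW=${ISP2_GW:-198.51.100.1};  ISP2_INT=${ISP2_INT:-eth2}
IF_LAN=${IF_LAN:-eth0}
DRY_RUN=${DRY_RUN:-}   # set to 1 to print the commands instead of running them
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_routes() {
  # main table load-balances; tables ISP1/ISP2 each pin one uplink
  run ip route replace default \
    nexthop via "$ISP1_GW" dev "$ISP1_INT" weight 1 \
    nexthop via "$ISP2_GW" dev "$ISP2_INT" weight 1
  run ip route replace table ISP1 default via "$ISP1_GW" dev "$ISP1_INT"
  run ip route replace table ISP2 default via "$ISP2_GW" dev "$ISP2_INT"
}

setup_marks() {
  # remember the uplink a connection used so every later packet of it sticks to it
  run iptables -t mangle -A PREROUTING  -i "$ISP1_INT" -j CONNMARK --set-mark 1
  run iptables -t mangle -A PREROUTING  -i "$ISP2_INT" -j CONNMARK --set-mark 2
  run iptables -t mangle -A POSTROUTING -o "$ISP1_INT" -j CONNMARK --set-mark 1
  run iptables -t mangle -A POSTROUTING -o "$ISP2_INT" -j CONNMARK --set-mark 2
  # LAN packets: restore the connection mark, then force outbound SMTP onto ISP1
  run iptables -t mangle -A PREROUTING -i "$IF_LAN" -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -i "$IF_LAN" -p tcp --dport 25 -j MARK --set-mark 1
  # source NAT must follow the exit interface: mail pinned to ISP1 has to leave with
  # ISP1's static address, not the dynamic ISP2 address that drew the 550 5.7.1 bounce
  run iptables -t nat -A POSTROUTING -o "$ISP1_INT" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$ISP2_INT" -j MASQUERADE
  run ip rule add prio 100 iif "$IF_LAN" fwmark 1 table ISP1
  run ip rule add prio 200 iif "$IF_LAN" fwmark 2 table ISP2
  run ip route flush cache
}

# Pure string check on one `ip route get` result: does the path leave via ISP1?
exits_via_isp1() {
  case " $(printf '%s' "$1" | tr '\n' ' ') " in
    *" dev $ISP1_INT "*) return 0 ;;
  esac
  return 1
}

# Ask the kernel which uplink a mark-1 packet from LAN address $2 to $1 would take
# (what post #4 suggests verifying with iftop, without waiting for real traffic).
check_smtp_path() {
  exits_via_isp1 "$(ip route get "$1" from "$2" iif "$IF_LAN" mark 1 2>/dev/null)"
}
```

Source the file with DRY_RUN=1 and call `setup_routes; setup_marks` to review the commands before running them for real. Afterwards `check_smtp_path 209.85.221.29 192.168.1.10` (constructed LAN address) returns 0 only when the kernel would send that marked packet out the ISP1 interface.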
 