No smtp connections to outside

Discussion in 'Installation/Configuration' started by lnxgs, Jul 12, 2024.

  1. lnxgs

    lnxgs Member

    Hello,
    I decided to reinstall ISPConfig on my new server using the automatic script on Debian 12.
    I have a problem sending email. No SMTP connectivity to the outside.
    "telnet mailserver2.example.com 25" or whatever does not reply.
    I suspect a lot of firewall rules generated by the installer are blocking my traffic.

    root@srv01:/var/log# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    f2b-sshd tcp -- anywhere anywhere multiport dports ssh
    ufw-before-logging-input all -- anywhere anywhere
    ufw-before-input all -- anywhere anywhere
    ufw-after-input all -- anywhere anywhere
    ufw-after-logging-input all -- anywhere anywhere
    ufw-reject-input all -- anywhere anywhere
    ufw-track-input all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- anywhere anywhere
    ufw-before-forward all -- anywhere anywhere
    ufw-after-forward all -- anywhere anywhere
    ufw-after-logging-forward all -- anywhere anywhere
    ufw-reject-forward all -- anywhere anywhere
    ufw-track-forward all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- anywhere anywhere
    ufw-before-output all -- anywhere anywhere
    ufw-after-output all -- anywhere anywhere
    ufw-after-logging-output all -- anywhere anywhere
    ufw-reject-output all -- anywhere anywhere
    ufw-track-output all -- anywhere anywhere

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- melted-peace.aeza.network anywhere reject-with icmp-port-unreachable
    RETURN all -- anywhere anywhere

    Chain ufw-after-forward (1 references)
    target prot opt source destination

    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
    ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
    target prot opt source destination

    Chain ufw-after-output (1 references)
    target prot opt source destination

    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ufw-user-forward all -- anywhere anywhere

    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ufw-logging-deny all -- anywhere anywhere ctstate INVALID
    DROP all -- anywhere anywhere ctstate INVALID
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
    ufw-not-local all -- anywhere anywhere
    ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns
    ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
    ufw-user-input all -- anywhere anywhere

    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination

    Chain ufw-before-logging-input (1 references)
    target prot opt source destination

    Chain ufw-before-logging-output (1 references)
    target prot opt source destination

    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ufw-user-output all -- anywhere anywhere

    Chain ufw-logging-allow (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
    DROP all -- anywhere anywhere

    Chain ufw-reject-forward (1 references)
    target prot opt source destination

    Chain ufw-reject-input (1 references)
    target prot opt source destination

    Chain ufw-reject-output (1 references)
    target prot opt source destination

    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain ufw-track-forward (1 references)
    target prot opt source destination

    Chain ufw-track-input (1 references)
    target prot opt source destination

    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere ctstate NEW
    ACCEPT udp -- anywhere anywhere ctstate NEW

    Chain ufw-user-forward (1 references)
    target prot opt source destination

    Chain ufw-user-input (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere multiport dports 40110:40210
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
    ACCEPT tcp -- anywhere anywhere tcp dpt:submissions
    ACCEPT tcp -- anywhere anywhere tcp dpt:submission
    ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
    ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
    ACCEPT udp -- anywhere anywhere udp dpt:domain

    Chain ufw-user-limit (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination

    Chain ufw-user-logging-input (0 references)
    target prot opt source destination

    Chain ufw-user-logging-output (0 references)
    target prot opt source destination

    Chain ufw-user-output (1 references)
    target prot opt source destination


    Any suggestion?
    Note: on my old server I installed ISPConfig manually and I have no ufw iptables rules.
    Thank you
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case. ISPConfig never blocks outgoing SMTP connections. The most likely reason for your issue is that the ISP that provides the internet connection for this system or the data center where you host it blocks port 25 outgoing; almost all providers and data centers do it these days. Contact the ISP or data center and check it with them.
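    To separate the two candidate causes in this thread (local netfilter rules versus an upstream provider block), here is an added Python example; it is not code from this thread, from ISPConfig or from ufw. It parses `iptables -L` output in the format posted above, lists every DROP/REJECT rule reachable from the OUTPUT chain that could match a new outbound TCP connection to a given port, and adds a socket probe that classifies a connection failure. The embedded dump is a constructed excerpt of the posted OUTPUT-side chains, and a second constructed dump adds an explicit egress block so the walker has something to report; the host name in the usage line is the one from the question and stands in for your own relay. One caveat the code works around: `iptables -L` without `-v` hides interface matches (the first `ACCEPT all` in ufw-before-output is, in ufw's before.rules, the `-o lo` loopback rule), so the walker lists candidate blocking rules instead of simulating a single verdict; `iptables -S` or `iptables -L -v -n` shows the full matches.

```python
import re
import socket
import sys

# Constructed excerpt of the posted `iptables -L` dump: only the chains
# reachable from OUTPUT, which is all that matters for outbound SMTP.
SAMPLE_DUMP = """\
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-output (1 references)
target prot opt source destination
"""

# Second constructed dump: the same server after an admin added an explicit
# egress REJECT for port 25 (hypothetical, to show the walker finding it).
BLOCKED_DUMP = SAMPLE_DUMP.replace(
    "Chain ufw-user-output (1 references)\ntarget prot opt source destination\n",
    "Chain ufw-user-output (1 references)\ntarget prot opt source destination\n"
    "REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable\n",
)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
# Service names iptables prints for the three SMTP ports (from /etc/services).
SERVICE_NAMES = {25: {"smtp"}, 465: {"submissions", "smtps"}, 587: {"submission"}}


def parse_iptables_l(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [...]}}.
    A rule keeps its target, protocol and the free-form match text that follows
    the destination column (ctstate, dpt:, multiport dports, ...)."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue  # column header line
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        chains[current]["rules"].append(
            {"target": parts[0], "prot": parts[1], "extra": parts[5] if len(parts) > 5 else ""}
        )
    return chains


def _port_in(port, item, names):
    """True if a dpt item (service name, number or lo:hi range) covers `port`."""
    if item in names:
        return True
    lo, _, hi = item.partition(":")
    return lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)


def rule_matches_port(rule, port):
    """True if a rule could match a NEW outbound TCP connection to `port`."""
    if rule["prot"] not in ("all", "tcp"):
        return False
    extra = rule["extra"]
    # Rules restricted to RELATED,ESTABLISHED or INVALID never see a new connection.
    m = re.search(r"ctstate (\S+)", extra)
    if m and "NEW" not in m.group(1).split(","):
        return False
    names = SERVICE_NAMES.get(port, set()) | {str(port)}
    m = re.search(r"\bdpt:(\S+)|\bdports (\S+)", extra)
    if m:
        spec = m.group(1) or m.group(2)
        return any(_port_in(port, item, names) for item in spec.split(","))
    return True  # no destination-port restriction: the rule covers every port


def egress_blocks(chains, port, start="OUTPUT"):
    """Return (chain, rule) pairs reachable from `start` whose target is DROP or
    REJECT and that could match a new outbound TCP connection to `port`.
    Jumps into user chains are followed; since `-L` hides -i/-o matches, this
    lists candidates rather than claiming which rule actually fires."""
    found, seen = [], set()

    def walk(name):
        if name in seen or name not in chains:
            return
        seen.add(name)
        for rule in chains[name]["rules"]:
            if not rule_matches_port(rule, port):
                continue
            if rule["target"] in ("DROP", "REJECT"):
                found.append((name, rule))
            elif rule["target"] not in TERMINAL:
                walk(rule["target"])

    walk(start)
    return found


def local_firewall_report(text, port):
    """Summarise whether the local OUTPUT path could block `port`."""
    chains = parse_iptables_l(text)
    blocks = egress_blocks(chains, port)
    return {
        "policy": chains.get("OUTPUT", {}).get("policy"),
        "blocks": [(c, "%s %s %s" % (r["target"], r["prot"], r["extra"])) for c, r in blocks],
    }


def probe_port(host, port, timeout=5.0):
    """One outbound TCP connect, classified. 'refused' means something answered
    (a local REJECT or a closed remote port); 'timeout' means packets were
    silently dropped, locally by a DROP rule or somewhere upstream."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error: %s" % e


if __name__ == "__main__":
    for label, dump in (("posted dump", SAMPLE_DUMP), ("with egress block", BLOCKED_DUMP)):
        print(label, local_firewall_report(dump, 25))
    # Optional live probe: python3 this.py mailserver2.example.com (placeholder host)
    if len(sys.argv) > 1:
        for p in (25, 465, 587):
            print(p, probe_port(sys.argv[1], p))
```

    Reading the result: for the posted dump the report is an ACCEPT policy with no candidate blocking rules, so the local firewall is not the culprit. If the live probe then times out on 25 (and 465) while 587 connects, the drop is happening beyond the host, which is the provider-side port-25 block till describes. A "refused" on 25 would instead point at a local REJECT rule or a closed port on the far end, and the walker would list the local one.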
     
  3. lnxgs

    lnxgs Member

    You are right. Looking for support, I found:
    Outgoing traffic to ports 25 and 465 are blocked by default on all Cloud Servers
    You are currently not allowed to unblock these ports.

    ...hetzner.cloud
    I need to change the provider. Thank you
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Hetzner will unblock the ports after some time, they just block them for new clients as a security measure, contact them. Most other cloud providers block port 25 as well, but unlike Hetzner, many of them will never unblock them.
     
  5. lnxgs

    lnxgs Member

    I have used a Kimsufi for 10 years and port 25 is open.
    But now I have to leave them because my server is old technology and they dropped support for new Linux distributions (like Debian 12, the latest Ubuntu...). :(
    I've just asked Hetzner to open the port. I can wait a month or so. I hope they allow it.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I have used Hetzner for a long time, and port 25 is open on all of my systems. ;) It's just that you are a new customer. Many people sign up at cloud hosters these days just to send spam, and that's what they try to prevent, as they have to protect their IP addresses and subnets from getting banned.
     
    ahrasis likes this.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Agreed with @till: Hetzner will normally approve it, but they will also monitor it temporarily, for the reasons stated above.

    Just to add some extra notes for those who run a home server/lab like me: I can vouch that Hetzner is really a good option to build and run a mail and DNS server, as an extension to an ISPConfig panel, web (with FTP/SSH), Roundcube (mail UI), database, and backup server that can be run from home. Alternatively, one can also use a free (or paid) mail relay (e.g. Google Workspace) and DNS server (e.g. Cloudflare) for that ISPConfig home extension, which has been my selected option for more than 6 years now. I have plans to lease several public IPs from an ISP to maintain my own mail and DNS server in the future, but that is when some of the projects fully materialize, hopefully sooner rather than later.
     
  8. lnxgs

    lnxgs Member

    Hello,
    I chose them because the price is competitive. I got the answer: "an unblock is only possible after the first paid invoice." So I have to wait about a month and it's ok.
     
    ahrasis and till like this.
