Resolved Cannot send emails unreachable port 25

[bruno911]

I have a VPS cloud server with 1and1, and I am using plesk 12.5 on Centos 7

Since I migrated from a smaller VPS, I have a problem that I cannot send any email from any customer, I tried using php all emails get stuck in the email queue. I checked the maillog and I got many like this:

postfix/smtp[30486]: connect to alt2.gmail-smtp-in.l.google.com[74.125.68.26]:25: Connection timed out

So, I tried:

telnet alt2.gmail-smtp-in.l.google.com 25

And it does not connect.

I contacted 1and1 and I asked them to open port 25 for income/outcome traffic, they did it, on plesk firewall I have opened that port, I came back to 1and1, they said confirmed 25 port is open on their side.

So on plesk I opened all ports in the firewall. Still same issue, only the port 25 is blocked for outgoing traffic.

I checked that iptables, and iptables is not installed. So I believe the only filter will be plesk firewall.

A traceroute on the port 25 fails on the first hop on the ip 82.223.18.2. that ip is not my VPS IP nor my gateway ip.

So 1and1 keeps saying it is a plesk issue as in their side all is correct.

Any ideas?

 

[UFHH01]

Hi bruno911,

if ( for what ever reason ), the firewall, Fail2Ban, or SELinux ) is the root cause of your issue, the first thing you should do, is to STOP the depending services:

service Fail2Ban stop
setenforce 0​

Next, you would FLUSH all iptables ( firewall ), so that no possible misconfiguration can block your ports:

iptables -F​

You can now CHECK AGAIN, if you are able to connect to for example "telnet alt2.gmail-smtp-in.l.google.com 25" and if mails are being delivered and received as expected ( pls. see again your log - files, after you tried the mail - usage with a test - eMail! ).


There are now two further options:

1. Your test results are negativ : => Report back possible issues/errors/problems, when you try to restart the services postfix/qmail/dovecot or/and imap-courier and post the results of "service SERVICE-NAME status" ( where "SERVICE-NAME" should be replaced with the depending used mail - software on your server! ), "netstat -tulpn | grep :25" and "netstat -tulpn | grep :110". It can help as well to post the corresponding configuration files of your used mail - software.
2. Your test results are positiv : => Inspect your corresponding logs of "Fail2Ban" ( /var/log/fail2ban.log - this path can vary, depending to your unique configuration of Fail2Ban ), "SELinux" ( /var/log/audit/audit.log ) and check your firewall for possible misconfigurations/errors/problems/issues and post them here, if you would like help with your investigations.

 

[bruno911]

Hi UFHH01,

thank you for your response.

I tried all and still not luck.

When I do
iptables -F
the server crashes and I have to restart it.

Here is the content of iptables --list, none of it is blocking outgoing traffic on port 25

Chain INPUT (policy DROP)
target prot opt source destination
f2b-plesk-wordpress tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-login tcp -- anywhere anywhere multiport dports cddbp-alt,pcsync-https
f2b-BadBots tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-apache tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-roundcube tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-horde tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-dovecot tcp -- anywhere anywhere multiport dports imap,imap3,imaps,pop3,pop3s,sieve
f2b-plesk-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
f2b-plesk-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
f2b-recidive tcp -- anywhere anywhere
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:12443
ACCEPT tcp -- anywhere anywhere tcp dpt:11443
ACCEPT tcp -- anywhere anywhere tcp dpt:11444
ACCEPT tcp -- anywhere anywhere tcp dpt:8447
ACCEPT tcp -- anywhere anywhere tcp dptcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dptop3
ACCEPT tcp -- anywhere anywhere tcp dptop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dptoppassd
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dptostgres
ACCEPT tcp -- anywhere anywhere tcp dptgs-server
ACCEPT tcp -- anywhere anywhere tcp dpt:glrpc
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dptpenvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:smtp

Chain f2b-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-dovecot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-horde (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-login (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-roundcube (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-plesk-wordpress (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain f2b-recidive (1 references)
target prot opt source destination
REJECT all -- 223.71.208.114 anywhere reject-with icmp-port-unreachable
REJECT all -- 221.229.172.75 anywhere reject-with icmp-port-unreachable
REJECT all -- 278660.customer.zol.co.zw anywhere reject-with icmp-port-unreachable
REJECT all -- 118.70.168.251 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere


Any ideas?

 

[UFHH01]

Hi bruno911,

When I do
iptables -F
the server crashes and I have to restart it.

This is a very strange behaviour. Pls. contact your hosting provider to solve this specific issue and investigate for example with the help of log - files, why your server "crashes" and what the root cause is. It might help to switch to "debug - level - mode" in depending configuration files, so that you get a more verbose output in the depending logs.

Unfortunately, the provided informations and facts are insufficient to suggest how you should continue with the investigations to solve your issue(s). You totally miss to report, as suggested in my previous post, what the output of the commands are, which results in the fact, that further investigations can't be done.
Due to possible network - issues, possible mis- or unconfigured services or system components, it could be faster for you to re-install your server completely, instead of investigating where your root case is - that really depends very much on your very own linux knowledge and your server administration skills.

 

[Giacomo Berdondini]

Hello, sorry to update an old post, but I'm facing the same problem here.
1and1 cloud server, Plesk Onyx 17.0.17 Update #35, Postfix. Port 25 opened in 1and1 cloud manager firewall.
I can connect to the server via a simple "telnet server.address.com 25", but from the server I can't connect to anything via port 25.
That means postfix is unable to send any of the outgoing emails.

The server is a fresh install, I didn't touch any configuration file because I wanted to test all of the network settings before start working on it.

First of all, @bruno911 dido you find a solution?
Secondly, UFHH01 (thank you, I've read so many of yours replies over the year that saved me many of my days) can you please tell me what log / config files I can provide to you? I did the basic tests you described above but no luck.

 

[UFHH01]

Hi Giacomo Berdondini,

pls. note, that each Plesk version differs and we therefore created different sub - forums for the different Plesk versions. If you desire help for Plesk Onyx, you would certainly create a thread at => Home > Forum > Plesk Discussion > Plesk Onyx for Linux

 

[Giacomo Berdondini]

Ok, thank you.
I posted my issue in the right forum (Issue - Can't send mail - can't telnet to any destination on port 25), really hope someone would help since it's very frustrating.
Thank for pointing me to the right place.
Best regards,
Giacomo