Resolved Change from SMTP port 25 to another port

Eberhard Gierke

Basic Pleskian
I tried the following.

Log into my server as root.
CD to /etc/postfix/
Create a backup of master.cf (cp master.cf master.cf-bak)
Open master.cf with a text editor
Find the line labeled: "smtp inet n ......"
Just below the line, insert a new line containing the following:
1234 inet n - n - - smtpd
Save the file.
Run "/etc/init.d/postfix restart" to restart Postfix.
Add the new port to iptables by running: "iptables -A INPUT -p tcp --dport 1234 -j ACCEPT"
So far everything has worked.

Now comes my problem ...
When I try to save the rule with the command
/etc/init.d/iptables save
AND/OR I try to restart "iptables",
/etc/init.d/iptables restart
I get the message ..
Incorrect path or filename.

I need the correct filename and path....
Can someone help me with my problem?

OS: Ubuntu 16.04.2 LTS
Plesk Onyx Version 17.5.3 Update #6

Many Thanks!!
 
Hi Eberhard Gierke,

At the moment, the usage of port "25" is hard-coded within Plesk files (encrypted) and can't be changed, as far as I remember.
Please wait for a Plesk team member to verify my comment (@IgorG?).
 
at the moment, the usage of port "25" is hard - coded within Plesk files ( encrypted ) and can't be changed as far

You could be right. I have found a way to save and activate the rule. BUT it does not work.

It would already be important (for me) to change the port 25 because I currently have a lot of " bad visitors" on my server.

@IgorG
Maybe you can help in this case.

Thank you!
 
Why would you want to change port 25? How would other mailservers find your mailserver? If you are the only one to send why not use the submission port and close 25?
 
You can add an alternative port, 26 for example, by adding the line

26 inet n - n - - smtpd

to

/etc/postfix/master.cf file and restart postfix service.
But it is not a permanent solution because the Postfix settings will be overwritten at the next mail settings update in Plesk.
 
Another option is to add a NAPT translation into iptables.
Sometimes Plesk rewrites master.cf (or other files) and, without you knowing, that addition is gone.

You need to open up port 1234 as well.
If you don't want it to listen to port 25 you need to block that port on the incoming interface and port.

Code:
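# DNAT in PREROUTING runs before INPUT, so forwarded traffic also arrives with dport 25.
# Match on the original destination port so only direct connections to 25 are dropped.
-A INPUT -p tcp -d <wan-ip> -m conntrack --ctorigdstport 25 --dport 25 -j DROP
-A INPUT -p tcp --dport 25 -j ACCEPT


-A PREROUTING -d <wan-ip>/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination <wan-ip>:25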

BTW...

On each new Plesk server I check the iptables of its firewall to see if there are any differences with my own standard iptables.

I close incoming MySQL btw..

I then remove the Plesk firewall and make sure my iptables is loaded when the interface comes up.

I feel more comfortable with that simple handling of iptables than its not that flexible Plesk counterpart.
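
A check for the situation described in the two posts above, where Plesk rewrites master.cf and the extra listener line disappears. This is an added example, not part of the original thread; the function names and the sample master.cf are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect when an extra smtpd listener has vanished from master.cf.

# Print the TCP port of every inet service that runs smtpd.
# master.cf fields: service type private unpriv chroot wakeup maxproc command
smtpd_ports() {
    awk '
        BEGIN { port["smtp"] = 25; port["submission"] = 587; port["smtps"] = 465 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        /^[ \t]/ { next }                   # continuation line (-o options)
        $2 == "inet" && $8 == "smtpd" {
            n = split($1, part, ":")        # handles 1234, host:1234, [::1]:1234
            svc = part[n]
            print ((svc in port) ? port[svc] : svc)
        }
    ' "$1"
}

# Print each expected port ($2...) that has no smtpd listener in file $1.
missing_smtpd_ports() {
    file=$1; shift
    for want in "$@"; do
        smtpd_ports "$file" | grep -qx "$want" || echo "$want"
    done
}

# Constructed sample: port 1234 still present, port 26 commented out.
write_sample_master_cf() {
    cat > "$1" <<'EOF'
smtp       inet  n  -  n  -   -  smtpd
1234       inet  n  -  n  -   -  smtpd
#26        inet  n  -  n  -   -  smtpd
submission inet  n  -  n  -   -  smtpd
  -o smtpd_tls_security_level=encrypt
pickup     unix  n  -  n  60  1  pickup
127.0.0.1:10025 inet n - n - - smtpd
EOF
}

sample=$(mktemp)
write_sample_master_cf "$sample"
echo "smtpd ports:   $(smtpd_ports "$sample" | tr '\n' ' ')"
echo "missing ports: $(missing_smtpd_ports "$sample" 25 1234 26 | tr '\n' ' ')"
rm -f "$sample"
```

Run against /etc/postfix/master.cf from cron, any output from missing_smtpd_ports means a listener you rely on is gone.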
 
Yes, but it's only needed if you DON'T want it to respond to port 25.

Most likely it is enough to just comment the "--dport 25 -j ACCEPT" line
The line I gave is for a situation where you would have more than 1 IP on your server.
Traffic coming from and going to localhost interface is already accepted that far down the chain.


BTW... I'm merely giving you a solution to your question.
Like eiko said... why would you stop listening to port 25?

If you want I could write a script that does all dynamically without changing the firewall.
 
I think this should work

cat /usr/local/sbin/change_smtp_port
Code:
#!/bin/sh
# Drop direct connections to the SMTP port on the WAN address and forward
# an alternative port to it, without editing the saved firewall rules.

SMTP=25
ALT_SMTP=1234

# First public (non-private, non-loopback) IPv4 address reported by ifconfig
WANIP=`ifconfig | grep -o 'inet addr:[0-9.]*' | awk -F: '{print $2}' | egrep -v '^(10|192\.168|172\.1[6-9]|172\.2.|172\.3[01]|127)\.' | head -n1`
# Row numbers of the existing ACCEPT and DROP rules for the SMTP port in INPUT
ACCEPTROW=`iptables --line-numbers -nL INPUT | grep -i "ACCEPT .* 0\.0\.0\.0/0 .* dpt:${SMTP}$" | head -n1 | awk '{print $1}'`
DROPROW=`iptables --line-numbers -nL INPUT | grep -i "DROP .* 0\.0\.0\.0/0 .* dpt:${SMTP}$" | head -n1 | awk '{print $1}'`

[ -n "${WANIP}" ] || exit 1

if [ -n "${DROPROW}" ] ; then
  echo "Port ${SMTP} is already getting dropped"
elif [ -n "${ACCEPTROW}" ] ; then
  if [ "${ACCEPTROW}" -gt 4 ] ; then
    iptables -I INPUT ${ACCEPTROW} -p tcp -m tcp -d ${WANIP} --dport ${ALT_SMTP} -j ACCEPT
    # DNAT happens in PREROUTING, before INPUT, so forwarded connections also
    # arrive with dport ${SMTP}; drop only those originally sent to ${SMTP}.
    iptables -I INPUT ${ACCEPTROW} -p tcp -m conntrack --ctorigdstport ${SMTP} -m tcp -d ${WANIP} --dport ${SMTP} -j DROP

    iptables -t nat -A PREROUTING -d ${WANIP}/32 -p tcp -m tcp --dport ${ALT_SMTP} -j DNAT --to-destination ${WANIP}:${SMTP}
  else
    echo "I think something went wrong with the iptables detection, row ${ACCEPTROW} can't be true" >&2
  fi
else
  echo "I'm unable to detect the line where port ${SMTP} is accepted, I can't do anything" >&2
fi
 