• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue I can not send mail to the outside

P

python

Regular Pleskian
the messages that sent from my server do not reach the outside, the problem with iptables since if I deactivate it and they arrive.

register the record at the end of my rules as follows:

iptables -A OUTPUT -j LOG

in the var / log / messages logs I get this:

Oct 9 12:57:00 server kernel: IN= OUT=em1 SRC=xx.xx.xx.xx DST=173.194.221.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56682 PROTO=TCP SPT=2423 DPT=25 WINDOW=42340 RES=0x00 SYN URGP=0
Oct 9 12:57:02 server kernel: IN= OUT=em1 SRC=xx.xx.xx.xx DST=173.194.221.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57695 PROTO=TCP SPT=2423 DPT=25 WINDOW=42340 RES=0x00 SYN URGP=0
Oct 9 12:57:06 server kernel: IN= OUT=em1 SRC=xx.xx.xx.xx DST=74.125.130.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54423 PROTO=TCP SPT=54073 DPT=25 WINDOW=42340 RES=0x00 SYN URGP=0
Oct 9 12:57:07 server kernel: IN= OUT=em1 SRC=xx.xx.xx.xx DST=74.125.130.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55009 PROTO=TCP SPT=54073 DPT=25 WINDOW=42340 RES=0x00 SYN URGP=0
Oct 9 12:57:09 server kernel: IN= OUT=em1 SRC=xx.xx.xx.xx DST=74.125.130.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55291 PROTO=TCP SPT=54073 DPT=25 WINDOW=42340 RES=0x00 SYN URGP=0



can someone help me interpret this log

add that only happens when sending mail to the outside if sending inside server works well
 
Last edited:
You will need to provide your full iptables setting for further analysis, if iptables rules are blocking outgoing packets on port 25:
# iptables --list
 
thank you for your interest in helping me, I do not stop to go around the internet and I do not find the solution, I'm sure to sea something very basic but I'm learning with iptables and not meeting.

The problem is that I do not receive mail from external servers everything else okay. (I can send, receive and send a my local server)

use postfix devecot for mail management
I have some conflict with the http ... plesk everything else works fine except the mail.

regards



[root@server]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere multiport dports http,https
ACCEPT tcp -- anywhere anywhere tcp dpt csync-https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:caupc-remote
ACCEPT tcp -- localhost.localdomain localhost.localdomain tcp dpt:mysql
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level alert prefix "INPUT "

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level alert prefix "FORWARD "

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere multiport sports http,https state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt csync-https state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere multiport dports imap,imaps
ACCEPT tcp -- anywhere anywhere multiport dports pop3,poppassd
ACCEPT tcp -- anywhere anywhere tcp dpt op3s
ACCEPT tcp -- anywhere anywhere tcp spt:caupc-remote state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level alert prefix "OUTPUT "

Chain DOCKER (0 references)
target prot opt source destination

Chain DOCKER-ISOLATION (0 references)
target prot opt source destination

Chain f2b-SSH (0 references)
target prot opt source destination

Chain f2b-plesk-dovecot (0 references)
target prot opt source destination

Chain f2b-plesk-horde (0 references)
target prot opt source destination

Chain f2b-plesk-login (0 references)
target prot opt source destination

Chain f2b-plesk-modsecurity (0 references)
target prot opt source destination

Chain f2b-plesk-postfix (0 references)
target prot opt source destination



note: modify the iptables and what happens now is that messages do not arrive from outside my server is to say the reverse now the problem is the latter that I say not the title.
 
Last edited:
I think that the problem is in the first chain of iptables. You are accepting ports 80, 443, 3306, but where are the mail ports? The policy "drop" means that all that is not covered by the rules in that chain will be dropped, and the chain looks very restrictive to me. As the mail ports are not part of it, they are not covered, hence traffic to and from them is being dropped. The chain is missing the Plesk ports, mail ports, poppassd, postgres, openvpn, netbios ports and ftp and many more. It does not look correct at all and is blocking way too much.

Did you try to clear all rules from iptables, then remove the Plesk firewall component and re-add the firewall-component? Then activate the Plesk firewall and look into iptables again. It should then have a proper setup.
 
hello, if it is true it is very restrictive but it is what I want, really the only thing that does not work is the receipt of emails from abroad.
everything else works fine
 
[root@server]# iptables -n --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2122
ACCEPT tcp -- 127.0.0.1 127.0.0.1 tcp dpt:3306
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 1 prefix "INPUT "

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 1 prefix "FORDWARD "

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8443 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,106
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:2122 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 1 prefix "OUTPUT "

Chain f2b-SSH (0 references)
target prot opt source destination

Chain f2b-plesk-dovecot (0 references)
target prot opt source destination

Chain f2b-plesk-horde (0 references)
target prot opt source destination

Chain f2b-plesk-login (0 references)
target prot opt source destination

Chain f2b-plesk-modsecurity (0 references)
target prot opt source destination

Chain f2b-plesk-postfix (0 references)
target prot opt source destination


I can not receive messages from outside even opening all smtp pop imap ports.

Even once it works I want to set the iptables well but now I do not understand why I do not receive mail from outside.
regards
 
in the iptables log I am realizing that sometimes the mail does not arrive because it is obvious for example this package is not coming:

Oct 10 11:52:39 server kernel: OUTPUT IN= OUT=em1 SRC=XX.XX.XX.XX DST=217.114.59.66 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=54070 PROTO=UDP SPT=50093 DPT=123 LEN=56

You are denying the output packet using the udp protocol with source port 50093 and destination 123

to do tests to verify these log I put these rules in mail

iptables -A INPUT -p tcp --dport 10:50000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 10:50000 -j ACCEPT
iptables -A INPUT -p udp --dport 10:50000 -j ACCEPT
iptables -A OUTPUT -p udp --sport 10:50000 -j ACCEPT


and it worked well but not always is to say in the last log that did not work and I use a purto greater than 50000 use the 50093 it is normal not to receive that package.


My question then is because it uses those ports as varied and the protocol udp at the moment so that it should allow all the ports, I am new and I want to configure my firewall (iptables) the safest way possible allowing the minimum on and exit.

Someone explain to me why this happens?
 
Last edited:
You must log in or register to reply here.

Similar threads

Linulex
Question How do i find outgoing website uid when using nginx?
Replies
2
Views
876
Linulex
Linulex
M
Input How my firewall helped in uncovering a malicious PHP-script
Replies
1
Views
2K
virtubox
virtubox
L
A lot of "Firewall: *UDP_OUT Blocked*" on ports 67 and 68
Replies
2
Views
7K
Lord Senil
L
P
plesk sever getting abnormal shutdown
Replies
2
Views
2K
hardweb
H
Back
Top