• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Port 25 blocked despite firewalls explicitly open

P

pould

Basic Pleskian
Server operating system version
Ubuntu 24.04.4
Plesk version and microupdate number
18.0.68 #1
Hi,

Weird problem. SMTP isn't working on Port 25 despite the firewall explicitly opening it and firewall as ISP also open.
Message in Postfix is 4.4.1 deferred (connect to mail.targetdomain[IP address]:25: Connection timed out)

We've explicitly opened port 25 everywhere. Same result whether sending email from email client, webmail or phpmail.

Any ideas?
 
Try to telnet to the remote server from your Plesk server:
Bash: 
telnet mail.targetdomain 25

Do you have IPv6 on your server and a PTR for your IPv6 address?

Can you
Bash: 
mtr mail.targetdomain
?
 
Raul A. said:
Try to telnet to the remote server from your Plesk server:
Bash: 
telnet mail.targetdomain 25

Do you have IPv6 on your server and a PTR for your IPv6 address?

Can you
Bash: 
mtr mail.targetdomain
?
Click to expand...
Hi Raul,

telnet command gives me:

Trying 213.165.88.236...
telnet: Unable to connect to remote host: Connection timed out

That's the correct IP address.

Trying to create the traceroute gives me:

My traceroute [v0.95]
server.clergypensionaction.uk (217.154.56.230) -> mail.peter-ould.net (213.165.88.236) 2025-03-19T13:09:52+0000
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev

And then blank underneath (so no route found).
 
213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25. Or, you might have a drop policy on the OUTPUT chain without an accept rule:
Bash: 
iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
1742390582255.png
 
Raul A. said:
213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25. Or, you might have a drop policy on the OUTPUT chain without an accept rule:
Bash: 
iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
View attachment 28044
Click to expand...
If I execute iptables -S OUTPUT I get:

-P OUTPUT ACCEPT

The issue isn't recipient specific. No emails are getting out regardless of the domain sent to.
 
For what it's worth, I was able to connect to your server via port 25. If you're having issues sending on port 25, you'll want to open a ticket with ionos to unblock outbound port 25 since they block it for security reasons.

Bash: 
╭─root@akheera ~
╰─# telnet 213.165.88.236 25     
Trying 213.165.88.236...
Connected to 213.165.88.236.
Escape character is '^]'.
220 server.peter-ould.net ESMTP Postfix (Ubuntu)
^
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
╭─root@akheera ~
╰─#
 
scsa20 said:
For what it's worth, I was able to connect to your server via port 25. If you're having issues sending on port 25, you'll want to open a ticket with ionos to unblock outbound port 25 since they block it for security reasons.

Bash: 
╭─root@akheera ~
╰─# telnet 213.165.88.236 25    
Trying 213.165.88.236...
Connected to 213.165.88.236.
Escape character is '^]'.
220 server.peter-ould.net ESMTP Postfix (Ubuntu)
^
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
╭─root@akheera ~
╰─#
Click to expand...
It's definitely not that
 
Raul A. said:
Can you share all your firewall rules?
Bash: 
iptables -S
iptables -t nat -S
Click to expand...
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-plesk-postfix
-N f2b-recidive
-N f2b-ssh
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m tcp --dport 22 -j f2b-ssh
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-plesk-postfix
-A f2b-plesk-postfix -j RETURN
-A f2b-recidive -s 185.93.89.118/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.223/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.226/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.184/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 193.46.255.184/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-ssh -j RETURN

and

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

respectively
 
@pould FWIW You can conduct many different / separate tests here, at CheckTLS: The Email Encryption Testing Authority
Attached is a quick data snapshot after running the 'TestReceiver'. The results are self explanatory.
Only you can run the 'TestSender' as obviously, you need a configured e-mail client to do such a test.

Separate, but again FWIW
We use IONOS Cloud Servers, but have no issues at all with mail and/or port 25 although we use nftables, the successor to iptables (and others).

1.jpg

2.jpg
 
learning_curve said:
@pould FWIW You can conduct many different / separate tests here, at CheckTLS: The Email Encryption Testing Authority
Attached is a quick data snapshot after running the 'TestReceiver'. The results are self explanatory.
Only you can run the 'TestSender' as obviously, you need a configured e-mail client to do such a test.

Separate, but again FWIW
We use IONOS Cloud Servers, but have no issues at all with mail and/or port 25 although we use nftables, the successor to iptables (and others).

View attachment 28050

View attachment 28051
Click to expand...
TY,

You've got the wrong server. This is the result for the server where I'm having issues.


I can't do the send test however because I can't get past Port 25
 
pould said:
~~
telnet command gives me:
Trying 213.165.88.236...
telnet: Unable to connect to remote host: Connection timed out
That's the correct IP address.
~~
Click to expand...

Raul A. said:
~ 213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25 ~
Click to expand...

pould said:
~~ You've got the wrong server ~~
Click to expand...

Apologies. I'd read the first two posts above (too fast) so used that IP address, as a result :rolleyes:
Anyway, you've solved it now, so it's all ended well regardless.
 
You must log in or register to reply here.

Similar threads

Z
Issue Blocked ports 25-587
Replies
1
Views
388
zihniates
Z
J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
2K
josemanuuxd
J
M
Issue Can't open Port 25. Please help
Replies
2
Views
4K
mhogue
M
P
Resolved Force Plesk to use port 25 alternative (Digital Ocean refuses to open 25)
Replies
4
Views
2K
Paul Larson
P
wakabayashi
Question SMTP Firewall - is it possible to block brutforce attacks?
Replies
3
Views
590
Vladimir C.
V
Back
Top