• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Port 25 blocked despite firewalls explicitly open

P

pould

Basic Pleskian
Server operating system version
Ubuntu 24.04.4
Plesk version and microupdate number
18.0.68 #1
Hi,

Weird problem. SMTP isn't working on Port 25 despite the firewall explicitly opening it and firewall as ISP also open.
Message in Postfix is 4.4.1 deferred (connect to mail.targetdomain[IP address]:25: Connection timed out)

We've explicitly opened port 25 everywhere. Same result whether sending email from email client, webmail or phpmail.

Any ideas?
 
Try to telnet to the remote server from your Plesk server:
Bash: 
telnet mail.targetdomain 25

Do you have IPv6 on your server and a PTR for your IPv6 address?

Can you
Bash: 
mtr mail.targetdomain
?
 
Raul A. said:
Try to telnet to the remote server from your Plesk server:
Bash: 
telnet mail.targetdomain 25

Do you have IPv6 on your server and a PTR for your IPv6 address?

Can you
Bash: 
mtr mail.targetdomain
?
Click to expand...
Hi Raul,

telnet command gives me:

Trying 213.165.88.236...
telnet: Unable to connect to remote host: Connection timed out

That's the correct IP address.

Trying to create the traceroute gives me:

My traceroute [v0.95]
server.clergypensionaction.uk (217.154.56.230) -> mail.peter-ould.net (213.165.88.236) 2025-03-19T13:09:52+0000
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev

And then blank underneath (so no route found).
 
213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25. Or, you might have a drop policy on the OUTPUT chain without an accept rule:
Bash: 
iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
1742390582255.png
 
Raul A. said:
213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25. Or, you might have a drop policy on the OUTPUT chain without an accept rule:
Bash: 
iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
View attachment 28044
Click to expand...
If I execute iptables -S OUTPUT I get:

-P OUTPUT ACCEPT

The issue isn't recipient specific. No emails are getting out regardless of the domain sent to.
 
For what it's worth, I was able to connect to your server via port 25. If you're having issues sending on port 25, you'll want to open a ticket with ionos to unblock outbound port 25 since they block it for security reasons.

Bash: 
╭─root@akheera ~
╰─# telnet 213.165.88.236 25     
Trying 213.165.88.236...
Connected to 213.165.88.236.
Escape character is '^]'.
220 server.peter-ould.net ESMTP Postfix (Ubuntu)
^
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
╭─root@akheera ~
╰─#
 
scsa20 said:
For what it's worth, I was able to connect to your server via port 25. If you're having issues sending on port 25, you'll want to open a ticket with ionos to unblock outbound port 25 since they block it for security reasons.

Bash: 
╭─root@akheera ~
╰─# telnet 213.165.88.236 25    
Trying 213.165.88.236...
Connected to 213.165.88.236.
Escape character is '^]'.
220 server.peter-ould.net ESMTP Postfix (Ubuntu)
^
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
╭─root@akheera ~
╰─#
Click to expand...
It's definitely not that
 
Raul A. said:
Can you share all your firewall rules?
Bash: 
iptables -S
iptables -t nat -S
Click to expand...
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-plesk-postfix
-N f2b-recidive
-N f2b-ssh
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m tcp --dport 22 -j f2b-ssh
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-plesk-postfix
-A f2b-plesk-postfix -j RETURN
-A f2b-recidive -s 185.93.89.118/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.223/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.226/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 218.92.0.184/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 193.46.255.184/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-ssh -j RETURN

and

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

respectively
 
@pould FWIW You can conduct many different / separate tests here, at CheckTLS: The Email Encryption Testing Authority
Attached is a quick data snapshot after running the 'TestReceiver'. The results are self explanatory.
Only you can run the 'TestSender' as obviously, you need a configured e-mail client to do such a test.

Separate, but again FWIW
We use IONOS Cloud Servers, but have no issues at all with mail and/or port 25 although we use nftables, the successor to iptables (and others).

1.jpg

2.jpg
 
learning_curve said:
@pould FWIW You can conduct many different / separate tests here, at CheckTLS: The Email Encryption Testing Authority
Attached is a quick data snapshot after running the 'TestReceiver'. The results are self explanatory.
Only you can run the 'TestSender' as obviously, you need a configured e-mail client to do such a test.

Separate, but again FWIW
We use IONOS Cloud Servers, but have no issues at all with mail and/or port 25 although we use nftables, the successor to iptables (and others).

View attachment 28050

View attachment 28051
Click to expand...
TY,

You've got the wrong server. This is the result for the server where I'm having issues.


I can't do the send test however because I can't get past Port 25
 
pould said:
~~
telnet command gives me:
Trying 213.165.88.236...
telnet: Unable to connect to remote host: Connection timed out
That's the correct IP address.
~~
Click to expand...

Raul A. said:
~ 213.165.88.236 is blocking your IP address. I was able to telnet to 213.165.88.236:25 ~
Click to expand...

pould said:
~~ You've got the wrong server ~~
Click to expand...

Apologies. I'd read the first two posts above (too fast) so used that IP address, as a result :rolleyes:
Anyway, you've solved it now, so it's all ended well regardless.
 
You must log in or register to reply here.

Similar threads

Z
Issue Blocked ports 25-587
Replies
1
Views
284
zihniates
Z
J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
2K
josemanuuxd
J
M
Issue Can't open Port 25. Please help
Replies
2
Views
4K
mhogue
M
P
Resolved Force Plesk to use port 25 alternative (Digital Ocean refuses to open 25)
Replies
4
Views
2K
Paul Larson
P
wakabayashi
Question SMTP Firewall - is it possible to block brutforce attacks?
Replies
3
Views
484
Vladimir C.
V
Back
Top