Postfix issue : iptables rules and can't receive email from outside
My Postfix server was working fine until the last few days, but now I can't receive emails from outside (I mean from an email address on a different domain, like Gmail for example). I must note that I can send email from the server to Gmail.
From what I have seen, I think the issue may be my iptables rules:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
REJECT tcp -- anywhere anywhere reject-with tcp-reset
with the following /etc/iptables/rules.v4:
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*mangle
:PREROUTING ACCEPT [7537:917236]
:INPUT ACCEPT [7537:917236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16961:1999319]
:POSTROUTING ACCEPT [16961:1999319]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
# Generated by iptables-save v1.4.14 on Tue Jun 28 02:59:45 2016
*nat
:PREROUTING ACCEPT [357:19884]
:POSTROUTING ACCEPT [9413:566093]
:OUTPUT ACCEPT [9344:563333]
COMMIT
# Completed on Tue Jun 28 02:59:45 2016
Moreover, my server seems to listen on port 25:
# netstat -an |grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp6 0 0 :::25 :::* LISTEN
unix 2 [ ] DGRAM 4255589627 /var/spool/postfix/dev/log
unix 15 [ ] DGRAM 4255589625 /dev/log
unix 2 [ ACC ] STREAM LISTENING 4255652970 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 4255590038 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711673 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711672
unix 3 [ ] STREAM CONNECTED 4255711663 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711662
unix 2 [ ] DGRAM 4255711642
unix 3 [ ] STREAM CONNECTED 4255711639 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4255711638
unix 2 [ ] DGRAM 4255711627
unix 2 [ ] DGRAM 4255594798
unix 2 [ ] DGRAM 4255590141
unix 3 [ ] STREAM CONNECTED 4255590098
unix 3 [ ] STREAM CONNECTED 4255590097
and nmap on my server (from outside) returns:
Host is up (0.065s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds
Finally, here's my /etc/postfix/master.cf:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
# spf postfix
policy unix - n n - - spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
Here's the delivery status notification Gmail returned when I sent an email from Gmail to my Postfix server:
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
[email protected]
Message will be retried for 1 more day(s)
Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[domain.com 239.178.123.80: socket error]
I don't understand why netstat tells me that it listens on port 25 while nmap indicates this port is not open.
If anyone can see what's wrong, that would be great.
Thanks in advance.
Solution 1:
Run

iptables -I INPUT 5 -p tcp -m tcp --dport 25 -j ACCEPT

to have the rule applied immediately.
Also edit your /etc/iptables/rules.v4 and, just after the rule for port 443, add

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
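A defender-side check for the shadowed-port problem above, as an added example that is not part of the question or the answer: it reads an iptables-save dump (the question's own filter table, embedded here as a constructed sample) and reports which INPUT rule a new inbound TCP connection to a port would hit, so you can confirm the ACCEPT for port 25 sits before the catch-all REJECT. It assumes a POSIX sh with awk and never touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the question or answer): statically evaluate an
# iptables-save dump to see how the INPUT chain treats a new inbound TCP
# connection to a given port. Text only; the live firewall is not modified.
# The sample below is the filter table from the question (constructed input).
RULES_V4='*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8850:1128793]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT'

# port_status PORT RULES: prints the first verdict a new TCP SYN to PORT hits.
port_status() {
  printf '%s\n' "$2" | awk -v port="$1" '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      n++
      proto = ""; dport = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      # Skip rules a fresh connection cannot match: conntrack-state rules
      # (a new SYN is NEW, not RELATED/ESTABLISHED) and loopback-only rules.
      if ($0 ~ /--state|-i lo/) next
      # A rule applies if it is protocol-agnostic or TCP, and port-agnostic
      # or exactly this port. First match wins, as in the real chain.
      if ((proto == "" || proto == "tcp") && (dport == "" || dport == port)) {
        if (target == "ACCEPT") { verdict = "accepted at rule " n; exit }
        if (target == "REJECT") { verdict = "rejected at rule " n; exit }
        if (target == "DROP")   { verdict = "dropped at rule " n; exit }
      }
    }
    END { print (verdict != "" ? verdict : "dropped by INPUT policy " policy) }
  '
}

# The fix from the answer: an ACCEPT for port 25 placed before the catch-all REJECT.
FIXED_RULES_V4=$(printf '%s\n' "$RULES_V4" | awk '{ print } /--dport 443 -j ACCEPT/ { print "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT" }')
echo "port 25 before fix: $(port_status 25 "$RULES_V4")"
echo "port 25 after fix:  $(port_status 25 "$FIXED_RULES_V4")"
```

Run it against your own dump with `port_status 25 "$(cat /etc/iptables/rules.v4)"` to see the verdict before reloading anything.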