iptables: open port 25 CentOS 7 [closed]

I have problems opening port 25 for sendmail on my CentOS 7 machine.

Here's my iptables configuration:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Service is running:

[root@server1 /]# netstat -tnlp | grep sendmail
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      5857/sendmail       

Any ideas why it's not working? Thanks a lot for the help!


The problem is that the default sendmail configuration is to only listen on localhost, not external interfaces. You will need to reconfigure Sendmail to allow this.

You will need to install sendmail-cf:

sudo yum install sendmail-cf

Then, edit your DAEMON_OPTIONS:

cd /etc/mail
sudo vi sendmail.mc

Look for the entry:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Change it to:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

Save the file, run make:

make

Restart sendmail:

sudo systemctl restart sendmail

That should open you up to listening on port 25 on all interfaces, which should be compatible with the firewall ruleset you have given above.


I believe your binding is where you need to look. The desirable output should be:

# netstat -an | egrep '\:25.*LISTEN'
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
# 

In your case, if you disable the firewall altogether, you still won't be able to reach your SMTP server, because it is bound to the local loop interface only. Assuming you're using postfix, look at inet_interfaces inside of your main.cf.
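
The diagnosis both answers arrive at (the firewall accepts port 25, but the daemon is bound to loopback) can be checked mechanically. The following is an added example, not part of the original posts: it cross-checks `--dport` ACCEPT rules against LISTEN sockets. The function names are hypothetical, the sample input is constructed from the output shown in the question, and only simple single-port INPUT rules are handled (rule order and the final REJECT are not evaluated).

```python
import re

# Constructed sample input, shaped like the rules and netstat output in the question.
IPTABLES_RULES = """\
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
NETSTAT_OUTPUT = """\
tcp   0   0 127.0.0.1:25    0.0.0.0:*   LISTEN   5857/sendmail
tcp   0   0 0.0.0.0:22      0.0.0.0:*   LISTEN   1021/sshd
"""
LOOPBACK = re.compile(r"^(127\.|::1$)")

def accepted_tcp_ports(rules):
    """Ports that have an '-A INPUT ... -p tcp ... --dport N ... -j ACCEPT' rule."""
    ports = set()
    for line in rules.splitlines():
        m = re.search(r"--dport (\d+)\b", line)
        if m and line.startswith("-A INPUT") and "-p tcp" in line and "-j ACCEPT" in line:
            ports.add(int(m.group(1)))
    return ports

def listeners(netstat):
    """Map port -> set of local bind addresses for TCP sockets in LISTEN state."""
    binds = {}
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")  # also splits ':::25' into '::' and '25'
            binds.setdefault(int(port), set()).add(addr)
    return binds

def diagnose(rules, netstat):
    """Classify each firewall-accepted port by what is actually bound to it."""
    binds = listeners(netstat)
    report = {}
    for port in sorted(accepted_tcp_ports(rules)):
        addrs = binds.get(port, set())
        if not addrs:
            report[port] = "no-listener"
        elif all(LOOPBACK.match(a) for a in addrs):
            report[port] = "loopback-only"   # accepted by the firewall, unreachable remotely
        else:
            report[port] = "reachable"
    return report

if __name__ == "__main__":
    print(diagnose(IPTABLES_RULES, NETSTAT_OUTPUT))
```

Once the `Addr=127.0.0.1` restriction is removed and sendmail is restarted, port 25 should move from `loopback-only` to `reachable`; any other port that reports `reachable` is exposed to the network and worth confirming as intentional.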