I have been struggling with an issue for the last 3 weeks. I've recently acquired a new VPS server, and for some reason something is blocking port 25 and I cannot find what.
Steps to reproduce:
- telnet smtp.1and1.es 25
- traceroute on port 25 to any server will fail on the first hop.
I checked - DNS and are fine as the domain is converted to the IP, and ping works as expected.
I have disabled fail2ban and firewall by doing:
service fail2ban stop
service firewalld stop
Tried again, telnet smtp.1and1.es 25
And the same result: timeout.
All maillogs show unreachable host on port 25, for all email notifications.
It is a VPS so there is an external firewall, the external firewall is all open.
So I am wondering what else could be blocking the port?
It is definitely an issue with outgoing traffic on 25. But I can't find what is blocking it.
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
f2b-plesk-wordpress tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-login tcp -- anywhere anywhere multiport dports cddbp-alt,pcsync-https
f2b-BadBots tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-apache tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-roundcube tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-horde tcp -- anywhere anywhere multiport dports http,https,empowerid,7081
f2b-plesk-dovecot tcp -- anywhere anywhere multiport dports imap,imap3,imaps,pop3,pop3s,sieve
f2b-plesk-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
f2b-plesk-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
f2b-recidive tcp -- anywhere anywhere
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:12443
ACCEPT tcp -- anywhere anywhere tcp dpt:11443
ACCEPT tcp -- anywhere anywhere tcp dpt:11444
ACCEPT tcp -- anywhere anywhere tcp dpt:8447
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:poppassd
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:postgres
ACCEPT tcp -- anywhere anywhere tcp dpt:ogs-server
ACCEPT tcp -- anywhere anywhere tcp dpt:glrpc
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain f2b-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-dovecot (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-horde (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-login (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-roundcube (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-plesk-wordpress (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-recidive (1 references)
target prot opt source destination
REJECT all -- 223.71.208.114 anywhere reject-with icmp-port-unreachable
REJECT all -- 221.229.172.75 anywhere reject-with icmp-port-unreachable
REJECT all -- 278660.customer.zol.co.zw anywhere reject-with icmp-port-unreachable
REJECT all -- 118.70.168.251 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Most VPS companies prohibit and block outbound traffic on port 25 to stop them being used for spamming. You'll need to use a third-party mail relay that listens on a different port (which may well be a service that your VPS company can provide).
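Added example, not part of the original question or answer: a small probe that tells a silent drop (timeout, typical of filtering outside the server) apart from an active reset, and compares port 25 with the submission ports a relay would use. The function names and verdict strings are assumptions made for this illustration; the host is the one from the question.

```python
import socket

def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # three-way handshake completed
    except (socket.timeout, TimeoutError):
        return "timeout"          # SYN got no answer: dropped somewhere on the path
    except ConnectionRefusedError:
        return "refused"          # an RST came back
    except socket.gaierror:
        return "dns-failure"      # name did not resolve
    except OSError:
        return "unreachable"      # no route, ICMP unreachable, etc.

def diagnose(results):
    """Interpret {port: status} for one mail host; 25 must be a key."""
    smtp = results[25]
    others_open = [p for p, s in results.items() if p != 25 and s == "open"]
    if smtp == "open":
        return "port-25-ok"
    if smtp == "timeout" and others_open:
        # Same host answers on other ports, so only 25 is being dropped:
        # the pattern expected from provider-side egress filtering.
        return "port-25-filtered"
    if smtp == "refused":
        # Consistent with a REJECT ... reject-with tcp-reset rule like those
        # in the listing, or with a closed port on the remote side.
        return "port-25-reset"
    return "inconclusive"         # e.g. every port times out, or DNS failed

if __name__ == "__main__":
    host = "smtp.1and1.es"        # host from the question
    results = {p: probe(host, p) for p in (25, 587, 465)}
    for port, status in results.items():
        print(f"{host}:{port} -> {status}")
    print("verdict:", diagnose(results))
```

A "port-25-filtered" verdict with the local firewall stopped points at filtering outside the machine, which matches the answer above.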