Very odd issue with telnet to port 25
I was wondering if someone could help me with this very, very odd issue.
Currently I have pfSense on the latest version;
here is the part that is odd.
So I have in site A an email server and in site B another email server, both behind pfSense but with no site-to-site.
So from site A I telnet to site B: 190.xx.xx.xx 25
and no response,
but if I use another network I can telnet to site B.
So I thought it has to be a blockage from the site B pfSense; I checked and nothing, I don't see traffic.
So I checked the states on site A and found this:
EMAIL tcp 200.xxx.xxx.xx (192.168.3.101:38810) -> 190.xx.xx.xx:25 SYN_SENT:CLOSED 5 / 0 300 B / 0 B
So I'm trying to wrap my head around this: how is this possible?
2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLE
SYN_SENT:CLOSED means that state saw a SYN packet but the target never responded.
So check on 190.x.x.x with tcpdump. See if the packet arrives and if a response goes back out. If it never arrived, it was blocked upstream. If it responds, but the response never makes it back, then you have to track down where the response is going, perhaps it's taking an incorrect/unexpected path and ends up dropped.
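That reading of the state entry (SYNs went out, nothing came back) can be applied mechanically to a whole state table. The following is an added example, not code from the thread or from pfSense: it parses lines in the layout quoted above (field layout inferred from those lines), folds the LAN-side and WAN-side entries of the same NATed connection into one flow, and separates "only port 25 is dead" from "the destination is unreachable". The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
import re
from collections import Counter
# Layout inferred from the thread's lines: iface proto src [(pre-NAT src)] -> dst STATE:STATE pkts / pkts bytes / bytes
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)(?:\s+\((?P<orig>\S+)\))?"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)\s+(?P<pkts_a>\d+)\s*/\s*(?P<pkts_b>\d+)"
    r"\s+(?P<bytes_a>\d[\d.]*\s*\S+)\s*/\s*(?P<bytes_b>\d[\d.]*\s*\S+)\s*$")
# Constructed sample: one NATed flow to :25 seen on LAN and on the WAN ("EMAIL") interface with
# SYNs out and nothing back, plus healthy flows to :587 and :443 on the same path for comparison.
SAMPLE = """\
LAN tcp 192.168.3.101:34614 -> 192.0.2.25:25 CLOSED:SYN_SENT 5 / 0 300 B / 0 B
EMAIL tcp 198.51.100.7:34770 (192.168.3.101:34614) -> 192.0.2.25:25 SYN_SENT:CLOSED 5 / 0 300 B / 0 B
EMAIL tcp 198.51.100.7:41022 (192.168.3.101:41022) -> 192.0.2.25:587 ESTABLISHED:ESTABLISHED 42 / 39 6 KiB / 5 KiB
EMAIL tcp 198.51.100.7:52310 (192.168.3.101:52310) -> 192.0.2.80:443 ESTABLISHED:ESTABLISHED 120 / 98 90 KiB / 12 KiB
"""

def parse_state(line):
    """Parse one state-table line into a dict, or None if it does not match the layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    st = m.groupdict()
    st["pkts_a"], st["pkts_b"] = int(st["pkts_a"]), int(st["pkts_b"])
    st["dport"] = int(st["dst"].rsplit(":", 1)[1])
    return st

def is_unanswered_syn(st):
    """SYN_SENT/CLOSED pair with zero packets one way: SYN retransmits left, no SYN/ACK or RST returned."""
    return (set(st["state"].split(":")) == {"SYN_SENT", "CLOSED"}
            and min(st["pkts_a"], st["pkts_b"]) == 0)

def unanswered_by_port(text):
    """Distinct unanswered flows per destination port. pf lists a NATed connection once per
    interface, so dedupe on (pre-NAT endpoint, destination) rather than counting each line."""
    seen, counts = set(), Counter()
    for st in filter(None, map(parse_state, text.splitlines())):
        key = (st["orig"] or st["src"], st["dst"])
        if is_unanswered_syn(st) and key not in seen:
            seen.add(key)
            counts[st["dport"]] += 1
    return dict(counts)

def triage(text):
    """Port-specific filtering (other ports fine) vs. destination unreachable (every port dead)."""
    states = list(filter(None, map(parse_state, text.splitlines())))
    dead = unanswered_by_port(text)
    alive = sorted({s["dport"] for s in states if s["state"] == "ESTABLISHED:ESTABLISHED"})
    if dead and alive:
        return "port(s) %s unanswered while %s work: suspect upstream port filtering" % (sorted(dead), alive)
    if dead:
        return "every observed port unanswered: check routing/reachability of the destination"
    return "no unanswered SYNs"
```

Paste the output of Diagnostics > States (or `pfctl -ss` reformatted the same way) into `triage()`; an unanswered :25 beside working :587 points upstream, not at the firewall rules.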
Thanks for the reply. I was checking on the states and it never arrives on port 25.
So what I did is send an email from Gmail to the email server at 190,
and it arrived, and I checked with Wireshark. But when I do the same thing from the email server of 200.xx.xxx. the email server tells me connection timeout, so I don't know if it's the site A pfSense or the site B pfSense,
but i check on
So I'm thinking it might be my ISP, but not sure which to call, the one from site A or site B?
Almost all ISPs filter outbound to destination port 25 to arbitrary servers as an anti-spam measure.
Can you connect port 25 to the outgoing servers your ISP has in place?
Thanks for the reply.
What I realized is that something very funky is going on:
I manage a few other sites; those sites also have the ISP of site B.
I also try to telnet and can't telnet if I have the ISP of site A.
So I connect using my data plan, which uses neither ISP A nor ISP B,
and I can telnet both site A and site B. I know that there is no blockage because I checked the states and it does not appear.
Tomorrow I'm going to test a few things with the ISP to see if they're blocking my other ISP.
When you say connect to port 25 to the outgoing servers, I'm not sure what you mean.
I have Postfix email servers on both site A and site B, with pfSense on each site but no site-to-site because they're completely unrelated to each other; the only thing is that site A this morning sent an email to site B and I got those errors.
Hmm, what's even more odd now is that site A cannot send emails to Gmail servers only; Hotmail, Yahoo and others seem to work OK.
I'm getting this:
delay=74266, delays=74204/0.3/62/0, dsn=4.4.1, status=deferred (connect to alt2.aspmx.l.google.com[184.108.40.206]:25: Connection timed out)
I try to telnet and it just stays there.
I checked the states and found this; called Google and they say nothing is wrong, so I'm like WTF:
LAN tcp 192.168.3.101:34614 -> 220.127.116.11:25 CLOSED:SYN_SENT 5 / 0 300 B / 0 B
EMAIL tcp 200.1xx.xxx:34770 (192.168.3.101:34614) -> 18.104.22.168:25 SYN_SENT:CLOSED 5 / 0 300 B / 0 B
If your ISP filters outbound 25 there is nothing google can do about it.
You are supposed to submit to outbound mail servers on port 587 with required authentication.
@Derelict well, today it seems that site A can now telnet site B. I have no idea how it got fixed, but now site A cannot send to Gmail. Could my ISP filter outbound SMTP even if the modem is in bridge mode and pfSense is doing all the NAT?
This is the log I'm getting:
relay=none, delay=121889, delays=121738/0.43/150/0, dsn=4.4.1, status=deferred (connect to aspmx3.googlemail.com[22.214.171.124]:25: Connection timed out)
@Gertjan it seems that today site A and site B can telnet each other; I have no idea what happened.
my ISP could filter outbound SMTP even if the modem is in bridge mode?
Absolutely. Anyone in the path between you and the server can filter on anything they want. Almost all of them do except on business class services and even then you often have to ask for it to be opened. Blame the spammers - the wretched scum.
Maybe google blocked you. Who knows. If you are sending the TCP SYN out and not getting a SYN/ACK back there is nothing the firewall can do about it. You have to look upstream.
I ran a traceroute from my mail server and got this:
root@mail:~# tcptraceroute 126.96.36.199 25
Running:
    traceroute -T -O info -p 25 188.8.131.52
traceroute to 184.108.40.206 (220.127.116.11), 30 hops max, 60 byte packets
 1  10.141.95.1 (10.141.95.1)  12.028 ms  12.002 ms  11.933 ms
 2  10.166.43.209 (10.166.43.209)  17.339 ms  17.344 ms  17.372 ms
 3  10.166.41.245 (10.166.41.245)  14.014 ms  13.960 ms  13.919 ms
 4  10.166.42.121 (10.166.42.121)  22.589 ms  22.542 ms  22.496 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
and from the firewall:
 1  10.141.95.1  8.649 ms  12.158 ms  11.091 ms
 2  10.166.43.209  9.515 ms  19.408 ms  18.847 ms
 3  10.166.41.245  23.194 ms  9.367 ms  11.197 ms
 4  10.166.42.121  40.180 ms  58.736 ms  9.193 ms
 5  18.104.22.168  23.555 ms  22.214.171.124  17.149 ms  126.96.36.199  18.600 ms
 6  188.8.131.52  21.892 ms  *  184.108.40.206  17.819 ms
 7  220.127.116.11  33.473 ms  18.104.22.168  54.879 ms  22.214.171.124  57.708 ms
 8  126.96.36.199  22.872 ms  188.8.131.52  56.011 ms  184.108.40.206  21.441 ms
 9  220.127.116.11  76.701 ms  89.611 ms  18.104.22.168  65.203 ms
10  22.214.171.124  88.363 ms  126.96.36.199  86.060 ms  79.247 ms
11  188.8.131.52  155.265 ms  150.934 ms  184.108.40.206  156.677 ms
12  220.127.116.11  79.110 ms  18.104.22.168  168.123 ms  22.214.171.124  80.213 ms
13  126.96.36.199  155.475 ms  188.8.131.52  171.246 ms  184.108.40.206  167.008 ms
14  220.127.116.11  167.420 ms  165.423 ms  168.445 ms
15  *  18.104.22.168  168.256 ms  *
16  22.214.171.124  161.964 ms  163.946 ms  *
17  * * *
18  * * *
Now who said you should / could use port 25 to send mail to a server?
Your ISP? They have been wrong for the last 3 decades or so. To make a long story short, they wind up blocking port 25 for everybody to everybody, except their own mail server(s).
Please check the Gmail port usage: https://support.google.com/mail/answer/7126229?hl=en
Mail coming from a mail client should be sent using port 587, which means you have to authenticate before sending, like POP and IMAP.
Or you should use port 465, which is TLS all the way.
Port 25 is used for mail between mail servers.
So I have in site A an email server and site B another email server
He is talking about mail servers. And finding out how painful port 25 filtering is when you want to run a mail server.
You will also be subject to DNS blacklists that have your IP address range as "dialup", "dynamic," or "residential."
Honestly if you don't have business-class, statically-addressed service, running an SMTP server is going to be really hard.
@killmasta93 you might need to instruct your email servers to use what is commonly called a "smart host" to which you forward all of your outbound mail. It will need to be on port 587 with authentication.
Inbound port 25 should not be a problem but ISPs are known to do silly things. Be sure you are not an open relay.
If you control both of these mail servers and just want to send mail directly between them, set them up so they use an alternate port when they talk to each other. I don't know the exact commands because it has been so long but I guarantee something like exim would do both of these tasks expertly. Probably postfix as well.
Thanks for the reply. Well, it seems that it got fixed by itself; I think it was getting greylisted by Gmail, refusing to talk to my email server on port 25. Currently I run Proxmox Mail Gateway as my smart host, and my backend is a Zimbra server which sends through Proxmox. The internet is business class with 5 static IPs; it's the first time I see "connection lost" on Gmail servers in the log. I have seen this on other servers, but it's either dead or refusing to talk to me. As for the curious part, I could send to any other domain besides Gmail, which made me think that it's not an ISP issue. But thank you again for the help.