very odd issue with Telnet port 25
-
Hi,
I was wondering if someone could help me on this very very odd issue,
Currently i have pfsense on the lasted version,
here is the part that is odd,
So i have in site A an email server and Site B another email server both having pfsense but no site to site
so from site A I telnet to site B 190.xx.xx.xx 25
and no response
but if i use another network i can telnet to site B
so i thought, it has to be a blockage from site B pfsense i checked and nothing i dont see traffic
so i check on site A the states and found thisEMAIL tcp 200.xxx.xxx.xx (192.168.3.101:38810) -> 190.xx.xx.xx:25 SYN_SENT:CLOSED 5 / 0 300 B / 0 Bso im trying to wrap my head around this how is this possible?
2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLETutorials:
https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
-
SYN_SENT:CLOSED means that state saw a SYN packet but the target never responded.
So check on 190.x.x.x with tcpdump. See if the packet arrives and if a response goes back out. If it never arrived, it was blocked upstream. If it responds, but the response never makes it back, then you have to track down where the response is going, perhaps it's taking an incorrect/unexpected path and ends up dropped.
-
Thanks for the reply, i was checking on the states and never arrives on port 25
So what i did is send an email from gmail to email server 190
and it arrived and checked with wireshark but i do the same thing on the email server of 200.xx.xxx. the email server tells me connection timeout so i dont know if its site A pfsense or site B pfsensebut i check on
-
so im thinking it might be my lSP but not sure which to call from the site A or Site B?
-
Almost all ISPs filter outbound to destination port 25 to arbitrary servers as an anti-spam measure.
Can you connect port 25 to the outgoing servers your ISP has in place?
-
thanks for the reply,
what i realized something very funky going on,
i manage few other sites those sites also have lSP of site B
i also try to telnet and cant telnet if i have the lSP of site A
So I connect using my data plan which does not use nor lSP A or B
and i can telnet both Site A and Site B i know that there is not blockage because i checked the states and does not appear
Tomorrow im going to test a few things with the lSP to see if there blocking my other lSPwhen you say connect to port 25 to the outgoing servers not sure what you mean
I have both on site A and Site B postfix email servers with both pfsense on each site but no site to site because there completely not relevant to each other, only thing is that site A this morning send an email to site B and i got those errors -
hmm whats even now odd is that on site A cannot send emails to gmail servers only, as for hotmail yahoo and others seems to work ok
im getting this
delay=74266, delays=74204/0.3/62/0, dsn=4.4.1, status=deferred (connect to alt2.aspmx.l.google.com[64.233.167.26]:25: Connection timed out)i try to telnet and just stays there
check the states and found this, called google and they say nothing is wrong so im like WTFLAN tcp 192.168.3.101:34614 -> 64.233.167.26:25 CLOSED:SYN_SENT 5 / 0 300 B / 0 B EMAIL tcp 200.1xx.xxx:34770 (192.168.3.101:34614) -> 64.233.167.26:25 SYN_SENT:CLOSED 5 / 0 300 B / 0 B -
If your ISP filters outbound 25 there is nothing google can do about it.
You are supposed to submit to outbound mail servers on port 587 with required authentication.
-
@killmasta93 said in very odd issue with Telnet port 25:
but if i use another network
Have pfSense A using that network to connect to B and your good ! (?)
-
@Derelict well today, it seems that site A now can now telnet site B i have no idea how it got fixed but now site A cannot send to gmail, my lSP could filter outbound smtp even if the modem is in bridge mode? and pfsense is doing all the NAT?
This is the log im getting
relay=none, delay=121889, delays=121738/0.43/150/0, dsn=4.4.1, status=deferred (connect to aspmx3.googlemail.com[209.85.202.27]:25: Connection timed out)@Gertjan seems that today site A and site B can telnet each other i have no idea what happened
Tutorials:
https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
-
@killmasta93 said in very odd issue with Telnet port 25:
my lSP could filter outbound smtp even if the modem is in bridge mode? and pfsense is doing all the NAT?
Yes - pretty much all ISP filter outbound 25 on their home connection types..
-
@killmasta93 said in very odd issue with Telnet port 25:
my lSP could filter outbound smtp even if the modem is in bridge mode?
Absolutely. Anyone in the path between you and the server can filter on anything they want. Almost all of them do except on business class services and even then you often have to ask for it to be opened. Blame the spammers - the wretched scum.
Maybe google blocked you. Who knows. If you are sending the TCP SYN out and not getting a SYN/ACK back there is nothing the firewall can do about it. You have to look upstream.
-
@killmasta93 said in very odd issue with Telnet port 25:
[209.85.202.27
i run a traceroute from my mail server and got thisroot@mail:~# tcptraceroute 209.85.202.27 25 Running: traceroute -T -O info -p 25 209.85.202.27 traceroute to 209.85.202.27 (209.85.202.27), 30 hops max, 60 byte packets 1 10.141.95.1 (10.141.95.1) 12.028 ms 12.002 ms 11.933 ms 2 10.166.43.209 (10.166.43.209) 17.339 ms 17.344 ms 17.372 ms 3 10.166.41.245 (10.166.41.245) 14.014 ms 13.960 ms 13.919 ms 4 10.166.42.121 (10.166.42.121) 22.589 ms 22.542 ms 22.496 ms 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *and from the firewall
1 10.141.95.1 8.649 ms 12.158 ms 11.091 ms 2 10.166.43.209 9.515 ms 19.408 ms 18.847 ms 3 10.166.41.245 23.194 ms 9.367 ms 11.197 ms 4 10.166.42.121 40.180 ms 58.736 ms 9.193 ms 5 74.125.118.246 23.555 ms 74.125.147.120 17.149 ms 74.125.118.246 18.600 ms 6 108.170.253.200 21.892 ms * 108.170.253.215 17.819 ms 7 216.239.56.234 33.473 ms 172.253.67.39 54.879 ms 172.253.75.25 57.708 ms 8 108.170.253.215 22.872 ms 216.239.43.150 56.011 ms 108.170.253.196 21.441 ms 9 142.250.225.22 76.701 ms 89.611 ms 172.253.75.25 65.203 ms 10 209.85.254.107 88.363 ms 216.239.47.83 86.060 ms 79.247 ms 11 142.250.59.181 155.265 ms 150.934 ms 142.250.59.183 156.677 ms 12 216.239.50.99 79.110 ms 172.253.71.196 168.123 ms 216.239.50.99 80.213 ms 13 172.253.71.173 155.475 ms 172.253.71.163 171.246 ms 172.253.71.154 167.008 ms 14 172.253.71.192 167.420 ms 165.423 ms 168.445 ms 15 * 172.253.71.80 168.256 ms * 16 172.253.73.199 161.964 ms 163.946 ms * 17 * * * 18 * * * -
Now who said you should / could use port 25 to send mail to a servers ?
Your ISP ? They were wrong from the last 3 decades or so. To make a long story short, they wind up blocking port 25 for everybody to everybody, expect their own mail server(s)Please check the gmail port usage https://support.google.com/mail/answer/7126229?hl=en
Mail coming from a mail client should be send using port 587 which means you have to authenticate before sending, like POP and IMPAP.
Or you should use port 465 which is TLS all the way.Port 25 is use for mail between mail servers.
-
@killmasta93 said in very odd issue with Telnet port 25:
So i have in site A an email server and Site B another email server
He is talking about mail servers. And finding out how painful port 25 filtering is when you want to run a mail server.
You will also be subject to DNS blacklists that have your IP address range as "dialup", "dynamic," or "residential."
Honestly if you don't have business-class, statically-addressed service, running an SMTP server is going to be really hard.
@killmasta93 you might need to instruct your email servers to use what is commonly called a "smart host" to which you forward all of your outbound mail. It will need to be on port 587 with authentication.
Inbound port 25 should not be a problem but ISPs are known to do silly things. Be sure you are not an open relay.
If you control both of these mail servers and just want to send mail directly between them, set them up so they use an alternate port when they talk to each other. I don't know the exact commands because it has been so long but I guarantee something like exim would do both of these tasks expertly. Probably postfix as well.
-
Thanks for the reply, well its seems that it got fixed by it self, i think it was getting greylisted by gmail refusing to talk to my email server on port 25 currently i run Proxmox mail gateway as my smart host and my backend a zimbra server which sends though proxmox, The internet is business with 5 static IPs, first time i see on the log connection lost on gmail servers. I have seen this on other servers but its either its dead or refusing to talk to me. As the curious part i could send to any other domain besides gmail which made me think that its not a ISP issue .But thank you again for the help.
