very odd issue with Telnet port 25

killmasta93

Hi,
I was wondering if someone could help me on this very very odd issue,
Currently i have pfsense on the lasted version,
here is the part that is odd,
So i have in site A an email server and Site B another email server both having pfsense but no site to site
so from site A I telnet to site B 190.xx.xx.xx 25
and no response
but if i use another network i can telnet to site B
so i thought, it has to be a blockage from site B pfsense i checked and nothing i dont see traffic
so i check on site A the states and found this

EMAIL 	tcp 	200.xxx.xxx.xx (192.168.3.101:38810) -> 190.xx.xx.xx:25 	SYN_SENT:CLOSED 	5 / 0 	300 B / 0 B

so im trying to wrap my head around this how is this possible?

2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE

jimp

SYN_SENT:CLOSED means that state saw a SYN packet but the target never responded.

So check on 190.x.x.x with tcpdump. See if the packet arrives and if a response goes back out. If it never arrived, it was blocked upstream. If it responds, but the response never makes it back, then you have to track down where the response is going, perhaps it's taking an incorrect/unexpected path and ends up dropped.

killmasta93

Thanks for the reply, i was checking on the states and never arrives on port 25
So what i did is send an email from gmail to email server 190
and it arrived and checked with wireshark but i do the same thing on the email server of 200.xx.xxx. the email server tells me connection timeout so i dont know if its site A pfsense or site B pfsense

but i check on

killmasta93

so im thinking it might be my lSP but not sure which to call from the site A or Site B?

Derelict

Almost all ISPs filter outbound to destination port 25 to arbitrary servers as an anti-spam measure.

Can you connect port 25 to the outgoing servers your ISP has in place?

killmasta93

thanks for the reply,
what i realized something very funky going on,
i manage few other sites those sites also have lSP of site B
i also try to telnet and cant telnet if i have the lSP of site A
So I connect using my data plan which does not use nor lSP A or B
and i can telnet both Site A and Site B i know that there is not blockage because i checked the states and does not appear
Tomorrow im going to test a few things with the lSP to see if there blocking my other lSP

when you say connect to port 25 to the outgoing servers not sure what you mean
I have both on site A and Site B postfix email servers with both pfsense on each site but no site to site because there completely not relevant to each other, only thing is that site A this morning send an email to site B and i got those errors

killmasta93

hmm whats even now odd is that on site A cannot send emails to gmail servers only, as for hotmail yahoo and others seems to work ok

im getting this

delay=74266, delays=74204/0.3/62/0, dsn=4.4.1, status=deferred (connect to alt2.aspmx.l.google.com[64.233.167.26]:25: Connection timed out)

i try to telnet and just stays there
check the states and found this, called google and they say nothing is wrong so im like WTF

LAN 	tcp 	192.168.3.101:34614 -> 64.233.167.26:25 	CLOSED:SYN_SENT 	5 / 0 	300 B / 0 B 	
EMAIL 	tcp 	200.1xx.xxx:34770 (192.168.3.101:34614) -> 64.233.167.26:25 	SYN_SENT:CLOSED 	5 / 0 	300 B / 0 B

Derelict

If your ISP filters outbound 25 there is nothing google can do about it.

You are supposed to submit to outbound mail servers on port 587 with required authentication.

Gertjan

@killmasta93 said in very odd issue with Telnet port 25:

but if i use another network

Have pfSense A using that network to connect to B and your good ! (?)

killmasta93

@Derelict well today, it seems that site A now can now telnet site B i have no idea how it got fixed but now site A cannot send to gmail, my lSP could filter outbound smtp even if the modem is in bridge mode? and pfsense is doing all the NAT?

This is the log im getting

relay=none, delay=121889, delays=121738/0.43/150/0, dsn=4.4.1, status=deferred (connect to aspmx3.googlemail.com[209.85.202.27]:25: Connection timed out)

@Gertjan seems that today site A and site B can telnet each other i have no idea what happened

johnpoz

@killmasta93 said in very odd issue with Telnet port 25:

my lSP could filter outbound smtp even if the modem is in bridge mode? and pfsense is doing all the NAT?

Yes - pretty much all ISP filter outbound 25 on their home connection types..

Derelict

@killmasta93 said in very odd issue with Telnet port 25:

my lSP could filter outbound smtp even if the modem is in bridge mode?

Absolutely. Anyone in the path between you and the server can filter on anything they want. Almost all of them do except on business class services and even then you often have to ask for it to be opened. Blame the spammers - the wretched scum.

Maybe google blocked you. Who knows. If you are sending the TCP SYN out and not getting a SYN/ACK back there is nothing the firewall can do about it. You have to look upstream.

killmasta93

@killmasta93 said in very odd issue with Telnet port 25:

[209.85.202.27
i run a traceroute from my mail server and got this

root@mail:~# tcptraceroute 209.85.202.27 25
Running:
	traceroute -T -O info -p 25 209.85.202.27 
traceroute to 209.85.202.27 (209.85.202.27), 30 hops max, 60 byte packets
 1  10.141.95.1 (10.141.95.1)  12.028 ms  12.002 ms  11.933 ms
 2  10.166.43.209 (10.166.43.209)  17.339 ms  17.344 ms  17.372 ms
 3  10.166.41.245 (10.166.41.245)  14.014 ms  13.960 ms  13.919 ms
 4  10.166.42.121 (10.166.42.121)  22.589 ms  22.542 ms  22.496 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

and from the firewall

1  10.141.95.1  8.649 ms  12.158 ms  11.091 ms
2  10.166.43.209  9.515 ms  19.408 ms  18.847 ms
3  10.166.41.245  23.194 ms  9.367 ms  11.197 ms
4  10.166.42.121  40.180 ms  58.736 ms  9.193 ms
5  74.125.118.246  23.555 ms
   74.125.147.120  17.149 ms
   74.125.118.246  18.600 ms
6  108.170.253.200  21.892 ms *
   108.170.253.215  17.819 ms
7  216.239.56.234  33.473 ms
   172.253.67.39  54.879 ms
   172.253.75.25  57.708 ms
8  108.170.253.215  22.872 ms
   216.239.43.150  56.011 ms
   108.170.253.196  21.441 ms
9  142.250.225.22  76.701 ms  89.611 ms
   172.253.75.25  65.203 ms
10  209.85.254.107  88.363 ms
   216.239.47.83  86.060 ms  79.247 ms
11  142.250.59.181  155.265 ms  150.934 ms
   142.250.59.183  156.677 ms
12  216.239.50.99  79.110 ms
   172.253.71.196  168.123 ms
   216.239.50.99  80.213 ms
13  172.253.71.173  155.475 ms
   172.253.71.163  171.246 ms
   172.253.71.154  167.008 ms
14  172.253.71.192  167.420 ms  165.423 ms  168.445 ms
15  * 172.253.71.80  168.256 ms *
16  172.253.73.199  161.964 ms  163.946 ms *
17  * * *
18  * * *

Gertjan

Now who said you should / could use port 25 to send mail to a servers ?
Your ISP ? They were wrong from the last 3 decades or so. To make a long story short, they wind up blocking port 25 for everybody to everybody, expect their own mail server(s)

Please check the gmail port usage https://support.google.com/mail/answer/7126229?hl=en

Mail coming from a mail client should be send using port 587 which means you have to authenticate before sending, like POP and IMPAP.
Or you should use port 465 which is TLS all the way.

Port 25 is use for mail between mail servers.

Derelict

@killmasta93 said in very odd issue with Telnet port 25:

So i have in site A an email server and Site B another email server

He is talking about mail servers. And finding out how painful port 25 filtering is when you want to run a mail server.

You will also be subject to DNS blacklists that have your IP address range as "dialup", "dynamic," or "residential."

Honestly if you don't have business-class, statically-addressed service, running an SMTP server is going to be really hard.

@killmasta93 you might need to instruct your email servers to use what is commonly called a "smart host" to which you forward all of your outbound mail. It will need to be on port 587 with authentication.

Inbound port 25 should not be a problem but ISPs are known to do silly things. Be sure you are not an open relay.

If you control both of these mail servers and just want to send mail directly between them, set them up so they use an alternate port when they talk to each other. I don't know the exact commands because it has been so long but I guarantee something like exim would do both of these tasks expertly. Probably postfix as well.

killmasta93

Thanks for the reply, well its seems that it got fixed by it self, i think it was getting greylisted by gmail refusing to talk to my email server on port 25 currently i run Proxmox mail gateway as my smart host and my backend a zimbra server which sends though proxmox, The internet is business with 5 static IPs, first time i see on the log connection lost on gmail servers. I have seen this on other servers but its either its dead or refusing to talk to me. As the curious part i could send to any other domain besides gmail which made me think that its not a ISP issue .But thank you again for the help.