Netgate Discussion Forum

    very odd issue with Telnet port 25

    killmasta93

      Hi,
      I was wondering if someone could help me with this very, very odd issue.
      Currently I have pfSense on the latest version.
      Here is the part that is odd:
      I have in site A an email server and in site B another email server, both behind pfSense but with no site-to-site.
      From site A I telnet to site B at 190.xx.xx.xx 25
      and get no response,
      but if I use another network I can telnet to site B.
      So I thought it has to be a block by site B's pfSense; I checked and nothing, I don't see traffic.
      So I checked the states on site A and found this:

      EMAIL 	tcp 	200.xxx.xxx.xx (192.168.3.101:38810) -> 190.xx.xx.xx:25 	SYN_SENT:CLOSED 	5 / 0 	300 B / 0 B
      

      So I'm trying to wrap my head around this: how is this possible?

      2.4.5-RELEASE-p1 (amd64)
      built on Tue Jun 02 17:51:17 EDT 2020
      FreeBSD 11.3-STABLE
      

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

      jimp (Rebel Alliance Developer, Netgate)

        SYN_SENT:CLOSED means that state saw a SYN packet but the target never responded.

        So check on 190.x.x.x with tcpdump. See if the packet arrives and if a response goes back out. If it never arrived, it was blocked upstream. If it responds but the response never makes it back, then you have to track down where the response is going; perhaps it's taking an incorrect/unexpected path and ends up dropped.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
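Reading the state table the way jimp describes can be done mechanically. The following is an added example, not code from the thread or from pfSense: it parses lines in the Diagnostics > States layout shown above (constructed sample lines with documentation addresses) and flags a SYN_SENT:CLOSED pair with zero return packets as "SYNs left, nothing came back", which points at a drop upstream of the firewall rather than at a pfSense rule.

```python
import re
from typing import List, Optional, Tuple

# Constructed pfSense state-table lines in the Diagnostics > States layout the
# thread shows; documentation addresses, not the poster's real entries.
SAMPLE_STATES = """\
EMAIL\ttcp\t192.0.2.10:38810 (192.168.3.101:38810) -> 198.51.100.7:25\tSYN_SENT:CLOSED\t5 / 0\t300 B / 0 B
LAN\ttcp\t192.168.3.101:38810 -> 198.51.100.7:25\tCLOSED:SYN_SENT\t5 / 0\t300 B / 0 B
EMAIL\ttcp\t192.0.2.10:45001 (192.168.3.101:45001) -> 203.0.113.40:25\tESTABLISHED:ESTABLISHED\t12 / 10\t1 KiB / 2 KiB
EMAIL\ttcp\t192.0.2.10:45002 (192.168.3.101:45002) -> 203.0.113.41:587\tSYN_SENT:CLOSED\t5 / 0\t300 B / 0 B
"""

# iface proto src [(pre-NAT src)] -> dst STATE_A:STATE_B pkts_a / pkts_b ...
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<src>\S+)(?:\s+\((?P<orig>[^)]+)\))?"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<a>[A-Z_]+):(?P<b>[A-Z_]+)\s+(?P<pa>\d+)\s*/\s*(?P<pb>\d+)"
)

def parse_state(line: str) -> Optional[dict]:
    """Split one state line into its fields; None for lines that are not states."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pa"], d["pb"] = int(d["pa"]), int(d["pb"])
    return d

def diagnose(st: dict) -> str:
    """SYN_SENT on one side, CLOSED on the other and zero packets from the CLOSED
    side means the SYNs left the firewall and nothing ever came back.  pf may
    list either side first, so the pair is compared as a set."""
    sides = {st["a"], st["b"]}
    port = st["dst"].rsplit(":", 1)[-1]
    if sides == {"SYN_SENT", "CLOSED"} and 0 in (st["pa"], st["pb"]):
        tries = max(st["pa"], st["pb"])
        where = ("upstream port 25 filtering by an ISP is the usual cause"
                 if port == "25" else "look upstream of the firewall")
        return f"no SYN/ACK from {st['dst']} after {tries} SYNs; {where}"
    if sides == {"ESTABLISHED"}:
        return f"handshake with {st['dst']} completed"
    return f"{st['dst']} in {st['a']}:{st['b']}, inspect by hand"

def report(text: str) -> List[Tuple[str, str, str]]:
    """(interface, destination, verdict) for every state line in the text."""
    out = []
    for line in text.splitlines():
        st = parse_state(line)
        if st:
            out.append((st["iface"], st["dst"], diagnose(st)))
    return out

if __name__ == "__main__":
    for iface, dst, verdict in report(SAMPLE_STATES):
        print(f"{iface:6} {dst:20} {verdict}")
```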

          killmasta93

          Thanks for the reply. I was checking on the states and it never arrives on port 25.
          So what I did is send an email from Gmail to the email server at 190,
          and it arrived and I checked with Wireshark, but if I do the same thing on the email server of 200.xx.xxx. the email server tells me connection timeout, so I don't know if it's site A's pfSense or site B's pfSense.

          But I check on [attached image]

            killmasta93

            So I'm thinking it might be my ISP, but not sure which to call, the one from site A or the one from site B?

              Derelict (LAYER 8, Netgate)

              Almost all ISPs filter outbound to destination port 25 to arbitrary servers as an anti-spam measure.

              Can you connect port 25 to the outgoing servers your ISP has in place?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                killmasta93

                Thanks for the reply.
                What I realized is that something very funky is going on:
                I manage a few other sites; those sites also have the ISP of site B.
                I also try to telnet and can't telnet if I have the ISP of site A.
                So I connect using my data plan, which uses neither ISP A nor ISP B,
                and I can telnet both site A and site B. I know that there is no blockage because I checked the states and it does not appear.
                Tomorrow I'm going to test a few things with the ISP to see if they're blocking my other ISP.

                When you say connect to port 25 on the outgoing servers, I'm not sure what you mean.
                I have on both site A and site B Postfix email servers, with pfSense on each site but no site-to-site because they're completely unrelated to each other; the only thing is that site A this morning sent an email to site B and I got those errors.

                  killmasta93

                  Hmm, what's even more odd now is that site A cannot send emails to Gmail servers only; Hotmail, Yahoo and others seem to work OK.

                  I'm getting this:

                  delay=74266, delays=74204/0.3/62/0, dsn=4.4.1, status=deferred (connect to alt2.aspmx.l.google.com[64.233.167.26]:25: Connection timed out)
                  

                  I try to telnet and it just stays there.
                  I check the states and found this; called Google and they say nothing is wrong, so I'm like WTF:

                  LAN 	tcp 	192.168.3.101:34614 -> 64.233.167.26:25 	CLOSED:SYN_SENT 	5 / 0 	300 B / 0 B 	
                  EMAIL 	tcp 	200.1xx.xxx:34770 (192.168.3.101:34614) -> 64.233.167.26:25 	SYN_SENT:CLOSED 	5 / 0 	300 B / 0 B
                  

                    Derelict (LAYER 8, Netgate)

                    If your ISP filters outbound 25 there is nothing google can do about it.

                    You are supposed to submit to outbound mail servers on port 587 with required authentication.


                      Gertjan @killmasta93

                      @killmasta93 said in very odd issue with Telnet port 25:

                      but if i use another network

                      Have pfSense A use that network to connect to B and you're good! (?)

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        killmasta93 @Derelict

                        @Derelict Well, today it seems that site A can now telnet site B. I have no idea how it got fixed, but now site A cannot send to Gmail. Could my ISP filter outbound SMTP even if the modem is in bridge mode and pfSense is doing all the NAT?

                        This is the log I'm getting:

                        relay=none, delay=121889, delays=121738/0.43/150/0, dsn=4.4.1, status=deferred (connect to aspmx3.googlemail.com[209.85.202.27]:25: Connection timed out)
                        

                        @Gertjan It seems that today site A and site B can telnet each other; I have no idea what happened.

                          johnpoz (LAYER 8, Global Moderator) @killmasta93

                          @killmasta93 said in very odd issue with Telnet port 25:

                          my ISP could filter outbound smtp even if the modem is in bridge mode? and pfsense is doing all the NAT?

                          Yes - pretty much all ISPs filter outbound 25 on their home connection types.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                            Derelict (LAYER 8, Netgate) @killmasta93

                            @killmasta93 said in very odd issue with Telnet port 25:

                            my ISP could filter outbound smtp even if the modem is in bridge mode?

                            Absolutely. Anyone in the path between you and the server can filter on anything they want. Almost all of them do except on business class services and even then you often have to ask for it to be opened. Blame the spammers - the wretched scum.

                            Maybe google blocked you. Who knows. If you are sending the TCP SYN out and not getting a SYN/ACK back there is nothing the firewall can do about it. You have to look upstream.


                              killmasta93

                              @killmasta93 said in very odd issue with Telnet port 25:

                              [209.85.202.27]
                              I run a traceroute from my mail server and got this:

                              root@mail:~# tcptraceroute 209.85.202.27 25
                              Running:
                              	traceroute -T -O info -p 25 209.85.202.27 
                              traceroute to 209.85.202.27 (209.85.202.27), 30 hops max, 60 byte packets
                               1  10.141.95.1 (10.141.95.1)  12.028 ms  12.002 ms  11.933 ms
                               2  10.166.43.209 (10.166.43.209)  17.339 ms  17.344 ms  17.372 ms
                               3  10.166.41.245 (10.166.41.245)  14.014 ms  13.960 ms  13.919 ms
                               4  10.166.42.121 (10.166.42.121)  22.589 ms  22.542 ms  22.496 ms
                               5  * * *
                               6  * * *
                               7  * * *
                               8  * * *
                               9  * * *
                              10  * * *
                              11  * * *
                              12  * * *
                              13  * * *
                              14  * * *
                              15  * * *
                              16  * * *
                              17  * * *
                              18  * * *
                              19  * * *
                              20  * * *
                              21  * * *
                              22  * * *
                              23  * * *
                              24  * * *
                              25  * * *
                              26  * * *
                              27  * * *
                              28  * * *
                              29  * * *
                              30  * * *
                              

                              and from the firewall

                              1  10.141.95.1  8.649 ms  12.158 ms  11.091 ms
                              2  10.166.43.209  9.515 ms  19.408 ms  18.847 ms
                              3  10.166.41.245  23.194 ms  9.367 ms  11.197 ms
                              4  10.166.42.121  40.180 ms  58.736 ms  9.193 ms
                              5  74.125.118.246  23.555 ms
                                 74.125.147.120  17.149 ms
                                 74.125.118.246  18.600 ms
                              6  108.170.253.200  21.892 ms *
                                 108.170.253.215  17.819 ms
                              7  216.239.56.234  33.473 ms
                                 172.253.67.39  54.879 ms
                                 172.253.75.25  57.708 ms
                              8  108.170.253.215  22.872 ms
                                 216.239.43.150  56.011 ms
                                 108.170.253.196  21.441 ms
                              9  142.250.225.22  76.701 ms  89.611 ms
                                 172.253.75.25  65.203 ms
                              10  209.85.254.107  88.363 ms
                                 216.239.47.83  86.060 ms  79.247 ms
                              11  142.250.59.181  155.265 ms  150.934 ms
                                 142.250.59.183  156.677 ms
                              12  216.239.50.99  79.110 ms
                                 172.253.71.196  168.123 ms
                                 216.239.50.99  80.213 ms
                              13  172.253.71.173  155.475 ms
                                 172.253.71.163  171.246 ms
                                 172.253.71.154  167.008 ms
                              14  172.253.71.192  167.420 ms  165.423 ms  168.445 ms
                              15  * 172.253.71.80  168.256 ms *
                              16  172.253.73.199  161.964 ms  163.946 ms *
                              17  * * *
                              18  * * *
                              

                                Gertjan

                                Now who said you should / could use port 25 to send mail to a server?
                                Your ISP? They have been wrong for the last 3 decades or so. To make a long story short, they wind up blocking port 25 for everybody to everybody, except their own mail server(s).

                                Please check the Gmail port usage: https://support.google.com/mail/answer/7126229?hl=en

                                Mail coming from a mail client should be sent using port 587, which means you have to authenticate before sending, like POP and IMAP.
                                Or you should use port 465, which is TLS all the way.

                                Port 25 is used for mail between mail servers.


                                  Derelict (LAYER 8, Netgate) @killmasta93

                                  @killmasta93 said in very odd issue with Telnet port 25:

                                  So i have in site A an email server and Site B another email server

                                  He is talking about mail servers. And finding out how painful port 25 filtering is when you want to run a mail server.

                                  You will also be subject to DNS blacklists that have your IP address range as "dialup", "dynamic," or "residential."

                                  Honestly if you don't have business-class, statically-addressed service, running an SMTP server is going to be really hard.

                                  @killmasta93 you might need to instruct your email servers to use what is commonly called a "smart host" to which you forward all of your outbound mail. It will need to be on port 587 with authentication.

                                  Inbound port 25 should not be a problem but ISPs are known to do silly things. Be sure you are not an open relay.

                                  If you control both of these mail servers and just want to send mail directly between them, set them up so they use an alternate port when they talk to each other. I don't know the exact commands because it has been so long but I guarantee something like exim would do both of these tasks expertly. Probably postfix as well.


                                    killmasta93

                                    Thanks for the reply. Well, it seems that it got fixed by itself; I think it was getting greylisted by Gmail refusing to talk to my email server on port 25. Currently I run Proxmox Mail Gateway as my smart host and my backend is a Zimbra server which sends through Proxmox. The internet is business class with 5 static IPs. It's the first time I see "connection lost" on Gmail servers in the log; I have seen this on other servers but it's either dead or refusing to talk to me. The curious part is that I could send to any other domain besides Gmail, which made me think that it's not an ISP issue. But thank you again for the help.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.