Cannot send emails even though ports are unblocked

Hi, I recently discovered YunoHost and it is by far the best thing out there. In a few weeks I will try to start contributing as much as I can :smiley:

My YunoHost server

Hardware: Linode 2GB Ram VPS. YunoHost installed on a fresh copy of Debian 10
YunoHost version: 4.1.4.4
I have access to my server : Through SSH and YunoHost Admin interface
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain: Installed WireGuard through the backports repository and OpenVPN through normal repository. Added custom rule to iptables /etc/yunohost/hooks.d/post_iptable_rules/custom_openvpn_rule.

Custom Rule:

#!/bin/sh

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    
# Required-Stop:
# X-Start-Before:    
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6 
# Short-Description: Enables and disables firewall rules
# Description:       Enables and disables the firewall rules
#                    using iptables(8)
### END INIT INFO

LOCKFILE=/var/lock/firewall.lock
IPTABLES=/sbin/iptables

# External interface
EXT_IF=eth0

# OpenVPN public address
VPN_EXT_ADDR="72.14.187.137"

# OpenVPN private address
VPN_INT_ADDR="10.8.0.1"

set -e

. /lib/lsb/init-functions

# Load firewall rules
start_firewall() {

    if [ -f "${LOCKFILE}" ]; then
		log_failure_msg "Lock file exists, firewall is already enabled?"
		exit 1
	fi

	if ! lockfile ${LOCKFILE} ; then
		log_failure_msg "Cannot create a lock file!"
		exit 1
	fi

	log_success_msg "Enabling firewall rules using iptables(8)."

	# Remove any existing rules from all chains
	${IPTABLES} -F
	${IPTABLES} -F -t nat
	${IPTABLES} -F -t mangle

	# Remove any pre-existing user-defined rules
	${IPTABLES} -X
	${IPTABLES} -X -t nat 
	${IPTABLES} -X -t mangle
		
   	# Zero the counters
	${IPTABLES} -Z

	# Default policy
	${IPTABLES} -P INPUT DROP
	${IPTABLES} -P OUTPUT ACCEPT
	${IPTABLES} -P FORWARD ACCEPT

   	# Trust the local host
	${IPTABLES} -A INPUT -i lo -j ACCEPT

   	# Trust the internal networks
	${IPTABLES} -A INPUT -p all -m state --state NEW -s 10.0.0.0/8 -j ACCEPT

   	# Accept established sessions
	${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
        # NAT rules
	${IPTABLES} -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE

        # One-To-One NAT for vpn.example.org
	${IPTABLES} -t nat -I PREROUTING -i ${EXT_IF} -d ${VPN_EXT_ADDR} -j DNAT --to-destination ${VPN_INT_ADDR} 
   	${IPTABLES} -t nat -I POSTROUTING -o ${EXT_IF} -s ${VPN_INT_ADDR} -j SNAT --to-source ${VPN_EXT_ADDR}

	log_success_msg "Firewall rules loaded successfully."
}

reset_firewall() {
    
	log_success_msg "Disabling iptables(8) firewall rules."

   	# Remove any existing rules from all chains
	${IPTABLES} -F
	${IPTABLES} -F -t nat
	${IPTABLES} -F -t mangle

   	# Remove any pre-existing user-defined rules
	${IPTABLES} -X
	${IPTABLES} -X -t nat 
	${IPTABLES} -X -t mangle
   
	# Zero the counters
	${IPTABLES} -Z
			
	${IPTABLES} -P INPUT ACCEPT
	${IPTABLES} -P OUTPUT ACCEPT
	${IPTABLES} -P FORWARD ACCEPT

	log_success_msg "Firewall shutdown successful."
}

status_firewall() {
		
	if [ -f "${LOCKFILE}" ]; then
		log_success_msg "Firewall is enabled."
	else
		log_success_msg "Firewall is disabled."
	fi
}
	
case "${1}" in
	start)
		start_firewall
		;;
	reset)
		reset_firewall
		;;
	stop)
		reset_firewall
		rm -f "${LOCKFILE}"
		;;
	status)
		status_firewall
		;;
	reload|restart|force-reload)
		reset_firewall
		rm -f "${LOCKFILE}"
		start_firewall
		;;
	*)
		echo "usage: ${0} {start|stop|status|reload|restart|force-reload|reset}" >&2
		;;
esac

Description of my issue

The error for SMTP port has been happening before this. I can receive emails and send locally but outgoing mail is not working.

First, I thought that was because Linode was blocking the port and that indeed was the case. I opened a support ticket and they have lifted the restriction. The Port 25 is open for both TCP and UDP. I have checked if the port is open using online port checker tools as well as nmap. Result of running nmap -p 25 72.14.187.137 is:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-16 14:26 IST
Nmap scan report for li53-137.members.linode.com (72.14.187.137)
Host is up (0.28s latency).

PORT   STATE SERVICE
25/tcp open  smtp

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

I can even telnet into port 25

Trying 72.14.187.137...
Connected to li53-137.members.linode.com.
Escape character is '^]'.
220 domainname.tld Service ready

Full dump of the diagnosis, as I cannot use the integrated YunoPaste (more about this in additional notes)

YunoHost Diagnosis: YunoHost Paste

Edit: Removed unrelated issue about network configuration due to Linode Network Manager

Hello,

Your ISP might be blocking port 25, preventing you from sending emails. See if you can unlock it or ask for it to be unlocked. If you can’t, you need to use an SMTP relay to bypass that lock.

For example, you can use mailjet, which offers 200 emails per day on its free plan. It’s the one I use because my ISP definitely blocks port 25, and it does its job. You can also apparently use gmail as an SMTP relay if you have an account, but I’ve never succeeded in configuring it correctly; maybe you’ll have more luck than me.

Another solution is to invest in a VPN that will offer you a clean access to the Internet without blocking any port. A few VPNs can offer you a static public IP like windscribe for instance.

I am pretty sure my ISP is not blocking it. Linode has confirmed that they have unlocked the port and I can nmap and telnet to verify that.

Is there any other way to check if the port has been blocked?

Port 25 might not be blocked for incoming traffic but might still be blocked for outgoing traffic; that’s what your diagnosis says in the Email section.

It might be the endpoint of your VPN that is blocking port 25.

I am sorry, I misunderstood that. You are absolutely right. I tried telnet smtp.gmail.com 25 and it is stuck on:

Trying 2800:3f0:4003:c01::6c...

Either there is an issue with IPv6 configuration or Linode did not completely allow outgoing port 25. I’ll try to contact them again

No issue :slightly_smiling_face: Check also the VPN you are using, the issue might come from there if the issue isn’t with Linode.

There was an error on Linode’s end, they hadn’t saved the configuration changes :sweat_smile:

Thank You for pointing that possibility out.

For others who stumble across this issue, a good way to check if your outgoing port is being blocked is to just run telnet smtp.gmail.com 25

If your output is similar to:

Trying 2800:3f0:4003:c02::6d...
Trying 64.233.190.108...
telnet: Unable to connect to remote host: Connection timed out

This means your outgoing ports are being blocked and you should check first your firewall and then with your ISP.
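The check described in this thread, as an added example that is not part of the original posts: it probes outbound TCP port 25 once per resolved address, so an IPv6 path and an IPv4 path are reported separately, and it tells a silent drop (timeout) apart from a refusal. The function names and verdict labels are this example's own; `smtp.gmail.com` is the test host used in the thread.

```python
import socket

def probe(family, sockaddr, timeout=10.0):
    """Try one outbound TCP connection; return (status, detail)."""
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
    except socket.timeout:
        # No answer at all: typical of a firewall or provider dropping the SYN.
        return ("timeout", "no reply, packets silently dropped")
    except ConnectionRefusedError:
        # An RST came back: the path works but nothing accepted the connection.
        return ("refused", "connection actively refused")
    except OSError as exc:
        # For example "Network is unreachable" when the host has no IPv6 route.
        return ("error", str(exc))
    else:
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            banner = ""
        return ("open", banner)  # an SMTP server greets with a "220 ..." line
    finally:
        s.close()

def check_outbound(host="smtp.gmail.com", port=25, timeout=10.0):
    """Probe every address the name resolves to, IPv6 and IPv4 alike."""
    results = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        status, detail = probe(family, sockaddr, timeout)
        results.append((label, sockaddr[0], status, detail))
    return results

def verdict(results):
    """Summarise: 'reachable', 'filtered' (likely blocked) or 'inconclusive'."""
    statuses = {r[2] for r in results}
    if "open" in statuses:
        return "reachable"
    if "timeout" in statuses:
        return "filtered"
    return "inconclusive"

if __name__ == "__main__":
    found = check_outbound()
    for label, addr, status, detail in found:
        print(f"{label:4} {addr:40} {status:8} {detail}")
    print("outbound port 25:", verdict(found))
```

A `filtered` verdict matches the "Connection timed out" output above: check the local firewall's OUTPUT rules first, then the hosting provider or VPN endpoint.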
