SMTP Postfix Server Configuration

I’m trying to configure a Postfix server. I’m able to receive emails, but I cannot send emails because it seems that the outgoing connection on port 25 is somehow not able to connect.

When I try to telnet to the external server, I get this:

telnet gmail-smtp-in.l.google.com 25
Trying 142.250.0.27...
Trying 2800:3f0:4003:c03::1a...
telnet: Unable to connect to remote host: Network is unreachable

I’ve tried a lot of suggestions from other threads, but none of them worked. I ended up with the following configuration:

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow openvpn udp port 1194" dst-port=1194 in-interface-list=!LAN protocol=udp
add action=drop chain=input comment="drop everything else not from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall nat
add action=dst-nat chain=dstnat comment="forward mail ports to 10.10.20.105" dst-address=!10.10.20.0/24 dst-address-type=local dst-port=25,443,993 protocol=tcp to-addresses=10.10.20.105
add action=masquerade chain=srcnat comment="Harpin Nat"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Any suggestions would be much appreciated.

Carlos

If you have an appropriate computer (e.g. a Linux machine), try to run tcptraceroute towards TCP port 25 of the SMTP gateway of Google. It should show the place where the connection gets blocked. It wouldn’t surprise me if it were your ISP blocking connections to the plain SMTP port in an attempt to block e-mail spam.
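A complementary check to the TCP test suggested above, as an added example that is not part of the original thread: it attempts a TCP handshake to port 25 on every resolved address of the mail host and reports a verdict per address, whereas the telnet output in the first post shows only a single error after trying both the IPv4 and the IPv6 address. The function names and verdict labels are assumptions made for this example.

```python
import errno
import socket

# Map connect() failures to what they usually mean for an outbound SMTP test.
VERDICTS = {
    errno.ECONNREFUSED: "refused",   # RST came back: path works, port closed
    errno.ENETUNREACH: "no-route",   # no route for this address family
    errno.EHOSTUNREACH: "no-route",
    errno.ETIMEDOUT: "filtered",     # SYN got no answer: dropped on the path
}

def classify(exc):
    """Turn a socket exception into a short verdict string."""
    if isinstance(exc, socket.timeout):
        return "filtered"
    return VERDICTS.get(getattr(exc, "errno", None), "error")

def probe_address(family, sockaddr, timeout=5.0):
    """Attempt one TCP handshake and return a verdict for that address."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
            return "open"
    except OSError as exc:
        return classify(exc)

def probe_host(host, port=25, timeout=5.0):
    """Probe every A/AAAA address of host; return {address: verdict}."""
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        results[sockaddr[0]] = probe_address(family, sockaddr, timeout)
    return results

if __name__ == "__main__":
    import sys
    # Host name taken from the thread; pass another MX as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "gmail-smtp-in.l.google.com"
    for addr, verdict in probe_host(target).items():
        print(f"{addr:40} tcp/25 {verdict}")
```

A "no-route" result on the IPv6 address together with "filtered" on the IPv4 address points at something dropping outbound SYNs to port 25, while "open" on IPv4 means the mail server can reach the remote host and the problem lies elsewhere.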

I did the traceroute; it seems that this is going past my ISP (invistanet). I’m not sure how to read the remaining stars (*), or whether this is going through or just bouncing back.

traceroute gmail-smtp-in.l.google.com -p 25

traceroute to gmail-smtp-in.l.google.com (142.250.0.27), 30 hops max, 60 byte packets
 1  _gateway (10.10.20.80)  9.415 ms  9.127 ms  9.148 ms
 2  143-202-28-198.customer.invistanet.com.br (143.202.28.198)  10.502 ms  10.067 ms  10.181 ms
 3  143-202-29-30.customer.invistanet.com.br (143.202.29.30)  21.198 ms  21.037 ms  20.877 ms
 4  143-202-28-38.customer.invistanet.com.br (143.202.28.38)  20.717 ms  20.555 ms  20.380 ms
 5  72.14.218.100 (72.14.218.100)  20.219 ms  20.525 ms  19.898 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

You should allow TCP port 25 with an “accept” rule in /ip/filter BEFORE the “drop !LAN” rule.

tcptraceroute = not the same thing as traceroute

And allowing any port won’t help, because they are all allowed already. Look at forward, not input, there’s no drop in forward.

My ISP was blocking incoming ports below 1024. Sorry for the inconvenience!