CSF SMTP Auth Blocking Issue for Mailgun

[Ryan_D]

Hi,

I'm trying to figure out what configuration setting within ConfigServer Security & Firewall is causing SMTP emailing with 3rd party providers (in our case Mailgun) from working... If I disable ConfigServer Security & Firewall then the email sending works fine.

WordPress SMTP Mail Log

Code: Select all

Versions:
WordPress: 6.4.3
WordPress MS: No
PHP: 7.4.33
WP Mail SMTP: 3.11.1

Params:
Mailer: smtp
Constants: No
ErrorInfo: SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server SMTP code: 111 Additional SMTP info: Connection refused
Host: smtp.mailgun.org
Port: 587
SMTPSecure: tls
SMTPAutoTLS: bool(true)
SMTPAuth: bool(true)

Server:
OpenSSL: OpenSSL 1.1.1w 11 Sep 2023
Apache.mod_security: No

Debug:
Email Source: WP Mail SMTP
Mailer: Other SMTP
SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server SMTP code: 111 Additional SMTP info: Connection refused

SMTP Debug:
2024-02-07 23:06:26 Connection: opening to smtp.mailgun.org:587, timeout=300, options=array()

2024-02-07 23:06:27 Connection failed. Error #2: stream_socket_client(): unable to connect to smtp.mailgun.org:587 (Connection refused) [/home/account/public_html/wp-includes/PHPMailer/SMTP.php line 397]

2024-02-07 23:06:27 SMTP ERROR: Failed to connect to server: Connection refused (111)

SMTP Error: Could not connect to SMTP host. Failed to connect to server

IPTables Log

Code: Select all

Feb 7 23:15:38 SERVER_HERE kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP_HERE DST=34.160.63.108 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33770 DF PROTO=TCP SPT=46312 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1005 GID=1007

Feb 7 23:15:37 SERVER_HERE kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP_HERE DST=34.160.63.108 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33769 DF PROTO=TCP SPT=46312 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1005 GID=1007

We can see the IP of 34.160.63.108 with the port of 587 is being blocked because of a TCP_OUT rule.

IPTables Rules (Removed non-587 rules

Code: Select all

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
18       3   180 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
27       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587

Chain SMTPOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      179 60106 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587 owner GID match 988
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587 owner GID match 12
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587 owner UID match 1075
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587 owner UID match 990
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587 owner UID match 0
7        4   240 LOGDROPOUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,26,465,587

ip6tables filter table
======================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
21       0     0 ACCEPT     tcp      !lo    *       ::/0                 ::/0                 ctstate NEW tcp dpt:587

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
31       0     0 ACCEPT     tcp      *      !lo     ::/0                 ::/0                 ctstate NEW tcp dpt:587

Chain SMTPOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   240 ACCEPT     tcp      *      lo      ::/0                 ::/0                 multiport dports 25,26,465,587
2        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587 owner GID match 988
3        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587 owner GID match 12
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587 owner UID match 1075
5        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587 owner UID match 990
6        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587 owner UID match 0
7        0     0 LOGDROPOUT  tcp      *      *       ::/0                 ::/0                 multiport dports 25,26,465,587

# ConfigServer Security & Firewall

Code: Select all

TCP_IN = 25,53,80,443,465,587,11211,49152:65534,30000:65400
TCP_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,987,993,995,2082,2083,2086,2087,2089,2525,2703,8443,11211,44445,55556,7770:7800
UDP_IN = 53
UDP_OUT = 20,21,53,113,123,873,6277,24441

TCP6_IN = 21,25,53,80,443,465,587,987,11211
TCP6_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,11211,2089,2703
UDP6_IN = 53
UDP6_OUT =  20,21,53,113,123,873,6277,24441

CC_ALLOW_PORTS = GB,AU
CC_ALLOW_PORTS_TCP = 20,21,22,987,2087,2083
CC_ALLOW_PORTS_UDP = NONE
CC_DENY_PORTS = CN,KR,HK,IN,ID,MY,NG,PK,RU,SA,TW,SY,AE
CC_DENY_PORTS_TCP = 20,21,22,987,2082,2083,2086,2087,7090
CC_DENY_PORTS_UDP = NONE

As far as I can see, I've correctly allowed 587 correctly... I also added the Mailgun IP to the IP allowlist even though their SMTP IP might change.

Yet why is it still being blocked? Am I missing something obvious?

[geekytone]

Hello,

Check the "SMTP_BLOCK" settings which block the outgoing SMTP ports (defined by SMTP_PORTS settings) for users (then only the local SMTP server like postfix or exim is allowed to connect to external SMTP).

If you are using cPanel, check also if external SMTP is correctly allowed on WHM > Tweak Settings > SMTP Tweaks.

[Sergio]

Have you tried to add MAILGUN IPs in CSF white list?

Check https://www.webhostingtalk.com/showthread.php?t=1683550
read the 3rd post that will give you idea on how to get MAILGUN IPS

Sergio

[Ryan_D]

Hello,

Check the "SMTP_BLOCK" settings which block the outgoing SMTP ports (defined by SMTP_PORTS settings) for users (then only the local SMTP server like postfix or exim is allowed to connect to external SMTP).

If you are using cPanel, check also if external SMTP is correctly allowed on WHM > Tweak Settings > SMTP Tweaks.

You're spot on, it was the SMTP_BLOCK and I don't know how I didn't think about that... I want to keep that enabled though, can I whitelist to bypass that blocklist?

I expected the SMTPAUTH to do this but it doesn't appear to.

[geekytone]

Yes, all IP listed in csf.allow can bypass the SMTP_BLOCK. You can just add on csf.allow the following:

Code: Select all

tcp|out|d=587|d=1.2.3.4
tcp|in|s=587|s=1.2.3.4

(Don't forget to replace 1.2.3.4 with your server's IP address, and eventually replace the 587 port with your accurate port number)