Port blocked even though it's in the incoming/outgoing allow
Posted: 16 May 2013, 14:06
by kisonay
I am having trouble sending email from my server using CSF to a third party email provider.
I need to connect to the third party via port 587. I have confirmed that this port is added to the TCP_IN and TCP_OUT lists (it was there by default), saved and restarted, but the connection times out.
If I disable CSF it can connect and send email without a problem.
What would cause this to be blocked even though it is in the IN/OUT list?
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 15:12
by chatwizrd
What happens when you telnet to port 587? Do you see any blocked lines in /var/log/messages?
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 20:17
by kisonay
Code:
rMBP:~$ telnet 174.xx.xx.xxx 587
Trying 174.136.14.97...
telnet: connect to address 174.xx.xx.xxx: Connection refused
telnet: Unable to connect to remote host
Nothing appears in /var/log/messages.
But taking that a step further, when I try to send the email I see the following in /var/log/messages:
Code:
May 16 15:21:53 s1 suhosin[26482]: ALERT - configured request variable name length limit exceeded - dropped variable 'moodle/.../formchangechecker-min_js' (attacker '74.xxx.xxx.xxx', file '/home/...yui_combo.php')
So it looks like suhosin combined with csf may be causing the problem.
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 20:43
by kisonay
OK, so I was able to modify the suhosin.ini file and was able to prevent the item showing in messages, but csf is still blocking the connection.
Looking at the output when csf is starting, I see the following related to 587:
Code:
ACCEPT tcp opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp opt in !lo out * ::/0 -> ::/0 state NEW tcp dpt:587
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp opt in * out !lo ::/0 -> ::/0 state NEW tcp dpt:587
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587 owner UID match 0
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:587
ACCEPT tcp opt in * out * ::/0 -> ::/0 tcp dpt:587 owner UID match 0
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587 owner UID match 32001
ACCEPT tcp opt in * out * ::/0 -> ::/0 tcp dpt:587 owner UID match 32001
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587 owner GID match 12
ACCEPT tcp opt in * out * ::/0 -> ::/0 tcp dpt:587 owner GID match 12
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587 owner GID match 32006
ACCEPT tcp opt in * out * ::/0 -> ::/0 tcp dpt:587 owner GID match 32006
ACCEPT tcp opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:587
Does that look correct?
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 20:48
by Sergio
Is port 587 added on the SMTP_PORTS in CSF?
Like:
SMTP_PORTS = 25,26,465,587
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 21:14
by kisonay
Sergio wrote: Is port 587 added on the SMTP_PORTS in CSF?
Like:
SMTP_PORTS = 25,26,465,587
Yes it is listed, so that is the problem.
If I turn off SMTP_BLOCK it sends fine. If I leave it on and remove port 587, change and restart, my connection is still blocked. I would rather not turn it off.
Re: Port blocked even though its in the incoming/outgoing al
Posted: 16 May 2013, 21:45
by kisonay
I was able to fix it. In my troubleshooting I changed the mailing app to use port 25 rather than 587. Once I changed it back to 587 and made sure that it was removed from SMTP_PORTS all started working correctly.
Thank you both for your help!
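The interaction this thread ran into, as an added example that is not part of the original posts or of csf itself: the rule listing above shows a blanket DROP for dpt:587 next to ACCEPT rules that only match specific owner UIDs/GIDs, so a port can be in TCP_OUT and still be refused to other users while SMTP_BLOCK is on. The sketch below parses csf.conf-style text and lists ports that are in both TCP_OUT and SMTP_PORTS; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in csf.conf syntax (KEY = "value"); not taken from the thread.
SAMPLE_CONF = '''
# ports opened in the firewall
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,30000:30010"
SMTP_BLOCK = "1"
SMTP_PORTS = "25,26,465,587"
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
'''

def parse_conf(text):
    """Return {KEY: value} for each KEY = "value" line; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def expand_ports(spec):
    """Expand a port list such as "25,26,30000:30010" into a set of ints."""
    ports = set()
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def smtp_block_conflicts(conf):
    """Ports open in TCP_OUT that SMTP_BLOCK still restricts by process owner."""
    if conf.get("SMTP_BLOCK", "0") != "1":
        return []
    out_ports = expand_ports(conf.get("TCP_OUT", ""))
    return sorted(out_ports & expand_ports(conf.get("SMTP_PORTS", "")))

def report(conf):
    """One human-readable line per conflicting port."""
    return [
        f"port {p}: in TCP_OUT, but SMTP_BLOCK only lets root and "
        f"SMTP_ALLOWUSER={conf.get('SMTP_ALLOWUSER', '')!r} / "
        f"SMTP_ALLOWGROUP={conf.get('SMTP_ALLOWGROUP', '')!r} connect out"
        for p in smtp_block_conflicts(conf)
    ]

if __name__ == "__main__":
    print("\n".join(report(parse_conf(SAMPLE_CONF))) or "no conflicts")
```

For each port reported, either the sending process has to run as an allowed user or group, or the port has to come out of SMTP_PORTS, which is the change that resolved this thread.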