Google Compute Engine will not allow incoming smtp connections - smtp

I have a virtual machine (CentOS) running on Google's Compute Engine and everything seems pretty straightforward. I have read all the documentation I can find, but this one thing is hanging me up. I know outbound SMTP connections are blocked by GCE, but incoming should be no problem from what I've read. However, I've configured the server correctly (I think) and added the firewall rule for SMTP through gcutil, but still no dice:
gcutil addfirewall smtp --description="Incoming smtp allowed." --allowed="tcp:smtp"
This adds the rule to allow SMTP connections.
gcutil listfirewalls
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
| name                   | description                           | network | source-ips | source-tags | target-tags |
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
| default-allow-internal | Internal traffic from default allowed | default | 10.0.0.0/8 |             |             |
| default-ssh            | SSH allowed from anywhere             | default | 0.0.0.0/0  |             |             |
| http2                  | Incoming http allowed.                | default | 0.0.0.0/0  |             |             |
| pop3                   | Incoming pop3 allowed.                | default | 0.0.0.0/0  |             |             |
| smtp                   | Incoming smtp allowed.                | default | 0.0.0.0/0  |             |             |
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
The SMTP rule is listed. Other ports work fine; I can get into ports 80, 22, and 110. But when trying to get into port 25:
telnet nextcore.com 25
Trying 173.255.112.1...
It will not connect.
Connecting to localhost port 25 on the virtual machine works just fine:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 nextcore.localdomain ESMTP Postfix
What am I missing?

I'm not sure what you have listening on port 25 (e.g. sendmail, postfix, etc). I can confirm that I also can't connect to your VM on port 25, though I can connect on port 80.
You can check which programs are listening on which ports with sudo netstat -lpn -A inet, e.g.
$ sudo netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2691/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      15845/nc
udp        0      0 0.0.0.0:23153           0.0.0.0:*                           2291/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2291/dhclient
udp        0      0 10.87.233.49:123        0.0.0.0:*                           2566/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2566/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2566/ntpd
You might discover that your mail program is only listening on localhost (127.0.0.1), or that you are missing an entry in /etc/hosts.allow or have an entry in /etc/hosts.deny that blocks requests from outside your local network.

You can take a look at this: https://developers.google.com/compute/docs/networking#mailserver
You will see that Google Compute Engine blocks outbound connections on ports 25, 465, and 587.
The instructions for setting up Postfix to work with GCE are available on that page as well.

Related

MySQL is not accessible via remote client

I have the problem that my MySQL server, while available locally (Ubuntu 20.04.3 LTS), can't be reached via a remote client:
telnet 127.0.0.1 3306
Trying 127.0.0.1...
Connected to 127.0.0.1.
but
telnet xxx.xxx.xxx.xxx 3306
Trying xxx.xxx.xxx.xxx...
telnet: Unable to connect to remote host: Connection refused
I tried everything I found, but to no success. This is what I tried / checked:
/etc/mysql/mysql.conf.d/mysqld.cnf
bind-address = ::
mysqlx-bind-address = ::
I also tried to set those addresses to "0.0.0.0"; the result is the same.
I also did a restart via systemctl restart mysql and netstat -ntlup shows
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::3306                 :::*                    LISTEN      567829/mysqld
tcp6       0      0 :::33060                :::*                    LISTEN      567829/mysqld
UFW is inactive
ufw status
Status: inactive
There is a mysql user with remote access
SELECT user, host, account_locked, password_expired FROM user;
+---------+-----------+----------------+------------------+
| user    | host      | account_locked | password_expired |
+---------+-----------+----------------+------------------+
| my_user | %         | N              | N                |
This user has read permissions to all tables of a database. I executed a FLUSH PRIVILEGES;.
Server accessibility
The server generally is accessible from remote. I can connect via SSH and HTTP/HTTPS. I set the server provider firewall settings (Hetzner Cloud Server) and 3306 as well as 33060 are allowed incoming ports.
I checked the MySQL server accessibility on the server itself via its remote IP, my local computer and from another external server. All show the above mentioned "Connection refused" via telnet and when trying to connect via the mysql command.
Those were all the tips and configurations I found in existing solutions to this problem. I have been stuck for two days now and can't find a way forward. Does anyone have an idea?

MySQL Error 61 cannot connect

I read this SO post, and a few others. I've set up an Amazon EC2 server on Ubuntu. I created a MySQL database and I'm trying to connect to it via MySQL Workbench.
Using standard TCP / IP over ssh I am able to connect using a .pem key.
I created a new user using the Workbench GUI and have granted the new user all privileges.
Within the Amazon EC2 interface I added rules to the security group to allow both SSH and TCP, each with source 0.0.0.0/0 and ::/0.
When I SSH into the server via the terminal I am able to connect as this user to MySQL with mysql -uthe_new_usr -p. I am unable to within MySQL Workbench.
mysql> SELECT User, Host FROM mysql.user;
+------------------+------------------+
| User             | Host             |
+------------------+------------------+
| root             | %                |
| reporting        | %                |
| root             | 127.0.0.1        |
| root             | ::1              |
| root             | ip-123-45-67-891 |
| debian-sys-maint | localhost        |
| root             | localhost        |
+------------------+------------------+
Once again, I am able to connect using the standard TCP / IP over SSH option which uses my .pem key. But I'm trying to create a standard TCP / IP connection with the newly created user.
On the connection wizard there are inputs for hostname, port and username:
I changed the hostname entry to the IPv4 address shown in my EC2 instance dashboard, in a format like xx.xxx.x.xxx. This is the same hostname I used for the TCP / IP over SSH connection (which does work using a .pem key).
I changed the user to the same username that I set when I created the new user, via Workbench, with my root user.
For the port I've tried leaving it as 3306, changing it to 22, and removing it. Here's a screenshot of the security group for my EC2 instance.
When I click "Test Connection" I get the message "Failed to Connect to MySQL at xx.xxx.x.xxx:3306 with user my_new_usr. Can't connect to MySQL server on 'xx.xxx.x.xxx' (61)".
From the linked SO post at the top, I typed netstat -tulpen in my remote connection too:
ubuntu@ip-xxx-xx-xx-xxx:~$ netstat -tulpen;
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9331       -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      106        12552      -
tcp6       0      0 :::22                   :::*                    LISTEN      0          9345       -
udp        0      0 0.0.0.0:49678           0.0.0.0:*                           0          7949       -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          8029       -
udp6       0      0 :::28589                :::*                                0          7950       -
I'm not sure where to look next.
With the help of a friend:
Edited the my.cnf file so that bind-address = 0.0.0.0
Then had to restart MySQL with sudo restart mysql
That did it.
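The diagnosis that runs through these threads (the netstat check suggested in the answer to the GCE question above, and the 127.0.0.1:3306 listener that the bind-address change fixed here) can be automated. This is an added example, not code from any of the posts; the netstat text it parses is a constructed sample modelled on the outputs quoted above, and the "next check" strings are this page's own elimination order (socket first, then host firewall, then cloud firewall and public IP).

```python
# Constructed sample modelled on the netstat -lpn output quoted in the threads above.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2691/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      12552/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      15845/nc
tcp6       0      0 :::22                   :::*                    LISTEN      2691/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2291/dhclient
"""
LOOPBACK = {"127.0.0.1", "::1"}

def parse_listeners(text):
    """Return (proto, address, port, program) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # UDP rows have no State column, so only accept tcp/tcp6 rows marked LISTEN.
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 wildcards like ":::3306" intact ("::" + "3306").
        address, _, port = parts[3].rpartition(":")
        program = parts[6] if len(parts) > 6 else "-"
        listeners.append((parts[0], address, int(port), program))
    return listeners

def classify_port(listeners, port):
    """'none' (nothing listening), 'loopback-only' (127.0.0.1/::1), or 'external'."""
    addresses = [addr for _, addr, p, _ in listeners if p == port]
    if not addresses:
        return "none"
    if all(addr in LOOPBACK for addr in addresses):
        return "loopback-only"
    return "external"

NEXT_CHECK = {
    "none": "daemon is not running or is configured for another port",
    "loopback-only": "daemon bound to localhost only: set bind-address = 0.0.0.0 (or ::) and restart",
    "external": "socket is fine: check the host firewall (iptables/firewalld), then the cloud firewall rule and the public IP",
}

def diagnose(text, port):
    """Return (classification, next check) for a port, following the threads' elimination order."""
    state = classify_port(parse_listeners(text), port)
    return state, NEXT_CHECK[state]

if __name__ == "__main__":
    for port in (25, 3306, 110):
        print(port, *diagnose(SAMPLE_NETSTAT, port))
```

On a live host, feed it the output of `sudo netstat -lpn -A inet` (or the `ss -lptn` equivalent) instead of the sample string.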

Unable to get remote access to MySQL / MariaDB on Centos7

I'm trying to get remote access to my MySQL / MariaDB server, however it keeps denying my access. Here is my setup:
iptables -L
Chain INPUT (policy ACCEPT)
target             prot opt source               destination
ACCEPT             tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT             all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT             all  --  anywhere             anywhere
INPUT_direct       all  --  anywhere             anywhere
INPUT_ZONES_SOURCE all  --  anywhere             anywhere
INPUT_ZONES        all  --  anywhere             anywhere
DROP               all  --  anywhere             anywhere             ctstate INVALID
REJECT             all  --  anywhere             anywhere             reject-with icmp-host-prohibited
mysql
MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';
+----------+------+
| User     | Host |
+----------+------+
| feed_user| %    |
+----------+------+
my.cnf
[mysqld]
local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      30227/mysqld
The server is within my local network, on a different subnet.
The internal firewall is set to allow connections between the two subnets, and I can see the traffic being accepted.
Any ideas on why it won't allow me remote access?
Thanks
Chris
Turns out I was adding the rules to iptables instead of firewalld. After adding the rules to firewalld I was able to access the server remotely.

Connecting to Amazon RDS Mysql from a server

I'm struggling to connect to my MySQL instance on Amazon RDS from a web server. I get this error:
Error: Unable to connect to MySQL.
Debugging errno: 2005
Debugging error: Unknown MySQL server host 'my-database-address.eu-west-1.rds.amazonaws.com:3306' (20)
Using this connection function:
$connect = mysqli_connect("my-database-address.eu-west-1.rds.amazonaws.com", "username", "password","database");
I've set up my instance to use a Security Group with the following settings:
RULE     | TYPE         | PROTOCOL | PORT RANGE | SOURCE
Inbound  | MYSQL/Aurora | TCP      | 3306       | Anywhere
Outbound | MYSQL/Aurora | TCP      | 3306       | Anywhere
Am I missing some rules in my security group? Should I specify the server IP address instead of choosing "Anywhere"? Or is my function wrong?

GCE Allows Connects from Internal Network Only After Reboot

I have been using GCE for about a year now, and have not run into this problem before. The VM is CentOS, and has services running on http, smtp, pop3, pop3s, and a few others. It has a static IP address assigned as well.
This morning, the VM was rebooted and when it came back up, no external connections were getting through. The GCE firewall rules have not changed:
Ubuntu:~$ gcloud compute firewall-rules list
NAME                    NETWORK  SRC_RANGES  RULES                         SRC_TAGS  TARGET_TAGS
default-allow-http      default  0.0.0.0/0   tcp:80                                  http-server
default-allow-https     default  0.0.0.0/0   tcp:443                                 https-server
default-allow-internal  default  10.0.0.0/8  tcp:1-65535,udp:1-65535,icmp
default-ssh             default  0.0.0.0/0   tcp:22
http2                   default  0.0.0.0/0   tcp:80
https                   default  0.0.0.0/0   tcp:443
msa                     default  0.0.0.0/0   tcp:587
pop3                    default  0.0.0.0/0   tcp:110
pop3s                   default  0.0.0.0/0   tcp:995
smtp                    default  0.0.0.0/0   tcp:25
smtps                   default  0.0.0.0/0   tcp:465
I shut down the VM, created a new temporary VM and mounted the boot disk from the VM into the temporary VM to read through the log files, but didn't find any errors; everything appeared to be starting up correctly.
I read somewhere that there was an issue at one time with iptables creating some restrictive rules by accident, and I noticed that iptables was indeed running (though it might have been running all this time, not sure), so I disabled it.
Local services appear to be listening:
[root@]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
And I can connect from the temporary VM via the internal network:
[repair ~]$ telnet 10.240.26.51 995
Trying 10.240.26.51...
Connected to 10.240.26.51.
Escape character is '^]'.
^]
So, connecting via the internal network works fine, but connecting from anywhere outside via the static IP does not work. Any ideas of what I might have missed? 1) Services appear to be listening on the server; 2) the server firewall should (now) be off, though it was on before; 3) the GCE firewall rules should be allowing external traffic; 4) but no dice on getting a connection in, not even using gcloud compute ssh.
Well, very odd, but it turns out that the IP I've been using from Google as a static IP for my VM simply doesn't work (or route?) anymore. Hope this helps somebody else who may come across this issue: if you have checked everything and you still can't get connections from outside, try checking that your static IP actually works.