How should I check if my ISP blocks port 25?
cmd> telnet <some well known email provider IP> 25
To determine exactly which host (subdomain) is listening on port 25:
nslookup -q=MX <top-level domain>
For example:
cmd> nslookup -q=MX gmail.com
gmail.com MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com MX preference = 50, mail exchanger = gsmtp183.google.com
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google.com
gsmtp147.google.com internet address = 209.85.147.27
gsmtp183.google.com internet address = 64.233.183.27
gmail-smtp-in.l.google.com internet address = 64.233.183.114
cmd> telnet gsmtp147.google.com 25
220 mx.google.com ESMTP l27si12759488waf.25
On Linux, you can use 'dig', I guess.
http://www.canyouseeme.org/
telnet host 25
Just select a host that you know is listening on port 25.
You could call them and ask.
Probing a server that listens on your desired port is of course the best option, as abatishchev has shown.
In the case where you can't find an "echo" service on your desired port or you want to know who is blocking you on the path, you can resort to firewalking. Firewalking probes the path by starting with a Time-To-Live (TTL) set to zero and then incrementing it by one each iteration. When you stop getting "ICMP TTL Exceeded" messages, that means the next hop in the chain is filtering your packets.
You can use hping3 to do this:
:~$ hping3 -z -T -p 25 server.com
or use Firewalk which was created for exactly this.
Edit: Any NAT devices on the route will silently destroy your results since the TTL is reset to whatever sane value the router sees fit.
I am setting up a fail2ban instance. Everything works as expected, but I have noticed that some rules have built-in ports, for example:
...
[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
...
filter = sshd
logpath = /var/log/auth.log
port = ssh
...
[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
...
So, when it states that the port is ssh or http or whatever, where does fail2ban get these bindings from? How do I know which ports I can use as names and which only as port numbers?
Named ports are used by many tools besides f2b. In most Linux distributions they are defined in /etc/services (a subset of IANA's official list).
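As an added illustration of the answer above (not code from fail2ban or from the original posters), this sketch parses text in the /etc/services format and resolves a jail's `port =` value to numbers, including aliases such as `ssmtp`. The sample table is constructed, and `parse_services` and `resolve_ports` are hypothetical helper names.

```python
# Constructed excerpt in /etc/services format (not copied from a real host).
SAMPLE_SERVICES = """\
# name       port/proto   aliases
ssh          22/tcp                   # SSH Remote Login Protocol
smtp         25/tcp       mail
http         80/tcp       www
https        443/tcp
https        443/udp
submissions  465/tcp      ssmtp smtps urd
submission   587/tcp
"""

def parse_services(text, proto="tcp"):
    """Map every service name and alias to its port for one protocol."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, line_proto = fields[1].split("/", 1)
        if line_proto != proto or not port.isdigit():
            continue
        for name in [fields[0], *fields[2:]]:     # official name, then aliases
            table.setdefault(name, int(port))
    return table

def resolve_ports(spec, table):
    """Resolve a 'port = a,b,c' value; returns (ports, unknown_names)."""
    ports, unknown = [], []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if item.isdigit():
            ports.append(int(item))               # plain numbers pass through
        elif item in table:
            ports.append(table[item])
        else:
            unknown.append(item)                  # name has no entry in the table
    return ports, unknown
```

To check a real host, pass the contents of its own /etc/services to `parse_services`; any name reported as unknown has to be written as a number in the jail.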
I am using gerrit 3.2.1
After trying everything I could to configure my gerrit.sendemail, I still failed to send a verification mail.
[sendemail]
enable = true
smtpServer = smtp.offce365.com
smtpServerPort = 587
smtpEncryption = ssl
sslVerify = false
smtpUser = gerrit@gerritserver.com
smtpPass = pswd
I referred to https://groups.google.com/forum/#!msg/repo-discuss/RWvdXR-Z4nA/1USSK1F6AAAJ
but it seems I met a different problem.
For the encryption, according to Office 365, SMTP uses STARTTLS, but it seems to always fail. I tried ssl and tls; neither works.
I also tried port 25.
[2020-06-16T14:33:53.834+0800] [WorkQueue-2] INFO com.googlesource.gerrit.plugins.deleteproject.fs.RepositoryCleanupTask : Cleaning up expired git repositories... Done
[2020-06-16T14:35:32.927+0800] [plugin-manager-preloader] INFO com.googlesource.gerrit.plugins.manager.OnStartStop : 66 plugins successfully pre-loaded
[2020-06-16T14:36:13.420+0800] [HTTP PUT /accounts/self/emails/name%40emailhost.com (flynn from 127.0.0.1)] ERROR com.google.gerrit.server.restapi.account.CreateEmail : Cannot send email verification message to name@emailhost.com
com.google.gerrit.exceptions.EmailException: Mail Error: Connection timed out (Connection timed out)
at com.google.gerrit.server.mail.send.SmtpEmailSender.open(SmtpEmailSender.java:437)
at com.google.gerrit.server.mail.send.SmtpEmailSender.send(SmtpEmailSender.java:207)
at com.google.gerrit.server.mail.send.OutgoingEmail.send(OutgoingEmail.java:225)
at com.google.gerrit.server.restapi.account.CreateEmail.apply(CreateEmail.java:164)
at com.google.gerrit.server.restapi.account.CreateEmail.apply(CreateEmail.java:121)
at com.google.gerrit.server.restapi.account.CreateEmail.apply(CreateEmail.java:71)
Is this related to this question on the mailing list?
Also, when I check the office365 smtp settings it looks like it should use tls instead of ssl:
SMTP Host: smtp.office365.com
SMTP Port: 587
SSL Protocol: OFF
TLS Protocol: ON
SMTP Username: (your Office365 username)
SMTP Password: (your Office365 password)
Try to change your settings to tls and maybe you need to implement the workaround for java11.
1 more tip when I come back to this 3 years later...
I met another problem with a similar phenomenon.
It turns out some mail servers require the 'from' field to be equal to 'smtpUser'.
Trying to set up mailgun through nullmailer for email delivery from a box (let's call it a.example.com).
After some experimenting I found out that this works well for my /etc/nullmailer/remotes:
smtp.mailgun.org smtp --port=587 --user=postmaster@mg.example.com --pass=PASSWORD
But this only works on b.example.com, not on a.example.com that I wanted to set this up on. Looking further into this it looks as if mailgun is blocking my server.
On my laptop and b.example.com this works:
$ telnet smtp.mailgun.org 587
Trying 52.38.21.43...
Connected to smtp.mailgun.org.
Escape character is '^]'.
220 ak47 ESMTP ready
But on a.example.com it stops:
$ telnet smtp.mailgun.org 587
Trying 52.38.21.43...
Now I wonder if Mailgun is blocking a.example.com? And if so, if this is only temporary. And if not, what is going on here?
Found out that Scaleway.com (where a.example.com is) decided to block outgoing SMTP traffic by default.
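The telnet checks in the threads above (a `220` banner versus a connection that hangs at `Trying ...`) can be scripted so the three outcomes are told apart. This is an added example, not code from the original posters; `probe_smtp` and `summarize` are hypothetical names, and a timeout is treated only as a hint of filtering, which is why several hosts are compared.

```python
import socket

def probe_smtp(host, port=25, timeout=5.0):
    """Classify one outbound TCP probe the way the telnet test is read by eye.

    'open'     connected and got a banner (the '220 ...' line)
    'silent'   connected, but no banner before the timeout
    'refused'  an RST came back: reachable host, nothing listening
    'filtered' no reply at all: the 'Trying ...' hang of a dropped port
    'error'    DNS failure or another socket error
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "connection refused"
    except socket.timeout:
        return "filtered", "connect timed out"
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            return "silent", "connected, no banner"
        except OSError as exc:
            return "error", str(exc)
    return ("open", banner) if banner else ("silent", "closed without banner")

def summarize(hosts, port=25, timeout=5.0):
    """Probe several unrelated servers so one dead host is not read as a block."""
    results = {h: probe_smtp(h, port, timeout) for h in hosts}
    states = {state for state, _ in results.values()}
    if "open" in states:
        verdict = "not blocked"      # a banner proves the port gets out
    elif states == {"filtered"}:
        verdict = "likely blocked"   # all silent: suspect local network or ISP
    else:
        verdict = "inconclusive"     # refused/error: check the far end or DNS
    return verdict, results

if __name__ == "__main__":
    # Hostnames taken from the threads above; run from the machine under test.
    for port, hosts in ((25, ["gmail-smtp-in.l.google.com"]),
                        (587, ["smtp.mailgun.org"])):
        print(port, summarize(hosts, port))
```

Running the same probe from a second network, as the poster did with the laptop and b.example.com, is what separates a block at the provider from a block at the mail service.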
I have two SMTP servers listening on ports 2525 and 2526.
But I have only 1 public IP address.
I'd like to use postfix (already installed on my server) to receive emails only for domain xxx.company.com and domain yyy.company.com, and redirect those emails to server 1 (port 2525) for domain xxx.company.com and server 2 (port 2526) for domain yyy.company.com.
Postfix will not be used to send emails. Just receive.
I tried several postfix configurations but I haven't figured out how to do this properly.
For now, I end up with this:
In main.cf:
mydomain = company.com
mydestination = xxx.company.com, yyy.company.com
relay_domains = xxx.company.com, yyy.company.com
transport_maps = hash:/etc/postfix/transport
local_recipient_maps =
unknown_local_recipient_reject_code = 550
In transport.cf:
*xxx.company.com 2525:[localhost]
*yyy.company.com 2526:[localhost]
In master.cf, the following line has been uncommented:
local unix - n n - - local
But I still have an "unknown user" error in my maillog file.
I would like to be more accurate for local_recipients so I don't let the entire world enter my postfix.
Does anyone have an out-of-the-box example of this kind of configuration?
Thanks,
Jeremy B.
Your main.cf should be
#/etc/postfix/main.cf
mydomain = company.com
mydestination = xxx.company.com, yyy.company.com
relay_domains =
transport_maps = hash:/etc/postfix/transport
local_recipient_maps = hash:/etc/postfix/local_users
also add the following files
#/etc/postfix/local_users
# Here ACCEPT can be anything,postfix doesn't use it.
someuser@xxx.company.com ACCEPT
someuser@yyy.company.com ACCEPT
#/etc/postfix/transport
xxx.company.com smtp:[localhost]:2525
yyy.company.com smtp:[localhost]:2526
# modify localhost, if the server1 and server2 is not on localhost
Hope that helps.
I have a strange problem that recently popped on my Debian Squeeze server.
I've had Exim4 configured to use SMTP-AUTH with encryption setup and running on this box for a long time, but now it doesn't work.
At first I thought it was maybe my certificates expired, but that wasn't the case, they're good for several more years.
It appears that the server isn't listening on port 25 any longer.
If I try to telnet to port 25 it times out.
If I run netstat -tulpen on the server nothing is listening on port 25.
I'm using the splitconf for Exim4.
In conf.d/main I'm enabling MAIN_TLS_ENABLE=true
In conf.d/auth/30_exim4-config_examples I have the following
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
On the server if I run this command:
swaks -a -tls -q HELO -s localhost -au A_USER_NAME -ap '<>'
I get this ...
=== Trying localhost:25...
* Error connecting 0.0.0.0 to localhost:25:
* IO::Socket::INET: connect: Connection refused
Can someone point me to some more advanced debugging techniques?
OK. I figured it out.
Comcast blocks port 25. I don't know why this is coming up now, unless they've recently started blocking it.
I had to change a line in /etc/default/exim4
From this
SMTPLISTENEROPTIONS='-oX 25 -oP /var/run/exim4/exim.pid'
To this
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
I also added this to /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
tls_on_connect_ports=465
It's odd that this just popped up, unless a Debian package updated the /etc/default/exim4 file. It's confusing, but it's working. Hopefully this will be helpful to someone in the future.
Cheers.