Just been having a look at one of my Russian test servers and it’s also struggling to email my own address. You gave me a light bulb moment - it won’t connect because I can’t set an rDNS/PTR yet with this specific hosting provider.
Did you try to run a traceroute towards these Yahoo IPs to see if you get blocked on the way already, or if Yahoo is rejecting your connection attempts for other reasons?
Piping some string into a mail command is not a reliable mail test in any way. Rather, try connecting to the destination mail server via telnet to see the proper responses.
For gmail/hotmail, you need to get all your DNS records in order: rDNS, SPF, DKIM, DMARC
Then, maybe, just maybe, the email will be accepted, unless you try to send via the muppets that run the ATT, sbcglobal et al. group.
AFAIK @bubblecatcher’s server is with Hetzner and has an rDNS set, at least when I checked based on the domain names above.
That’s why I suggest checking whether he can even make a connection to those IPs, and especially to port 25 etc.
I still think he is either blocked by his own firewall settings or maybe by those providers directly. For the latter, however, you normally get a proper 5.7.1 or something and not just connection refused…
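Following the suggestion above to telnet to the destination mail server and look at the actual responses, and the point that a provider block normally shows up as a proper 5.7.1 reply rather than a bare connection refused, here is an added Python example (not from this thread and not Hestia code) that performs that probe and tells the cases apart. The host, port and HELO name are placeholders to be replaced with the real MX and your own hostname.

```python
import re
import socket

# RFC 5321 reply line: 3-digit code, optional RFC 3463 enhanced code (e.g. 5.7.1), free text.
REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")


def classify_reply(line: str) -> dict:
    """Parse one SMTP reply line and say what kind of answer it is."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return {"code": None, "enhanced": None, "text": line.strip(), "verdict": "unparseable"}
    code, enhanced, text = m.groups()
    if code[0] == "2":
        verdict = "accepted"
    elif code[0] == "4":
        verdict = "temporary-reject"           # greylisting, rate limit: retry later
    elif enhanced and enhanced.startswith("5.7."):
        verdict = "policy-reject"              # e.g. 5.7.1: the remote MTA refused us on purpose
    else:
        verdict = "permanent-reject"
    return {"code": code, "enhanced": enhanced, "text": text, "verdict": verdict}


def probe_smtp(host: str, port: int = 25, helo: str = "probe.example.invalid",
               timeout: float = 10.0) -> dict:
    """Connect, read the banner, send EHLO and QUIT, and report how far we got.

    A DROP somewhere on the path (or in our own OUTPUT chain) shows up as 'timeout',
    a REJECT or closed port as 'connection-refused', and a reputation/policy block
    as a real SMTP reply such as '554 5.7.1 ...' labelled 'policy-reject'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rf = s.makefile("rb")
            banner = rf.readline().decode(errors="replace")
            s.sendall(f"EHLO {helo}\r\n".encode())
            ehlo = [rf.readline().decode(errors="replace")]
            while ehlo[-1][3:4] == "-":        # "250-..." means more reply lines follow
                ehlo.append(rf.readline().decode(errors="replace"))
            s.sendall(b"QUIT\r\n")
            return {"stage": "connected", "banner": classify_reply(banner),
                    "ehlo": classify_reply(ehlo[-1]), "lines": ehlo}
    except ConnectionRefusedError:
        return {"stage": "connection-refused"}  # nothing listening, or a firewall REJECT
    except socket.timeout:
        return {"stage": "timeout"}             # packets silently dropped on the way
    except OSError as e:
        return {"stage": "network-error", "error": str(e)}


if __name__ == "__main__":
    print(probe_smtp("mx.example.invalid", 25, helo="mail.yourdomain.invalid"))
```

Run it once against the remote MX and once against your own server from outside; if the first reports "timeout" and the second "connected", the outbound side is what needs looking at.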
Note: although the main server IP is not on any blacklist, one other IP on the server is listed, though it looks like this is to do with the mail/DNS setup, which I am looking into.
That iptables listing tells a story. Do you even know what half of the rules you put in there are doing?
I suggest, for a simple test, changing the policies of the INPUT and OUTPUT chains to ACCEPT and trying to send a mail. If it works, you know what you messed up.
BTW, that’s what ipset is for: hashing large lists of IPs and subnets instead of having them resource-hogging inside iptables. And on top of that you (want to) use CSF? Paranoid much?
Anyway, this is far from what Hestia sets or does at all, so it is in no way related.
As said before, if you want to find what causes your troubles, start from scratch. iptables+fail2ban, which comes with Hestia, works out of the box.
If you change that dramatically by running scripts that implement large blocklists in a questionable way and on top put a second firewall appliance in parallel, I am afraid no one can help you.
TL;DR: YOU are blocking yourself from sending mails to the outside world by installing/running too much stuff that you can’t properly debug yourself. And it’s not related to Hestia.
^ You’d cringe if you saw my complete blocklist (ipset/CSF).
Typically 12 countries, nearly all the csf.blocklists plus AWS and now DO, on some servers. Plus, of course the idiots who broadcast/scan on the local networks.
Ain’t nothing to do with HestiaCP though.
No worries, I do use ipset myself with a few selected blocklists.
However, I don’t think iptables is the right place for weird rules trying to match uids or gids to control who’s allowed to send out mail … just sayin’