Hi, all email via my server is suddenly being refused and is stuck in the mailq:
2020-07-27 18:23:55 1k06qx-0004Sr-4S <= [email protected] H=host86-190-128-189.range86-190.btcentralplus.com ([192.168.1.169]) [22.214.171.124] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI="mail.innesphotography.co.uk" A=dovecot_plain: S=747 [email protected] [email protected]
2020-07-27 18:23:56 1k06qx-0004Sr-4S H=mx-eu.mail.am0.yahoodns.net [126.96.36.199] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S H=mx-eu.mail.am0.yahoodns.net [188.8.131.52] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S == R=dnslookup T=remote_smtp defer (111): Connection refused [email protected]
2020-07-27 18:25:11 1k06sA-0004aQ-Vf <= H=localhost ( [email protected] webmail.michael-innes.co.uk) [127.0.0.1] P=esmtp S=504 [email protected]
2020-07-27 18:25:11 1k06sA-0004aQ-Vf == R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ' [email protected] mail.com'
I have checked whether I am in any block lists and have found only one positive,
This comes up as an ancestor issue with no obvious means of removal.
Shouldn't the domains on the server that do not show in this list also fail to send?
2020-07-27 18:31:41 1k06yT-0004k4-KS <= [email protected] H=host86-190-128-189.range86-190.btcentralplus.com ([192.168.1.169]) [184.108.40.206] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI="mail.carpconnect.biz" A=dovecot_plain: [email protected] S=650 [email protected]z
2020-07-27 18:31:41 1k06yT-0004k4-KS == R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ' [email protected] mail.com'
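For reading entries like the ones above, here is an added example script (mine, not the poster's or HestiaCP's) that groups Exim mainlog deferrals by message id and explains the defer code. The sample log embedded in it is constructed to match the line format quoted in this post, with placeholder hosts and IPs; it assumes Exim's default timestamp format (no log_timezone). The two codes it knows are the two that appear here: 111 is the Linux errno for ECONNREFUSED, a TCP-level reset before any SMTP dialogue, and (-53) is Exim's "retry time not reached" hold, which is not a new attempt at all. So the (111) entries, not the (-53) ones, carry the diagnosis.

```python
"""Group Exim mainlog deferrals by message and explain the defer code.

Added example; the sample below is constructed to match the format of the
lines quoted in the thread. Hosts and IPs are documentation placeholders.
Live use:  python3 exim_defers.py < /var/log/exim4/mainlog
"""
import re
import sys
from collections import OrderedDict

SAMPLE_MAINLOG = """\
2020-07-27 18:23:55 1k06qx-0004Sr-4S <= sender@example.test H=client.example.test [192.0.2.10] P=esmtpsa S=747 for user@remote.example
2020-07-27 18:23:56 1k06qx-0004Sr-4S H=mx1.remote.example [198.51.100.25] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S H=mx2.remote.example [198.51.100.26] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S == user@remote.example R=dnslookup T=remote_smtp defer (111): Connection refused
2020-07-27 18:25:11 1k06sA-0004aQ-Vf <= sender@example.test H=localhost [127.0.0.1] P=esmtp S=504 for other@remote.example
2020-07-27 18:25:11 1k06sA-0004aQ-Vf == other@remote.example R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for 'remote.example'
"""

# "defer (N)": N > 0 is the errno from the failed system call (Linux values);
# N < 0 is an Exim-internal code. Only the two codes seen in the thread are listed.
DEFER_CODES = {
    111: ("ECONNREFUSED", "TCP connect to the MX was answered with a reset; the SMTP dialogue never started, so no 5xx can appear"),
    -53: ("retry time not reached", "no connection was attempted this run; Exim is honouring its retry database after an earlier failure"),
}

# Assumes the default mainlog timestamp "YYYY-MM-DD HH:MM:SS" followed by the message id.
LOG_PREFIX = r"^\S+ \S+ (?P<id>\S+) "
HOST_RE = re.compile(LOG_PREFIX + r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<msg>.+)$")
DEFER_RE = re.compile(LOG_PREFIX + r"== (?P<rcpt>\S+) R=(?P<router>\S+) T=(?P<transport>\S+) "
                      r"defer \((?P<code>-?\d+)\)(?: H=\S+ \[[^\]]+\])?: (?P<msg>.+)$")


def summarize_defers(log_text):
    """Return an ordered {message_id: info} dict. info holds the defer code, its
    label and hint, the recipient, and every per-host failure logged for that message."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            summary.setdefault(m["id"], {"hosts": []})["hosts"].append((m["host"], m["ip"], m["msg"]))
            continue
        m = DEFER_RE.match(line)
        if m:
            code = int(m["code"])
            label, hint = DEFER_CODES.get(code, ("unlisted code", "positive: look up the errno; negative: Exim-internal"))
            entry = summary.setdefault(m["id"], {"hosts": []})
            entry.update(code=code, label=label, hint=hint, rcpt=m["rcpt"], transport=m["transport"], reason=m["msg"])
    return summary


def real_failures(summary):
    """Message ids whose deferral records an actual failed attempt rather than a retry hold.
    These are the entries that say why the queue is stuck."""
    return [mid for mid, info in summary.items() if "code" in info and info["code"] != -53]


def report(summary):
    """Human-readable summary, one block per deferred message."""
    out = []
    for mid, info in summary.items():
        if "code" not in info:
            continue
        out.append(f"{mid} -> {info['rcpt']} via {info['transport']}: defer ({info['code']}) {info['label']}")
        out.append(f"    {info['hint']}")
        for host, ip, msg in info["hosts"]:
            out.append(f"    tried {host} [{ip}]: {msg}")
    return "\n".join(out)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAINLOG
    summary = summarize_defers(text)
    print(report(summary))
    print("investigate first:", ", ".join(real_failures(summary)) or "nothing")
```

Feed it the live mainlog and start with the message ids it lists under "investigate first"; everything deferred with (-53) is just waiting on the retry timer set by one of those.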
Just been having a look at one of my Russian test servers and it’s also struggling to email my own address. You gave me a light bulb moment - it won’t connect because I can’t set a rDNS/PTR yet with this specific hosting provider.
When I send email via the console
echo "Test message from server" | mail -s "Test message from server"
it works for receiving domains on the server, but not for external emails such as Gmail?
Did you try to run a traceroute towards these Yahoo IPs to see if you get blocked on the way already, or if Yahoo is rejecting your connection attempts because of other reasons?
Piping some string into a mail command is not a reliable mail test in any way. Rather, try connecting to the destination mail server via telnet to see proper responses.
For Gmail/Hotmail, you need to get all your DNS records in order: rDNS, SPF, DKIM, DMARC.
Then, maybe, just maybe, the email will be accepted, unless you try to send via the muppets that run the ATT, sbcglobal et al. group.
@bubblecatcher the server is with Hetzner and has an rDNS set, at least when I checked based on the domain names above.
That's why I suggest seeing if he can even make a connection to those IPs, and especially port 25, etc.
I still think he is either blocked by his own firewall settings or maybe by those providers directly. For the latter, however, you normally get a proper 5.7.1 or something and not just connection refused...
Thanks for the reply.
First off, all was working fine until recently, so I doubt it is something I have done; possibly an update?
Yes, I did do traceroute and dig:
traceroute to 220.127.116.11 (18.104.22.168), 30 hops max, 60 byte packets
1 static.78-47-66-225.clients.your-server.de (22.214.171.124) 0.313 ms 0.482 ms 0.635 ms
2 * core23.fsn1.hetzner.com (126.96.36.199) 1.537 ms core24.fsn1.hetzner.com (188.8.131.52) 7.426 ms
3 core1.fra.hetzner.com (184.108.40.206) 4.815 ms 4.952 ms core1.fra.hetzner.com (220.127.116.11) 5.035 ms
4 yahoo.peering.cz (18.104.22.168) 19.375 ms 18.834 ms 19.875 ms
5 UNKNOWN-188-125-89-X.yahoo.com (22.214.171.124) 20.335 ms 19.933 ms 19.466 ms
6 UNKNOWN-188-125-89-X.yahoo.com (126.96.36.199) 25.379 ms 27.604 ms 24.044 ms
7 xe-4-2-0.pat1.tc2.yahoo.com (188.8.131.52) 24.250 ms 25.258 ms 24.673 ms
8 UNKNOWN-66-196-65-X.yahoo.com (184.108.40.206) 40.263 ms 39.991 ms 41.017 ms
9 et-1-1-2.msr1.ir2.yahoo.com (220.127.116.11) 42.090 ms 41.365 ms ge-0-3-9-d104.pat1.the.yahoo.com (18.104.22.168) 41.103 ms
10 lo0.fab1-1-gdc.ir2.yahoo.com (22.214.171.124) 42.128 ms lo0.fab2-1-gdc.ir2.yahoo.com (126.96.36.199) 41.887 ms lo0.fab3-1-gdc.ir2.yahoo.com (188.8.131.52) 41.222 ms
11 usw1-1-lbb.ir2.yahoo.com (184.108.40.206) 42.195 ms usw2-1-lbb.ir2.yahoo.com (220.127.116.11) 41.109 ms usw1-1-lbb.ir2.yahoo.com (18.104.22.168) 41.381 ms
12 mtaproxy2.free.mail.vip.ir2.yahoo.com (22.214.171.124) 41.548 ms 40.999 ms 39.975 ms
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> 126.96.36.199
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39042
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;188.8.131.52. IN A
;; AUTHORITY SECTION:
. 1052 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072800 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Tue Jul 28 11:34:16 BST 2020
;; MSG SIZE rcvd: 117
Note this is not just Yahoo or Gmail, but any other email that sending is tried to as well, including
How can my own firewall be blocking me when it is turned off?
I need to configure DMARC; all others should be fine.
Could it be that Hetzner has decided to block port 25? Just a thought.
As per @Falzo, try a telnet port 25 test.
Hetzner usually doesn't block any ports.
Tried telnet from my laptop:
Connected to mail.michael-innes.co.uk.
Escape character is '^]'.
250-server.lislehost.com Hello host86-190-128-189.range86-190.btcentralplus.com [18.104.22.168]
250-AUTH PLAIN LOGIN
Mail FROM: [email protected]
RCPT TO: [email protected]ichael-innes.co.uk
550 smtp auth required
You should try telnet not into your own server but
from your server to e.g. Yahoo's mail server, because you can't send mails there.
Edit: maybe also post the output of
iptables -nL and
csf -t and
ipset -L to see what else could be going on... You are not using SELinux, right?
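A scripted version of the telnet test suggested above, added here as an example (it is not code from the thread or from HestiaCP). Run it on the sending server against the MX hostnames from the mainlog; it reports whether the attempt died at TCP connect (refused versus timed out), after the banner, or with an SMTP status, which is exactly the distinction between "connection refused" and a policy 5.7.1 that the discussion turns on. The dialogue is kept separate from the socket so it can also be replayed on captured bytes via run_captured. The default helo_name (socket.getfqdn()), the placeholder host mx.example.invalid and the constructed transcripts are assumptions.

```python
"""Probe a remote MX on port 25 and report the layer at which the attempt fails.
Added example (not code from the thread or HestiaCP). Run on the sending server:
    python3 smtp_probe.py mx-eu.mail.am0.yahoodns.net
"""
import io
import socket
import sys


def read_reply(rfile):
    """Read one SMTP reply, including '250-' continuation lines. Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection without completing a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250 text" (space after code) ends the reply
            break
    if not lines[0][:3].isdigit():
        raise ConnectionError(f"not an SMTP reply: {lines[0]!r}")
    return int(lines[0][:3]), lines


def smtp_dialogue(rfile, wfile, helo_name):
    """banner -> EHLO -> QUIT over file objects, so it runs on a socket or on captured bytes.
    'stage' records how far we got; 'policy' means the server spoke SMTP but turned us away."""
    result = {"stage": "banner"}
    try:
        code, lines = read_reply(rfile)
        result["banner"] = lines[0]
        if code != 220:                          # e.g. 421/554 greeting: TCP was fine, policy was not
            result.update(stage="policy", error=f"greeting {code}: {lines[0]}")
            return result
        result["stage"] = "ehlo"
        wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
        wfile.flush()
        code, lines = read_reply(rfile)
        result["ehlo_code"], result["extensions"] = code, [l[4:] for l in lines[1:]]
        if code != 250:
            result.update(stage="policy", error=f"EHLO rejected {code}: {lines[0]}")
            return result
        result["stage"] = "quit"
        wfile.write(b"QUIT\r\n")
        wfile.flush()
        read_reply(rfile)
        result["stage"] = "done"
    except ConnectionError as exc:
        result["error"] = str(exc)
    return result


def run_captured(transcript, helo_name="probe.example.invalid"):
    """Replay server bytes (constructed or captured) through the dialogue; handy for tests."""
    return smtp_dialogue(io.BytesIO(transcript), io.BytesIO(), helo_name)


def probe_smtp(host, port=25, helo_name=None, timeout=10.0):
    """TCP connect from this machine, then run the dialogue. helo_name should be the
    server's real hostname (the one its PTR resolves to); getfqdn() is only a default."""
    result = {"host": host, "port": port, "stage": "connect"}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        # RST to our SYN: nothing listening, or a REJECT rule somewhere (local or remote).
        # On Linux this is what Exim logs as "defer (111): Connection refused".
        result["error"] = f"connection refused (errno {exc.errno})"
        return result
    except socket.timeout:
        result["error"] = "connect timed out: SYN or SYN/ACK dropped (DROP rule or upstream port-25 filter)"
        return result
    except OSError as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    with sock, sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
        result.update(smtp_dialogue(rfile, wfile, helo_name or socket.getfqdn()))
    return result


if __name__ == "__main__":
    for mx in sys.argv[1:] or ["mx.example.invalid"]:
        r = probe_smtp(mx)
        print(f"{mx}: stage={r['stage']} {r.get('error') or r.get('banner')}")
```

Stage "connect" with "connection refused" is the TCP-level result seen in the mainlog; a 4xx/5xx greeting or EHLO rejection lands in stage "policy" and is the kind of answer you would expect from a provider that dislikes your IP or rDNS.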
Output as requested.
iptables -nL output:
csf: There are no temporary IP entries
ipset: command not found
I tried dropping all CSF denied IPs;
mail is still stuck in the queue.
telnet 22.214.171.124 25
Connected to 126.96.36.199.
Escape character is '^]'.
220 mtaproxy203.free.mail.ir2.yahoo.com ESMTP ready
Connection closed by foreign host.
So, it closed the connection before you could send a formatted test email?
Note that although the main server IP is not on any blacklist, one other IP on the server is listed, though it looks like this is to do with the mail/DNS setup, which I am looking into.
That iptables listing tells a story. Do you even know what half of the rules you put in there are doing?
I suggest, for a simple test, changing the policies of the INPUT and OUTPUT chains to ACCEPT and trying to send a mail. If it works, you know what you messed up.
BTW, that's what ipset is for: hashing large lists of IPs and subnets instead of having them resource-hogging inside iptables. And on top of that you (want to) use csf? Paranoid much?
Anyway, this is far off from what Hestia sets or does at all, so in no way related.
As said before, if you want to find what causes your troubles, start from scratch. iptables + fail2ban, which comes with Hestia, works out of the box.
If you change that dramatically by running scripts that implement large blocklists in a questionable way and on top put in a second firewall appliance in parallel, I am afraid no one can help you.
YOU are blocking yourself from sending mails to the outside world by installing/running too much stuff that you can't properly debug yourself. And it's not related to Hestia.
^ You’d cringe if you saw my complete blocklist (ipset/CSF).
Typically 12 countries, nearly all the csf.blocklists plus AWS and now DO, on some servers. Plus, of course, the idiots who broadcast/scan on the local networks.
Ain’t nothing to do with HestiaCP though.
No worries, I do use ipset myself with a few selected blocklists.
However, I don't think iptables is the right place for weird rules trying to match UIDs or GIDs to control who's allowed to send out mail... just sayin'.