Cannot send mail to my server, Access Denied

Hello Community,

When I try to send email to “X”, he receives the email successfully,
but when “X” wants to send email to me, he can’t, with this error:
image

I tried to contact “X” support and they told me they are 100% sure my server blocked them.
I searched on my server and found nothing about the block.

Any suggestions?

Check Exim log.

exigrep '=>.*[email protected]' /var/log/exim4/mainlog* --no-pager
root@cloud:~# exigrep '=>.*[email protected]' /var/log/exim4/mainlog* --no-pager
2024-08-01 04:05:33 1sZQoW-009fzj-De <= 1axb2r01vmlc3bcti6ufrkzdjlp5qrj44wy8i4-it=advo-ak.ae@bf05x.hubspotemail.net H=bd77g5n.bf05x.hubspotemail.net [143.244.94.9] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K S=53810 DKIM=warmy.io id=1722499428161.b17ae489-4291-4157-b56d-0dcba1f16f35@bf05x.hubspotemail.net
2024-08-01 04:05:33 1sZQoW-009fzj-De => it <[email protected]> R=localuser T=local_delivery
2024-08-01 04:05:33 1sZQoW-009fzj-De Completed

2024-07-31 10:36:56 1sZARj-008zVU-DO <= [email protected] H=static.192.0.13.49.clients.your-server.de [49.13.0.192] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K S=5688 [email protected]
2024-07-31 10:36:56 1sZARj-008zVU-DO => it <[email protected]> R=localuser T=local_delivery
2024-07-31 10:36:56 1sZARj-008zVU-DO Completed

2024-07-31 11:13:23 1sZB0z-0091KC-W8 <= [email protected] H=static.192.0.13.49.clients.your-server.de [49.13.0.192] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K S=3398 id=K95RgNg1iX8nk0GICHY3Q1GSKAc7w8jVyaWiImTtc8@localhost.localdomain
2024-07-31 11:13:23 1sZB0z-0091KC-W8 => it <[email protected]> R=localuser T=local_delivery
2024-07-31 11:13:23 1sZB0z-0091KC-W8 Completed

2024-07-22 05:40:03 1sVpWU-00HRmh-SS <= [email protected] H=static.33.230.109.65.clients.your-server.de (localhost) [65.109.230.33] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae A=dovecot_login:[email protected] S=16963 [email protected]
2024-07-22 05:40:03 1sVpWU-00HRmh-SS => it <[email protected]> R=localuser T=local_delivery
2024-07-22 05:40:03 1sVpWU-00HRmh-SS Completed

2024-07-22 23:30:03 1sW6Dy-000ZjE-GA <= [email protected] H=static.33.230.109.65.clients.your-server.de (localhost) [65.109.230.33] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae A=dovecot_login:[email protected] S=22838 [email protected]
2024-07-22 23:30:03 1sW6Dy-000ZjE-GA => it <[email protected]> R=localuser T=local_delivery
2024-07-22 23:30:03 1sW6Dy-000ZjE-GA Completed

2024-07-25 11:07:14 1sX03l-002zY3-VQ malware acl condition: clamd /run/clamav/clamd.ctl : unable to connect to UNIX socket (/run/clamav/clamd.ctl): Connection refused
2024-07-25 11:07:14 1sX03l-002zY3-VQ <= 1axb7omvhz199vlqus5rdfy115xigo7x1a2bjk-it=advo-ak.ae@bf05x.hubspotemail.net H=bd77g9o.bf05x.hubspotemail.net [143.244.94.154] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K S=53518 DKIM=warmy.io id=1721919762837.1ad66f6b-9f06-48a1-bcad-e29452f71ece@bf05x.hubspotemail.net
2024-07-25 11:07:15 1sX03l-002zY3-VQ => it <[email protected]> R=localuser T=local_delivery
2024-07-25 11:07:15 1sX03l-002zY3-VQ Completed

2024-07-25 23:10:02 1sXBLG-003SJV-L2 malware acl condition: clamd /run/clamav/clamd.ctl : unable to connect to UNIX socket (/run/clamav/clamd.ctl): Connection refused
2024-07-25 23:10:03 1sXBLG-003SJV-L2 <= [email protected] H=static.33.230.109.65.clients.your-server.de (localhost) [65.109.230.33] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae A=dovecot_login:[email protected] S=36837 [email protected]
2024-07-25 23:10:03 1sXBLG-003SJV-L2 => it <[email protected]> R=localuser T=local_delivery
2024-07-25 23:10:03 1sXBLG-003SJV-L2 Completed

2024-07-24 17:59:55 1sWk1b-002EG8-8Z <= [email protected] H=mail-oo1-f45.google.com [209.85.161.45] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae K S=14641 DKIM=warmy.io id=CAH+CUVGFFzNNUL_HkD_a_og1J9L4+cnnkF7xRc-pG6-RqY1QhA@mail.gmail.com
2024-07-24 17:59:55 1sWk1b-002EG8-8Z => it <[email protected]> R=localuser T=local_delivery
2024-07-24 17:59:55 1sWk1b-002EG8-8Z Completed

2024-07-24 23:45:02 1sWpPa-002QaA-3r <= [email protected] H=static.33.230.109.65.clients.your-server.de (localhost) [65.109.230.33] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae A=dovecot_login:[email protected] S=22702 [email protected]
2024-07-24 23:45:02 1sWpPa-002QaA-3r => it <[email protected]> R=localuser T=local_delivery
2024-07-24 23:45:02 1sWpPa-002QaA-3r Completed

2024-07-23 07:30:13 1sWDie-000uIK-AM <= [email protected] H=hermes.27a.net [159.69.8.67] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K S=3635 DKIM=sahsanu.net [email protected]
2024-07-23 07:30:13 1sWDie-000uIK-AM => it <[email protected]> R=localuser T=local_delivery
2024-07-23 07:30:13 1sWDie-000uIK-AM Completed

2024-07-23 08:18:11 1sWET4-000x3D-7r <= 01070190df871223-50bc40ac-5468-4a70-b342-63b27706d53e-000000@mail.hankocloud.com H=b224-11.smtp-out.eu-central-1.amazonses.com [69.169.224.11] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae S=4471 DKIM=amazonses.com id=01070190df871223-50bc40ac-5468-4a70-b342-63b27706d53e-000000@eu-central-1.amazonses.com
2024-07-23 08:18:11 1sWET4-000x3D-7r => it <[email protected]> R=localuser T=local_delivery
2024-07-23 08:18:11 1sWET4-000x3D-7r Completed

2024-07-23 08:39:55 1sWEo7-000xgC-5p <= <> R=1sWEm0-000xcE-Rd U=Debian-exim P=local S=7121
2024-07-23 08:39:55 1sWEo7-000xgC-5p => it <[email protected]> R=localuser T=local_delivery
2024-07-23 08:39:55 1sWEo7-000xgC-5p Completed

2024-07-23 09:56:18 1sWG01-0010Zr-4o <= [email protected] H=mail-oo1-f42.google.com [209.85.161.42] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae K S=9948 DKIM=warmy.io id=CAH+CUVHSqNLQnEzy19pndW+ztNMvxXQJHVEp7GK5EQCFn8GFxg@mail.gmail.com
2024-07-23 09:56:18 1sWG01-0010Zr-4o => it <[email protected]> R=localuser T=local_delivery
2024-07-23 09:56:18 1sWG01-0010Zr-4o Completed

2024-07-23 23:00:03 1sWSEU-001XMD-N6 <= [email protected] H=static.33.230.109.65.clients.your-server.de (localhost) [65.109.230.33] P=esmtpsa X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no SNI=mail.advo-ak.ae A=dovecot_login:[email protected] S=32785 [email protected]
2024-07-23 23:00:03 1sWSEU-001XMD-N6 => it <[email protected]> R=localuser T=local_delivery
2024-07-23 23:00:03 1sWSEU-001XMD-N6 Completed

I see no errors for 26th July.

I will try to send email from “X” to it@advo-ak

image

Check manually the log /var/log/exim4/mainlog at 1:11 PM to see what it says.

2024-08-01 10:39:58 1sZTDy-007nih-25 <= jaap@xxxx H=localhost (xxxxxxx) [127.0.0.1] P=esmtpa A=dovecot_login:jaap@xxxxx S=517 [email protected]
2024-08-01 10:39:59 1sZTDy-007nih-25 => [email protected] R=dnslookup T=remote_smtp H=mail.advo-ak.ae [] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no K C="250- 535 byte chunk, total 535\\n250 OK id=1sZTDz-009mib-3N"
2024-08-01 10:39:59 1sZTDy-007nih-25 Completed

Was able to send an email without any issues

 The TLS connection was non-properly terminated.
2024-08-01 06:11:00 no host name found for IP address 194.169.175.47
2024-08-01 06:11:03 dovecot_login authenticator failed for (User) [194.169.175.47]: 535 Incorrect authentication data ([email protected])
2024-08-01 06:11:03 TLS error on connection from (User) [194.169.175.47] (recv): The TLS connection was non-properly terminated.
2024-08-01 06:11:41 no host name found for IP address 194.169.175.47
2024-08-01 06:11:43 dovecot_login authenticator failed for (User) [194.169.175.47]: 535 Incorrect authentication data ([email protected])
2024-08-01 06:11:43 TLS error on connection from (User) [194.169.175.47] (recv): The TLS connection was non-properly terminated.

Yes, but when “X” sends from it: ‘Access denied’

I only see someone failing to login to your server.

Do you have any block list that could be blocking X (I suppose that is former Twitter) mail servers?


No, I didn’t block anyone.
Is there any log I can review?

If you can’t see any error in Exim’s logs, it is because the external mail server is not connecting to it, usually because a firewall is blocking them: yours, your hosting provider’s, whatever.

Show the output of this command:

iptables -S
root@cloud:~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-FTP
-N fail2ban-HESTIA
-N fail2ban-MAIL
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-A INPUT -p tcp -m tcp --dport 2083 -j fail2ban-HESTIA
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 78.47.142.16/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-FTP -j RETURN
-A fail2ban-HESTIA -j RETURN
-A fail2ban-RECIDIVE -s 117.184.78.86/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 180.101.88.220/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 152.32.159.121/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 175.24.163.177/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 117.83.178.140/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 201.71.21.1/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 182.16.245.79/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 61.177.172.160/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 167.99.123.24/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 218.92.0.24/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN

By the way, the “X” domain is: eim.ae

And I was trying to search for info about the mail servers used by x.com :stuck_out_tongue:
Well, I see nothing in your iptables rules; all seems OK. You are not using any ipset, and the IPs you are currently blocking don’t belong to the mail servers used by eim.ae.

These are the IPs I’ve found they are using to send mail:

$ for i in 1 2 3;do dig _spf$i.emirates.net.ae txt +short | sed 's/ /\n/g' | grep -E '^ip4|^include';done | cut -d ':' -f2 | sort -Vu

As I said, I think they didn’t reach your mail server, something blocked it.

Just in case, show the output of this command:

nft list ruleset

It’s ok if the above command doesn’t work.

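The comparison made by eye in the post above, between the firewall's reject rules and the sender's SPF addresses, can be scripted. This is an added example, not code from the thread: the function names and the sample rules (documentation addresses) are constructed for illustration, and only `-s`, `-p`, `--dport`/`--dports`, `--state` and `-j` are interpreted. Call `verdict()` once per sender address for port 25; anything other than `ACCEPT` names the chain that stops the connection.

```python
import ipaddress
import shlex

# Constructed sample in `iptables -S` format (documentation addresses, not the poster's rules).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A fail2ban-MAIL -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-MAIL -j RETURN
-A fail2ban-RECIDIVE -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
"""

def parse(text):
    """Return (policies, chains); each rule is an option->value dict ('!' negation unsupported)."""
    policies, chains = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i][0] == "-"}
            chains.setdefault(tok[1], []).append(opts)
    return policies, chains

def matches(rule, src, port):
    """True if a NEW inbound TCP connection from src to port matches the rule."""
    net = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)
    spec = rule.get("--dport") or rule.get("--dports") or "0:65535"
    ranges = [p.partition(":") for p in spec.split(",")]
    return (ipaddress.ip_address(src) in net
            and rule.get("-p", "tcp") == "tcp"
            and ("--state" not in rule or "NEW" in rule["--state"].split(","))
            and any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges))

def verdict(policies, chains, src, port, chain="INPUT"):
    """First-match walk following jumps; returns (target, chain), or None when a user chain falls through."""
    for rule in chains.get(chain, []):
        target = rule.get("-j")
        if not matches(rule, src, port):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, chain
        if target == "RETURN":
            break
        if target in chains and (hit := verdict(policies, chains, src, port, target)):
            return hit
    return (policies[chain], chain) if chain in policies else None
```
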

Sorry for the late reply, it’s 5:42 AM now in my country.

root@cloud:~# nft list ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                meta l4proto tcp tcp dport 2083 counter packets 934823 bytes 50100903 jump fail2ban-HESTIA
                meta l4proto tcp tcp dport 21 counter packets 12087 bytes 754366 jump fail2ban-FTP
                meta l4proto tcp tcp dport 22 counter packets 2532338 bytes 1065509598 jump fail2ban-SSH
                meta l4proto tcp tcp dport { 80,443} counter packets 102682321 bytes 13222780845 jump fail2ban-WEB
                meta l4proto tcp tcp dport { 25,465,587,110,995,143,993} counter packets 9440559 bytes 2752375926 jump fail2ban-MAIL
                meta l4proto tcp tcp dport 1-65535 counter packets 267169295 bytes 83094321065 jump fail2ban-RECIDIVE
                ct state related,established counter packets 252208114 bytes 82441632654 accept
                ip saddr 78.47.142.16 counter packets 8383794 bytes 503027640 accept
                ip saddr 127.0.0.1 counter packets 1784871 bytes 133576434 accept
                meta l4proto tcp tcp dport 3478 counter packets 856 bytes 55794 accept
                meta l4proto tcp tcp dport 22 counter packets 334378 bytes 35214367 accept
                meta l4proto tcp tcp dport { 80,443} counter packets 6806352 bytes 406366905 accept
                meta l4proto tcp tcp dport { 21,12000-12100} counter packets 10009 bytes 506611 accept
                meta l4proto udp udp dport 53 counter packets 8282 bytes 713815 accept
                meta l4proto tcp tcp dport 53 counter packets 3189 bytes 175635 accept
                meta l4proto tcp tcp dport { 25,465,587} counter packets 299982 bytes 17687420 accept
                meta l4proto tcp tcp dport { 110,995} counter packets 196828 bytes 10129940 accept
                meta l4proto tcp tcp dport { 143,993} counter packets 59263 bytes 3534959 accept
                meta l4proto tcp tcp dport 2083 counter packets 11000 bytes 636941 accept
                meta l4proto icmp counter packets 58169 bytes 4346098 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }

        chain fail2ban-MAIL {
                ip saddr 217.164.68.122 counter packets 0 bytes 0 reject
        }

        chain fail2ban-RECIDIVE {
                ip saddr 117.184.78.86 counter packets 927 bytes 48204 reject
                ip saddr 180.101.88.220 counter packets 1969 bytes 118140 reject
        }

        chain fail2ban-WEB {
        }

        chain hestia {
        }

        chain fail2ban-SSH {
                ip saddr 89.144.202.125 counter packets 4 bytes 240 reject
                ip saddr 144.217.13.134 counter packets 21 bytes 1668 reject
                ip saddr 101.126.69.104 counter packets 13 bytes 920 reject
                ip saddr 1.55.33.86 counter packets 20 bytes 1604 reject
                ip saddr 101.32.128.77 counter packets 17 bytes 948 reject
                ip saddr 139.59.245.64 counter packets 26 bytes 1920 reject
                ip saddr 165.227.9.20 counter packets 9 bytes 540 reject
                ip saddr 105.28.108.165 counter packets 19 bytes 1452 reject
                counter packets 2403792 bytes 1056571960 return
        }

        chain fail2ban-FTP {
                counter packets 8839 bytes 586262 return
        }

        chain fail2ban-HESTIA {
                counter packets 934823 bytes 50100903 return
        }
}

All ok. If you don’t have an external firewall, I see no problem on your side.


No, I don’t have an external firewall. Thank you a lot, bro.
Now I believe eim support won’t solve it.

