Firewall – Cannot connect to exim4 SMTP server

firewall, smtp, tcp, tcpdump

I have the problem that I cannot connect to my exim4 SMTP server from my home network:

$ telnet -4 example.com 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host

netstat on the server tells me that exim4 is listening on port 25, both IPv4 and IPv6. I started tcpdump on my server to check whether the request reaches the server; it shows nothing. I was puzzled and, as a last test, deleted all iptables rules as described here. Still, I am getting the Connection refused error.

Wireshark tells me that the server responds to my telnet request with RST/ACK, which implies that the port is closed. However, if I connect to the server from anywhere but my home network, it works without problems.

I have checked that the request leaves my local gateway and it does.

So now I am out of ideas. What could possibly lead to this request being rejected? Since tcpdump does not show anything and I get an RST/ACK, it must be at a very low level, but I cannot imagine what beyond iptables could block the incoming request – especially since this only seems to occur for packets from my home IP.

Best Answer

Be sure to check that the host on the other side is pingable. When you do that try to ping it and set up

tcpdump -ni any icmp

on the Exim server.

You should be able to confirm that the pings are traversing properly, and that the address in the iptables on the server side is correct.

If you have any other services on the Exim server then try to telnet to those too, for example HTTP on port 80, or something similar. When that succeeds you will know that you are getting closer; if it doesn't, then double check the firewall rules and that they are inserted BEFORE the DROP (actually REJECT in this case, as the telnet output says) rules, otherwise they will never have a chance to work.

To put a rule in the iptables at position 0 use

iptables -I INPUT -p tcp --dport 25 -s 5.6.7.8 -j ACCEPT

instead of

iptables -A INPUT -p tcp --dport 25 -s 5.6.7.8 -j ACCEPT

where the 5.6.7.8 should be the address that you saw on tcpdump with ICMP packets or any kind of whatsmyip site.

If other services work and port 25 still doesn't, then be aware that some ISPs block TCP port 25 deliberately to reduce spam on the network, therefore you might be forced to either:

  • contact your ISP and request that the block on that port be lifted for your IP
  • configure Exim to work also on another port (I suggest port 465 with encryption, but unencrypted port 587 is very commonly used to circumvent such firewalls)
  • use VPN to set up a tunnel to the Exim server and route traffic through it
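As an added example (not part of the answer above), a small POSIX shell check for the rule-ordering point: given the text of `iptables -S INPUT`, it reports whether the port-25 ACCEPT sits before or after a catch-all REJECT/DROP rule. The two rule listings are constructed samples, and 5.6.7.8 is the placeholder address used in the answer.

```shell
#!/bin/sh
# Check whether an INPUT-chain ACCEPT rule for a TCP port is shadowed by an
# earlier catch-all REJECT/DROP rule. Input is the text of `iptables -S INPUT`
# (one rule per line) on stdin; this script never touches the live firewall.
# Exit status: 0 = ACCEPT is reached, 1 = shadowed, 2 = no ACCEPT rule at all.

# Constructed sample (not real output): the port-25 ACCEPT for the home IP
# was appended with -A, so it lands after the catch-all REJECT.
APPENDED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 5.6.7.8/32 -p tcp -m tcp --dport 25 -j ACCEPT'

# Same ruleset after inserting the rule with -I instead (constructed).
INSERTED_RULES='-P INPUT DROP
-A INPUT -s 5.6.7.8/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

check_rule_order() {
    port="$1"; n=0; blocker=0; accept=0
    while IFS= read -r rule; do
        case "$rule" in
            -A*) n=$((n + 1)) ;;      # only -A lines occupy a position
            *) continue ;;            # skip -P / -N lines
        esac
        case "$rule" in
            # a terminal rule with no match options: everything left hits it
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                [ "$blocker" -eq 0 ] && blocker=$n ;;
            *"--dport $port "*"-j ACCEPT"*)
                [ "$accept" -eq 0 ] && accept=$n ;;
        esac
    done
    if [ "$accept" -eq 0 ]; then
        echo "no ACCEPT rule for tcp/$port in INPUT"; return 2
    elif [ "$blocker" -ne 0 ] && [ "$blocker" -lt "$accept" ]; then
        echo "tcp/$port ACCEPT is rule $accept, but rule $blocker rejects everything first"
        return 1
    fi
    echo "tcp/$port ACCEPT (rule $accept) is reached before any catch-all"
}

printf '%s\n' "$APPENDED_RULES" | check_rule_order 25 || true   # shadowed
printf '%s\n' "$INSERTED_RULES" | check_rule_order 25          # reached
```

On a real host, feed it with `iptables -S INPUT | check_rule_order 25` after sourcing the functions; a status of 1 is the "rule appended after the REJECT" situation the answer warns about.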