Enable SMTP Receipt Through Firewalld on Linux – How to

Tags: firewalld, iptables, postfix, smtp, telnet

I've leased a dedicated, lightly-managed CentOS 7 box from a hosting company. The host came with firewalld installed and running and with its iptables preferences pre-imposed.

I was not expecting this; I'm used to receiving unfirewalled boxes with no services running on them except the ones I turn on. I know little about firewalld and iptables and am struggling to get even basic external email traffic through port 25 and into postfix's queue. I believe it's the firewall that's blocking me because:

  • All my DNS records are set up properly. Those haven't changed in years; all I had to do was update the IP addresses to accommodate this new host.

  • netstat -ln confirms the port is listening; I can telnet localhost 25 and even negotiate EHLO, etc., just fine.

  • My postfix configuration is probably correct but also irrelevant. I'm not testing features like aliases or virtual domains: I'm just sending to real-local-user@postfix-$mydestination-entry. And when I send the message from localhost, it gets delivered just fine.

  • I've upped the verbosity of the postfix qmgr daemon, and no matter how much mail I send from outside the machine, its logs never indicate that any messages are making it to the queue. All it reports is every 5 minutes waking up to do some routine actions.

The relevant zone of firewalld looked like this when I got the machine:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http ssh https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I have now managed to make it look like this (all hidden lines remain the same):

public
  target: default
  services: http ssh https smtp
  ports: 25/tcp

(I made the changes with --permanent and did a --reload after each one.)

Unfortunately, I'm still unable to telnet host 25 from remote locations and remote mail still fails to reach my postfix queue. Any thoughts as to what I'm missing?

P.S. Notice that http is in the same firewalld zone and I've been able to telnet host 80 and connect via web browser since day 1.

P.P.S. I've avoided posting anything about iptables output here because I do not in fact know what portions of that are relevant. I'm hoping someone will be able to deduce my problem without that info, but if not then I can certainly dig it up …

Best Answer

Since this is a VPS, many of them pre-configure Postfix to listen only on 127.0.0.1:25 rather than 0.0.0.0:25, which would prevent external access to the SMTP port; checking inet_interfaces in your main.cf would be a logical first step.

You said you used netstat to make sure the process was listening; perhaps double-checking that it's actually binding to all interfaces rather than just 127.0.0.1:25 would be revealing.
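The two checks the answer suggests, as an added example that is not part of the original question or answer: a small POSIX shell script that reads the bind address of every port-25 listener out of ss -ltn or netstat -ltn output (the local address is column 4 in both formats) and reads the effective inet_interfaces value out of main.cf text. The sample listing and main.cf fragment are constructed, and the function names listen_scope and inet_interfaces_setting are this example's own, not Postfix or firewalld tooling.

```shell
#!/bin/sh
# Added example; not from the original question or answer.
# Two offline checks for the answer's hypothesis: (1) is the port-25 listener
# bound to a loopback address only, and (2) what does main.cf actually set
# for inet_interfaces.  All sample text below is constructed, not captured
# from the asker's host.

# listen_scope LISTING PORT
# LISTING is the text of `ss -ltn` or `netstat -ltn`; in both formats the
# local address is column 4 of each LISTEN line.  Prints "all" if any
# listener on PORT is bound to a non-loopback address (0.0.0.0, [::], *, or a
# specific interface address), "loopback" if every listener on PORT is
# 127.0.0.1 or ::1, and "none" if nothing listens on PORT.
listen_scope() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            n = split($4, a, ":")          # port is after the last colon
            p = a[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
                loop++
            else
                ext++
        }
        END {
            if (ext > 0)       print "all"
            else if (loop > 0) print "loopback"
            else               print "none"
        }'
}

# inet_interfaces_setting MAINCF
# Prints the effective inet_interfaces value from main.cf text: the last
# uncommented assignment wins, and Postfix defaults to "all" when the
# parameter is unset.  (Assumption: the parameter is not continued over
# several lines; `postconf inet_interfaces` on the box is authoritative.)
inet_interfaces_setting() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*inet_interfaces[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            v = $0
        }
        END { print (v == "" ? "all" : v) }'
}

# Constructed `ss -ltn` output showing the suspected mis-binding: smtp on
# loopback only, while ssh and http are on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    127.0.0.1:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    [::]:80              [::]:*'

# Constructed main.cf fragment with the loopback-only setting many
# providers ship.
SAMPLE_MAINCF='# constructed main.cf fragment
myhostname = mail.example.com
#inet_interfaces = all
inet_interfaces = localhost
mydestination = $myhostname, localhost'

echo "smtp listener scope: $(listen_scope "$SAMPLE_SS" 25)"             # loopback
echo "http listener scope: $(listen_scope "$SAMPLE_SS" 80)"             # all
echo "inet_interfaces:     $(inet_interfaces_setting "$SAMPLE_MAINCF")" # localhost
```

On the host itself, feed the functions live data: listen_scope "$(ss -ltn)" 25 and inet_interfaces_setting "$(cat /etc/postfix/main.cf)", or just postconf inet_interfaces. If the scope comes back as loopback, the firewalld zone is not the problem: the kernel is not accepting port-25 connections on the public address at all, and a remote telnet sees "Connection refused" rather than the timeout or "No route to host" that a firewalld reject produces. Set inet_interfaces = all and stop/start Postfix (Postfix documents that a reload is not enough for this parameter), then re-run the check.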
