I don't seem to be able to access port 25 on an instance on Amazon EC2. I have opened the port in the security group and in the iptables firewall. I have opened other ports (including 22 and 80) the same way and they work.
On the instance, I can telnet to port 25 and see the output from postfix. From outside EC2 I can telnet to port 22 or port 80 and see the output from the SSH server and the web server. But when I telnet to port 25 from outside EC2 it just sits waiting.
I have filled in the form to be able to send email and had confirmation that that has been done. And I've checked and outgoing email works fine. (All be it through a relay to avoid IP blacklists).
So does Amazon treat incoming traffic to port 25 differently? Does it work fine for other people? Any help appreciated.
As an alternative source of trouble I am using postfix on SUSE Linux (SLES 10) and I am wondering if either of those have some hidden settings that mean they won't respond to port 25 from off the machine. I have checked the iptables settings with iptables -L -nvv and iptables -t nat -L -nvv and I can't see any rules that would get in the way. And postfix does respond to telnet on the localhost.
Edit: When I turn iptables off completely, telnet returns immediately with
telnet: Unable to connect to remote host: Connection refused
As requested by an answer, the contents of master.cf are:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
#tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#localhost:10025 inet n - n - - smtpd -o content_filter=
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail unix - n n - - pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} {recipient}
and grep -v '#' /etc/sysconfig/postfix:
POSTFIX_RELAYHOST="[mail.domain.com]"
POSTFIX_MASQUERADE_DOMAIN=""
POSTFIX_LOCALDOMAINS="\$myhostname"
POSTFIX_NULLCLIENT="no"
POSTFIX_DIALUP="no"
POSTFIX_NODNS="no"
POSTFIX_CHROOT="no"
POSTFIX_UPDATE_CHROOT_JAIL=no
POSTFIX_LAPTOP=no
POSTFIX_UPDATE_MAPS=yes
POSTFIX_MAP_LIST="virtual transport access canonical sender_canonical relocated sasl_passwd:600 relay_ccerts"
POSTFIX_RBL_HOSTS=""
POSTFIX_BASIC_SPAM_PREVENTION=off
POSTFIX_MDA=local
POSTFIX_SMTP_AUTH_SERVER=no
POSTFIX_SMTP_AUTH=no
POSTFIX_SMTP_AUTH_OPTIONS=""
POSTFIX_SMTP_TLS_SERVER=no
POSTFIX_SMTP_TLS_CLIENT="no"
POSTFIX_SSL_PATH="/etc/postfix/ssl"
POSTFIX_TLS_CAFILE="cacert.pem"
POSTFIX_TLS_CERTFILE="certs/postfixcert.pem"
POSTFIX_TLS_KEYFILE="certs/postfixkey.pem"
POSTFIX_SSL_COUNTRY="XX"
POSTFIX_SSL_STATE="Some state"
POSTFIX_SSL_LOCALITY="Some locality"
POSTFIX_SSL_ORGANIZATION="Some Organization"
POSTFIX_SSL_ORGANIZATIONAL_UNIT="Some Organizational Unit"
POSTFIX_SSL_COMMON_NAME="A common name"
POSTFIX_SSL_EMAIL_ADDRESS="postmaster"
POSTFIX_ADD_MAILBOX_SIZE_LIMIT=0
POSTFIX_ADD_MESSAGE_SIZE_LIMIT=10240000
POSTFIX_REGISTER_SLP="yes"
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
I've changed the domain at the top, but it is otherwise the same.
Best Answer
When you change a security group of an instance that is already running, it can literally take ages until the changes are applied. Ages means, anything between instantly and hours!
I'd double check your iptables setup:
If all is well and it still doesn't work, just relaunch the instance.