Postfix – Ubuntu 20.04 Server Ignores Incoming Postfix Connections on IPv4, Accepts IPv6

Tags: postfix, ubuntu-20.04, ufw

I've hacked my server to bits and now I need help.
Everything was working, but I think these issues started when I tried to add a VPN server to this server to test some items at work. That process added fail2ban and a few other things.

When I check the mail error logs at /var/log/mail.err I see nothing at all (the logs are blank).
/var/log/mail.log is writing, but I never see anything relevant to the emails that are being sent.
This is on all hosted domains.

I cannot telnet to port 25 from outside the server, but I can telnet from the server to itself on port 25. Postfix is listening on 25.

UFW has allow rules to allow 25/tcp and to allow Postfix on both IPv4 and IPv6.

This is a VPS running Ubuntu 20.04 and is regularly updated.

What can I supply to figure out where the problem is?

Update 1:
Results of iptables-save: https://pastebin.com/REywGKsq

Update 2:
I have found that test emails work if I connect via IPv6, but fail with IPv4.

Update 3:

Results of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 51200000
milter_default_action = accept
milter_protocol = 6
mydestination = domain1.com, localdomain, localhost, localhost.localdomain, domain2.com, domain3.com, domain4.com
myhostname = box.domain1.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
virtual_alias_domains = domain5.com domain2.com domain3.com domain4.com domain1.com
virtual_alias_maps = hash:/etc/postfix/virtual

Results of netstat -rn (IP addresses masked)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         AAA.BBB.CCC.1    0.0.0.0         UG        0 0          0 ens3
10.8.2.0        0.0.0.0         255.255.255.0   U         0 0          0 br-5e7471c33f48
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
AAA.BBB.CCC.0    0.0.0.0         255.255.255.0   U         0 0          0 ens3

Best Answer

You have an iptables chain FILTERS:

-A INPUT -p tcp -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
-A FILTERS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited

It allows only TCP ports 22, 80 and 443 and rejects all other packets. All your ufw chains on INPUT are inactive.
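
As an added example (not code from the question or the answer), this Python sketch walks `iptables-save` rules in order for a new inbound TCP connection and reports the first terminal rule, which shows port 25 hitting the FILTERS reject before any later allow rule is consulted. It reads only `-p`, `-i`, `--dport`, `--state` and `-j` (no negation or other matches); the function names, the `f2b-sshd` RETURN line and the two `ufw-user-input` lines are assumptions made for the example.

```python
import shlex

# Answer's rules plus 3 constructed lines (f2b-sshd RETURN, both ufw-user-input lines).
SAMPLE = """\
-A INPUT -p tcp -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
-A INPUT -j ufw-user-input
-A FILTERS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
-A f2b-sshd -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
"""
OPTS = ("-p", "-i", "-j", "--dport", "--state")  # the only options this sketch reads

def parse(text):
    """Group '-A CHAIN ...' lines into {chain: [rule, ...]}, keeping rule order."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) > 2 and tok[0] == "-A":
            rule = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in OPTS}
            chains.setdefault(tok[1], []).append({**rule, "raw": line})
    return chains

def matches(rule, pkt):
    """Compare protocol, interface, port and state; other matches are ignored."""
    return (all(rule.get(k, pkt[k]) == pkt[k] for k in ("-p", "-i", "--dport"))
            and pkt["--state"] in rule.get("--state", pkt["--state"]).split(","))

def verdict(chains, pkt, chain="INPUT"):
    """First match wins: (target, rule line), or None if the chain falls through."""
    for rule in filter(lambda r: matches(r, pkt), chains.get(chain, [])):
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rule["raw"]
        if target == "RETURN":
            return None
        if hit := verdict(chains, pkt, target):  # jump into a user-defined chain
            return hit
    return None

def check(dport, iface="ens3", text=SAMPLE):  # NEW inbound TCP connection
    pkt = {"-p": "tcp", "-i": iface, "--dport": str(dport), "--state": "NEW"}
    return verdict(parse(text), pkt)
```

`iptables-save` dumps IPv4 rules only; IPv6 rules live in a separate table dumped by `ip6tables-save`, so a reject like this one does not apply to IPv6 connections.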