Sending and receiving emails issue

zenny

Active Member
Jul 7, 2008
86
2
28
Hi,

I am running a mailserver (ISPConfig) in a proxmox lxc container which was working fine and stopped working recently all of a sudden.

All the ports necessary are open in the proxmox host:

Code:
# iptables -L | grep smtp
ACCEPT     tcp  --  anywhere             192.168.25.110        tcp dpt:smtp

I use shorewall for routing; from the command line it shows all of this:

Code:
 # shorewall show -t nat
Shorewall 4.6.4.3 nat Table at server2 - Sat Jun 29 12:57:42 CEST 2019

Counters reset Sat Jun 29 09:58:06 CEST 2019

Chain PREROUTING (policy ACCEPT 7590 packets, 449K bytes)
 pkts bytes target     prot opt in     out     source               destination        
12161  763K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          

Chain INPUT (policy ACCEPT 620 packets, 36290 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 983 packets, 67958 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 8086 packets, 535K bytes)
 pkts bytes target     prot opt in     out     source               destination        
 3466  218K eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination        
 1625  116K SNAT       all  --  *      *       192.168.25.0/24       0.0.0.0/0            to:<PUBLIC_IP>

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.25.110
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.25.110:22
 1382 82392 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.25.110
   36  1952 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:192.168.25.110
  676 27060 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:192.168.25.110
   67  3924 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:192.168.25.110
    4   240 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:192.168.25.110
    3   148 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:192.168.25.110
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306 to:192.168.25.110


In the lxc host, 192.168.25.110, all ports are open too.

Telnet to all ports from the host machine to lxc container works without a problem.

However, telnet to the other SMTPS ports (465 and 587), unlike 25, is accessible from outside on the public IP.

Code:
$ telnet <PUBLIC_IP> 465
Trying <PUBLIC_IP>..
Connected to <PUBLIC_IP>.
Escape character is '^]'.

^].

telnet> quit
Connection closed.

But telnet from outside does not connect to port 25. However, the counter in the 'shorewall show -t nat' output shows that there is an exchange of packets on port 25. This could be the reason that the emails could not be sent.

I also tried running postfix on the host machine in loopback-only mode (inet_interfaces = loopback-only), but without success.

This has happened after a recent upgrade (still on proxmox 4.4). There is no smtp filter applied by the webhost provider.

Any pointers appreciated.

Thanks and cheers.
/z
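The 'shorewall show -t nat' dump above is the key evidence in this post: whether a DNAT rule exists for a port, where it points, and whether its packet counter moved. As an added example (not code from the thread, from Shorewall or from Proxmox), here is a small parser for that output that turns the table into a per-port verdict. The sample dump embedded in it is constructed, modelled on the output posted above; the container IP 192.168.25.110 is taken from the post.

```python
"""Summarise the DNAT rules in a saved 'shorewall show -t nat' (or
'iptables -t nat -L -v -n') dump.  Added example for this thread, not code
from the thread or from Shorewall/Proxmox.  The dump below is constructed,
modelled on the output posted above."""
import re

# Constructed sample: a forwarded port with traffic (25), one with a few
# packets (465), one that never matched a packet (22), and no rule for 80.
SAMPLE_NAT_DUMP = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1382 82392 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.25.110
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:192.168.25.110
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.25.110:22
"""

# One DNAT rule line: counters, target, protocol, then "dpt:<port> to:<addr>".
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+DNAT\s+(?P<proto>\S+)\s.*?"
    r"\bdpt:(?P<dport>\d+)\s+to:(?P<target>\S+)"
)


def expand_counter(text):
    """'iptables -v' abbreviates large counters (449K, 2M); expand them to ints."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if text and text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


def parse_dnat_rules(dump):
    """Map (proto, dport) -> (packets matched, DNAT target) for every DNAT rule."""
    rules = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            key = (m.group("proto"), int(m.group("dport")))
            rules[key] = (expand_counter(m.group("pkts")), m.group("target"))
    return rules


def check_forward(rules, dport, expected_ip, proto="tcp"):
    """Classify one port forward as 'missing', 'wrong-target', 'idle' or 'ok'.

    'ok' only says the NAT rule exists and has matched packets.  Whether the
    forwarded packets are then accepted by the FORWARD chain and answered by
    the container is a separate question, which tcpdump on each hop answers.
    """
    rule = rules.get((proto, dport))
    if rule is None:
        return "missing"
    pkts, target = rule
    if target.split(":")[0] != expected_ip:
        return "wrong-target"
    return "idle" if pkts == 0 else "ok"


if __name__ == "__main__":
    rules = parse_dnat_rules(SAMPLE_NAT_DUMP)
    for port in (22, 25, 80, 465):
        print("tcp/%-4d %s" % (port, check_forward(rules, port, "192.168.25.110")))
```

Run it against a real dump by replacing SAMPLE_NAT_DUMP with the captured text. Note that a counter that keeps climbing while outside connections still fail (the situation in this post) means the NAT rule is matching; the drop is somewhere after it.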

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,995
1,086
164
Hmm - if all other ports are configured as port 25 and they work, I would guess that the problem is external to shorewall:
* do you have a packetfilter/iptables configured on 'ISPConfig'?
* is the pve-firewall enabled on the PVE-node?

In any case I would start looking at traffic with tcpdump at various points - the physical interface the packets arrive on, the bridge, the tap device of the shorewall (and the fw-device if you have pve-firewall), inside shorewall, the outgoing interface of shorewall, the tap-device of ISPConfig, the interface of ISPConfig - that should show you where the packets get dropped.

I hope this helps!
 

zenny
@Stoiko Ivanov Thanks for your input.

Although it has been a while, the problem appears every time I upgrade the system (ubuntu 18.04). This time I can send emails, but not receive!

Legends:
Proxmox host = server2.domain.tld
LXC mailserver = mail.domain.tld

From the proxmox host, it works fine:

Code:
root@server2:~# telnet mail.domain.tld 25
Trying <PUBLIC IP>...
Connected to mail.domain.tld.
Escape character is '^]'.
220 server2.domain.tld ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.


root@server2:~# telnet 192.168.25.110 25
Trying 192.168.25.110...
Connected to 192.168.25.110.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.

Host postconf unchanged:

Code:
root@server2:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all  # also tried with loopback-only
mailbox_size_limit = 0
mydestination = domain.tld, server2.domain.tld, localhost.domain.tld, localhost
myhostname = server2.domain.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

tcpdump inside proxmox shows no dropped packets:

Code:
root@server2:~# tcpdump -i vmbr0 -nn -s0 -v port 25
....
99 packets captured
99 packets received by filter
0 packets dropped by kernel

root@server2:~# tcpdump -i eth0 -nn -s0 -v port 25
...
151 packets captured
151 packets received by filter
0 packets dropped by kernel

The smtp port is DNATted to 192.168.25.110:

Code:
root@server2:~# iptables -L | grep smtp
ACCEPT     tcp  --  anywhere             192.168.25.110        tcp dpt:smtp

Inside the lxc container (IP 192.168.25.110) running the mailserver, the mailserver resolves and the smtp port is open, too:

Code:
root@mail:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.

root@mail:~# telnet mail.domain.tld 25
Trying 192.168.25.110...
Connected to mail.domain.tld.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.

'postconf -n' output of the lxc guest running mailserver:

Code:
root@mail:~# postconf -n
address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
content_filter = lmtp:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.domain.tld, localhost, localhost.localdomain
myhostname = mail.domain.tld
mynetworks = 127.0.0.0/8 [::1]/128
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_dns_support_level = dnssec
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf

The tcpdump inside the Linux guest (192.168.25.110) shows no dropped packets, either:

Code:
root@mail:~# tcpdump -i eth0 -nn -s0 -v port 25
...
154 packets captured
154 packets received by filter
0 packets dropped by kernel

Yet, when I try to telnet to smtp port of the mailserver from outside:

Code:
$ telnet mail.tld.net 25
Trying <PUBLIC IP>...
telnet: Unable to connect to remote host: No route to host

Thus, I can send emails, but not receive! I either get "The recipient server did not accept our requests to connect. FAILED_PRECONDITION: connect error (113): No route to host]:" or the mail.log shows:

Code:
 NOQUEUE: reject: RCPT from mail-ej1-f50.google.com[209.85.218.50]: 451 4.3.5 : Recipient address rejected: Server configuration problem

pve-firewall for the lxc guest mailserver is disabled via the proxmox gui, and so is ufw inside the guest (`ufw disable`), because even allowing all ports (ufw allow smtp) didn't make any difference.

Code:
root@mail:~# ufw status
Status: inactive

The proxmox host's pve-firewall is disabled and replaced with shorewall, which clearly DNATs port 25 to 192.168.25.110, but port 25 is not accessible by telnet from outside. The iptables-save output is pasted in http://ix.io/3pQ6 for your perusal.


I would appreciate it if anyone could help me figure out the bottleneck. Thanking you in advance.


Cheers and stay safe,
/z
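The outside test in this post fails with errno 113 ("No route to host"), and the sender's bounce quotes the same number. That failure mode is worth telling apart from a silent timeout and from "Connection refused", because each one says something different about where in the path the connection died. The following probe is an added example, not code from the thread; it assumes Linux errno semantics (EHOSTUNREACH = 113, ECONNREFUSED = 111), and the throwaway loopback listener in local_demo() is constructed only to demonstrate the 'open' and 'refused' verdicts offline.

```python
"""Classify what a failed TCP connect is telling you.  Added example, not code
from the thread.  Assumes Linux errno semantics; local_demo() opens a
constructed listener on 127.0.0.1 so the two easy verdicts can be shown
without any external host."""
import errno
import socket


def classify_connect(host, port, timeout=3.0):
    """Attempt one TCP connect; return (verdict, errno-or-None)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", None
    except socket.timeout:
        # Neither SYN-ACK nor ICMP came back: a DROP rule or a black hole on the path.
        return "timeout", None
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            # A TCP RST came back: the host was reached but nothing listens on
            # that port (or a REJECT --reject-with tcp-reset rule answered).
            return "refused", e.errno
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # ICMP unreachable came back (113 = EHOSTUNREACH, the thread's case):
            # either no route, or an ICMP-based REJECT rule on a firewall between
            # the client and the target.  A plain missing listener never gives this.
            return "unreachable", e.errno
        return "error", e.errno
    finally:
        s.close()


def local_demo():
    """Show 'open' against a listener on 127.0.0.1 and 'refused' once it is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_connect("127.0.0.1", port)[0]
    listener.close()
    after_close = classify_connect("127.0.0.1", port)[0]
    return while_listening, after_close


if __name__ == "__main__":
    print(local_demo())
```

Used against the public IP and port 25 from outside, an "unreachable" verdict means something on the path answered with ICMP rather than dropping silently, so the next step is to look at the REJECT rules (and their --reject-with type) on each firewall between the client and the container, not at postfix.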

Stoiko Ivanov
The smtp port is DNATted to 192.168.25.110:

Code:
root@server2:~# iptables -L | grep smtp
ACCEPT tcp -- anywhere 192.168.25.110 tcp dpt:smtp
That's just the ACCEPT rule - not the portforward/NAT - but the iptables-save output (from a very quick glance) indicates that you do have some DNAT rules in place.

telnet: Unable to connect to remote host: No route to host
This usually means that there is no answer from that host - since you tried and can reach it from inside your network - I'd suggest asking your ISP, maybe they have some blocks in place?

Else - can you connect (via telnet) from the PVE-node to port 25 on your container?
 

zenny
That's just the ACCEPT rule - not the portforward/NAT - but the iptables-save output (from a very quick glance) indicates that you do have some DNAT rules in place.


This usually means that there is no answer from that host - since you tried and can reach it from inside your network - I'd suggest asking your ISP, maybe they have some blocks in place?

Else - can you connect (via telnet) from the PVE-node to port 25 on your container?
Thanks for your input.

1. I guess I already have the DNAT rule in place, in line 34 of http://ix.io/3pUe

2. Port 25 of the mailserver (lxc guest) is reachable by telnet from the proxmox host:

Code:
root@server2:~# telnet 192.168.25.110 25
Trying 192.168.25.110...
Connected to 192.168.25.110.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix (Debian/GNU)
^]
telnet> quit
Connection closed.

Or did I miss something?

Cheers.
/z
