outgoing tcp port 25 blocked? how to prove it?

Subject: outgoing tcp port 25 blocked? how to prove it?
From: lesen (at) *nospam* wimezu.com (Lesley Esen)
Newsgroups: comp.unix.bsd.freebsd.misc comp.unix.programmer comp.misc
Followup-To: comp.misc
Date: 18 Oct 2024, 15:03:40
Organization: A noiseless patient Spider
Message-ID: <87o73h4if7.fsf@tudado.org>

I've got a FreeBSD running as a Lightsail instance at AWS.  I asked AWS
to create a reverse dns for my host and also lift all restrictions on
port 25.  They did so: the reverse dns has been created and I can get
mails from the outside, but I can't seem to go out on TCP port 25.  That
still seems blocked at least as far as the hosts I've tried to reach.
This might not have anything to do with AWS.  AWS said that "[e]mail
sending limitations have also been removed for any resources for the
region your EIP is located in."  I believe them.

The host 69.164.210.174 can reach my host at mx.antartida.xyz just
fine.  The host mx.antartida.xyz is also named a.antartida.xyz.

%telnet mx.antartida.xyz 25
Trying 34.197.192.71...
Connected to mx.antartida.xyz.
Escape character is '^]'.
220 a.antartida.xyz ESMTP Sendmail 8.17.1/8.17.1; Fri, 18 Oct 2024 10:24:01 -0300 (-03)
help
214-2.0.0 This is sendmail version 8.17.1
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0       http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
quit
221 2.0.0 a.antartida.xyz closing connection
Connection closed by foreign host.

The host 69.164.210.174 also runs an SMTP server, but someone seems to
block my path to it.  It might not be AWS as I also can't reach it from my
personal computer (with a dynamic IP address).  Here's a tcpdump from
host mx.antartida.xyz while trying to telnet to 69.164.210.174 on port
25.

--8<-------------------------------------------------------->8---
# tcpdump -n port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ena0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931741362 ecr 0], length 0
09:01:46.964516 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931742388 ecr 0], length 0
09:01:49.164532 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931744588 ecr 0], length 0
09:01:53.424248 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931748848 ecr 0], length 0
09:02:01.764542 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931757188 ecr 0], length 0
09:02:17.964527 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931773388 ecr 0], length 0
09:02:50.164521 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931805588 ecr 0], length 0
^C
7 packets captured
243 packets received by filter
0 packets dropped by kernel
--8<-------------------------------------------------------->8---

The view from host 69.164.210.174:

--8<-------------------------------------------------------->8---
# tcpdump -n host 34.197.192.71
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
--8<-------------------------------------------------------->8---

We can see TCP SYN packets being sent and none are acknowledged.

If I switch from port 25 to port 21, I can see my packets arrive (even
though there's no FTP server at 69.164.210.174).

From the Lightsail instance:

--8<-------------------------------------------------------->8---
%telnet 69.164.210.174 21
Trying 69.164.210.174...
telnet: connect to address 69.164.210.174: Connection refused
--8<-------------------------------------------------------->8---

The view from 69.164.210.174:

--8<-------------------------------------------------------->8---
# tcpdump -n port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:31:04.679931 IP 34.197.192.71.43674 > 69.164.210.174.21: Flags [S], seq 2257976044, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2164055307 ecr 0], length 0
13:31:04.679989 IP 69.164.210.174.21 > 34.197.192.71.43674: Flags [R.], seq 0, ack 2257976045, win 0, length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
--8<-------------------------------------------------------->8---

I get a TCP RST back as expected.  I get essentially the same output
from tcpdump at both hosts.  In other words, there's no connectivity
problem between the two.  It's really port 25 that's being filtered.
(Each host is also able to ping each other.)

In summary, I can get e-mails from the outside, but I can't deliver
e-mails or reach Google SMTP servers either from the host
mx.antartida.xyz.  So it's not just the host 69.164.210.174 that I can't
reach. 

If I try a random SMTP such as the ones for cnn.com, say, I can't reach
them from mx.antartida.xyz, but I can from host 69.164.210.174.  Host
69.164.210.174 is a personal mail server running netqmail, so I'm
getting the idea that host 69.164.210.174 has a good enough reputation to
talk to, say, CNN's email servers, but not mx.antartida.xyz (which is a
newly-born SMTP, just starting out in life).

So I must be blacklisted?  I've looked around on the web and the queries
I've been able to issue say that I'm *not* blocked anywhere.

So I'm looking for advice on running my own mail server once again in
the complicated phase the Internet is going through.  If you have any
recommendations on this, I'd appreciate hearing about it.  Thank you.
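
Added example, not part of the original post: a small Python parser that applies the reasoning above to `tcpdump -n` text, labelling each attempted destination as answered with SYN-ACK, answered with RST, or never answered (only SYN retransmits seen). The function name `classify` and the sample capture (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def classify(capture):
    """Map (dst_ip, dst_port) -> (verdict, syn_count) for every SYN seen."""
    syns = defaultdict(int)   # (src, sport, dst, dport) -> SYNs sent, retransmits included
    replies = {}              # same key -> flags of the first packet coming back
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue          # banner lines, "^C", packet counters
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif (dst, dport, src, sport) in syns:
            # packet travelling in the reverse direction of a SYN we recorded
            replies.setdefault((dst, dport, src, sport), flags)
    verdicts = {}
    for key, count in syns.items():
        flags = replies.get(key)
        if flags is None:
            state = "no-reply"   # SYN or its answer is dropped somewhere on the path
        elif flags.startswith("S"):
            state = "open"       # SYN-ACK: something is listening
        elif flags.startswith("R"):
            state = "closed"     # RST: host reachable, nothing listening
        else:
            state = "other"
        verdicts[(key[2], int(key[3]))] = (state, count)
    return verdicts

# Constructed sample modelled on the captures in the post (not real traffic).
SAMPLE = """\
09:01:45.939473 IP 192.0.2.10.37963 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
09:01:46.964516 IP 192.0.2.10.37963 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
09:01:49.164532 IP 192.0.2.10.37963 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
09:03:04.679931 IP 192.0.2.10.43674 > 198.51.100.25.21: Flags [S], seq 7, win 65535, length 0
09:03:04.700989 IP 198.51.100.25.21 > 192.0.2.10.43674: Flags [R.], seq 0, ack 8, win 0, length 0
"""

if __name__ == "__main__":
    for target, (state, count) in classify(SAMPLE).items():
        print(target, state, f"{count} SYN(s)")
```

A "no-reply" verdict from a capture taken on the sending host cannot tell whether the SYN or its answer was dropped; a simultaneous capture on the destination that shows nothing arriving, as in the post, places the drop on the outbound path.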
