Port blocked even though its in the incoming/outgoing allow

[kisonay]

I am having trouble sending email from my server using CSF to a third party email provider.

I need to connect to the third party via port 587. I have confirmed that this port is added TCP_IN and TCP_OUT list (was there by default) saved and restarted but the connection times out.

If I disable CSF it can connect and send email without a problem.

What would cause this to be blocked even though it is in the IN/OUT list?

[chatwizrd]

What happens when you telnet to port 587? Do you see any blocked lines in /var/log/messages

[kisonay]

Code: Select all

rMBP:~$ telnet 174.xx.xx.xxx 587
Trying 174.136.14.97...
telnet: connect to address 174.xx.xx.xxx: Connection refused
telnet: Unable to connect to remote host

Nothing appears in /var/log/messages

But taking that a step further, when I try to sent the email I see the following in /var/log/messages

Code: Select all

May 16 15:21:53 s1 suhosin[26482]: ALERT - configured request variable name length limit exceeded - dropped variable 'moodle/.../formchangechecker-min_js' (attacker '74.xxx.xxx.xxx', file '/home/...yui_combo.php')

So it looks like it is suhosin combined with csf may be causing the problem.

[kisonay]

OK so I was able to modify the suhosin.ini file and was able prevent the item showing in messages but csf is still blocking the connection.
Looking at the output when csf is starting I see the following related to 587

Code: Select all

ACCEPT  tcp opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state NEW tcp dpt:587 
ACCEPT  tcp opt    in !lo out *  ::/0  -> ::/0  state NEW tcp dpt:587
ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state NEW tcp dpt:587 
ACCEPT  tcp opt    in * out !lo  ::/0  -> ::/0  state NEW tcp dpt:587 
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 owner UID match 0 
DROP  tcp opt    in * out *  ::/0  -> ::/0  tcp dpt:587 
ACCEPT  tcp opt    in * out *  ::/0  -> ::/0  tcp dpt:587 owner UID match 0 
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 owner UID match 32001 
ACCEPT  tcp opt    in * out *  ::/0  -> ::/0  tcp dpt:587 owner UID match 32001 
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 owner GID match 12 
ACCEPT  tcp opt    in * out *  ::/0  -> ::/0  tcp dpt:587 owner GID match 12 
ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 owner GID match 32006 
ACCEPT  tcp opt    in * out *  ::/0  -> ::/0  tcp dpt:587 owner GID match 32006 
ACCEPT  tcp opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:587 

does that look correct?

[Sergio]

Is port 587 added on the SMTP_PORTS in CSF?

Like:
SMTP_PORTS = 25,26,465,587

[kisonay]

Is port 587 added on the SMTP_PORTS in CSF?

Like:
SMTP_PORTS = 25,26,465,587

Yes it is listed, so that is the problem.

If I turn off SMTP_BLOCK it sends fine. If I leave it on and remove port 587, change and restart, my connection is still blocked. I would rather not turn it off.

[kisonay]

I was able to fix it. In my troubleshooting I changed the mailing app to use port 25 rather than 587. Once I changed it back to 587 and made sure that it was removed from SMTP_PORTS all started working correctly.

Thank you both for your help!