View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Blocking Port 25? What's the deal?
Log in to Ask a Question

Blocking Port 25? What's the deal?

email dovecot

Hi Guys, I'm noob when it comes to email servers. But setup a linode a few weeks ago, installed Ubuntu 14.0.4 and VestaCP with Exim/Dovecot, Apache, Nginx etc.

The ip was blacklisted after about a week, on CBL, for sending spam emails or emails infected with a trojan.

I've got no idea how that happened… I haven't sent a lot of emails from it.

I installed Spam assassin and ClamAV, delisted the ip and hoped that that would fix the problem.

Yesterday the server was blacklisted again :( :|

I spend hours researching and figured I needed to block outgoing SMTP port 25 connections.

I tried a few different rules, not really knowing what I was doing. Anyhow, I've ended up blocking all port 25 connections, by simply not specifying any rules for port 25 and denying all by default in iptables.

But I'm puzzled. From what I read, this should stop all incoming and outgoing mail from my server? But it appears that the mail server is still working ok? I'm able to send and receive emails.

I'm just looking for a bit of advice… Am I doing the right thing by not allowing any port 25 connections? Or should I allow incoming and not outgoing, or vice versa? What other things could I be doing to try and stop spammers from taking advantage of my server?

Any help is muchly appreciated :D

Here's my iptables:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 45.56.85.76/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8433 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 12000:12100 -j ACCEPT

17 Replies

CBL lists your Linode as a SPAM sending IP.

You need to block OUTGOING to port 25 (unless you are really running a mail server trying to communicate with other mail servers on port 25)

So appended to your rules is:

-A OUTPUT -p tcp -m tcp –dport 25 -j DROP

@Emmanuel2:

installed Ubuntu 14.0.4 and VestaCP with Exim/Dovecot, Apache, Nginx etc.
If you don't want email, why install Exim/Dovecot?

Thanks guys. Yes, I actually do run a mail server and want to be able to send emails from it.

I added these three rules:

> -A OUTPUT -s 45.56.85.76/32 -p tcp -m tcp –dport 25 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 25 -j LOG

-A OUTPUT -p tcp -m tcp --dport 25 -j DROP

Will that do the trick?

If I'm sending all my outgoing emails through port 587, then can just completely block all outgoing emails on port 25?

And yes, I figured that by blocking all incoming on port 25 I was stopping emails from coming in. Doh!

@Emmanuel2:

Thanks guys. Yes, I actually do run a mail server and want to be able to send emails from it.

I added these three rules:

> -A OUTPUT -s 45.56.85.76/32 -p tcp -m tcp –dport 25 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 25 -j LOG

-A OUTPUT -p tcp -m tcp --dport 25 -j DROP

Will that do the trick?

If I'm sending all my outgoing emails through port 587, then can just completely block all outgoing emails on port 25?

It will work if your mail server is operating in smart hub mode where all mail are just given to the 45.56.85.76 server for actual delivery.

That's what I did at home since I have a domain under Google apps, then all my mail gets sent/relayed through google's smtp server under 587. (my ISP actually blocks outgoing 25)

Now if all the mail servers you are talking to uses 587, then yes you can block off 25, but last I checked actual mail server to server intra communication still uses port 25 (ie gmail.com to outlook.com)

Hmmm… ok.

How could I test to see if that configuration I have is working properly?

I seem to be able to send and receive emails no problem at the moment.

We seem to have gone off track.

Since you need to have port 25 open as you are running a public mail server (you are sending mail to other domains directly)

You'll need to audit your server, as CBL is claiming that your IP is involved in some hanky panky.

This is the real challenge when you are running your own server and you have no idea what's wrong.

I'm actually out of ideas right now.

Ok… well that makes two of us!

Have you run an open relay test? Maybe you've got something misconfigured. Also check your mail logs for anything outbound that you didn't send yourself (or another valid account on the system).

As far as I know there is no open relay. I've tested it with mxtoolbox

If it's not an open relay, what else has the ability to send out emails? Something triggered the blacklists to label your IP a spammer.

Yeah, well that's the problem. Maybe there's some rogue php script?

I'm not sure what do to do try and troubleshoot it

You need to check your mail server logs; if you see a gazillion emails from (say) www-data then you know it's coming from a web site you're hosting. If you see a gazillion mails coming in, being relayed, going out then you have an smtp server config error.

@Emmanuel2:

I'm not sure what do to do try and troubleshoot it

@haus:

…check your mail logs for anything outbound that you didn't send yourself…

I don't remember where Exim keeps its logs, but I'll guess something like /var/log/exim4/ (been a long time since I used Exim, sorry)…you're going to need to roll up your sleeves and start investigating. Assuming log file name is "exim_mainlog" you could do:

more exim_mainlog (and page through the results looking for interesting things)

tail -f exim_mainlog (and just keep an eye on it for awhile, see if something pops up)

You could get a little more complicated and look for block messages, assuming it's a rogue script continuing to try to send to blacklisted IPs, but I personally try to start with a wide net when I'm not totally sure what's going on.

Any particular reason for using Exim? Most people use PostFix, so there are probably more how-to's and help for that application.

Thanks for the help guys. I'm using Exim because that's just what VestaCP installed automatically. I've generated some exim stats from my log files. Here is some excerpts. One of you guys might be able to understand it better than me.

Exim statistics from 2015-02-15 06:49:26 to 2015-02-26 03:25:34

Grand total summary
-------------------
                                                                  At least one address
  TOTAL               Volume   Messages Addresses     Hosts      Delayed       Failed
  Received              54MB        971                 458       7  0.7%     42  4.3%
  Delivered             84MB       1229      1245        20
  Rejects                          4247                1355
  Temp Rejects                    20181                 134

Deliveries by transport
-----------------------
                      Volume    Messages
  local_delivery        48MB         850
  local_spam_delivery   355KB          36
  remote_smtp           36MB         343

And a bit more

Top 50 mail rejection reasons by message count
----------------------------------------------
  Messages   Mail rejection reason
      1237   Dropped: too many nonmail commands
      1100   Rejected RCPT: relay not permitted
       289   Connection refused: too many connections
       116   Rejected MAIL: Access denied - Invalid HELO name (See RFC2821 4.1.3)
        83   Rejected RCPT: Unrouteable address
        79   Rejected RCPT: Sender verify failed
        15   Rejected RCPT: Rejected because 178.32.47.104 is in a black list at bl.spamcop.net
        13   SMTP protocol synchronization error
         9   Rejected RCPT: Rejected because 118.97.175.114 is in a black list at bl.spamcop.net
         7   Rejected MAIL: Helo name contains a ip address (HELO was [192.168.1.8]) and not is valid
         6   Rejected HELO/EHLO: syntactically invalid argument
         6   Rejected MAIL: Helo name contains a ip address (HELO was [192.168.1.5]) and not is valid
         5   Rejected RCPT: Rejected because 46.21.182.74 is in a black list at bl.spamcop.net
         5   Rejected RCPT: Rejected because 89.215.72.239 is in a black list at bl.spamcop.net
         4   Rejected MAIL: Helo name contains a ip address (HELO was [192.168.1.3]) and not is valid  .....

Top 50 sending hosts by message count
-------------------------------------
  Messages      Bytes    Average   Sending host
        75      578KB       7891   local
        61     5303KB       87KB   (Asus15)
        26     5087KB      196KB   server502.webhostingpad.com
        26       74KB       2914   mail2.linode.com
        13      585KB       45KB   sv2.elanceonline.com
        10      125KB       13KB   mail.elecelite.eu
         8      246KB       31KB   kjmx009.kijiji.com
         8      202KB       25KB   smtp.netregistry.net
         8       40KB       5120   a27-38.smtp-out.us-west-2.amazonses.com
         7     2056KB      294KB   pa49-183-93-104.pa.vic.optusnet.com.au
         7      483KB       69KB   nskntmtas04p.mx.bigpond.com
         7      300KB       43KB   mail-pa0-f52.google.com
         7      218KB       31KB   mail.coresoft.com.au
         7       97KB       14KB   mail-pa0-f46.google.com
         7       24KB       3510   a27-116.smtp-out.us-west-2.amazonses.com
         6      272KB       45KB   nskntmtas05p.mx.bigpond.com
         6      124KB       21KB   nschwmtas04p.mx.bigpond.com
         6       68KB       11KB   mail-pa0-f51.google.com
         6       59KB       10KB   do158-81.mailgun.net
         6       26KB       4437   a27-115.smtp-out.us-west-2.amazonses.com
         5      697KB      139KB   mail-pd0-f169.google.com
         5      138KB       28KB   mail-pd0-f181.google.com
         5      111KB       22KB   mail-pa0-f41.google.com
         5      107KB       21KB   mail-pa0-f49.google.com
         5       90KB       18KB   mail-pa0-f48.google.com
         5       72KB       14KB   nskntmtas06p.mx.bigpond.com

Top 50 local senders by message count
-------------------------------------
  Messages      Bytes    Average   Local sender
        27      451KB       17KB   Debian-exim
        25       72KB       2949   root
        21       53KB       2584   admin

Top 50 host destinations by message count
-----------------------------------------
  Messages  Addresses      Bytes    Average   Host destination
       886        886       48MB       55KB   local
       311        327       26MB       86KB   gmail-smtp-in.l.google.com
         4          4     2629KB      657KB   mx3.netregistry.net
         4          4      748KB      187KB   mx4.hotmail.com
         3          3      737KB      246KB   mx3.hotmail.com
         2          2     1998KB      999KB   mx2.hotmail.com

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct