Firewall not keeping relay attempts from reaching postfix

Question

I have a centos-based vps managed with webmin and every once in a while I get a few hundred emails like this one:

From: MAILER-DAEMON@mail.<redacted>.com
To: postmaster@<redacted>.com
Subject: Postfix SMTP server: errors from unknown[20.229.210.160]

Transcript of session follows.

 Out: 220 mail.<redacted>.com ESMTP Postfix
 In:  EHLO yupk81.domain
 Out: 250-mail.<redacted>.com
 Out: 250-PIPELINING
 Out: 250-SIZE 30720000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 Out: 421 4.4.2 mail.<redacted>.com Error: timeout exceeded

Session aborted, reason: timeout

For other details, see the local mail logfile

Here's what I believe are the log entries related to one such email:

Jun 10 19:20:46 fla postfix/qmgr[931]: 9CFCD40033: removed
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: connect from unknown[20.229.210.160]
Jun 10 19:21:54 fla postfix/submission/smtpd[29389]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: timeout after STARTTLS from unknown[20.229.210.160]
Jun 10 19:22:07 fla postfix/cleanup[30329]: E0A0840033: message-id=<20220610232207.E0A0840033@mail.<redacted>.com>
Jun 10 19:22:07 fla postfix/qmgr[931]: E0A0840033: from=<double-bounce@mail.<redacted>.com>, size=914, nrcpt=1 (queue active)
Jun 10 19:22:07 fla postfix/submission/smtpd[29551]: disconnect from unknown[20.229.210.160]
Jun 10 19:22:09 fla postfix/smtp[30336]: E0A0840033: to=<my_personal_email>, orig_to=<postmaster>, relay=mail.<redacted>.com [<IP address redacted>]:25, delay=2, delays=0.01/0/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4LKcS06tJyz9vNQY)
Jun 10 19:22:09 fla postfix/qmgr[931]: E0A0840033: removed
Jun 10 19:22:18 fla postfix/postfix-script[30470]: warning: not owned by root: /etc/postfix/dump
Jun 10 19:22:18 fla postfix/postfix-script[30471]: warning: not owned by root: /etc/postfix/dump.txt

I set the Linux IPTables Firewall to drop packets coming from the abocve IP address, but postfix keeps sending me those emails from the postmaster account, so the attempts are still reaching postfix. It's driving me mad. Isn't the firewall supposed to stop traffic originating from tha IP address? Why isn't it doing its job?

Thanks!

Edit 2022-06-10 21:25 - Added iptables here (unclear on why the dates listed in the file are all from 2015, as it shows the changes I made today):

# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*security
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*raw
:PREROUTING ACCEPT [28036:5505542]
:OUTPUT ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*nat
:PREROUTING ACCEPT [1490:86220]
:INPUT ACCEPT [1490:86220]
:OUTPUT ACCEPT [4732:332455]
:POSTROUTING ACCEPT [4732:332455]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*mangle
:PREROUTING ACCEPT [28036:5505542]
:INPUT ACCEPT [28036:5505542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27892:10681911]
:POSTROUTING ACCEPT [27892:10681911]
COMMIT
# Completed on Sat Nov 28 22:24:57 2015
# Generated by iptables-save v1.4.21 on Sat Nov 28 22:24:57 2015
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets from 31.210.20.235
-A INPUT -s 20.229.210.160 -j DROP
-A INPUT -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state -m icmp --icmp-type 8 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG  --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -m limit --limit 5/min -j LOG  --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A OUTPUT -o eth0 -j LOG  --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# test
-A INPUT
COMMIT
# Completed on Sat Nov 28 22:24:57 2015

Edit 2022-06-10 22:05 - /var/log/maillog after shutting down and restarting postfix:

Jun 10 22:03:23 fla postfix/postfix-script[4257]: stopping the Postfix mail system
Jun 10 22:03:23 fla postfix/master[3818]: terminating on signal 15
Jun 10 22:03:24 fla postfix/postfix-script[4321]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:03:24 fla postfix/postfix-script[4322]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:03:24 fla postfix/postfix-script[4323]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:03:24 fla postfix/postqueue[4341]: warning: Mail system is down -- accessing queue directly
Jun 10 22:03:36 fla dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=<redacted_ip_address>, lip=<redacted_ip_address>, session=<itN0diLhLABqS77J>
Jun 10 22:04:00 fla postfix/postfix-script[4488]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:00 fla postfix/postfix-script[4489]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:00 fla postfix/postfix-script[4490]: warning: not owned by root: /etc/postfix/<redacted>.pem
Jun 10 22:04:00 fla postfix/postfix-script[4507]: starting the Postfix mail system
Jun 10 22:04:00 fla postfix/master[4509]: daemon started -- version 2.10.1, configuration /etc/postfix
Jun 10 22:04:01 fla postfix/postfix-script[4567]: warning: not owned by root: /etc/postfix/dump
Jun 10 22:04:01 fla postfix/postfix-script[4568]: warning: not owned by root: /etc/postfix/dump.txt
Jun 10 22:04:01 fla postfix/postfix-script[4569]: warning: not owned by root: /etc/postfix/<redacted>.pem

Answer 1

1. You have configured a Milter and failed to ensure it is running and accessible, Postfix complains that it cannot connect connect to Milter service inet:127.0.0.1:8891: Connection refused. This could be a mistake in your firewall configuration as well, as the connection to the Milter is subject to packet filtering.

2. You do not have rules in place to restrict IPs that can be used to access your submission service. This may be because you mistakenly only restricted access for first smtp port (25), missing out other ports (465 and/or 587, most likely) you are exposing additional SMTP services on.

3. You have opted in to receive error notifications to the postmaster box, but seem to focus on the connection attempt. I would not worry much about someone connecting (and presumably ordinarily being refused service as unauthorized anyway), as I would about that attempt just happening to be the occasion for Postfix to notice a configuration problem. This could be separate (from 1.) problem in your Postfix configuration that Postfix would have logged on startup. Restart Postfix and read the logs.