0

Using phpmailer I keep getting a 110 timeout and "Unable to connect to host" when sending email from my web server.

The authentication details are right and they work on another server I have (login, pwd, ports etc and gmail acct set up for SSL connections on 465), but it's failing on my new server.

FIREWALL: I allow related/established, port 80 and a port for SSH on INPUT, then this on OUTPUT:

7906  474K DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp  
0     0 ACCEPT     tcp  --  any    any     localhost.localdomain  yw-in-f109.1e100.net tcp dpt:submission  
0     0 ACCEPT     tcp  --  any    any     localhost.localdomain  gx-in-f109.1e100.net tcp dpt:ssmtp  
0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:submission  
9   540 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:ssmtp 

This output chain works on my other server and disabling it doesn't get mail delivered either.

WEB SERVER: Varnish (80) > Nginx (8088) > Drupal 7 > PHP5-FPM > APC > MySQL. All works beautifully, except for outgoing email.

What else could it be?
I understand phpmailer does NOT require a local MTA or procmail (this is sort of the point - I don't want the security or admin overhead of a full blown MTA on my web server). Am I wrong? Do I need an MTA as well?

What local ports and programs are used to authenticate over SSL and route mail using phpmailer?

Any ideas at all greatly appreciated - wasted a day on this nonsense already!

Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • Where did you get the yw-in-f109.1e100.net and gx-in-f109.1e100.net entries? Can you give the output of iptables-save? – becomingwisest Mar 16 '11 at 03:33
  • Have you tried logging blocked packets to make sure there's no additional rules needed? – Mark Mar 16 '11 at 05:37
  • First, it would be more useful if you pass the `-n` option to iptables -L so we get numeric results. Second, I suggest you consider opening the firewall and running tcpdump while you send a message. – Zoredache Mar 16 '11 at 07:37

2 Answers

0

Local MTA is preferable to queue the messages if the remote SMTP is not available.

Restricting outgoing traffic is unusual. The security benefit is small: If the attacker has your local machine, he can switch off the firewall anyway. Even if you can control your applications so well, I wouldn't do it at all, since you never know which IPs gmail uses for submission. They can change without notification. So my advice is to at least open submission/ssmtp to all hosts.

AndreasM
  • 1,083
  • 8
  • 13
  • -0.1 :). If the attacker has the privileges of his web server, then outbound rules are good to have. – 3molo Mar 16 '11 at 08:30
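An added example, not part of the original thread, that makes the point about hostname-based rules concrete: it parses the OUTPUT chain exactly as the question shows it and evaluates a connection against it, first match wins. The two `1e100.net` hostnames are mapped to constructed documentation-range addresses standing in for whatever DNS returned when the rules were inserted; the `dropped_mail_rules` helper lists the DROP rules that have actually counted packets, which is what `iptables -L -n -v` shows you before reaching for tcpdump.

```python
import re

# Service names as printed by `iptables -L` without -n (looked up in /etc/services).
SERVICE_PORTS = {"smtp": 25, "submission": 587, "ssmtp": 465}

# The OUTPUT chain from the question (`iptables -L OUTPUT -v`, hostnames resolved
# once by iptables when each rule was inserted, not per packet).
OUTPUT_CHAIN = """\
7906  474K DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
0     0 ACCEPT     tcp  --  any    any     localhost.localdomain  yw-in-f109.1e100.net tcp dpt:submission
0     0 ACCEPT     tcp  --  any    any     localhost.localdomain  gx-in-f109.1e100.net tcp dpt:ssmtp
0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:submission
9   540 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:ssmtp
"""

# Constructed stand-ins (RFC 5737 range) for the single address each hostname
# resolved to at insert time; smtp.gmail.com may resolve elsewhere by now.
RESOLVED_AT_INSERT = {"gx-in-f109.1e100.net": "192.0.2.10",
                      "yw-in-f109.1e100.net": "192.0.2.11"}

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+\w?)\s+(ACCEPT|DROP|REJECT)\s+\S+\s+--\s+"
                     r"\S+\s+\S+\s+(\S+)\s+(\S+)\s+tcp dpt:(\S+)")

def parse_chain(text):
    """Turn the `iptables -L -v` listing into rule dicts, in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        pkts, _bytes, target, src, dst, dport = m.groups()
        port = SERVICE_PORTS[dport] if dport in SERVICE_PORTS else int(dport)
        rules.append({"pkts": int(pkts), "target": target, "dst": dst, "dport": port})
    return rules

def verdict(rules, dst_ip, dport, resolved=RESOLVED_AT_INSERT):
    """First matching rule decides; the chain policy (assumed ACCEPT) applies otherwise."""
    for r in rules:
        if r["dport"] != dport:
            continue
        rule_ip = resolved.get(r["dst"], r["dst"])
        if rule_ip == "anywhere" or rule_ip == dst_ip:
            return r["target"]
    return "ACCEPT (chain policy)"

def dropped_mail_rules(rules):
    """DROP rules whose packet counters are non-zero: the rules actually biting."""
    return [(r["dport"], r["pkts"]) for r in rules
            if r["target"] == "DROP" and r["pkts"] > 0]
```

With these stand-in addresses, 465 to the address the rule was pinned to is accepted, while 465 to any other Google address falls through to the catch-all DROP, which is the rule showing 9 packets in the listing.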
0

I allow related/established, port 80 and a port for SSH on INPUT, then this on OUTPUT

No - port 80 is for web traffic - irrelevant to web traffic.

What local ports and programs are used to authenticate over SSL and route mail using phpmailer?

Client ports are selected at random.

What do your logs say is happening?

Without knowing what your phpmailer settings are (or if you've got SSL support in PHP) it's impossible to say what's really going on here.

And even if you've configured your machine and the code correctly, do you know what's in between this box and the gmail server?

Have you checked it's resolving names correctly? That you can traceroute out of the local network in the general direction of smtp.gmail.com? (If a ping is successful it implies that there are no routing issues - but if it fails this does not necessarily mean that the routing is broken).

Try firing up stunnel with an SSL connection to smtp.gmail.com and see what happens when you connect via telnet.

symcbean
  • 21,009
  • 1
  • 31
  • 52