Can't connect with telnet from external ip

Question

I have a postfix server running on a kimsufi VPS, i installed roundcube on it, and everything is ok. The problem is, when i try to connect from another server, i have a timeout :

telnet whys.fr 25
Trying 5.196.66.189...
telnet: Unable to connect to remote host: Connection timed out

here is my netstat output :

netstat -ntpul | grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      17643/master    
tcp6       0      0 :::25                   :::*                    LISTEN      17643/master

And the current iptables rules :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

telnet from localhost is working great :

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
ehlo whys.fr
250-whys.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

The server is hosted at OVH's datacenter, and port 25 is not blocked :

nmap -p 25 whys.fr

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 15:16 CET
Nmap scan report for whys.fr (5.196.66.189)
Host is up (0.019s latency).
rDNS record for 5.196.66.189: ns330237.ip-5-196-66.eu
PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds

I also checked in mail SPAM lists to see if my ip was in one of those, and it isn't.

How can i do to accept telnet 25 from outside? i have no idea now, already saw every questions about it on SF and a lot of them on the rest of the internet.

Answer 1

According to the nmap docs:

filtered

Nmap cannot determine whether the port is open because packet filtering prevents
its probes from reaching the port. The filtering could be from a dedicated
firewall device, router rules, or host-based firewall software. These ports
frustrate attackers because they provide so little information. Sometimes they
respond with ICMP error messages such as type 3 code 13 (destination unreachable:
communication administratively prohibited), but filters that simply drop probes
without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than
filtering. This slows down the scan dramatically.

So it looks like your port is simply blocked by a firewall somewhere. Maybe your local ISP? Because when I try to connect to it, I get a connection:

$ telnet whys.fr 25
Trying 5.196.66.189...
Connected to whys.fr.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)

Sadly, it's not uncommon for ISP to block direct connection to port 25 outside of their own network, to prevent bots on client machines from sending spam directly.

Answer 2

The first thing I would do before proceeding further would be to test port 25 end to end with a tool like netcat.

The tool comes standard with most linux distros. For example on CentOS I would stop postfix to release port 25. Then I would start netcat like this:

# nc -l 25

Then on the remote client I would start it like this:

# nc {ip of remote server} 25

Then anything you type on either end should be reflected/visible on the screen. If its not then your port is being blocked along the way.