I've leased a dedicated, lightly-managed CentOS7 box from a hosting company. The host came with firewalld installed and running and with its iptables preferences pre-imposed.

I was not expecting this; I'm used to receiving unfirewalled boxes with no services running on them except the ones I turn on. I know little about firewalld and iptables and am struggling to get even basic external email traffic through port 25 and into postfix's queue. I believe it's the firewall that's blocking me because:

  • All my DNS records are set up properly. Those haven't changed in years; all I had to do was update the IP addresses to accommodate this new host.

  • netstat -ln confirms the port is listening; I can telnet localhost 25 and even negotiate EHLO, etc. just fine.

  • My postfix configuration is probably correct but also irrelevant. I'm not testing features like aliases or virtual domains: I'm just sending to real-local-user@postfix-$mydestination-entry. And when I send the message from localhost, it gets delivered just fine.

  • I've upped the verbosity of the postfix qmgr daemon, and no matter how much mail I send from outside the machine, its logs never indicate that any messages are making it to the queue. All it reports is every 5 minutes waking up to do some routine actions.

The relevant zone of firewalld looked like this when I got the machine:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http ssh https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I have now managed to make it look like this (all hidden lines remain the same):

public
  target: default
  services: http ssh https smtp
  ports: 25/tcp

(I made the changes --permanent and --reloaded after each one.)

Unfortunately, I'm still unable to telnet host 25 from remote locations and remote mail still fails to reach my postfix queue. Any thoughts as to what I'm missing?

P.S. Notice that http is in the same firewalld zone and I've been able to telnet host 80 and connect via web browser since day 1.

P.P.S. I've avoided posting anything about iptables output here because I do not in fact know what portions of that are relevant. I'm hoping someone will be able to deduce my problem without that info, but if not then I can certainly dig it up ...

dg99
    Could it be that the service provider is blocking port 25? What's in your contract? Is hosting an own SMTP server permitted? – Esa Jokinen Jun 15 '18 at 19:54
  • Well, I'll ask them, but postfix was running when the box was handed over to me. – dg99 Jun 15 '18 at 20:39
  • Service provider confirms that they do not block anything at all at the data center level. The only firewall is the one running on the box (firewalld). There is a separate firewall that can be dropped around the box (by me) through a web management interface, but that is completely disabled. – dg99 Jun 15 '18 at 20:51

1 Answer

Since this is a VPS, many of them pre-configure Postfix to only listen to 127.0.0.1:25 rather than 0.0.0.0:25 which would prevent external access to the SMTP port - checking inet_interfaces in your main.cf would be a logical first step.

You said you used netstat to make sure the process was listening, perhaps double checking that it's actually binding to all interfaces would be revealing rather than just 127.0.0.1:25.

Miuku
  • Yes, thanks. It's possible that this was the problem. I was reading [this question](https://serverfault.com/q/777770/353272) more carefully and noticed that I did indeed have my `inet_interfaces` not set to "all". I changed the setting and restarted postfix, but I didn't take a second look at `netstat` beforehand to know the answer to your query. But after several hours, I am now receiving mail. – dg99 Jun 16 '18 at 15:46
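As an added check that is not part of the question or Miuku's answer, this POSIX shell script tells the loopback-only binding the answer describes apart from an all-interfaces one: it classifies the tcp/25 listener from `netstat -ln` or `ss -ltn` style output and reads the effective `inet_interfaces` from main.cf text. The sample listener lines, the main.cf fragment and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answer). On a real box run
# smtp_diagnosis "$(ss -ltn)" "$(cat /etc/postfix/main.cf)"; Postfix defaults
# inet_interfaces to "all" when main.cf does not set it.

# Constructed samples: a loopback-only Postfix next to reachable http/ssh,
# and the same box after inet_interfaces was changed to all.
SAMPLE_NETSTAT_LOOPBACK='tcp  0  0 127.0.0.1:25  0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:80    0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN'
SAMPLE_NETSTAT_ALL='tcp   0  0 0.0.0.0:25    0.0.0.0:*  LISTEN
tcp6  0  0 :::25         :::*       LISTEN'
SAMPLE_MAINCF_LOOPBACK='# constructed main.cf fragment as a VPS image might ship it
myhostname = mail.example.com
inet_interfaces = loopback-only
mydestination = $myhostname, localhost'

# port25_binding <listener output>: prints all, external, loopback or none.
port25_binding() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" || $NF == "LISTEN" {      # ss puts State first, netstat last
            n = split($4, a, ":"); port = a[n]
            if (port != "25") next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") all = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else ext = 1                         # bound to one specific address
        }
        END { print (all ? "all" : ext ? "external" : loop ? "loopback" : "none") }'
}

# inet_interfaces_of <main.cf text>: last uncommented assignment, else the default.
inet_interfaces_of() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^inet_interfaces[ \t]*=/ { sub(/^inet_interfaces[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print (val == "" ? "all" : val) }'
}

# smtp_diagnosis <listener output> <main.cf text>: says where to look next.
smtp_diagnosis() {
    case "$(port25_binding "$1")" in
        loopback) echo "postfix listens on loopback only (inet_interfaces = $(inet_interfaces_of "$2")); set it to all and restart postfix" ;;
        none)     echo "nothing listens on tcp/25; check that postfix is running" ;;
        *)        echo "tcp/25 is bound for external clients; firewalld or upstream filtering is the next suspect" ;;
    esac
}

smtp_diagnosis "$SAMPLE_NETSTAT_LOOPBACK" "$SAMPLE_MAINCF_LOOPBACK"
```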