Vesta CP firewall blocks port 465- PHPMailer can't send mails

On one of my Debian 7 installs, I'm not able to send mails through PHPMailer (PHP class), which sends mails via Google SMTP (regardless of Exim on the server).

If I stop Firewall -- it sends through but NOT when Firewall is active.

I have an ACCEPT rule for 993,465,25,587 in the Rules.... Yet it's not working.

I know Vesta is not good at handling Firewall rules, can you point me to what may be wrong?

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-VESTA  tcp  --  anywhere             anywhere             tcp dpt:8083
fail2ban-MAIL  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,submission,2525,pop3,pop3s,imap2,imaps
fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9562
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5901
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2257
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9810
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ftp-data,ftp,12000:12100
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,submission,2525
ACCEPT     tcp  --  anywhere             anywhere             multiport dports pop3,pop3s
ACCEPT     tcp  --  anywhere             anywhere             multiport dports imap2,imaps
DROP       tcp  --  anywhere             anywhere             multiport dports mysql,postgresql
DROP       tcp  --  anywhere             anywhere             tcp dpt:8083
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  127.0.0.2            anywhere
ACCEPT     all  --  rn2g                 anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:pop3
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:postgresql
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8433
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8083
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain state ESTABLISHED

Comments

  • Faizi Member

    @mehargags said:

    If I stop Firewall -- it sends through but NOT when Firewall is active.

    By this you mean VestaCP > Services > IPTables/Firewall > Stop ?

  • mikho Member, Host Rep

    The firewall rules only accept IN rules.
    Your rule has to be defined in the custom.sh file.
    You can see my post about DNS issues that I had when the firewall was active.
    It's the same thing. :)

    http://www.lowendguide.com/3/networking/iptables-and-vestacp-output-rules-to-allow-dns-lookups/

  • mehargags Member
    edited March 2015

    @Faizi said:
    By this you mean VestaCP > Services > IPTables/Firewall > Stop ?

    Yes exactly.

    @Mikho,
    I was thinking to contact you... Yes, it seems like the outgoing port is blocked.
    While DNS is working fine, can you tell me what specifically to add in your script for 465 to be explicitly open in and out?

    I already have your Custom.sh in place !!

  • mikho Member, Host Rep
    edited March 2015

    mehargags said: @Mikho, I was thinking to contact you... Yes, it seems like the outgoing port is blocked. While DNS is working fine, can you tell me what specifically to add in your script for 465 to be explicitly open in and out?

    If you are using my version of custom.sh (found here) then add at the end of the file something like this:

    gmailip=$(resolveip -s smtp.gmail.com)
    $IPT -A OUTPUT -p tcp -d $gmailip --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s $gmailip --sport 465 -m state --state ESTABLISHED -j ACCEPT

    I haven't tested it, so don't do this on a production site without testing it properly.

    I used resolveip to get the current IP since the command is included in the mysql package and smtp.gmail.com is a CNAME record.

  • @Mikho... This works! Thanks a TON brother.

    but don't you think the IP for smtp.gmail.com keeps changing?
    Also if I want to connect another External SMTP over p465, it won't work.

    What shall be changed in your script to open 465 to any IP (0.0.0.0/0)?

    Thanks

  • mikho Member, Host Rep

    My script resolved smtp.gmail.com so that should take care of ip updates.

    To allow everything:
    Remove gmailip=$(resolveip -s smtp.gmail.com)

    Change $gmailip to 0.0.0.0/0

    $IPT -A OUTPUT -p tcp -d $gmailip --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s $gmailip --sport 465 -m state --state ESTABLISHED -j ACCEPT

    That should do it.

  • SplitIce Member, Host Rep
    edited March 2015

    mikho said: Change $gmailip to 0.0.0.0/0

    or just remove -d * and -s *

  • @SplitIce said:
    or just remove -d * and -s *

    Just to confirm the final lines should be

    $IPT -A OUTPUT -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT

    Good?

  • SplitIce Member, Host Rep
    edited March 2015

    Honestly speaking, this firewall ruleset is a bit backwards; you should be doing DROP/ACCEPT filtering for NEW connections only.

    Then ACCEPT any ESTABLISHED, and DROP any INVALID.

    Less rules, less rule hits.
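The following is an added example of the stateful layout SplitIce describes (filter NEW only, one ACCEPT for ESTABLISHED, DROP INVALID). It is my code, not mikho's custom.sh and not anything posted in this thread. It opens outbound 465 the way the earlier custom.sh addition does, but because replies are matched by state there is no need to resolve smtp.gmail.com with resolveip or to add an INPUT --sport 465 rule, which answers the concern about Google's IP changing. The variable names (IPT, OUT_TCP_PORTS, IN_TCP_PORTS) and the port lists are assumptions; by default IPT is a dry run that only prints the iptables commands, and the script assumes it owns the INPUT and OUTPUT chains (it flushes them).

```sh
#!/bin/sh
# Added example, not part of the thread or of mikho's custom.sh: a stateful
# ruleset (filter NEW only, ACCEPT ESTABLISHED, DROP INVALID) that also opens
# outbound SMTPS so PHPMailer can reach smtp.gmail.com:465.
# IPT defaults to a dry run that prints the commands; run with IPT=iptables
# as root to apply them. Port lists are assumptions for this example.
IPT="${IPT:-echo iptables}"

# Outbound TCP ports this host may open itself (SMTPS, submission, HTTPS, HTTP).
OUT_TCP_PORTS="${OUT_TCP_PORTS:-465 587 443 80}"
# Inbound TCP ports for services hosted here. Keep ssh in the list, or the
# remote session applying the rules is locked out once the DROP policy is set.
IN_TCP_PORTS="${IN_TCP_PORTS:-22 25 80 443}"

stateful_base() {
    # Start from empty chains so rule order is known.
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Loopback is trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One rule per chain covers every packet of every connection already
    # allowed, in both directions, so no per-port --sport rules are needed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot tie to any connection are dropped.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
}

# Only the first packet (NEW) of a connection reaches these rules; the
# replies to an outbound 465 connection are ESTABLISHED and accepted above.
allow_outbound_tcp() {
    for port in "$@"; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

allow_inbound_tcp() {
    for port in "$@"; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# DNS lookups, needed before the mail client can resolve smtp.gmail.com.
allow_outbound_dns() {
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Policies are set last so the accept rules are in place before DROP applies.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
}

build_ruleset() {
    stateful_base
    allow_outbound_dns
    allow_outbound_tcp $OUT_TCP_PORTS
    allow_inbound_tcp $IN_TCP_PORTS
    set_policies
}

# Self-check on the generated command list: the ESTABLISHED accept must be
# appended before any NEW rule, otherwise every packet of a new connection is
# still matched rule by rule and nothing is gained over the old ruleset.
check_order() {
    rules=$(build_ruleset)
    est=$(printf '%s\n' "$rules" | grep -n -e '--state ESTABLISHED' | head -n 1 | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n -e '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Succeeds when the generated rules accept new outbound connections to $1.
opens_outbound() {
    build_ruleset | grep -q -e "OUTPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

build_ruleset
```

Run it once without IPT set to review the commands, then `IPT=iptables sh stateful.sh` as root to apply. To see which chain is actually refusing the connection, `iptables -L OUTPUT -n` shows the OUTPUT chain, which the listing pasted at the top of the thread does not include.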

  • @SplitIce said:
    Honestly speaking, this firewall ruleset is a bit backwards; you should be doing DROP/ACCEPT filtering for NEW connections only.

    Then ACCEPT any ESTABLISHED, and DROP any INVALID.

    Less rules, less rule hits.

    @SplitIce, I'd much appreciate it if you can write the exact full rules here. It will be much faster and better for me.
    thanks
