SMTP not forwarded to external host

WindxwsXP · January 14, 2024, 7:52pm

I am using axigen to setup my own mailserver but trying to set it up I encountered a rather weird problem:

Using nmap -P0 0.0.0.0 on my Mailserver to check if all ports that are necessary for the server to work gives this output:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-14 16:35 CET
Nmap scan report for 0.0.0.0
Host is up (0.000022s latency).
Not shown: 986 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1443/tcp open  ies-lm
7000/tcp open  afs3-fileserver
8080/tcp open  http-proxy
9000/tcp open  cslistener

However, if I try to scan it from another device, again using nmap, that isn’t the Mailserver (any device, doesn’t matter if it is another server in the network of the Mailserver or my own PC) returns this:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-14 16:34 CET
Nmap scan report for my-domain.net (45.88.xxx.xxx)
Host is up (0.00069s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
1443/tcp open  ies-lm
7000/tcp open  afs3-fileserver
8080/tcp open  http-proxy
9000/tcp open  cslistener

As seen above the ports 25 (smtp) and 465 (smtps) are both not showing as open on the external device which pretty much renders the whole Mailserver useless.

I use ufw as my firewall, the rules are pretty simple as of right now, none of the ports I need are blocked:

Status: active

To                         Action      From
--                         ------      ----
21                         ALLOW       Anywhere
22                         ALLOW       Anywhere
25                         ALLOW       Anywhere
80                         ALLOW       Anywhere
110                        ALLOW       Anywhere
143                        ALLOW       Anywhere
443                        ALLOW       Anywhere
465                        ALLOW       Anywhere
993                        ALLOW       Anywhere
995                        ALLOW       Anywhere
1443                       ALLOW       Anywhere
7000                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
9000                       ALLOW       Anywhere
21 (v6)                    ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
110 (v6)                   ALLOW       Anywhere (v6)
143 (v6)                   ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
465 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)
1443 (v6)                  ALLOW       Anywhere (v6)
7000 (v6)                  ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
9000 (v6)                  ALLOW       Anywhere (v6)

If I disable the firewall and scan the Mailserver from an external host again I get this output which basically tells me no service is listening on said filtered ports:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-14 16:13 CET
Nmap scan report for Array.living-bots.net (45.88.109.169)
Host is up (0.00067s latency).
Not shown: 985 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  filtered smtps
587/tcp  filtered submission
993/tcp  open     imaps
995/tcp  open     pop3s
1443/tcp open     ies-lm
7000/tcp open     afs3-fileserver
8080/tcp open     http-proxy
9000/tcp open     cslistener

And just to have everything that might be needed in here, this is the output of netstat -tuplen | grep axigen:

tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      220        9707034    467817/axigen
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      220        9707044    467817/axigen
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      220        9707038    467817/axigen
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      220        9707029    467817/axigen
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      220        9707043    467817/axigen
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      220        9707028    467817/axigen
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      220        9707033    467817/axigen
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      220        9707039    467817/axigen
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      220        9707020    467817/axigen
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      220        9707048    467817/axigen
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      220        9707025    467817/axigen
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      220        9707003    467830/axigen-tnef
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      220        9706040    467817/axigen
tcp6       0      0 :::993                  :::*                    LISTEN      220        9707036    467817/axigen
tcp6       0      0 :::9443                 :::*                    LISTEN      220        9707046    467817/axigen
tcp6       0      0 :::1443                 :::*                    LISTEN      220        9707040    467817/axigen
tcp6       0      0 :::995                  :::*                    LISTEN      220        9707031    467817/axigen
tcp6       0      0 :::9000                 :::*                    LISTEN      220        9707045    467817/axigen
tcp6       0      0 :::110                  :::*                    LISTEN      220        9707030    467817/axigen
tcp6       0      0 :::143                  :::*                    LISTEN      220        9707035    467817/axigen
tcp6       0      0 :::8080                 :::*                    LISTEN      220        9707041    467817/axigen
tcp6       0      0 :::465                  :::*                    LISTEN      220        9707022    467817/axigen
tcp6       0      0 :::7000                 :::*                    LISTEN      220        9707026    467817/axigen
tcp6       0      0 :::25                   :::*                    LISTEN      220        9707021    467817/axigen
udp        0      0 127.0.0.1:2000          0.0.0.0:*                           220        9707007    467817/axigen

I have been trying for an hour now so either it is something complicated or really simple that I overlooked, any suggestions how I can enable my other devices to be able to access the smtp/s ports?

I tried turning the firewall off, tried using another firewall (firewalld), tried clearing and reconfiguring the firewall and tried to reinstall axigen.

Trekkie · January 18, 2024, 12:36am

My first question is if the scan is from the external because I see you referencing a domain and public IP address? If so, could it be that your ISP is blocking ports 25 & 465? This is common for some ISPs if it’s not a business account.

One of the old-school methodologies I use to check to see if the service is responding is using a simple CLI instruction to see if the server is responding. If you can get to your server using the HELO command from a different local machine (using the private IP address) but can’t access the server from external, it might be your ISP blocking it. Alternatively, you can use the telnet command and specify port 25. When I use the telnet command from my workstation to my server (same network), Axigen responds with:

220 Server Axigen ESMTP ready

You can also check your server externally using the MXToolbox utility.