MCQ (as does all the servers mentioned) have a internal IP (192 rnage) through
a NAT server to different public IP’s. They also have VPN static ip’s.
So, I changed the relay from Mcq’s pubic ip (to internal ip) to it’s VPN ip,
which by passes the firewall.
chain filter_IN_FedoraServer_allow {
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 9090 accept
tcp dport 80 accept
tcp dport 443 accept
tcp dport 143 accept
tcp dport 993 accept
tcp dport 25 accept
tcp dport 465 accept
tcp dport 587 accept
tcp dport 53 accept
udp dport 53 accept
tcp dport 5555 accept
tcp dport 992 accept
tcp dport 1194 accept
udp dport 1194 accept
udp dport 500 accept
udp dport 4500 accept
tcp dport 3306 accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 accept
udp dport 138 accept
tcp dport 139 accept
tcp dport 445 accept
}
I only connect to NAS via the VPN, as it’s router doesn’t have any wholes in
the firewall for packets to directly forward to it. The VPN bypasses the
firewall.
From: BetaRays <[email protected]>
Sent: Thursday, April 24, 2025 3:08 PM
To: Wayne Spivak <[email protected]>
Cc: [email protected]
Subject: Re: MTA stopped connecting to Postfix server on 587
On 2025-04-24, at 20:36 +0200, Wayne Spivak wrote:
To Mark and BetaRays
Ran tcpdump -n host sbanetweb.com and port 587 on both NAS and Joe
Then ran telent Sbanetweb.com 587
NASs response:
tcpdump -n -v host sbanetweb.com and port 587 tcpdump: listening on eth0,
link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:31:39.595597 IP
(tos 0x0, ttl 64, id 29332, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.173.53334 > 96.224.250.24.587: Flags [S], cksum 0x1d7d (incorrect
-> 0x996f), seq 3501996066, win 64240, options [mss 1460,sackOK,TS val
192786259 ecr 0,nop,wscale 7], length 0
Joe's Response
tcpdump -n host sbanetweb.com and port 587
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:33:19.775678 IP 192.168.0.93.37764 > 96.224.250.24.587: Flags [S], seq
3335906493, win 64240, options [mss 1460,sackOK,TS val 2857439758 ecr
0,nop,wscale 7], length 0
14:33:19.794348 IP 96.224.250.24.587 > 192.168.0.93.37764: Flags [S.], seq
3900869960, ack 3335906494, win 65160, options [mss 1460,sackOK,TS val
270255731 ecr 2857439758,nop,wscale 7], length 0
[…]
This proves there is nothing wrong with Mcq (Sbanetweb.com).
As far as fail2ban, none of the ip addresses are blocked.
Wayne
It could be useful to see whether a tcpdump on Mcq sees the SYN packet sent by
NAS, and whether it tries to respond, so whether the issue is with the sent
packet or its response.
What kind of internet service provider are you using on your different
machines? Could it be that there is a firewall between NAS and Mcq that is out
of your control?
On 2025-04-24, at 20:43 +0200, Wayne Spivak wrote:
BTW,
I changed the relay address from my domain/public address to my VPN ip
address and mail was sent.
What does that say?
Wayne
I’m not sure if that means NAS has a different source IP address or it sends to
a different IP address for Mcq.
