On Mon, Jun 14, 2021 at 01:55:40PM -0500, Linda Pagillo wrote:

> I have already verified and reverified with our server host that port 465
> is open on their main fw. However, when I do a port scan to 465 from the
> outside it says it is closed. My server host did the same scan and said
> that it's not them and it's a firewall on the server. I only have one
> firewall on the server and it is completely disabled at this time. Since
> the packets do get to the server we know it's not a firewall upstream.
>
> tcpdump shows the syn packets coming in -- but nothing going out.

Actually, the tcpdump program sees packets *before* they're dropped by
the host (ipfilter or similar) firewall. So in fact, you're actually
providing very strong evidence that there's a local firewall dropping
the packets. Otherwise, the host would respond either with a SYN-ACK
or with a TCP RST packet.

> The firewall (iptables) is empty. (fully cleared and flushed -- even
> rebooted with no rules)

Except that clearly there's a firewall in place, or the routing table
has no routes to anything outside the local subset, so the host has
no way to reply.

> Postfix answers fine on all other ports and so do other apps on the
> machine, so not likely to be routing unless something specific to postfix
> on this port.

This disproves the empty routing table hypothesis, making firewall rules
all the more likely.

> If something is blocking the response or the ingress it's not iptables. At
> this point, I'm not sure what else it could be.

Perhaps you have a different packet filter stack installed.

--
    Viktor.
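Added example, not part of the original message: a small Python script that applies the reasoning above to a capture taken on the server itself, sorting each inbound SYN by whether the host answered with a SYN-ACK, answered with an RST, or sent nothing at all. The capture text, addresses, port 2525 and the function name `classify` are constructed for illustration; the line format assumed is that of `tcpdump -nn`.

```python
import re

# Matches "IP src.sport > dst.dport: Flags [..]" in `tcpdump -nn` text output.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
13:55:01.100000 IP 203.0.113.7.51514 > 192.0.2.10.465: Flags [S], seq 100, win 64240, length 0
13:55:02.100000 IP 203.0.113.7.51514 > 192.0.2.10.465: Flags [S], seq 100, win 64240, length 0
13:55:04.100000 IP 203.0.113.7.51514 > 192.0.2.10.465: Flags [S], seq 100, win 64240, length 0
13:55:05.000000 IP 203.0.113.7.40022 > 192.0.2.10.25: Flags [S], seq 200, win 64240, length 0
13:55:05.000040 IP 192.0.2.10.25 > 203.0.113.7.40022: Flags [S.], seq 900, ack 201, win 65160, length 0
13:55:06.000000 IP 203.0.113.7.40100 > 192.0.2.10.2525: Flags [S], seq 300, win 64240, length 0
13:55:06.000030 IP 192.0.2.10.2525 > 203.0.113.7.40100: Flags [R.], seq 0, ack 301, win 0, length 0
"""

def classify(capture, server_port):
    """Return {(client_ip, client_port): verdict} for SYNs sent to server_port.

    "syn-ack"  : the host answered with SYN-ACK
    "rst"      : the host answered with RST
    "no-reply" : the SYN was captured but nothing went back out, which is what
                 a local packet filter dropping it (or no return route) looks like
    """
    verdicts = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dport == server_port and flags == "S":
            # Retransmitted SYNs must not overwrite an earlier verdict.
            verdicts.setdefault((src, sport), "no-reply")
        elif sport == server_port and (dst, dport) in verdicts:
            if flags == "S.":
                verdicts[(dst, dport)] = "syn-ack"
            elif "R" in flags and verdicts[(dst, dport)] == "no-reply":
                verdicts[(dst, dport)] = "rst"
    return verdicts

if __name__ == "__main__":
    for port in (465, 25, 2525):
        print(port, classify(SAMPLE, port))
```

A "no-reply" verdict on one port next to a "syn-ack" on another port of the same host is the pattern discussed in the message: replies can leave the machine, so the silence on the one port is not a routing problem.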