我有一個在 kimsufi VPS 上運行的 postfix 伺服器,我在上面安裝了 roundcube,一切正常。問題是,當我嘗試從另一台伺服器連接時,出現逾時:
telnet whys.fr 25
Trying 5.196.66.189...
telnet: Unable to connect to remote host: Connection timed out
這是我的 netstat 輸出:
netstat -ntpul | grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 17643/master
tcp6 0 0 :::25 :::* LISTEN 17643/master
目前的 iptables 規則:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
來自本地主機的 telnet 運作良好:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
ehlo whys.fr
250-whys.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
伺服器託管在 OVH 的資料中心,且連接埠 25 未被封鎖:
nmap -p 25 whys.fr
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 15:16 CET
Nmap scan report for whys.fr (5.196.66.189)
Host is up (0.019s latency).
rDNS record for 5.196.66.189: ns330237.ip-5-196-66.eu
PORT STATE SERVICE
25/tcp filtered smtp
Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds
我還檢查了郵件垃圾郵件列表,看看我的 IP 是否在其中之一,但事實並非如此。
如何接受外部的 telnet 25?我現在不知道,已經在舊金山看到了有關它的所有問題,並且在互聯網上的其他地方看到了很多問題。
答案1
根據 nmap 文檔:
filtered
Nmap cannot determine whether the port is open because packet filtering prevents
its probes from reaching the port. The filtering could be from a dedicated
firewall device, router rules, or host-based firewall software. These ports
frustrate attackers because they provide so little information. Sometimes they
respond with ICMP error messages such as type 3 code 13 (destination unreachable:
communication administratively prohibited), but filters that simply drop probes
without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than
filtering. This slows down the scan dramatically.
所以看起來你的連接埠只是被某處的防火牆阻止了。也許是您當地的 ISP?因為當我嘗試連接到它時,我得到了一個連接:
$ telnet whys.fr 25
Trying 5.196.66.189...
Connected to whys.fr.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
遺憾的是,ISP 阻止與自己網路以外的連接埠 25 的直接連接的情況並不少見,以防止客戶端電腦上的機器人直接發送垃圾郵件。
答案2
在繼續之前我要做的第一件事是使用類似的工具端對端測試連接埠 25網貓。
該工具是大多數 Linux 發行版的標準配置。例如,在 CentOS 上,我會停止 postfix 以釋放連接埠 25。
# nc -l 25
然後在遠端客戶端上我會像這樣啟動它:
# nc {ip of remote server} 25
然後,您在兩端輸入的任何內容都應該在螢幕上反映/可見。如果不是,那麼您的連接埠沿途被封鎖。