Mail from Gmail blocked

MopeyGecko

Hi all,

Mail to my server from gmail has recently started getting blocked. Google is reporting timeout errors.

The recipient server did not accept our requests to connect. For more information, go to https://support.google.com/mail/answer/7720 [mail.millne.com. 78.141.234.188: timed out]

I'm struggling to find anything in CSF logs or anywhere else that would explain it but I don't really have any info on which server was trying to connect to search logs. Does anybody have any suggestions of how I can resolve?

Thanks

Andy
 
Thanks. It did seem to be that way although there do seem to be some other connectivity issues just discovered. There is a Wordpress site hosted on the server that is getting timeout errors when attempting to contact Wordpress.org. I'm wondering if we're on a blacklist but it seems to be coming back clear in blacklist checkers.
 
the link to your site
It's in his first post. :)

As far as I can see everything is in good order.
So best is to check or tail your /var/log/exim/mainlog and see what exactly is going on.
Because the 7720 they are referring to is in good order for your domain as far as I can see.

You're not using Google to send mail from your server, right?
 
It's multiple domains on that server. I'll check the exim log to see if anything shows up.

edit: it looks like the following logs are relevant but there is nothing in the mail queue

2024-03-25 16:12:36 1romw6-0000000615X-1r39 => ****@live.co.uk F=<******> R=lookuphost T=remote_smtp S=938 H=eur.olc.protection.outlook.com [104.47.18.225] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=15749645079648, Hostname=GV2P195MB1889.EURP195.PROD.OUTLOOK.COM] 8721 bytes in 0.243, 35.028 KB/sec Queued mail for delivery -> 250 2.1.5"


2024-03-25 16:12:41 1romw6-0000000615X-1r39 => ****@icloud.com F=<****@nettlofbedlington.co.uk> R=lookuphost T=remote_smtp S=938 H=mx02.mail.icloud.com [17.56.9.31] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 Ok: queued as 52F5DF00287"
 
I don't see anything in the exim log for the gmail examples. I've also tried watching the mainlog after sending a new mail and nothing gets logged.
 
I have flushed all csf blocks too so it doesn't appear to be the firewall. I'm thoroughly confused.
 
Hmmm. I disabled CSF entirely temporarily and they come through so it's something CSF related.

Adding Google's public IP ranges (nslookup -q=TXT _spf.google.com 8.8.8.8) to csf.allow also seems to let them through but ideally I'd like to avoid that.
 
What could have happened is that somebody sent a malware-infected file with a Gmail address to your server, and then ClamAV in combination with CSF blocked Google after(?)

Not sure if that can happen tho
 
Hmmm. I disabled CSF entirely temporarily and they come through so it's something CSF related.
Can you check these settings in the /etc/csf/csf.conf file?
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"

SMTP_PORTS = "25,465,587"

Are they the same in your case?

but ideally I'd like to avoid that.
You should indeed not do that. Most likely, as @ericosman said, one or more of the IPs are blocked, but why....

I didn't experience something like that personally yet.
However, it might be that for some reason one of the IPs is blocked; best would be to investigate this.

I would first remove those again from the csf.allow file and restart csf.

After that, check if one of those IPs is present in the /etc/csf/csf.deny file. If yes, write down which one, or which ones if there are multiple.
Mostly there is a reason behind the block, so with a bit of luck you will find it there.

Also check the temporary deny IPs; those are in the /var/lib/csf/csf.tempban file. They also contain causes like this:
Code:
1710325235|202.98.219.83||inout|1209600|lfd - (RCPT) RCPT NOT ALLOWED FROM  202.98.219.83 (CN/China/-): 5 in the last 900 secs

This way you might be able to find the cause.
Of course, if you find them in either of them, you have to remove the IPs from there and then see if/when it happens again.
I would suggest for the time being enabling the CSF notification options so you can see if an IP gets a per block.
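
The check described in the last reply, as an added example that is not part of the original thread: it looks for csf.deny and csf.tempban entries that overlap a sender's published ranges and returns the logged reason. The function names are hypothetical, the tempban field layout is inferred from the sample line above, csf.deny is assumed to use the simple `address # comment` form, and the ranges are constructed placeholders.

```python
import ipaddress

# Constructed placeholders (documentation ranges); substitute the CIDRs
# returned by the SPF lookup mentioned in the thread.
SAMPLE_RANGES = ["192.0.2.0/24", "2001:db8::/32"]
# First line is the tempban sample from the thread; second is constructed.
SAMPLE_TEMPBAN = (
    "1710325235|202.98.219.83||inout|1209600|lfd - (RCPT) RCPT NOT ALLOWED "
    "FROM  202.98.219.83 (CN/China/-): 5 in the last 900 secs\n"
    "1711382000|192.0.2.25||inout|3600|lfd - constructed sample reason\n"
)
# Constructed csf.deny content, assuming the simple "address # comment" form.
SAMPLE_DENY = "# header\n192.0.2.0/28 # constructed sample comment\n198.51.100.7 # unrelated\n"

def parse_tempban(text):
    """Yield (ip, reason) from lines shaped time|ip|ports|inout|ttl|reason."""
    for line in text.splitlines():
        parts = line.strip().split("|", 5)
        if len(parts) == 6:
            yield parts[1], parts[5]

def parse_deny(text):
    """Yield (address, comment) from simple 'address # comment' lines."""
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        if entry.strip():
            yield entry.strip(), comment.strip()

def find_blocked(sender_ranges, entries):
    """Return (entry, reason) pairs whose address overlaps any sender range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in sender_ranges]
    hits = []
    for entry, reason in entries:
        try:
            blocked = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a plain address or CIDR; skipped in this sketch
        if any(blocked.version == n.version and blocked.overlaps(n) for n in nets):
            hits.append((entry, reason))
    return hits

if __name__ == "__main__":
    for name, entries in (("csf.tempban", parse_tempban(SAMPLE_TEMPBAN)),
                          ("csf.deny", parse_deny(SAMPLE_DENY))):
        for entry, reason in find_blocked(SAMPLE_RANGES, entries):
            print(f"{name}: {entry} overlaps a sender range: {reason}")
```

On a live server, pass the contents of /etc/csf/csf.deny and /var/lib/csf/csf.tempban in place of the sample strings.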
 