1
votes

I have a virtual machine (CentOS) running on Google's Compute Engine and everything seems pretty straightforward, have read all the documentation I can find, but this one thing is hanging me up. I know outbound SMTP connections are blocked by the GCE, but incoming should be no problem from what I've read. However, I've configured the server correctly (I think) and added the firewall for SMTP through gcutil, but still no dice:

gcutil addfirewall smtp --description="Incoming smtp allowed." --allowed="tcp:smtp"

This adds the rule to allow SMTP connections.

gcutil listfirewalls

    +------------------------+---------------------------------------+---------+------------+-------------+-------------+
    |          name          |              description              | network | source-ips | source-tags | target-tags |
    +------------------------+---------------------------------------+---------+------------+-------------+-------------+
    | default-allow-internal | Internal traffic from default allowed | default | 10.0.0.0/8 |             |             |
    | default-ssh            | SSH allowed from anywhere             | default | 0.0.0.0/0  |             |             |
    | http2                  | Incoming http allowed.                | default | 0.0.0.0/0  |             |             |
    | pop3                   | Incoming pop3 allowed.                | default | 0.0.0.0/0  |             |             |
    | smtp                   | Incoming smtp allowed.                | default | 0.0.0.0/0  |             |             |
    +------------------------+---------------------------------------+---------+------------+-------------+-------------+

SMTP rule is listed. Other ports work fine, I can get into ports 80, 22, and 110. But when trying to get into port 25:

telnet nextcore.com 25
Trying 173.255.112.1...

It will not connect.

Connecting to localhost port 25 on the virtual machine works just fine:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 nextcore.localdomain ESMTP Postfix

What am I missing?

2

2 Answers

4
votes

I'm not sure what you have listening on port 25 (e.g. sendmail, postfix, etc). I can confirm that I also can't connect to your VM on port 25, though I can connect on port 80.

You can check which programs are listening on which ports with sudo netstat -lpn -A inet, e.g.

$ sudo netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2691/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      15845/nc
udp        0      0 0.0.0.0:23153           0.0.0.0:*                           2291/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2291/dhclient
udp        0      0 10.87.233.49:123        0.0.0.0:*                           2566/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2566/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2566/ntpd

You might discover that your mail program is only listening on localhost (127.0.0.1), or that you are missing an entry in `/etc/hosts.allow` or have an entry in `/etc/hosts.deny` that blocks requests from outside your local network.
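To make the "is it only listening on localhost" check repeatable, here is an added example (not part of the answer above, and not code from the asker's VM) that parses `netstat -lpn -A inet` style output and reports TCP listeners bound only to loopback. The `SAMPLE` variable is constructed output in which the mail daemon is bound to 127.0.0.1:25, the situation the answer describes; on a real host you would pipe `sudo netstat -lpn -A inet` into `loopback_only_tcp` instead.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -lpn -A inet` output (not captured from
# any real machine). Port 25 and 110 are bound to loopback only; 22 and 80 are
# bound to all interfaces.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2691/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1620/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1702/httpd
tcp        0      0 127.0.0.1:110           0.0.0.0:*               LISTEN      1633/dovecot'

# Read netstat output on stdin; print "port program" for every TCP listener
# whose local address is in 127.0.0.0/8, i.e. unreachable from outside the VM
# no matter what the GCE firewall allows.
loopback_only_tcp() {
    awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^127\./ {
        n = split($4, a, ":")
        print a[n], $7
    }'
}

# Exit 0 if some TCP listener on PORT is bound to a non-loopback address
# (0.0.0.0 or an interface IP), exit 1 otherwise. Reads $SAMPLE here; replace
# the printf with a real netstat call on a live host.
port_listens_externally() {
    port="$1"
    printf '%s\n' "$SAMPLE" | awk -v p="$port" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p && a[1] !~ /^127\./) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Usage: list the loopback-only services, then check the SMTP port explicitly.
printf '%s\n' "$SAMPLE" | loopback_only_tcp
if port_listens_externally 25; then
    echo "port 25 is reachable from outside the VM (firewall permitting)"
else
    echo "port 25 is bound to loopback only; fix the daemon's listen address"
fi
```

If the script reports port 25 as loopback-only, the fix is in the mail daemon's configuration rather than in the GCE firewall; for Postfix that is the `inet_interfaces` setting in `main.cf`, which defaults to `localhost` on many distributions.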

1
votes

You can take a look at this: https://developers.google.com/compute/docs/networking#mailserver You will see that Google Compute Engine blocks outbound connections on ports 25, 465, and 587. The instructions for setting up postfix to work with GCE are available on that page as well.