TIPS Gmail SMTP: connection refused

broadcastguy

New Member
Joined
Jan 24, 2016
Messages
17
Reaction score
5
Hello,

New 3CX user here. I've set up iptables as best I can by adding the relevant FQDN and IPs to the whitelist. I'm having difficulty connecting to Gmail while iptables is enabled, despite allowing port 587 and adding smtp.gmail.com to the whitelist.

It's probably a total newbie mistake, but can anyone offer any insight? It would be very much appreciated.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,067
Reaction score
2,597
You shouldn't need a whitelist entry to send outbound emails through Gmail. Are you attempting to use Gmail as a smarthost for your PBX? Did you follow the tutorial?

Configuring Gmail as SMTP RelayHost for 3CX. 3CX has a detailed tutorial explaining how to set up your Gmail account as the SMTP relay host for 3CX. Be advised that there is one additional step before Google will authorize access from an IP address it doesn’t already have for your GMail account. In addition to Enabling Less Secure Apps (as covered in the 3CX tutorial), you also will need to activate the Google Reset Procedure while logged into your Gmail account. Otherwise, Google will block access. Once you have configured Gmail as your relay host and performed the two enabling steps above, immediately test email delivery within the 3CX GUI while Google security is relaxed: Settings → Email → TEST.
 

broadcastguy

Absolutely. I followed your instructions closely. The interesting thing is, when I uninstall iptables, Gmail works fine and sends all the notification emails. As soon as I re-install, I get the “Connection Refused” errors again - when I go to Settings, Email and Test.
 

kb9mwr

Guru
Joined
Jun 7, 2008
Messages
133
Reaction score
18
Not sure how your firewall is configured exactly, but try whitelisting this Google IP: 64.233.191.108
If that allows email to work, I'd say you have something with the established related states of your firewall messed up.
 

broadcastguy

Thanks @kb9mwr.
The firewall was installed with all the default rules as per Ward's instructions here: http://nerdvittles.com/?p=22469. The only thing I initially added to the white list was my home FQDN. As soon as it was installed, I started getting the "Connection refused 173.194.202.109:587" error.

I did as you suggested and still receive the same error. Oddly enough, that's one of the Google IP addresses I have white listed. I'm at a loss.
 

wardmundy

Did you whitelist it for full access? Otherwise TCP 587 is probably not authorized.
 

broadcastguy

I added this IP specifically, since it seems to be the problem. Below is the report back I get. My limited iptables understanding would say that all connections to this IP are allowed. Is this correct?

The following iptables rules now are in effect for 173.194.202.***:
ACCEPT all -- 173.194.202.*** 0.0.0.0/0
 

broadcastguy

I've exhausted my efforts trying to get this to work. Can anyone else suggest a command that I might execute to allow connections to Gmail, Office 365, etc., on port 587? The only way I can get the SMTP relay to work is if I uninstall iptables, thus exposing my VPS to the world wide web. All other communication to/from the VPS works flawlessly. Any final thoughts before I totally abandon this otherwise awesome PBX would be greatly appreciated.
 

broadcastguy

I suppose I should have done that in the first place. This is a clean install. I've tried about 4 times, thinking I messed something up with the 3CX installation. Still, no dice. According to Ward's tutorial, I shouldn't have to specifically allow Google's SMTP IP or port 587 after I've installed TM3 as per instructions here: http://nerdvittles.com/?p=22469

Thanks in advance!

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:ACK/ACK
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     all  --  loopback/8           anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  3CX IP         anywhere
ACCEPT     all  --  Home Dynamic IP  anywhere
ACCEPT     all  --  3CX IP         anywhere
DROP       tcp  --  anywhere             anywhere             match-set china src
DROP       tcp  --  anywhere             anywhere             match-set russia src
DROP       tcp  --  anywhere             anywhere             match-set palestine src
DROP       tcp  --  anywhere             anywhere             match-set nkorea src
DROP       tcp  --  anywhere             anywhere             match-set ukraine src
DROP       tcp  --  anywhere             anywhere             match-set moldavia src
DROP       udp  --  anywhere             anywhere             match-set china src
DROP       udp  --  anywhere             anywhere             match-set russia src
DROP       udp  --  anywhere             anywhere             match-set palestine src
DROP       udp  --  anywhere             anywhere             match-set nkorea src
DROP       udp  --  anywhere             anywhere             match-set ukraine src
DROP       udp  --  anywhere             anywhere             match-set moldavia src
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain dpt s:9999:65535
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:32976
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4445
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mdns
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5090
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5090
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  192.168.0.0/16       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  123.183.209.136      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
 

wardmundy

FYI @broadcastguy: When I put your rules into a code block (above), I noticed there were all sorts of extraneous spaces in the middle of words. Do your actual rules look like that?? If so, that would certainly cause problems with the firewall.
 

broadcastguy

Sorry about that Ward. I merely copy/pasted the output of iptables -L (clearly not the right way, either). My bad.
 

broadcastguy

Update: I installed the Beta version 15.5 Update 2 and none of the mail options worked (Office 365, Gmail, Outlook.com) but when I selected the 3CX SMTP server I was able to get notification emails to send. So bizarre. It's definitely something to do with the iptables default settings, but I could not figure out how to make it work. Not the perfect setup, but at least it works.
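
Added example, not part of the original thread: a small Python probe for the "Connection refused 173.194.202.109:587" symptom reported above. It tries every address `smtp.gmail.com` resolves to and separates an active refusal from a silent timeout, which point at different firewall causes; the function and verdict names are this example's own.

```python
import errno
import socket

# connect() errors mapped to a verdict (names chosen for this example).
VERDICTS = {
    errno.ECONNREFUSED: "refused",      # a TCP RST or ICMP port-unreachable came back
    errno.EHOSTUNREACH: "unreachable",  # ICMP host-unreachable or no route
    errno.ENETUNREACH: "unreachable",
}

# What each verdict suggests when reading a ruleset like the one posted above.
HINTS = {
    "open": "handshake completed; the firewall is not blocking this address",
    "refused": "something answered with a rejection (REJECT rule or closed port); "
               "a silent DROP does not produce this error",
    "timeout": "no answer at all; consistent with a DROP on the SYN or on the replies",
    "unreachable": "routing problem or an ICMP unreachable from a device on the path",
    "dns-failure": "name did not resolve; check that DNS replies are allowed in",
}

def probe(host, port, timeout=5.0):
    """Connect to every address `host` resolves to; return [(address, verdict)]."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(host, "dns-failure")]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            verdict = "open"
        except socket.timeout:
            verdict = "timeout"
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, "unknown")
            verdict = VERDICTS.get(exc.errno, "error:" + name)
        results.append((sockaddr[0], verdict))
    return results

if __name__ == "__main__":
    # smtp.gmail.com resolves to several addresses that change over time,
    # so a single whitelisted IP may not be the one the PBX connects to.
    for address, verdict in probe("smtp.gmail.com", 587):
        print(f"{address:40} {verdict:12} {HINTS.get(verdict, '')}")
```

Running it once with the firewall loaded and once without, on the PBX itself, shows whether the verdict changes per address or for all of them.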
 
