
TIPS Gmail SMTP: connection refused

Discussion in 'General' started by broadcastguy, Sep 30, 2017.

  1. broadcastguy

    broadcastguy New Member

    Joined:
    Jan 24, 2016
    Messages:
    17
    Likes Received:
    5
    Hello,

    New 3CX user here. I've set up iptables as best I can by adding the relevant FQDN and IPs to the whitelist. I'm having difficulty connecting to Gmail while iptables is enabled, despite allowing port 587 and adding smtp.gmail.com to the whitelist.

    It's probably a total newbie mistake, but can anyone offer any insight? It would be very much appreciated.
     
  2. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,819
    Likes Received:
    2,293
    You shouldn't need a whitelist entry to send outbound emails through Gmail. Are you attempting to use Gmail as a smarthost for your PBX? Did you follow the tutorial?

    Configuring Gmail as SMTP RelayHost for 3CX. 3CX has a detailed tutorial explaining how to set up your Gmail account as the SMTP relay host for 3CX. Be advised that there is one additional step before Google will authorize access from an IP address it doesn’t already have for your Gmail account. In addition to Enabling Less Secure Apps (as covered in the 3CX tutorial), you also will need to activate the Google Reset Procedure while logged into your Gmail account. Otherwise, Google will block access. Once you have configured Gmail as your relay host and performed the two enabling steps above, immediately test email delivery within the 3CX GUI while Google security is relaxed: Settings → Email → TEST.
     
  3. broadcastguy

    broadcastguy New Member

    Absolutely. I followed your instructions closely. The interesting thing is, when I uninstall iptables, Gmail works fine and sends all the notification emails. As soon as I re-install, I get the “Connection Refused” errors again - when I go to Settings, Email and Test.
     
    #3 broadcastguy, Oct 1, 2017
    Last edited: Oct 1, 2017
  4. kb9mwr

    kb9mwr Guru

    Joined:
    Jun 7, 2008
    Messages:
    121
    Likes Received:
    14
    Not sure how your firewall is configured exactly, but try whitelisting this Google IP: 64.233.191.108
    If that allows email to work, I'd say you have something with the established related states of your firewall messed up.
     
  5. broadcastguy

    broadcastguy New Member

    Thanks @kb9mwr.
    The firewall was installed with all the default rules as per Ward's instructions here: http://nerdvittles.com/?p=22469. The only thing I initially added to the white list was my home FQDN. As soon as it was installed, I started getting the "Connection refused 173.194.202.109:587" error.

    I did as you suggested and still receive the same error. Oddly enough, that's one of the Google IP addresses I have white listed. I'm at a loss.
     
  6. wardmundy

    wardmundy Nerd Uno

    Did you whitelist it for full access? Otherwise TCP 587 is probably not authorized.
     
  7. broadcastguy

    broadcastguy New Member

    I added this IP specifically, since it seems to be the problem. Below is the report back I get. My limited iptables understanding would say that all connections to this IP are allowed. Is this correct?

    The following iptables rules now are in effect for 173.194.202.***:
    ACCEPT all -- 173.194.202.*** 0.0.0.0/0
     
    #7 broadcastguy, Oct 2, 2017
    Last edited by a moderator: Oct 15, 2017
  8. broadcastguy

    broadcastguy New Member

    I've exhausted my efforts trying to get this to work. Can anyone else suggest a command that I might execute to allow connections to Gmail, Office 365, etc., on port 587? The only way I can get the SMTP relay to work is if I uninstall iptables, thus exposing my VPS to the world wide web. All other communication to/from the VPS works flawlessly. Any final thoughts before I totally abandon this otherwise awesome PBX would be greatly appreciated.
     
  9. pbxinaflash

    Joined:
    Jan 13, 2016
    Messages:
    36
    Likes Received:
    16
    Posting your current INPUT/OUTPUT rules would help us help you :)
     
  10. broadcastguy

    broadcastguy New Member

    I suppose I should have done that in the first place. This is a clean install. I've tried about 4 times, thinking I messed something up with the 3CX installation. Still, no dice. According to Ward's tutorial, I shouldn't have to specifically allow Google's SMTP IP or port 587 after I've installed TM3 as per instructions here: http://nerdvittles.com/?p=22469

    Thanks in advance!

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere             tcp flags:ACK/ACK
    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere             state RELATED
    ACCEPT     all  --  loopback/8           anywhere
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     all  --  3CX IP         anywhere
    ACCEPT     all  --  Home Dynamic IP  anywhere
    ACCEPT     all  --  3CX IP         anywhere
    DROP       tcp  --  anywhere             anywhere             match-set china src
    DROP       tcp  --  anywhere             anywhere             match-set russia src
    DROP       tcp  --  anywhere             anywhere             match-set palestine src
    DROP       tcp  --  anywhere             anywhere             match-set nkorea src
    DROP       tcp  --  anywhere             anywhere             match-set ukraine src
    DROP       tcp  --  anywhere             anywhere             match-set moldavia src
    DROP       udp  --  anywhere             anywhere             match-set china src
    DROP       udp  --  anywhere             anywhere             match-set russia src
    DROP       udp  --  anywhere             anywhere             match-set palestine src
    DROP       udp  --  anywhere             anywhere             match-set nkorea src
    DROP       udp  --  anywhere             anywhere             match-set ukraine src
    DROP       udp  --  anywhere             anywhere             match-set moldavia src
    ACCEPT     udp  --  anywhere             anywhere             udp spt:domain dpt s:9999:65535
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:auth
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:32976
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4445
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:mdns
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5090
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:5090
    ACCEPT     all  --  10.0.0.0/8           anywhere
    ACCEPT     all  --  192.168.0.0/16       anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    REJECT     all  --  123.183.209.136      anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
     
    #10 broadcastguy, Oct 12, 2017
    Last edited by a moderator: Oct 15, 2017
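
An added example, not part of the original thread: plain `iptables -L`, as pasted in post #10, lists only the filter table and omits interface matches, so the complete ruleset is better read from `iptables-save`. The function below (hypothetical name `audit_smtp_egress`) scans such a dump for what bears on an outbound connection to tcp/587; the sample ruleset is constructed, and its `-i lo` match is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): read an `iptables-save` dump on stdin
# and report what bears on an outbound connection to tcp/<port> (default 587).
audit_smtp_egress() {
  awk -v port="${1:-587}" '
    /^\*/ { table = substr($0, 2); next }          # table header: *filter, *nat
    table == "filter" && /^:INPUT /  { in_policy  = $2 }
    table == "filter" && /^:OUTPUT / { out_policy = $2 }
    /^-A / {
      chain = $2
      # Replies from the mail server arrive on INPUT and need this rule.
      if (table == "filter" && chain == "INPUT" && /ESTABLISHED/ && /-j ACCEPT/)
        est = 1
      # Rules naming the port on OUTPUT or in the nat table can refuse or
      # redirect the connection. Port ranges (a:b) are not evaluated here.
      if ((chain == "OUTPUT" || table == "nat") &&
          $0 ~ ("--dports? ([0-9:]+,)*" port "([ ,]|$)"))
        printf "port-rule %s/%s: %s\n", table, chain, $0
      # REJECT answers immediately, where DROP leaves the client to time out.
      if (table == "filter" && chain == "OUTPUT" && /-j REJECT/)
        printf "output-reject: %s\n", $0
    }
    END {
      printf "input-policy %s\n", in_policy
      printf "output-policy %s\n", out_policy
      printf "input-established-accept %s\n", (est ? "yes" : "no")
    }'
}

# Constructed sample in iptables-save form, modelled on the chains posted
# above. "-i lo" is an assumption: plain `iptables -L` hides interface matches.
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_smtp_egress 587
```

On a live host the same function can be fed directly, as root: `iptables-save | audit_smtp_egress 587`.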
  11. wardmundy

    wardmundy Nerd Uno

    FYI @broadcastguy: When I put your rules into a code block (above), I noticed there were all sorts of extraneous spaces in the middle of words. Do your actual rules look like that?? If so, that would certainly cause problems with the firewall.
     
  12. broadcastguy

    broadcastguy New Member

    Sorry about that Ward. I merely copy/pasted the output of iptables -L (clearly not the right way, either). My bad.
     
    wardmundy likes this.
  13. broadcastguy

    broadcastguy New Member

    Update: I installed the Beta version 15.5 Update 2 and none of the mail options worked (Office 365, Gmail, Outlook.com) but when I selected the 3CX SMTP server I was able to get notification emails to send. So bizarre. It's definitely something to do with the iptables default settings, but I could not figure out how to make it work. Not the perfect setup, but at least it works.
     
