
Non root user using telnet refused

Posted: 2019/04/11 04:01:29
by rezashamdani
Hi,

I'm trying to send email without using the root account, but it fails as shown below.
Using root account

Code:

[root@XXXXXX ~]# telnet XXXXXX.mail.protection.outlook.com 25
Trying XXX.XX.XXX.XX...
Connected to XXXXXX.mail.protection.outlook.com.
Escape character is '^]'.
220 XXXXXX.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 11 Apr 2019 03:53:53 +0000
Using non root account

Code:

[nonroot@XXXXXX ~]$ telnet XXXXXX.mail.protection.outlook.com 25
Trying XXX.XX.XXX.XX...
telnet: connect to address XXX.XX.XXX.XX: Connection refused
Trying XXX.XX.XXX.XX...
telnet: connect to address XXX.XX.XXX.XX: Connection refused
I have spent a week trying to figure it out, but still failed. We have another server with CentOS 6, but there the non-root account can use telnet.
I have disabled SELinux as others have suggested on similar questions, but it still failed.
Please help, I have another 7 CentOS 6 servers that need to be upgraded to CentOS 7 by next year, and this issue might hold that back.

This is my server current configuration;
Linux howdensg2.howdensolutions.com 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux.
SELinux disabled.
firewalld.service inactive.
iptables -L -n --line-numbers, without the INPUT section:

Code:

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain cphulk (1 references)
num  target     prot opt source               destination

Re: Non root user using telnet refused

Posted: 2019/04/11 05:34:09
by avij
I see you have cPanel installed. Whatever restriction there may be has probably been configured through cPanel. So ask them, maybe?

Re: Non root user using telnet refused

Posted: 2019/04/15 03:47:10
by hunter86_bg
SELinux disabled ... That's like shooting a pigeon with a tank.
Just set it to permissive and if SELinux is the problem, you will have the info in /var/log/audit/audit.log

Re: Non root user using telnet refused

Posted: 2019/04/15 13:56:12
by TrevorH
It isn't the problem. The problem is the output iptables lines that restrict output packets to only traffic that comes from source ports 8984 and 7984 for the root user or for uid 988.
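A check that follows from the `owner UID match` rules in the listing, added here as an example and not code from any poster: `iptables -L` without `-t` lists only the filter table, so this function scans an `iptables-save` dump of all tables for `--uid-owner` rules. The sample dump is constructed; its filter rules mirror the listing above and its nat rule (UID 1000, port 2525) is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find per-user rules in every table.

# Usage: iptables-save | owner_rules [UID]
# Prints "table: rule" for each rule carrying --uid-owner; with UID given,
# only rules whose owner condition is true for that UID ("!" and ranges too).
# Other owner options (--gid-owner, --socket-exists) are not examined.
owner_rules() {
    awk -v uid="${1:-}" '
        /^\*/  { table = substr($0, 2); next }      # "*nat" opens a table
        /^-A / {
            for (i = 2; i < NF; i++) if ($i == "--uid-owner") {
                neg = ($(i - 1) == "!")              # "! --uid-owner N"
                n = split($(i + 1), r, "-")          # "N" or "N-M"
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                hit = (uid + 0 >= lo && uid + 0 <= hi)
                if (uid == "" || hit != neg) print table ": " $0
            }
        }'
}

# Constructed sample in iptables-save format. The filter rules restate the
# thread listing; the nat rule is a made-up illustration, not from the thread.
sample_dump() {
    cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner 1000 -j REDIRECT --to-ports 2525
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
:cpanel-dovecot-solr - [0:0]
-A OUTPUT -j cpanel-dovecot-solr
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner 988 -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner 0 -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Rules in the sample that apply to UID 1000, whatever table they sit in.
sample_dump | owner_rules 1000
```

On a live host the input would be `iptables-save` run as root, piped into `owner_rules` with the UID of the affected account.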

Re: Non root user using telnet refused

Posted: 2019/04/22 03:26:32
by rezashamdani
Sorry for the late reply.

Thanks @TrevorH, I have allowed the request before the reject line as seen below:

Code:

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xx        tcp dpt:25 state NEW,ESTABLISHED
2    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable
But the telnet with the non-root user still failed, please help.

Re: Non root user using telnet refused

Posted: 2019/04/22 11:25:08
by TrevorH
If you mean you added the line to allow port 25 then that is for sending mail not for telnet. Telnet itself uses port 23 not 25.

Re: Non root user using telnet refused

Posted: 2019/04/23 02:46:19
by rezashamdani
Hi @TrevorH, I have added port 23, as in the output below:

Code:

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xxx        tcp dpt:25 state NEW,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xxx        tcp dpt:23 state NEW,ESTABLISHED
3    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain cphulk (1 references)
num  target     prot opt source               destination
[root@XXXXXX ~]# su nonroot
[nonroot@ XXXXXX ~]$ telnet XXXXXX.mail.protection.outlook.com 25
Trying xx.xxx.xx.xxx...
telnet: connect to address xx.xxx.xx.xxx: Connection refused
Trying xx.xxx.xx.xxx...
telnet: connect to address xx.xxx.xx.xxx: Connection refused
[nonroot@ XXXXXX ~]$ exit
exit
[root@ XXXXXX ~]# telnet XXXXXX.mail.protection.outlook.com 25
Trying xx.xxx.xx.xxx...
Connected to XXXXXX.mail.protection.outlook.com.
Escape character is '^]'.
220 XXXXXXXXXX.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 23 Apr 2019 02:41:32 +0000

Re: Non root user using telnet refused

Posted: 2019/04/23 10:26:01
by TrevorH
You know that mail.protection.outlook.com is a dns entry that resolves to about 100 different ip addresses and that you're very likely to get a different one each time you do a lookup?

Re: Non root user using telnet refused

Posted: 2019/04/25 04:45:14
by rezashamdani
It was not mail.protection.outlook.com, but mycompany.mail.protection.outlook.com. Every time I check the IP via dig/ping it always returns the same IP address. Please help me to resolve this.

My other server, the CentOS 6 one, was not having this issue.

Re: Non root user using telnet refused

Posted: 2019/04/25 18:41:31
by aks
"every time I check the IP via dig/ping it always returns the same IP address"
That's often called caching (or maybe not, you don't say).
"please help me to resolve this."
Well, there are many stories that can get in the way, persevere I say.

Just switch off the firewall (assuming that's appropriate), at both ends (if possible). You are getting "connection denied", which suggests you are getting ICMP messages - classic/good citizen messages IMO. Does it work without the firewall(s)? If so, it's likely the firewall(s) are the problem (and no, don't do anything else, literally stop iptables/firewalld and that is all - I can't tell you how many times people do other things and "pretend" they've only done the one thing - be 100% sure).

Packets (at the network and lower layer and below) do NOT carry the context of who did what. If the application involved does, then change the application(s).