OVH VPS can't connect to mail ports of external servers (Local Zone)
Posted by RevolutionaryTank631@reddit | linuxadmin
I have an OVH VPS in Belgium (BE, Local Zone) and one in France (FR, regular zone).
The issue is that my BE VPS doesn't seem to be able to connect to mail ports of any external server.
Example:
$ telnet everest.mxrouting.net 587
Trying 135.181.228.117...
It doesn't connect (also tried Gmail + Outlook). My FR VPS has no issues, while both are Debian 13, no firewall installed, completely open iptables, no OVH dashboard firewall (isn't even possible for Local Zones), ...
Even stranger:
- Opening port 587 with netcat on FR VPS: my BE VPS can't connect to it.
- Opening port 587 with netcat on BE VPS: my FR VPS can connect to it.
So it's only outgoing 587 that's being blocked.
I asked OVH but they keep claiming that nothing is blocked on their side.
If you own a Local Zone VPS, please test this?
Proof of iptables rules and (the absence of) UFW:
https://pastebin.com/Z8VgWZ2Z
lathiat@reddit
It’s common to have email ports blocked by default and require a request to open to reduce spam. Fairly sure that is the case with OVH but their support articles seem to be missing.
In any case it’s highly likely so I’d contact them.
RevolutionaryTank631@reddit (OP)
I've tried telling them multiple times but they keep marking my ticket as resolved. I feel like this has something to do with the VPS being in a Local Zone...
It's not that I would block the one mail port I need by accident while keeping every single other port open 🤷
t0xic_sh0t@reddit
I have multiple OVH servers (dedicated + VPS) but don't use Public Cloud so I don't know if there's some extra setup for the network.
Do you use a public or LAN IP?
Can you ping each other?
Have you tried any other port?
RevolutionaryTank631@reddit (OP)
It's actually not Public Cloud but VPS-1 Local Zone from their new line.
Using all public IPs (and also completely unrelated external providers like Gmail).
No problems with ping.
Other ports work (like 80, 588), but other mail ports don't (like 25).
And I surely did not explicitly block all these mail ports myself. Feels like a block on their side to me, since this is something that providers do more often.
t0xic_sh0t@reddit
Yes, they have a system that blocks email ports if they detect suspicious activity. You can see if the IP is blocked in:
OVH Control Panel > Bare Metal Cloud > Network > IP
Check if there's any "Alert" for that IP address. If there is, you can request an unblock in the options or through the API.
RevolutionaryTank631@reddit (OP)
No alerts there. And I've only had the VPS for about one day, so if it's blocked it might be from a previous customer.
I just sent them this tcpdump:
My egress SMTP traffic is silently being dropped somewhere. But since there's no ICMP unreachable, no RST, and no response at all, this strongly suggests provider-level filtering.
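Added example, not part of the original thread: a small probe that separates the three outcomes discussed above (connection, RST, no answer at all) and compares the mail ports with the control ports named in the thread. It assumes you pass a host you control as the argument, so that a refused or accepted control port proves the path itself works; the function names and result labels are made up for this sketch.

```python
import errno
import socket
import sys

MAIL_PORTS = (25, 587)      # ports reported blocked in the thread
CONTROL_PORTS = (80, 588)   # ports reported working in the thread

def classify(exc):
    """Translate a connect() outcome into what the network did with the SYN."""
    if exc is None:
        return "open"                 # SYN/ACK came back
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "silent-drop"          # no SYN/ACK, no RST, no ICMP
    if isinstance(exc, ConnectionRefusedError):
        return "refused"              # RST: the packet reached something that answered
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"          # ICMP unreachable or no local route
    return "error"                    # DNS failure and anything else

def probe(host, port, timeout=5.0):
    """Attempt one outbound TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def verdict(results):
    """results: {port: classification}. Compare mail ports with controls."""
    mail = [results[p] for p in MAIL_PORTS if p in results]
    ctrl = [results[p] for p in CONTROL_PORTS if p in results]
    if mail and all(r == "open" for r in mail):
        return "mail ports reachable"
    # An open or refused control port means packets do leave and replies return.
    path_ok = any(r in ("open", "refused") for r in ctrl)
    if mail and all(r == "silent-drop" for r in mail) and path_ok:
        return "mail ports silently dropped while controls get answers: consistent with upstream egress filtering"
    return "inconclusive: check each port's result"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py HOST")
    host = sys.argv[1]
    results = {p: probe(host, p) for p in MAIL_PORTS + CONTROL_PORTS}
    for port, result in sorted(results.items()):
        print(f"{host}:{port} {result}")
    print(verdict(results))
```

Run it from both VPSes against the same target; a difference only on the mail ports from one source narrows the drop to that source's network path.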