
I have been running a CentOS email/web server for years, on a Linode Xen server for the last 4 years, with almost no trouble.

Since sometime yesterday I have not been able to connect to outbound email (port 25) servers. The mail queue is building up. Other weird things:

  • I can traceroute on port 25 to gmail servers and complete, but time out when connecting outbound to these servers
  • I just did yum update earlier this afternoon
  • I was getting IPv6 connections trying to be set up until I turned off IPv6 in sysctl
  • I can receive inbound mail on port 25 just fine, just can't forward it out.
  • I'm getting dynamic changes in my iptables, for example:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  cpe-188-129-114-96.dynamic.amis.hr  anywhere            
    DROP       all  --  190.40.173.185       anywhere            
    DROP       all  --  5.200.193.129        anywhere            
    DROP       all  --  206.47.254.202       anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  cpe-188-129-114-96.dynamic.amis.hr  anywhere            
    DROP       all  --  190.40.173.185       anywhere            
    DROP       all  --  5.200.193.129        anywhere            
    DROP       all  --  206.47.254.202       anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    

Any ideas? Have I been hacked?


1 Answer


Just a few things:

  1. Those are probably spammer addresses but what I think is weird is that the iptables are set to not connect, not to disallow the connection. Maybe you have some sort of security program/firewall/IDS blocking IP addresses?

  2. Consider flushing your iptables and planning out what you think your firewall should look like. If you have a firewall program see if it's interfering. If a bunch of unsavory servers are trying to connect to yours, chances are your server is locking down. I don't see the real benefit in hackers taking out your functionality. Most use SMTP servers to send out spam so they benefit from it functioning.

EDIT: I say those are spammer addresses because the 206.x.x.x address is notorious.
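As an added example (not code from the question or the answer), here is a small POSIX shell triage script for the firewall part of the answer. It parses an `iptables -S` / `iptables-save` style rule dump, lists which source addresses each chain drops, and counts OUTPUT rules that drop or reject TCP to destination port 25, which is the only kind of local rule that would explain an outbound SMTP connect timing out. The rule dump embedded below is constructed to mirror the four per-source DROP rules posted in the question (the 188.129.114.96 address is inferred from the reverse-DNS name shown); the second dump adds a hypothetical OUTPUT REJECT rule to show the positive case. The function names are mine. Run it against a live box with `iptables -S | drop_sources INPUT` and `iptables -S | output_smtp_blocks` instead of the embedded text.

```shell
#!/bin/sh
# Added example: triage an iptables rule dump for rules that could explain
# an outbound port-25 timeout. Not part of the original question or answer.

# Constructed dump mirroring the rules posted in the question: per-source
# DROPs in INPUT and FORWARD, an empty OUTPUT chain, all policies ACCEPT.
RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 188.129.114.96/32 -j DROP
-A INPUT -s 190.40.173.185/32 -j DROP
-A INPUT -s 5.200.193.129/32 -j DROP
-A INPUT -s 206.47.254.202/32 -j DROP
-A FORWARD -s 188.129.114.96/32 -j DROP
-A FORWARD -s 190.40.173.185/32 -j DROP
-A FORWARD -s 5.200.193.129/32 -j DROP
-A FORWARD -s 206.47.254.202/32 -j DROP'

# Constructed positive case (hypothetical): same rules plus an OUTPUT rule
# rejecting TCP to port 25, the kind of rule that really would break relaying.
RULES_SMTP_BLOCKED="$RULES
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable"

# drop_sources CHAIN  (rules on stdin)
# Print each distinct source address that CHAIN drops, one per line.
drop_sources() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            target = ""; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (target == "DROP" && src != "") print src
        }' | sort -u
}

# output_smtp_blocks  (rules on stdin)
# Print the number of OUTPUT rules that DROP or REJECT TCP to dport 25.
# A result of 0 means the local firewall is not what is killing outbound SMTP.
output_smtp_blocks() {
    awk '
        $1 == "-A" && $2 == "OUTPUT" {
            target = ""; dport = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            if ((target == "DROP" || target == "REJECT") && dport == "25") n++
        }
        END { print n + 0 }'
}

# Report for the posted rules: four dropped sources, nothing touching OUTPUT.
printf '%s\n' "$RULES" | drop_sources INPUT | sed 's/^/INPUT drops source: /'
printf 'OUTPUT rules blocking tcp/25 (posted rules): %s\n' \
    "$(printf '%s\n' "$RULES" | output_smtp_blocks)"
printf 'OUTPUT rules blocking tcp/25 (hypothetical dump): %s\n' \
    "$(printf '%s\n' "$RULES_SMTP_BLOCKED" | output_smtp_blocks)"
```

Read against the rules in the question, the script reports four dropped sources in INPUT and zero OUTPUT rules touching port 25: per-source DROPs on inbound traffic cannot stop a connection the server itself opens to Gmail, so the rules being added dynamically (by fail2ban or a similar program, as the answer suggests) and the outbound timeout are two separate problems to chase.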