But these aren't SMTP connections. The source is port 25, but the destination is not. The mail server is running normally. I'm allowing new SMTP connections and traffic for established connections.
They are SMTP connections -- your server initiates a connection to port 25 on the remote server. Thus, when the connection is set up the remote server will be responding with source port 25 and destination port = source port of the initiated connection.
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
I think the ACCEPT all line should catch these, but you might try adding RELATED,ESTABLISHED specifically to the dpt:25 line.
# cat /proc/sys/net/ipv4/ip_conntrack_max
63480
Unless you're passing a lot of traffic, the conntrack_max looks okay.
Yet another possibility is that these are duplicated packets (for whatever reason) and the connection has already been closed out.
Possible, I guess, but I don't know what would be duplicating them.
This isn't as likely, but the remote sites could be duplicating them -- the only way to determine if that's the case would be to sniff the traffic and see if the remote site sends the same packet more than once.
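Added illustration, not code from anyone in this thread: a constructed, deliberately simplified model of the iptables state match run over the two ACCEPT rules quoted above. It shows why a reply with source port 25 still matches the RELATED,ESTABLISHED rule, and why a duplicate arriving after the tracked entry is gone falls through to the drop; the addresses and ports are made up for the example.

```python
from dataclasses import dataclass

# Constructed model (not the poster's logs): how the state match yields NEW/ESTABLISHED/INVALID.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN,ACK", "ACK", "FIN,ACK" or "RST"

class MiniConntrack:
    """Tracks each connection by the 4-tuple of the side that sent the first SYN."""
    def __init__(self):
        self.table = set()

    def classify(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            # Simplified: real conntrack holds a closing entry in TIME_WAIT; here FIN/RST removes it at once
            if "FIN" in p.flags or "RST" in p.flags:
                self.table -= {fwd, rev}
            return "ESTABLISHED"
        if p.flags == "SYN":
            self.table.add(fwd)
            return "NEW"
        return "INVALID"  # non-SYN packet with no tracked connection, e.g. a late duplicate

def verdict(ct: MiniConntrack, p: Packet) -> str:
    """The two ACCEPT rules quoted in the thread, with an implicit DROP policy."""
    state = ct.classify(p)
    if state == "ESTABLISHED":            # ACCEPT all -- state RELATED,ESTABLISHED
        return "ACCEPT"
    if state == "NEW" and p.dport == 25:  # ACCEPT tcp -- state NEW tcp dpt:25
        return "ACCEPT"
    return "DROP"

def run_sample() -> list:
    me, remote, client = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed addresses
    ct = MiniConntrack()
    pkts = [
        Packet(me, 40000, remote, 25, "SYN"),       # our server connects out to port 25
        Packet(remote, 25, me, 40000, "SYN,ACK"),   # reply: source port 25, destination 40000
        Packet(me, 40000, remote, 25, "FIN,ACK"),   # we close the session
        Packet(remote, 25, me, 40000, "ACK"),       # duplicate arriving after the entry is gone
        Packet(client, 5555, me, 25, "SYN"),        # unrelated inbound SMTP client
    ]
    return [verdict(ct, p) for p in pkts]
```

Calling run_sample() gives ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT']: the source-port-25 reply is accepted as ESTABLISHED, and only the post-close duplicate is dropped.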