> But these aren't SMTP connections. The source is port 25, but the
> destination is not. The mail server is running normally. I'm allowing
> new SMTP connections and traffic for established connections.

They are SMTP connections -- your server initiates a connection to port 25 on the remote server. Thus, when the connection is set up the remote server will be responding with source port 25 and destination port = source port of the initiated connection.

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25

I think the ACCEPT all line should catch these, but you might try adding RELATED,ESTABLISHED specifically to the dpt:25 line.

> # cat /proc/sys/net/ipv4/ip_conntrack_max
> 63480

Unless you're passing a lot of traffic, the conntrack_max looks okay.

> >> Yet another possibility is that these are duplicated packets (for
> >> whatever reason) and the connection has already been closed out.
> >>
> >
> > Possible, I guess, but I don't know what would be duplicating them.

This isn't as likely, but the remote sites could be duplicating them -- the only way to determine if that's the case would be to sniff the traffic and see if the remote site sends the same packet more than once.

M
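The exchange above turns on how a stateful filter classifies the return half of an outbound SMTP connection, and why a late or duplicated segment from a remote port 25 ends up in the drop log once the conntrack entry is gone. The following is an added example, not code from the thread or from iptables: it is a toy Python model of the three rules quoted in the message (accept RELATED,ESTABLISHED; accept NEW tcp dpt:25; default drop) with a simplified conntrack table keyed on the TCP 4-tuple. The IP addresses and the ephemeral port 45000 are constructed values from documentation ranges; the model treats "NEW" simply as "no conntrack entry for this flow", which is enough to reproduce the situation described.

```python
"""
Toy model of a stateful filter: ACCEPT RELATED,ESTABLISHED, then
ACCEPT NEW tcp dpt:25, then DROP (logged). Constructed example, not
the poster's ruleset and not how netfilter is implemented internally.
"""
from dataclasses import dataclass, field

SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulFilter:
    # Conntrack table: both directions of a flow map to one key, so the
    # reply (remote:25 -> local:ephemeral) matches the entry created by
    # the outbound packet (local:ephemeral -> remote:25).
    conntrack: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        a = (p.src_ip, p.src_port)
        b = (p.dst_ip, p.dst_port)
        return tuple(sorted((a, b)))

    def state(self, p: Packet) -> str:
        # Simplification: anything without a conntrack entry is NEW.
        return "ESTABLISHED" if self.flow_key(p) in self.conntrack else "NEW"

    def filter(self, p: Packet) -> str:
        st = self.state(p)
        # Rule 1: ACCEPT all -- state RELATED,ESTABLISHED
        if st == "ESTABLISHED":
            return "ACCEPT"
        # Rule 2: ACCEPT tcp -- state NEW tcp dpt:25 (creates the entry)
        if st == "NEW" and p.dst_port == SMTP_PORT:
            self.conntrack.add(self.flow_key(p))
            return "ACCEPT"
        # Default policy: DROP and log, which is where the "source port 25,
        # destination port not 25" lines in the thread come from.
        self.log.append(
            f"DROP src={p.src_ip}:{p.src_port} dst={p.dst_ip}:{p.dst_port}"
        )
        return "DROP"

    def expire(self, p: Packet) -> None:
        # Connection closed out (or entry timed out): forget the flow.
        self.conntrack.discard(self.flow_key(p))


def scenario():
    """Outbound SMTP, its reply, then a late duplicate after close-out."""
    fw = StatefulFilter()
    local, remote = "192.0.2.10", "198.51.100.20"   # constructed addresses
    outbound = Packet(local, 45000, remote, SMTP_PORT)   # our MTA connects out
    reply = Packet(remote, SMTP_PORT, local, 45000)      # sport 25, dport 45000
    results = [fw.filter(outbound), fw.filter(reply)]
    fw.expire(reply)                                     # connection closed
    late = Packet(remote, SMTP_PORT, local, 45000)       # duplicate/late segment
    results.append(fw.filter(late))
    return results, fw.log


if __name__ == "__main__":
    decisions, dropped = scenario()
    print(decisions)
    for line in dropped:
        print(line)
```

Running it shows the outbound packet accepted by the dpt:25 rule, the reply accepted as ESTABLISHED, and the late segment dropped with exactly the signature from the thread (source port 25, destination an ephemeral port). On a real host the equivalent check is to compare the logged 4-tuple against `conntrack -L` or a packet capture taken at the time of the drop; if the remote side really is resending segments after the close, the capture shows the same sequence number arriving twice.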