CentOS 7 firewall: how to allow outgoing SMTP e-mail with iptables?

1

I am running a Spring-Boot Java application inside a Docker container on a server running CentOS 7.

[root@dev-machine ~]# rpm --query centos-release
centos-release-7-5.1804.4.el7.centos.x86_64

I would like to send e-mails on user registration, but it only works locally and not on the server. So I think something may be missing or wrong in the firewall rules.

Here is the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f0479a22f469 -j DOCKER
-A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
-A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-3d65bc697485 -j DOCKER
-A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
-A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -j DOCKER
-A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
-A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

and this is the output of iptables-save -c:

[root@dev-machine ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*nat
:PREROUTING ACCEPT [19421:2552711]
:INPUT ACCEPT [18758:2423782]
:OUTPUT ACCEPT [39206:2367366]
:POSTROUTING ACCEPT [39206:2367366]
:DOCKER - [0:0]
[39177:2349612] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[44:2790] -A POSTROUTING -s 172.20.0.0/16 ! -o br-f0479a22f469 -j MASQUERADE
[2396:157880] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[62:3999] -A POSTROUTING -s 172.19.0.0/16 ! -o br-3d65bc697485 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-e9afb76ffa7a -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 8761 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.5/32 -d 172.20.0.5/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A DOCKER -i br-f0479a22f469 -j RETURN
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-e9afb76ffa7a -j RETURN
[0:0] -A DOCKER -i br-3d65bc697485 -j RETURN
[0:0] -A DOCKER ! -i br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.18.0.2:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8761 -j DNAT --to-destination 172.20.0.2:8761
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.20.0.5:8080
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*filter
:INPUT ACCEPT [495382:341584285]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [448313:353150279]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[1853096:1761639004] -A FORWARD -j DOCKER-USER
[1853096:1761639004] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[82:10098] -A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-f0479a22f469 -j DOCKER
[116:11141] -A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
[0:0] -A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
[4610393:6820102985] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[2710958:152407715] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[186:20837] -A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3d65bc697485 -j DOCKER
[248:27845] -A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -j DOCKER
[0:0] -A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
[116:11141] -A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
[2710958:152407715] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
[152:17009] -A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
[7321815:6972561781] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
[2711226:152435865] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[16330669:15452836360] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
[root@dev-machine ~]#

The container involved in sending the e-mails is running at 172.20.0.5 with the port mapping 8080:8080.

I found some similar questions:

Those questions suggested enabling outbound traffic, but in my case it already seems to be open. Is something missing or wrong?

Here is the Spring-Boot property, in case it is needed (for now it is Gmail-specific, but in the future it should be configurable for any SMTP server via env variables):

mail:
    host: smtp.gmail.com
    port: 587
    username: ${EMAIL_USERNAME}
    password: ${EMAIL_PASSWORD}
    protocol: smtp
    tls: true
    auth: true
    properties.mail.smtp:
        auth: true
        starttls.enable: true
        ssl.trust: smtp.gmail.com
    
by 1Z10 15.09.2018 / 12:01
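Added example, not part of the question above: a small walker that replays the FORWARD chain of an `iptables-save` dump for a hypothetical packet and lists the rules it hits, so the question "does my firewall block the container's outbound SMTP?" can be answered from the ruleset itself rather than by guessing. It embeds a trimmed copy of the FORWARD-path rules shown in the question (counters dropped, limited to the mail container's bridge br-f0479a22f469 and docker0), and assumes the host's external interface is called eth0 and uses the documentation address 203.0.113.25 in place of the SMTP server; both are assumptions, not values from the question. The parser also strips the `[packets:bytes]` counters that `iptables-save -c` prints, so the real output can be pasted in as the `ruleset` argument.

```python
import ipaddress
import re
import shlex

# Constructed input: the FORWARD-path rules from the question's `iptables-save -c`
# output, counters dropped and trimmed to the mail container's bridge (br-f0479a22f469).
FILTER_TABLE = """\
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
"""
SUPPORTED = ("-i", "-o", "-s", "-d", "-p", "--dport", "--ctstate")

def parse_rule(tokens):
    """Options after '-A CHAIN' -> (matches, target); a '!' negates the next match."""
    matches, target, negate, i = [], None, False, 0
    while i < len(tokens):
        if tokens[i] == "!":
            negate, i = True, i + 1
            continue
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-j":
            target = arg
        elif opt in SUPPORTED:
            matches.append((opt, negate, arg))
        elif opt != "-m":  # '-m tcp' / '-m conntrack' only load a match extension
            raise ValueError(f"unsupported iptables option: {opt}")
        negate, i = False, i + 2
    return matches, target

def parse_filter_table(text):
    """Return ({chain: policy or None}, {chain: [(rule_text, matches, target)]})."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", raw.strip())  # strip -c counters
        if line.startswith(":"):  # chain declaration; policy is '-' for user chains
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append((line,) + parse_rule(tokens[2:]))
    return policies, chains

def rule_matches(matches, pkt):
    for opt, negate, value in matches:
        if opt in ("-i", "-o"):
            hit = pkt["in_if" if opt == "-i" else "out_if"] == value
        elif opt in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
            hit = addr in ipaddress.ip_network(value, strict=False)
        elif opt in ("-p", "--dport"):
            hit = str(pkt["proto" if opt == "-p" else "dport"]) == value
        else:  # --ctstate
            hit = pkt["ctstate"] in value.split(",")
        if hit == negate:  # a plain miss, or a negated hit
            return False
    return True

def walk(chain, pkt, chains, trace):
    """'ACCEPT'/'DROP' from a terminating rule; None if the chain RETURNs or runs out."""
    for rule_text, matches, target in chains.get(chain, []):
        if not rule_matches(matches, pkt):
            continue
        trace.append(rule_text)
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        if target in chains:  # user-defined chain: carry on if it returns
            verdict = walk(target, pkt, chains, trace)
            if verdict is not None:
                return verdict
    return None

def forward_verdict(pkt, ruleset=FILTER_TABLE):
    """FORWARD-chain verdict for one packet, plus the rules it matched on the way."""
    policies, chains = parse_filter_table(ruleset)
    trace = []
    verdict = walk("FORWARD", pkt, chains, trace)
    if verdict is None:  # fell off the built-in chain: its policy decides
        verdict = policies["FORWARD"]
        trace.append(f"policy {verdict}")
    return verdict, trace

# Constructed packets: "eth0" is the assumed external interface, 203.0.113.25 a
# documentation address standing in for the SMTP server. The filter table sees
# MAIL_OUT before POSTROUTING masquerades its source address.
MAIL_OUT = dict(in_if="br-f0479a22f469", out_if="eth0", src="172.20.0.5",
                dst="203.0.113.25", proto="tcp", dport=587, ctstate="NEW")
MAIL_REPLY = dict(in_if="eth0", out_if="br-f0479a22f469", src="203.0.113.25",
                  dst="172.20.0.5", proto="tcp", dport=40000, ctstate="ESTABLISHED")
CROSS_BRIDGE = dict(in_if="br-f0479a22f469", out_if="docker0", src="172.20.0.5",
                    dst="172.17.0.2", proto="tcp", dport=5000, ctstate="NEW")
```

Calling `forward_verdict(MAIL_OUT)` returns `ACCEPT` with a seven-rule trace that ends at `-A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT`, after DOCKER-USER and both isolation stages have RETURNed: the filter table in the question lets the container's TCP/587 SYN out, and the `MASQUERADE` rule for 172.20.0.0/16 in the nat table rewrites its source on the way. `MAIL_REPLY` is accepted by the `--ctstate RELATED,ESTABLISHED` rule, and `CROSS_BRIDGE` is dropped in DOCKER-ISOLATION-STAGE-2, which is Docker's intended isolation between user-defined networks. A packet arriving on an interface no rule names falls through to the chain's `DROP` policy. When the walker says ACCEPT for the outbound packet, the blocker is somewhere else: the host's own OUTPUT path is irrelevant to forwarded traffic, so the next places to look are DNS resolution inside the container, a provider-side block on port 587, or the SMTP server rejecting the login.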

0 answers