Linux - Postfix - Outgoing emails block on port 25 by ISP
It's hard to understand what you are saying. There's only so much I can offer.
- Get yourself a particular repeatable example of your problem.
- Trace it through the various steps of delivery to identify exactly when it fails.
- Use your server logs.
- If you are getting an error sent to you in email, it will have been sent to you by a mail server. Was that your mail server?
If your mail server is unable to settings on port 25, to just one domain, maybe you are blocked by the receiving end's firewall?
EDIT:
OK, so the copy of the message from your mail server makes it clear that the connection which is failing is the one from your server to cluster5.eu.messagelabs.com[195.245.230.51]:25: and that the connection is timing out.
FWIW, I can telnet to 195.245.230.51 port 25 from my mail server. That might mean that there was a temporary problem at the remote end, in which case your mail has likely gone through by now. Alternatively, there may be a firewall rule blocking your connection.
- You might want to double-check firewall rules at your server.
- You say that you are able to deliver to other destinations, so I think we can assume that linode isn't blocking this.
- Chances are that the issue is at the remote end.
It might be worth checking whether your mail server has found its way into any of the major RBL blacklists. You should also look in your mail logs to see if you always fail to connect to the remote mail host. If you have attempted deliveries which have triggered spam rules, or been for non-existent users, the remote end may have some system for automatically blocking your IP, probably temporarily, since that strategy lightens the load on their servers, while keeping administrative requirements low.
There's some confusion in the domains I see in your email headers. The To
header seems to agree with the IP you are actually delivering to. I expect the various receiveremail.com
references are from you partially sanitising what you posted? Otherwise you'd be looking for some translation of the target address before attempting delivery (e.g. through aliases).
Related videos on Youtube
Toms Bugna
"Self-education is, I firmly believe, the only kind of education there is." ― Isaac Asimov
Updated on September 18, 2022Comments
-
Toms Bugna over 1 year
I will start with the most important - I have read/watched tons of manuals, tutorials, forums and suggestions about this but still I have feeling that I do not understand something big about whole emailing system but at the same time - something very simple and little.
- I have bought a VPS server on Linode;
- I have installed and configured postfix, dovecot services for mailing system;
- I have configured DNS properly for sending and receiving mails (SPF, DKIM, DMARC, HELO, rDNS, server authorized to IP and hostname - all those are successfully configured and tests are passed);
- Server is not blacklisted by any email SPAM filter company.
Postfix configuration (main settings):
main.cfmail_owner = postfix myhostname = mail.mywebsite.com mydomain = mywebsite.com myorigin = $mydomain inet_interfaces = all inet_protocols = ipv4 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mynetworks = 127.0.0.0/8 smtpd_banner = $myhostname ESMTP sendmail_path = /usr/sbin/sendmail.postfix smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination broken_sasl_auth_clients = yes smtp_tls_security_level = may smtpd_tls_security_level = may smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 1 smtpd_tls_key_file = /path/to/ssl/server.key smtpd_tls_cert_file = /path/to/ssl/server.crt smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893 non_smtpd_milters = $smtpd_milters milter_default_action = accept smtp_host_lookup = dns, native
I have not configured to use any of relay servers because I think that this server should be capable to send out emails by itself.
master.cfsmtp inet n - n - - smtpd -o smtpd_tls_auth_only=yes -o smtpd_tls_security_level=none -o smtpd_sasl_auth_enable=no submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_enforce_tls=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_sasl_tls_security_options=noanonymous -o smtpd_sasl_security_options=noanonymous,noplaintext -o milter_macro_daemon_name=ORIGINATING -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_sasl_security_options=noanonymous,noplaintext -o smtpd_sasl_tls_security_options=noanonymous -o milter_macro_daemon_name=ORIGINATING policy unix - n n - 0 spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf
The Problem -
I am facing that few of my outgoing emails are getting blocked on port 25 by ISP. And there are multiple things that I have to say about this case:- I am using external software (Apple Mail) to connect to my SMTP server through mail.mywebsite.com and there I have specifically configured to use port 587 not 25 but still the return email which I receive states that email has been blocked on port 25 which I completely do not understand;
- I have tested that my server's firewalls are not blocking any of those ports;
- I have noticed that those outgoing emails are only blocked if I send them to one specific domain. For example, when I send emails to google mail servers (or others so far) then everything works fine - email sends out and it goes into inbox passing the SPAM box;
- I can see that the ISP company (which blocked the outgoing email) is the one where computer was at that moment located when email was sent and it was not the Linodes network provider which I can not understand as well - it feels like computer tries to send email out through computer's mail server and not through my Linode's VPS mail server;
The Question - How can I update my server and/or postfix service to prevent that my outgoing emails are getting blocked by ISPs?
Additional -- I have read that this case is usually when mail server is home-based instead of VPS which is not my case. I am using the VPS.
- I know that this topic has been talked around multiple times on forums but still there are some issues with these configurations and not only to me but to a lot of guys in communities of developers. I hope that this post and correct answer will be simplier described and explained than others which will not make this question useless.
Update - Rejection letter example of returned email:This is the mail system at host mail.mywebsite.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <[email protected]>: connect to cluster5.eu.messagelabs.com[195.245.230.51]:25: Connection timed out Reporting-MTA: dns; mail.mywebsite.com X-Postfix-Queue-ID: 9004B2089 X-Postfix-Sender: rfc822; [email protected] Arrival-Date: Mon, 2 Oct 2017 11:14:25 +0200 (CEST) Final-Recipient: rfc822; [email protected] Original-Recipient: rfc822;[email protected] Action: failed Status: 4.4.1 Diagnostic-Code: X-Postfix; connect to cluster5.eu.messagelabs.com[195.245.230.51]:25: Connection timed out Return-Path: <[email protected]> Received: from [10.25.80.102] (unknown [81.92.27.224]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.mywebsite.com (Postfix) with ESMTPSA id 9004B2089 for <[email protected]>; Mon, 2 Oct 2017 11:14:25 +0200 (CEST) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.mywebsite.com 9004B2089 Authentication-Results: mail.mywebsite.com; dmarc=fail (p=none dis=none) header.from=mywebsite.com Authentication-Results: mail.mywebsite.com; spf=fail [email protected] DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mywebsite.com 9004B2089 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mywebsite.com; s=default; t=1506935665; bh=iIf8iBaIOhXI2dMpT9tm3bYRnKMjiK49NsVTB66/1aQ=; h=From:Subject:Date:References:To:In-Reply-To:From; b=hZFiYO9NE09XtWTa7mxOq+W8s9aajWQVV9e4SY8/XIv3qX9YjULv1rBqmyUfkqKz0 L2q8GSXBJr6ipxQsnoPCKMp7yy05rOu6L5dMyh5XndvEve+w3YkHhisy+unCM69Dyh M6dPAebLlo1AcF/B0AHqmskqnjvLAj03aBtwF+5E= From: "Mywebsite.com" <[email protected]> Content-Type: multipart/alternative; boundary="Apple-Mail=_E368298F-D51E-458B-AC0A-4284381C761C" Message-Id: <[email protected]> Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\)) Date: Mon, 2 Oct 2017 11:14:24 +0200 References: <[email protected]> To: Per Hildebrand <[email protected]> In-Reply-To: <[email protected]> X-Mailer: Apple Mail (2.3094)
Update 2 -After going through multiple rejection letters of returned emails, I noticed that some lines of it changed at one moment (which was when I constantly added updates from forums to prevent blocking outgoing emails). From that moment on, the errors were stating that emails are blocked in cluster5.eu.messagelabs.com because of connection timeout.
Solution -In order to fix issue with blocked emails on port 25 on VPS servers, just make sure that server is completely authorized, DNS are set properly and emails are signed with all neccessary certificates. Here is list of all necesarry tasks for healthy server with mail system:
- Add SPF records to your server's DNS;
- Add DKIM signature to outgoing mail;
- Add DMARC records to your server's DNS;
- Setup properly HELO, rDNS records;
You can check the results and progress for your implementation of those updates in different "mail spam test services", for example in mail-tester.com website.
Regarding the latest problem with outgoing emails blocked in cluster5.eu.messagelabs.com services:Previously mentioned mail-tester.com website also provides checks for your server's hostname and IP in different mail spam services where the blacklists are checked. If these services tell you that your server is not blacklisted in any spam blacklist then it does not mean 100% truth. This was my case.
messagelabs.com (now: symantec.com) usually is not listed in those spam filter checks therefore your tester will tell you that emails will not be blocked in any spam filter. But apparently there are some mail companies that use this service (messagelabs.com) as a spam test before they let emails come into mailboxes. This means that you must be sure that your server's IP/hostname is not listen in their blackist. You can check it by entering your server through commandline and execute command:
telnet cluster5.eu.messagelabs.com 25
If you receive connection timeout then it means that your server might be blacklisted in their service.
To remove your server from messagelabs.com service blacklists you must do following steps:
- Make sure that your server's outgoing mails are not considered as spam (look at the beginning of this solution);
- Go to messagelabs.com (symantec.com) website and enter "IP Reputation Investigation" page to check if your server is still considered as sending spam. Do it by using the lookup form. Here is the link.
- If you found out that your server is considered as clear from spam, then write a post in their forum to remove your particular IP/hostname from their blacklistes.
Tip -
If you ever find yourself in problem like this then always start by instructions that were given by user's "barrycarter" answer in this post. It will help you to faster determine in which part mails are getting blocked. Thanks to his answer I faster managed to understand where the problem is actually hidden (therefore I mark his answer as the correct one).
-
Admin over 6 yearsIt sounds like you have a residential ISP. It is common for residential ISPs to block servers on the attached networks because residential contracts forbid running services to the Internet.
-
Admin over 6 yearsWhat is the best solution for cases like that?
-
Admin over 6 yearsYou get a business account.
-
Admin over 6 yearsYou need to talk to Linode, your provider.
-
Toms Bugna over 6 yearsThe received error email is sent by our server - From: [email protected] (Mail Delivery System).
-
Toms Bugna over 6 yearsUpdated with rejection letter example of returned email.