Linux - Postfix - Outgoing emails block on port 25 by ISP

I will start with the most important - I have read/watched tons of manuals, tutorials, forums and suggestions about this but still I have feeling that I do not understand something big about whole emailing system but at the same time - something very simple and little.

• I have bought a VPS server on Linode;
• I have installed and configured postfix, dovecot services for mailing system;
• I have configured DNS properly for sending and receiving mails (SPF, DKIM, DMARC, HELO, rDNS, server authorized to IP and hostname - all those are successfully configured and tests are passed);
• Server is not blacklisted by any email SPAM filter company.

Postfix configuration (main settings):

main.cf

mail_owner = postfix
myhostname = mail.mywebsite.com
mydomain = mywebsite.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/sbin/sendmail.postfix

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /path/to/ssl/server.key
smtpd_tls_cert_file = /path/to/ssl/server.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
smtp_host_lookup = dns, native

I have not configured to use any of relay servers because I think that this server should be capable to send out emails by itself.

master.cf

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no

submission     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
  -o milter_macro_daemon_name=ORIGINATING

policy unix - n n - 0 spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf

The Problem -
I am facing that few of my outgoing emails are getting blocked on port 25 by ISP. And there are multiple things that I have to say about this case:

• I am using external software (Apple Mail) to connect to my SMTP server through mail.mywebsite.com and there I have specifically configured to use port 587 not 25 but still the return email which I receive states that email has been blocked on port 25 which I completely do not understand;
• I have tested that my server's firewalls are not blocking any of those ports;
• I have noticed that those outgoing emails are only blocked if I send them to one specific domain. For example, when I send emails to google mail servers (or others so far) then everything works fine - email sends out and it goes into inbox passing the SPAM box;
• I can see that the ISP company (which blocked the outgoing email) is the one where computer was at that moment located when email was sent and it was not the Linodes network provider which I can not understand as well - it feels like computer tries to send email out through computer's mail server and not through my Linode's VPS mail server;

The Question - How can I update my server and/or postfix service to prevent that my outgoing emails are getting blocked by ISPs?

Additional -

• I have read that this case is usually when mail server is home-based instead of VPS which is not my case. I am using the VPS.
• I know that this topic has been talked around multiple times on forums but still there are some issues with these configurations and not only to me but to a lot of guys in communities of developers. I hope that this post and correct answer will be simplier described and explained than others which will not make this question useless.

Update - Rejection letter example of returned email:

This is the mail system at host mail.mywebsite.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<[email protected]>: connect to
   cluster5.eu.messagelabs.com[195.245.230.51]:25: Connection timed out
Reporting-MTA: dns; mail.mywebsite.com
X-Postfix-Queue-ID: 9004B2089
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Mon,  2 Oct 2017 11:14:25 +0200 (CEST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to
   cluster5.eu.messagelabs.com[195.245.230.51]:25: Connection timed out
Return-Path: <[email protected]>
Received: from [10.25.80.102] (unknown [81.92.27.224])
    (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.mywebsite.com (Postfix) with ESMTPSA id 9004B2089
    for <[email protected]>; Mon,  2 Oct 2017 11:14:25 +0200 (CEST)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.mywebsite.com 9004B2089
Authentication-Results: mail.mywebsite.com; dmarc=fail (p=none dis=none) header.from=mywebsite.com
Authentication-Results: mail.mywebsite.com; spf=fail [email protected]
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mywebsite.com 9004B2089
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mywebsite.com;
    s=default; t=1506935665;
    bh=iIf8iBaIOhXI2dMpT9tm3bYRnKMjiK49NsVTB66/1aQ=;
    h=From:Subject:Date:References:To:In-Reply-To:From;
    b=hZFiYO9NE09XtWTa7mxOq+W8s9aajWQVV9e4SY8/XIv3qX9YjULv1rBqmyUfkqKz0
     L2q8GSXBJr6ipxQsnoPCKMp7yy05rOu6L5dMyh5XndvEve+w3YkHhisy+unCM69Dyh
     M6dPAebLlo1AcF/B0AHqmskqnjvLAj03aBtwF+5E=
From: "Mywebsite.com" <[email protected]>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E368298F-D51E-458B-AC0A-4284381C761C"
Message-Id: <[email protected]>
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
Date: Mon, 2 Oct 2017 11:14:24 +0200
References: <[email protected]>
To: Per Hildebrand <[email protected]>
In-Reply-To: <[email protected]>
X-Mailer: Apple Mail (2.3094)

Update 2 -

After going through multiple rejection letters of returned emails, I noticed that some lines of it changed at one moment (which was when I constantly added updates from forums to prevent blocking outgoing emails). From that moment on, the errors were stating that emails are blocked in cluster5.eu.messagelabs.com because of connection timeout.

Solution -

In order to fix issue with blocked emails on port 25 on VPS servers, just make sure that server is completely authorized, DNS are set properly and emails are signed with all neccessary certificates. Here is list of all necesarry tasks for healthy server with mail system:

• Add SPF records to your server's DNS;
• Add DKIM signature to outgoing mail;
• Add DMARC records to your server's DNS;
• Setup properly HELO, rDNS records;

You can check the results and progress for your implementation of those updates in different "mail spam test services", for example in mail-tester.com website.

Regarding the latest problem with outgoing emails blocked in cluster5.eu.messagelabs.com services:

Previously mentioned mail-tester.com website also provides checks for your server's hostname and IP in different mail spam services where the blacklists are checked. If these services tell you that your server is not blacklisted in any spam blacklist then it does not mean 100% truth. This was my case.

messagelabs.com (now: symantec.com) usually is not listed in those spam filter checks therefore your tester will tell you that emails will not be blocked in any spam filter. But apparently there are some mail companies that use this service (messagelabs.com) as a spam test before they let emails come into mailboxes. This means that you must be sure that your server's IP/hostname is not listen in their blackist. You can check it by entering your server through commandline and execute command:

telnet cluster5.eu.messagelabs.com 25

If you receive connection timeout then it means that your server might be blacklisted in their service.

To remove your server from messagelabs.com service blacklists you must do following steps:

• Make sure that your server's outgoing mails are not considered as spam (look at the beginning of this solution);
• Go to messagelabs.com (symantec.com) website and enter "IP Reputation Investigation" page to check if your server is still considered as sending spam. Do it by using the lookup form. Here is the link.
• If you found out that your server is considered as clear from spam, then write a post in their forum to remove your particular IP/hostname from their blacklistes.

Tip -

If you ever find yourself in problem like this then always start by instructions that were given by user's "barrycarter" answer in this post. It will help you to faster determine in which part mails are getting blocked. Thanks to his answer I faster managed to understand where the problem is actually hidden (therefore I mark his answer as the correct one).