postfix smtp connection timed out, why?
After much troubleshooting, we determined that the ISP on the client side is blocking outgoing port 25 (SMTP). That was confirmed by using a random mail server test site on the Internet and finding that it could connect to the mail server fine. SMTP packets from the client machine did not arrive at all (confirmed via tcpdump).
The solution is to reconfigure the SMTP listener on a different port. 465 (SMTP over SSL) and 587 (mail submission, RFC 6409) are common options.
RabT
Updated on September 18, 2022
Comments
-
RabT over 1 year
A CentOS 7 web server has postfix, dovecot, and mailx installed. I have been able to make an IMAP connection to the server in order to read inbox mail using a remote Thunderbird client, but I am not able to make an SMTP connection to send email from Thunderbird. When I do forensics, I discover that the attempted SMTP connection times out. How can I resolve this problem of the connection timing out, so that I can send email from Thunderbird through the server?
My forensics so far have resulted in:
Typing hostname in the terminal at the server returns mydomain.com.
nano /usr/lib/firewalld/services/smtp.xml indicates the smtp port is 25.
The smtp service is activated in the public zone because firewall-cmd --list-all results in:
public (default, active)
  interfaces: enp3s0
  sources:
  services: dhcpv6-client imaps openvpn smtp
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
But when I try to telnet from my devbox to the remote CentOS 7 server, I get the following results. Typing telnet mydomain.com 25 resulted in:
Trying my.SERVER.ip.addr...
telnet: connect to address my.SERVER.ip.addr: Connection timed out
Then typing telnet smtp.mydomain.com 25 resulted in:
Trying my.SERVER.ip.addr...
telnet: connect to address my.SERVER.ip.addr: Connection timed out
Also, typing openssl s_client -CApath /etc/ssl/certs -starttls smtp -port 25 -host smtp.mydomain.com results in:
socket: Connection timed out
connect:errno=110
Similarly, typing openssl s_client -CApath /etc/ssl/certs -starttls smtp -port 25 -host mydomain.com also resulted in:
socket: Connection timed out
connect:errno=110
I typed nano /etc/postfix/main.cf to start to examine the config, but did not find anything related to ports.
EDIT:
As per FaheemMitha's advice, I tried telnet mydomain.com 587 from the client, and got No route to host in reply. I think this is because only port 25 is open in firewalld for smtp.
I therefore thought to try telnet from within the remote server mydomain.com. When I logged on to my remote server via ssh and typed telnet localhost 25, the result was:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mydomain.com ESMTP Postfix
This causes me to suspect that postfix is running on port 25, but that somehow it is not able to accept outside connections.
EDIT#2
As per @RedCricket's suggestion, I ran iptables -L. Since the results were verbose, I uploaded them to a file sharing site, which you can view by clicking on this link.
I also tried iptables --flush followed by firewall-cmd --reload, and then repeated the telnet and Thunderbird tests from above, but I am still getting the connection timed out error.
What else can I try?
I uploaded the entire /etc/postfix/main.cf to a file sharing site. You can read it by clicking on this link.
EDIT#3
A valid email address someone.else@some_other_domain.com sends email to [email protected] without problems. Therefore, as a test, I had my remote Thunderbird client try to send email to that someone.else@some_other_domain.com as part of the work documented above in this OP. This morning, I received a return to sender message in my Thunderbird as a result of the test email. I interpret this returned message to mean that at least one of my test messages from Thunderbird got into the SMTP on mydomain.com, but that mydomain.com was not able to look up or otherwise connect to some_other_domain.com. Here is the message:
This is the mail system at host mydomain.com.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<someone.else@some_other_domain.com>: Host or domain name not found. Name service error for name=some_other_domain.com type=MX: Host not found, try again
Reporting-MTA: dns; mydomain.com
X-Postfix-Queue-ID: 2C915811BD1C
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Mon, 23 Feb 2015 16:46:34 -0500 (EST)
Final-Recipient: rfc822; someone.else@some_other_domain.com
Action: failed
Status: 4.4.3
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error for name=some_other_domain.com type=MX: Host not found, try again
ForwardedMessage.eml
Subject: key enclosed
From: [email protected]
Date: 02/23/2015 01:46 PM
To: someone.else@some_other_domain.com
this is the body of the email
Thus, it seems that sometimes the connection from my remote devbox to mydomain.com is closed, and at other times, the connection from mydomain.com to the rest of the internet is closed.
EDIT#4
Following @derobert's advice, I first tried the two telnet commands from the devbox to the server, then I tried to send an email from [email protected] using the Thunderbird client on my devbox, and then I ran the tcpdump command on both the devbox and on the server. Typing tcpdump port 25 in the devbox terminal resulted in the following:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Next, typing tcpdump on the server resulted in so much output that the results scrolled endlessly until I typed Ctrl-C. So I then typed tcpdump port 25 and got the following results:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
As a curiosity, I then typed tcpdump port 25 again on both the devbox and the server simultaneously and left it open without typing Ctrl-C, and I tried to manually send an email from [email protected] using the Thunderbird client on my devbox. I still got the same Connection timeout failure, but there was no activity reported by the open tcpdump port 25 commands. And the totals also came up to zero when I typed Ctrl-C on both terminals afterwards.
-
RabT about 9 years
Thank you and +1 for taking the time to help me figure out that this is a port issue. For other readers of this, please note that the SMTP listener question is still not resolved, and is in this other question: unix.stackexchange.com/questions/187807/…
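Added example, not part of the original thread: the connection tests in the question fail in different ways (Connection timed out on port 25, No route to host on port 587, success from localhost), and each outcome points at a different layer. The Python below classifies a connect attempt along those lines; the function names classify and probe and the verdict wording are this example's own, and mydomain.com is the placeholder host from the question.

```python
import errno
import socket

# What each connect() outcome usually means when testing an SMTP port.
VERDICTS = {
    "open": "listener reachable; the banner should start with 220",
    "timeout": "packets silently dropped: a DROP rule or an upstream/ISP "
               "block; confirm with tcpdump on the server's public interface",
    "refused": "host reachable but nothing is listening on that port (RST)",
    "rejected": "ICMP unreachable came back: a firewall REJECT rule (port "
                "not opened in firewalld) or a routing problem",
}

def classify(exc):
    """Map the exception from a failed connect() to a verdict key."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    code = getattr(exc, "errno", None)
    if code == errno.ETIMEDOUT:          # "Connection timed out", errno 110
        return "timeout"
    if code == errno.ECONNREFUSED:       # "Connection refused"
        return "refused"
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):  # "No route to host"
        return "rejected"
    return "error"                       # DNS failure and anything else

def probe(host, port, timeout=5.0):
    """Attempt a TCP connect; return (verdict, banner or None)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except OSError:
                banner = ""  # e.g. port 465 sends nothing before the TLS handshake
            return "open", banner
    except OSError as exc:
        return classify(exc), None

if __name__ == "__main__":
    for port in (25, 465, 587):
        verdict, banner = probe("mydomain.com", port)
        print(port, verdict, banner or VERDICTS.get(verdict, ""))
```

Running it from the client and again from a second network separates a client-side block from a server-side one: a timeout seen only from the client's network matches the ISP filtering described in the answer.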