Score:0

How to debug postfix connection timeout


I used this and this blog posts to configure postfix to relay mails to a specific server using authentication. The following settings have been made in main.cf:

# sender-dependent sasl authentication
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

# default relayhost setting
relayhost = [fully.qualified.target.server]:587

# smtp authentication settings
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_tls_CAfile = /var/lib/ca-certificates/ca-bundle.pem
smtp_use_tls = yes
smtp_tls_security_level = encrypt

I created /etc/postfix/sender_relay with the following content:

[email protected]    [fully.qualified.target.server]:587
[email protected]    [fully.qualified.target.server]:587
[email protected]   [fully.qualified.target.server]:587
[email protected]     [fully.qualified.target.server]:587

and encoded it as lmdb with postmap sender_relay, so that sender_relay.lmdb was created in /etc/postfix/.

I created /etc/postfix/sasl_passwd with the following content:

[email protected]   [email protected]:password1
[email protected]   [email protected]:password2
[email protected]   [email protected]:password3
[email protected]   [email protected]:password4

[fully.qualified.target.server]:587   [email protected]:passwordDefault

and encoded it as well using postmap sasl_passwd.

Now when I try to send an email using that relay I get:

Jan 16 11:57:08 mail postfix/qmgr[12939]: 199FA1206D3: [email protected], size=454, nrcpt=1 (queue active)
Jan 16 11:57:38 mail postfix/smtp[12952]: connect to fully.qualified.target.server[ip.of.target.server]:587: Connection timed out
Jan 16 11:57:38 mail postfix/smtp[12952]: 199FA1206D3: [email protected], relay=none, delay=1062, delays=1032/0.03/30/0, dsn=4.4.1, status=deferred (connect to fully.qualified.target.server[ip.of.target.server]:587: Connection timed out)

Although I edited master.cf to get debugging output, I do not get more information:

smtp      inet  n       -       n       -       -       smtpd -v

I checked certificates / connectivity using openssl:

openssl s_client -connect fully.qualified.target.server:587 -starttls smtp -crlf

and no problems were found. What else can I do to debug this situation?

The platform is openSUSE Leap 15.3.

A timeout usually points toward a firewall issue. Many hosters block outgoing port 25 to prevent spam.
I can telnet to the server on the port and I can also connect using openssl... so most probably not a firewall issue....
anx
Can you confirm your openssl test tried exactly the IP address (version) that postfix logs mention? Can you confirm that `iptables-save`/`ip6tables-save` dumps the stock empty/ACCEPT firewall policies?
I can confirm that openssl used the exact IP address that postfix uses. And I successfully connected using telnet on that IP address as well... your commands do not work, unfortunately.
Zareh Kasparian
This issue may be caused by a number of factors, such as a network issue preventing the connection, a firewall blocking the connection at the destination, or an issue with the target server.
That's my question: How do I debug this...
Nikita Kipriyanov
The hard-and-dirty way is to capture traffic and see where packets go missing. If you can do this on both sides, you likely have enough power to fix the entire problem; if you can't, your best guess will be something like "it doesn't answer my packets, all I can suppose is that it's a firewall". Also check *all* logs; maybe SELinux permits your interactive telnet session but doesn't permit the Postfix smtp client to originate a session, and it should write that into the logs.
Score:1

Just for somebody stumbling over this: It really was a firewall issue on another system. It blocked the mail communication.

As suggested by Nikita in the comments, I used tcpdump to check the connection and found out that telnet / openssl used the interface eth0 whereas postfix used the interface tun0 (there is a VPN tunnel on that machine).

And the "endpoint" of the VPN tunnel blocked all SMTP ports.

I made the traffic go through the right interface and now postfix does what it should and debugging works as well.

I was just confused, as postfix does not show any debug output when the underlying TCP/IP connection is blocked. Because of that I thought that my debugging parameters were not used by postfix.
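
The eth0-versus-tun0 mismatch described in this answer can be checked before reaching for a full capture. The script below is an added example, not part of the original answer: it compares the route an interactive test gets with the route the Postfix smtp client would get. It assumes the difference comes from `smtp_bind_address` or from uid-based policy routing (the thread does not say which), and the function names and sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the egress interface of an
# interactive test with the one Postfix's smtp client would get.

# Print the token following KEY ("dev", "src", ...) in `ip route get` output on stdin.
route_field() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Compare two `ip route get` outputs and report whether the egress device differs.
compare_routes() {
    a=$(printf '%s\n' "$1" | route_field dev)
    b=$(printf '%s\n' "$2" | route_field dev)
    if [ "$a" = "$b" ]; then echo "same:$a"; else echo "differ:$a:$b"; fi
}

# Live check. $1 is the IP address from the Postfix log line, $2 the port.
# Needs iproute2, postconf and (for the capture) root.
diagnose() {
    dst=$1
    port=${2:-587}
    bind=$(postconf -h smtp_bind_address)
    shell_route=$(ip -4 route get "$dst")
    # Assumption: Postfix differs from the shell either by an explicit source
    # address or by uid-based policy routing; ask the kernel for that route.
    if [ -n "$bind" ]; then
        mta_route=$(ip -4 route get "$dst" from "$bind")
    else
        mta_route=$(ip -4 route get "$dst" uid "$(id -u postfix)")
    fi
    compare_routes "$shell_route" "$mta_route"
    ip rule show
    # Watch the handshake on every interface: a SYN that never gets a
    # SYN-ACK marks the path that is being blocked.
    tcpdump -i any -nn -c 20 "host $dst and tcp port $port"
}

if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

A `differ:eth0:tun0` result reproduces the situation from the answer: the manual telnet/openssl test and the mail client leave through different interfaces, so a successful manual test says nothing about the path Postfix uses.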
