HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Postfix Connection Timed Out (http://www.howtoforge.com/forums/showthread.php?t=41132)

kamp 18th November 2009 18:36

Postfix Connection Timed Out
 
Hello all,
I have 2 mail servers that have worked perfectly well for quite some time, until the past few days or so. My main server, which has a lot more traffic, ended up getting blacklisted because my ISP didn't follow through on my request to update the PTR record so that it wasn't generic. That has since been resolved, and the server is no longer blacklisted (as of a week and a half ago).

However, since 11/16, I have been unable to send mail from my main server to my second server. My mail.log on the server being blocked shows:

Nov 18 11:57:03 mail postfix/qmgr[22349]: AB2EF507A84F: from=<me@mainserver.com>, size=11561, nrcpt=1 (queue active)
Nov 18 11:57:33 mail postfix/smtp[1936]: connect to mail.myotherserver.com[aa.bb.cc.dd]:25: Connection timed out
Nov 18 11:57:33 mail postfix/smtp[1936]: AB2EF507A84F: to=<me@myotherserver.com>, relay=none, delay=165659, delays=165629/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.myotherserver.com[aa.bb.cc.dd]:25: Connection timed out)

On my other server, I modified my main.cf so that the rbls were commented out, in hopes that this would allow for traffic from my main server to pass through without an issue. Here's how it is configured at this moment (the file is identical on both servers):

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.myotherserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 102400000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

smtpd_sender_restrictions =
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
# reject_rbl_client b.barracudacentral.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client sbl-xbl.spamhaus.org,
# reject_rbl_client zen.spamhaus.org,
permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
# reject_rbl_client b.barracudacentral.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client sbl-xbl.spamhaus.org,
# reject_rbl_client zen.spamhaus.org,
permit_mynetworks,reject_unauth_destination


So the question is - is there something in these configurations that could possibly still be blocking my server, or do I simply have to wait a while longer for the blacklist removal to propagate so that it no longer shows me? Both servers still send and receive mail just fine from any other legitimate source, and I can send from me@myotherserver.com to me@mainserver.com.

I have seen some other threads with similar issues, but the steps taken in there still didn't resolve what I'm experiencing.

Thanks,
Kamp

till 19th November 2009 07:41

Most likely the provider is blocking connections on port 25, or you configured a firewall to block port 25.

kamp 19th November 2009 14:50

Port 25
 
Till,
Thanks for the reply - port 25 is open - I'm still getting traffic from elsewhere without any issues, and I tested with telnet and dnsreport to ensure that the port is open. Any other possibilities?

Thanks,
Kamp

till 19th November 2009 14:55

You tested with telnet on the shell of the server where you got the error messages in the log to connect to mail.myotherserver.com? All other tests mean nothing, as they will not give you an answer if port 25 is blocked on the way between these two servers.

kamp 19th November 2009 21:10

Till,
Yes, I ran the telnet session from the server being blocked to see if it will connect to the other server:

telnet aa.bb.cc.dd 25
Trying aa.bb.cc.dd...
Connected to aa.bb.cc.dd.
Escape character is '^]'.
220 mail.myotherserver.com ESMTP Postfix (Debian/GNU)

falko 20th November 2009 13:36

Do you use fail2ban? Maybe fail2ban is blocking your server.

kamp 2nd December 2009 18:00

I do use fail2ban, but I have had both IP addresses in the ignoreip listing because I ran into issues before with users locking themselves out by not remembering their passwords.

kamp 2nd December 2009 18:27

I've been trying to think of configuration changes that may have contributed to my current predicament... The only thing I can think of beyond the modifications of the main.cf that I posted is that I changed the ban time on fail2ban to -1. This has resulted in a lot of banned IP addresses at a given time, but they are all legitimate bans (i.e. spammers and brute-force attacks). Would the sheer number of banned IP addresses mess with anything? I rather enjoy having these all permanently banned because it has made a significant difference, but I don't want it to be at the expense of other functionality.

falko 3rd December 2009 17:23

Quote:

Originally Posted by kamp (Post 212542)
Would the sheer number of banned ip addresses mess with anything?

I don't think so.

kamp 3rd December 2009 18:21

Is there any other configuration info that you need that would assist with this?
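Added example for this thread (not code posted by anyone in it): two small triage helpers that cover the points raised above. `deferred_summary` pulls the deferred deliveries out of mail.log lines like the ones in the first post, including the third field of Postfix's `delays=a/b/c/d` (the connection-setup time); a value sitting at 30 seconds, Postfix's default `smtp_connect_timeout`, means the SYN went unanswered, which is what a silent firewall drop looks like, whereas a fail2ban REJECT rule would normally show up as "Connection refused". `peer_blocked` then checks an `iptables -S` dump on the receiving side for any DROP/REJECT rule naming the peer's address, which is the direct way to confirm or rule out the fail2ban theory regardless of how long the ban list is. The log lines, addresses and firewall rules are constructed samples (RFC 5737 documentation ranges); `connect_check` assumes bash and coreutils `timeout`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helpers for triaging a Postfix
# "Connection timed out" deferral between two hosts.
#   deferred_summary - stdin: mail.log lines; stdout: queue-id remote-host[ip]:port dsn connect-setup-seconds
#   peer_blocked IP  - stdin: `iptables -S` output; prints DROP/REJECT rules for IP, exit 0 if any
#   connect_check    - probe tcp/25 on the peer from *this* host (the test till asked for)
# All sample data below is constructed.

deferred_summary() {
  awk '/status=deferred/ {
    qid = ""; target = ""; dsn = ""; setup = ""
    for (i = 1; i <= NF; i++) {
      # queue id: upper-case hex token followed by a colon, e.g. "3F1C9A2B7E04:"
      if ($i ~ /^[A-F0-9]+:$/) qid = substr($i, 1, length($i) - 1)
      # "dsn=4.4.1,"  ->  4.4.1
      if ($i ~ /^dsn=/) { dsn = substr($i, 5); sub(/,$/, "", dsn) }
      # "delays=a/b/c/d,"  ->  c, the seconds spent setting up the connection
      if ($i ~ /^delays=/) { split(substr($i, 8), d, "/"); setup = d[3] }
      # "(connect to host[ip]:25:"  ->  host[ip]:25
      if ($i == "to" && $(i+1) ~ /\[.*\]:[0-9]+:$/) { target = $(i+1); sub(/:$/, "", target) }
    }
    print qid, target, dsn, setup
  }'
}

peer_blocked() {
  local ip="$1"
  # Match "-s <ip>" or "-s <ip>/32" on any rule whose target is DROP or REJECT,
  # which covers fail2ban chains such as f2b-postfix / fail2ban-postfix.
  awk -v ip="$ip" '
    /-j (DROP|REJECT)/ {
      for (i = 1; i <= NF; i++)
        if ($i == "-s" && ($(i+1) == ip || $(i+1) == ip "/32")) { print; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Run from the sending server, against the receiving server's address. A hang until
# the timeout (rather than an immediate refusal) points at a silent drop on the path.
# Assumes bash (/dev/tcp) and coreutils timeout; not exercised by the samples below.
connect_check() {
  local host="$1" port="${2:-25}"
  if timeout 10 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
    echo "tcp/$port on $host: reachable"
  else
    echo "tcp/$port on $host: no connection (timed out or refused)"
    return 1
  fi
}

# Constructed sample: one deferred delivery (connect timed out after 30 s) and one
# successful one, so the filter has something to ignore.
SAMPLE_LOG='Nov 18 11:57:03 mail postfix/qmgr[22349]: 3F1C9A2B7E04: from=<me@mainserver.example>, size=11561, nrcpt=1 (queue active)
Nov 18 11:57:33 mail postfix/smtp[1936]: connect to mail.example.net[203.0.113.5]:25: Connection timed out
Nov 18 11:57:33 mail postfix/smtp[1936]: 3F1C9A2B7E04: to=<me@example.net>, relay=none, delay=165659, delays=165629/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.example.net[203.0.113.5]:25: Connection timed out)
Nov 18 11:58:02 mail postfix/smtp[1940]: 5A77D0C31B22: to=<bob@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)'

# Constructed sample of `iptables -S` on the receiving host with a fail2ban chain.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix
-A f2b-postfix -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -s 192.0.2.77/32 -j DROP
-A f2b-postfix -j RETURN'

echo "== deferred deliveries (sample log) =="
printf '%s\n' "$SAMPLE_LOG" | deferred_summary
echo "== DROP/REJECT rules for 203.0.113.5 (sample ruleset) =="
printf '%s\n' "$SAMPLE_RULES" | peer_blocked 203.0.113.5 || echo "no blocking rule found"
```

In real use, feed `/var/log/mail.log` to `deferred_summary` on the sending host and `iptables -S` (or `fail2ban-client status <jail>`) to `peer_blocked` on the receiving host, with the sender's public address as the argument. If the connect-setup time is pinned at the 30-second default and no rule names the peer on the receiving box, the drop is happening somewhere between the two hosts rather than in Postfix or fail2ban.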

