Postfix Connection Timed Out

Discussion in 'Installation/Configuration' started by kamp, Nov 18, 2009.

  1. kamp

    kamp New Member

    Hello all,
    I have 2 mail servers that have worked perfectly well for quite some time, until the past few days or so. My main server that has a lot more traffic ended up getting blacklisted because my isp didn't follow-through on my request to update the ptr record so that it wasn't generic. That has since been resolved, and the server is no longer blacklisted (as of a week and a half ago).

    However, since 11/16, I have been unable to send mail from my main server to my second server. My mail.log on the server being blocked shows:

    Nov 18 11:57:03 mail postfix/qmgr[22349]: AB2EF507A84F: from=<[email protected]>, size=11561, nrcpt=1 (queue active)
    Nov 18 11:57:33 mail postfix/smtp[1936]: connect to mail.myotherserver.com[aa.bb.cc.dd]:25: Connection timed out
    Nov 18 11:57:33 mail postfix/smtp[1936]: AB2EF507A84F: to=<[email protected]>, relay=none, delay=165659, delays=165629/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.myotherserver.com[aa.bb.cc.dd]:25: Connection timed out)

    On my other server, I modified my main.cf so that the rbls were commented out, in hopes that this would allow for traffic from my main server to pass through without an issue. Here's how it is configured at this moment (the file is identical on both servers):

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = mail.myotherserver.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_command =
    mailbox_size_limit = 0
    message_size_limit = 102400000
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = /etc/postfix/local-host-names

    smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    # reject_rbl_client b.barracudacentral.org,
    # reject_rbl_client bl.spamcop.net,
    # reject_rbl_client sbl-xbl.spamhaus.org,
    # reject_rbl_client zen.spamhaus.org,
    permit_mynetworks,reject_unauth_destination

    smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    # reject_rbl_client b.barracudacentral.org,
    # reject_rbl_client bl.spamcop.net,
    # reject_rbl_client sbl-xbl.spamhaus.org,
    # reject_rbl_client zen.spamhaus.org,
    permit_mynetworks,reject_unauth_destination


    So the question is - is there something in these configurations that could possibly still be blocking my server, or do I simply have to wait a while longer for the blacklist to propogate so that it no longer shows me? Both servers still send and receive mail just fine from any other legitimate source, and I can send from [email protected] to [email protected].

    I have seen some other threads with similar issues, but the steps taken in there still didn't resolve what I'm experiencing.

    Thanks,
    Kamp
     
    Last edited: Nov 18, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely provider is blocking connections on port 25 or you configured a firewall to block port 25.
     
  3. kamp

    kamp New Member

    Port 25

    Till,
    Thanks for the reply - port 25 is open - I'm still getting traffic from elsewhere without any issues, and I tested with telnet and dnsreport to ensure that the port is open. Any other possibilities?

    Thanks,
    Kamp
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You tested with telnet on the shell of the server were you got the error messages in the log to connect to mail.myotherserver.com? All other tests mean nothing as they will not give you an answer if port 25 is blocked on the way between these two servers.
     
  5. kamp

    kamp New Member

    Till,
    Yes, I ran the telnet session from the server being blocked to see if it will connect to the other server:

    telnet aa.bb.cc.dd 25
    Trying aa.bb.cc.dd...
    Connected to aa.bb.cc.dd.
    Escape character is '^]'.
    220 mail.myotherserver.com ESMTP Postfix (Debian/GNU)
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Do you use fail2ban? Maybe fail2ban is blocking your server.
     
  7. kamp

    kamp New Member

    I do use fail2ban, but I have had both IP addresses in the ignoreip listing because I ran into issues before with users blocking themselves out by not remembering their passwords.
     
  8. kamp

    kamp New Member

    I've been trying to think of configuration changes that may have contributed to my current predicament... The only thing I can think of beyond the modifications of the main.cf that I posted is that I changed the ban time on fail2ban to be -1. This has resulted in a lot of banned ip addresses at a given time, but they are all legitimate bans (i.e. spammers and brute force attacks). Would the sheer number of banned ip addresses mess with anything? I rather enjoy having these all permanently banned because it has been a significant difference, but I don't want it to be at the expense of other functionality.
     
  9. falko

    falko Super Moderator ISPConfig Developer

    I don't think so.
     
  10. kamp

    kamp New Member

    Is there any other configuration info that you need that would assist with this?
     
  11. falko

    falko Super Moderator ISPConfig Developer

    Can you switch off all firewalls (including fail2ban) for testing purposes? Does it work then?
     
  12. kamp

    kamp New Member

    I turned off the firewalls and tested - it went through. I have another firewall that had my other ip still flagged because it was on the rbl from before. I added it to the safe networks list, and all seems to be fully functioning again. I can't believe I didn't check the other firewall before - I only bothered with fail2ban and my configuration of main.cf because the issues started around the time I was messing with those.

    Thanks - I appreciate your help, and all the work that has gone into ISPConfig. It's been a great help managing my sites.
     

Share This Page