Suddenly can't connect to SMTP

a few days ago it worked fine but today I tried to send an email and I had a timeout.

I tried to reboot my server, asked google and some other things.

Even mail.log doesn't show me an error.

I don't know what I should do now….

22 Replies

Since you are not offering much information, it is impossible to help you.

unless you want some generalized help like…

why not grab a coffee and wait for smtp to work again?

maybe instead of asking google, ask bing? or yahoo?

I don't know what to tell you…

root@localhost:~# netstat -pantu | grep 587:

tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 5153/master
tcp6 0 0 :::587 :::* LISTEN 5153/master

--------------------------------------------------


root@localhost:~# telnet mail.crdesigns.de 587

Trying 2a01:7e00::f03c:91ff:fee4:605a...
Connected to mail.crdesigns.de.
Escape character is '^]'.
220 hostname.crdesigns.de ESMTP Postfix (Ubuntu)
EHLO mail.crdesigns.de
250-hostname.crdesigns.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <info@crdesigns.de>
Connection closed by foreign host.

--------------------------------------------------


mail.log after that:

Jan  5 23:01:12 localhost postfix/submission/smtpd[6057]: connect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: SSL_accept error from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]: -1
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: lost connection after STARTTLS from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: disconnect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]

My English isn't that good, I'm from Germany.

But help me, please. What can I check and do?

Did your SSL certificate expire?

Either way it looks like your TLS setup has gone awry somewhere.

It looks like SSL v3 has been disabled at one end, while the other end insists on connecting with that exact protocol.

Have you made any changes to the postfix configuration to limit protocols to TLS only? Because that's what it looks like from the above error.

edit

below is a typical configuration that disables the deprecated and old SSL v2/v3 and only allows TLS, but uses medium ciphers for compatibility.

if you can't connect with these settings, then your client is WAY TOO OLD and you should probably upgrade.

smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium

I didn't make any changes, that's why I don't know what's going on haha :D

I'll try to make a new SSL cert now.

Maybe you didn't make any changes to postfix, but maybe your client changed and no longer accepts SSL v2/v3??

Hmm. And how can I fix that?

First, look at the above parameters and compare them with your own postfix, look for any differences.

Second, tell us what kind of email client (and version) you are using. Some email clients have an auto-update feature, which made it update itself to a new version that has SSL disabled.

I'm guessing one of the two sides no longer supports SSL and requires TLS only.
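The comparison suggested in this reply can be done mechanically. The following is an added example, not part of the thread or of Postfix: it parses main.cf syntax (comments, continuation lines, last definition wins) and reports which of the parameters posted above are missing or different. `parse_main_cf`, `compare` and the sample main.cf are hypothetical names and constructed data, and treating list order as insignificant is a simplification.

```python
# Baseline: the TLS parameters posted earlier in the thread.
BASELINE = """\
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
"""
# Constructed main.cf: comment, continuation lines, one parameter set twice.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols =
    !SSLv2,
    !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = encrypt
"""

def parse_main_cf(text):
    """Return {name: value}; skips comments, joins continuation lines, last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():              # continuation of the previous logical line
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return {k: v.strip() for k, v in params.items()}

def compare(baseline_text, actual_text):
    """Return {param: (expected, actual_or_None)} for baseline parameters that are missing or differ."""
    want, have = parse_main_cf(baseline_text), parse_main_cf(actual_text)
    norm = lambda v: sorted(v.replace(",", " ").split())  # ignore separators and order
    return {k: (v, have.get(k)) for k, v in want.items()
            if k not in have or norm(have[k]) != norm(v)}
```

A parameter reported as missing is not unset: Postfix falls back to its built-in default, which `postconf <name>` prints.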

I only could find

smtpd_tls_auth_only = yes

in my main.cf. I tried to add the other parameters to the file; it didn't give me any errors, but it didn't work either.

I use the newest version of Mozilla Thunderbird. (45.6.0)

And I used telnet mail.crdesigns.de 587 on the server

I set up my mail server from this tutorial:

https://www.linode.com/docs/email/email-with-postfix-dovecot-and-mysql

edit

ohw…

I used now:

openssl s_client -connect mail.crdesigns.de:587 -starttls smtp

CONNECTED(00000003)
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
   i:/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
---
Server certificate
subject=/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
issuer=/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
---
No client certificate CA names sent
---
SSL handshake has read 2435 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4000 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D068C3B881EFB1A79675F2DB36865D9D163101E1AD20220BE19EED91518E3D36
    Session-ID-ctx:
    Master-Key: 23A683096984564FF29D55B8C3CF554553230203D2CA8FDBBFAEFA9ED83BFC04A49FFE2A6A73231B395C3951771054FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1483693936
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
mail from: <info@crdesigns.de>
250 2.1.0 Ok
RCPT TO: <user@example.com>
RENEGOTIATING
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify return:1
DATA
554 5.5.1 Error: no valid recipients
rcpt to: <info@crdesigns.de>
554 5.7.1 <zerony.crdesigns.de[139.162.212.140]>: Client host rejected: Access denied
rcpt to: <test@crdesigns.de>
554 5.7.1 <zerony.crdesigns.de[139.162.212.140]>: Client host rejected: Access denied

From the above, I can see that:

1) your postfix accepts TLS v1.2 connections, that's good.

2) your client openssl can connect fine, that's good! (no, telnet won't work of course)

3) the "Access denied" that you got from the "RCPT TO" command is because you haven't authenticated with an email/password, this is good and prevents replaying.

4) either Thunderbird is broken or you have some broken anti-virus that tries to get between Thunderbird and postfix, this broken anti-virus doesn't support TLS.
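The mail.log excerpt earlier in the thread can be triaged per session, as in the following added example (not part of the thread). It groups Postfix smtpd lines by service and PID and attaches a hint to the OpenSSL reason string. The `HINTS` text is the editor's reading of those reason strings, `classify_sessions` is a hypothetical name, and the second session in the sample is constructed.

```python
import re

# First five lines are the mail.log excerpt from the thread; the last three are a
# constructed successful session (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Jan  5 23:01:12 localhost postfix/submission/smtpd[6057]: connect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: SSL_accept error from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]: -1
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: lost connection after STARTTLS from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: disconnect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:05:00 localhost postfix/submission/smtpd[6101]: connect from unknown[192.0.2.10]
Jan  5 23:05:01 localhost postfix/submission/smtpd[6101]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  5 23:05:02 localhost postfix/submission/smtpd[6101]: disconnect from unknown[192.0.2.10]
"""

LINE_RE = re.compile(r"postfix/(?P<svc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"^(?:dis)?connect from (?P<peer>\S+)")
TLS_ERR_RE = re.compile(r"TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(?P<reason>[^:]+):")
# Editor's reading of OpenSSL reason strings (an assumption, not from the thread).
HINTS = {
    "unknown protocol": "peer sent bytes that are not an SSL/TLS ClientHello, e.g. plaintext after STARTTLS",
    "no shared cipher": "client and server cipher lists do not overlap",
}

def classify_sessions(log_text):
    """Return one verdict dict per completed smtpd session (connect .. disconnect)."""
    open_sessions, verdicts = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, msg = (m["svc"], m["pid"]), m["msg"]
        peer = PEER_RE.match(msg)
        if peer and msg.startswith("connect"):
            open_sessions[key] = {"peer": peer["peer"], "status": "no-tls", "detail": ""}
            continue
        sess = open_sessions.get(key)
        if sess is None:
            continue  # session started before this excerpt
        err = TLS_ERR_RE.search(msg)
        if err:
            sess["status"] = "tls-handshake-failed"
            sess["detail"] = HINTS.get(err["reason"], err["reason"])
        elif "TLS connection established" in msg and sess["status"] != "tls-handshake-failed":
            sess["status"] = "tls-ok"
        elif peer:  # "disconnect from ..." closes the session
            verdicts.append(open_sessions.pop(key))
    return verdicts
```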

Okay, thanks, so I can stop searching on the server.

I only use Windows Defender; I'll try to reinstall Thunderbird later.

Do you have some kind of firewall device? maybe that tries to take over the connection in order to run its own anti-virus.

smtp doesn't just break out of the blue, something must have changed recently…

I'm 100% sure I didn't install an antivirus or firewall software, but how can I check if something is blocking it?

Thunderbird SMTP settings: http://image.prntscr.com/image/f5a1039c980042d5a465a91bb49204dd.png

When I use telnet on the Windows cmd it gives me a timeout for mail.crdesigns.de 587

You SHOULD be able to telnet to port 587 and see the "banner", something like:

220 mail.whatever.com ESMTP Postfix

If the connection times out, then something is blocking you! But I can't know if it's something in your computer, or your network, or even your ISP. But something is definitely blocking you.

Are you sure your mail server isn't blocking you? Maybe you have something like "fail2ban" enabled? Just in case it's that simple…

Hmm.. I'm back at home tomorrow, but I didn't enable or install fail2ban o.o

Can you maybe try to telnet mail.crdesigns.com?

````
$ telnet mail.crdesigns.com 587
telnet: mail.crdesigns.com: No address associated with hostname
mail.crdesigns.com: Unknown host


$ telnet crdesigns.com 587
Trying 63.230.201.250…
telnet: connect to address 63.230.201.250: Connection refused
````

It seems like the domain crdesigns.com has an MX at mx1.mcgelec.com

Maybe the problem isn't at the server or your Thunderbird, maybe the problem is a badly configured DNS ???

Sorry not .com it is crdesigns.de

That worked better :)

$ telnet mail.crdesigns.de 587
Trying 139.162.212.140...
Connected to mail.crdesigns.de.
Escape character is '^]'.
220 hostname.crdesigns.de ESMTP Postfix (Ubuntu)

Here is a little tip, if you want to do some remote tests yourself, this place has a very good collection of testing tools (lots about email, dns, etc services): http://mxtoolbox.com/NetworkTools.aspx

Based on some "dig" output, I think there is something wrong with your MX records, you have two:

;; ANSWER SECTION:
crdesigns.de.        86400   IN  MX  10 mail.crdesigns.de.
crdesigns.de.        86400   IN  MX  10 crdesigns.de.

and they point to the same IP address. Just one of the above should be enough.

I deleted the MX Record but you know it takes some time, but this is what it gives me:

http://image.prntscr.com/image/641c70a7828d406895e28ddea7483e27.png

Can something of that be the reason for my problem?

edit I tried telnet from my girlfriend's wifi with my smartphone and telnet worked.

But at home, it doesn't work, I'm not sure but can it be that my router blocks it?

edit

facepalm… I looked at my router logs and it seems like the last firmware update (that I didn't recognize) did reset my list for "secure email server"

Haha… man omg

I'm glad you solved it!

The warnings reported by tests are not serious and you may ignore them. For example the banner can be fixed by modifying the following (in main.cf):

smtpd_banner = $myhostname ESMTP

Personally, I've solved all my configuration problems by using this script, which generates all the correct configuration files, including virtual hosts.

I think your SSL certificate has expired.
