Postfix not handling external client connections
I followed the how-to at
Here's what I have:
Courier-imap, authenticating to MySQL. Postfix delivering through Amavisd-new, Spamassassin, etc. Saslauthd authenticating to the same MySQL db via libpam_mysql.
I am NOT using virtual users (I only have 5 or 6) and I'm not implementing quotas. All the rest is pretty much my config to a T.
What works:
Courier, authentication, etc. works fine. Incoming mail is handled correctly, including the spam processing. Sending mail from within the host via Squirrelmail works fine. Saslauthd authentication to MySQL through the libpam_mysql plugin - verified via testsaslauthd.
What doesn't work:
External clients trying to send mail via postfix.
I've tried boosting the logging verbosity, but I see nothing in the logs. I've tried the telnet to port 25 test, and it works perfectly from the host, but times out from outside the host. The firewall is open on port 25, and I've verified with tcpdump that there are packets coming through - usually 28 or 29 altogether, going both ways.
I've checked the mail.log, mail.info, mail.err, auth.log, and the mysql logs - both by way of straight vi editing and tail -f. Nothing is happening with these failed connections.
I've probably read 350 pages on postfix configuration, sasl configuration, ubuntu firewalls, apparmor (which is definitely not installed) and libpam_mysql. I cannot find anything that helps. I've rewritten my configs no less than 15 times in the last week, and nothing helps.
I've also reinstalled postfix after moving the original main.cf and master.cf to another location, then reconfigured them according to the how-to. This of course broke incoming email because I forgot to add the transport config in master.cf, but after that was resolved, I was back where I started.
I'm at the end of my rope with this. Any suggestions would be greatly appreciated.
Lou
9 Replies
@hoopycat:
Most likely, port 25 is being blocked by your local ISP, since MUAs shouldn't be sending mail that way anyway. Try using port 587, which you can enable by uncommenting the "submission" lines in master.cf.
I wouldn't think that was the case, because the telnet test from my laptop to port 25 on my linode does appear to get packets across. Also, it's not just my ISP. I have users in MA, AR, and NM, often connecting through coffee house hotspots.
I'll try the configuration though. And I'll remember to open up the submission port in ufw …
Thanks for the suggestion!
Cheers!
Hoopycat, you were exactly right about the port being blocked. The reason I didn't believe it initially was that I never noticed it after switching ISPs - I'd gotten into the habit of using webmail. By the time I noticed it, I was past associating the problem with the ISP change.
Thinking back, my brother only started experiencing the problem after he got home to our parents' and he was connecting through our mother's ISP. She started noticing it as soon as her ISP started blocking the port.
So, things I had to remember:
Open the submission port in the firewall.
Update the Squirrelmail configuration to use the correct port.
Set the -o smtpd_tls_security_level=may in the master.cf submission config to allow Squirrelmail to connect without TLS, as well as external clients that may not be able to use it.
Add the following to the master.cf submission:
-o mynetworks=127.0.0.0/8
- And change the smtpd_client_restrictions setting to include mynetworks.
Without these changes, I'd have had to jump through hoops to get Squirrelmail to go through the SMTP authentication as well as the IMAP authentication. Didn't seem worthwhile.
So, now I'm on to the next problem. It seems the postfix - sasl - pam - mysql authentication chain is not quite right. But at least I'm actually getting useful information there. If I can't find the solution to this one I'll post another thread.
Thank you Hoopycat!
Lou
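A master.cf submission stanza that puts the steps from the post above together, added here as an illustration and not Lou's actual configuration; the column layout and the -o override names are standard Postfix, the ufw command is shown as a comment, and the tradeoffs of the "may" TLS level and the loopback-only mynetworks are noted inline.

```conf
# Submission service (port 587) for mail clients, in master.cf.
# Columns: service type private unpriv chroot wakeup maxproc command
#
# Open the port on the host firewall first, e.g. with ufw:
#   ufw allow 587/tcp
#
# smtpd_tls_security_level=may offers STARTTLS but does not require it,
# so Squirrelmail on localhost and clients that cannot do TLS still
# connect. Caveat: such clients send their SASL password in cleartext
# on the wire; switch to "encrypt" once every client supports STARTTLS.
#
# mynetworks=127.0.0.0/8 is what lets the local webmail skip SMTP AUTH.
# Keep it loopback-only: widening it to a LAN or the public interface
# turns the submission port into an open relay.
#
# smtpd_client_restrictions: localhost first, then authenticated users,
# then reject everyone else. The trailing reject matters; without it
# the main.cf defaults decide, which is easy to get wrong.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
```

After editing, reload Postfix and confirm the port answers from outside with a telnet or openssl s_client test on 587, the same check the original post used on port 25.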
@keyslapper:
Well, frankly I'm appalled that this never occurred to me.
Hoopycat, you were exactly right about the port being blocked. The reason I didn't believe it initially was that I never noticed it after switching ISPs - I'd gotten into the habit of using webmail. By the time I noticed it, I was past associating the problem with the ISP change.
If you're on Verizon then note that they're changing their systems; previously they didn't block port 25, now they're rolling it out and blocking direct SMTP access (although they haven't blocked me, yet
If they start blocking 587, I'm gonna have to switch to Comcast. If they do it, I'm back to using Cloud9 - more expensive, but it's a static IP and their reliability record over the 5 years I used them puts both Verizon and Comcast to utter shame. I've had more downtime in the last 3 months with Verizon than I had in a full 5 years with Cloud9 - which is actually a Verizon network reseller.
As for Linode, I signed up as a way to reduce my costs when I switched to Verizon, but even if I do have to go back to Cloud9, I'm sticking around here. The pros far outweigh the expense.
Cheers!
I doubt Verizon will block the submission port because this port typically requires authentication and so is less likely to be used for zombie spamming (which is the main reason port 25 is being blocked).
For your own personal use, you can run an SMTP server on any port you like and configure your clients to use that port
@sweh:
For your own personal use, you can run an SMTP server on any port you like and configure your clients to use that port
:-)
True, but more ISPs are defaulting to blocking privileged ports (<1024) by default and only allowing those they deem legitimate. Sad, really. And most annoying.
@keyslapper:
@sweh:For your own personal use, you can run an SMTP server on any port you like and configure your clients to use that port
:-) True, but more ISPs are defaulting to blocking privileged ports (<1024) by default and only allowing those they deem legitimate. Sad, really. And most annoying.
And also one of the reasons I've grown into the habit of having two alternate ports for SMTP; port 587 (submission) and port 2525 (which is above the privileged port range, and easy enough to remember).
@keyslapper:
@sweh:For your own personal use, you can run an SMTP server on any port you like and configure your clients to use that port
:-) True, but more ISPs are defaulting to blocking privileged ports (<1024) by default and only allowing those they deem legitimate. Sad, really. And most annoying.
Thanks to people getting infected by viruses and trojans and having their PCs turned into spamming botnet nodes.