
I used this and this blog posts to configure postfix to relay mails to a specific server using authentication. The following settings have been made in main.cf:

```
# sender-dependent sasl authentication
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

# default relayhost setting
relayhost = [fully.qualified.target.server]:587

# smtp authentication settings
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_tls_CAfile = /var/lib/ca-certificates/ca-bundle.pem
smtp_use_tls = yes
smtp_tls_security_level = encrypt
```

I created /etc/postfix/sender_relay with the following content:

```
sender1@mydomain.de    [fully.qualified.target.server]:587
sender2@mydomain.de    [fully.qualified.target.server]:587
sender3@mydomain.de    [fully.qualified.target.server]:587
sender4@mydomain.de    [fully.qualified.target.server]:587
```

and encoded it as lmdb by `postmap sender_relay` so that the sender_relay.lmdb was created in /etc/postfix/

I created /etc/postfix/sasl_passwd with the following content:

```
sender1@mydomain.de   sender1@mydomain.de:password1
sender2@mydomain.de   sender2@mydomain.de:password2
sender3@mydomain.de   sender3@mydomain.de:password3
sender4@mydomain.de   sender4@mydomain.de:password4

[fully.qualified.target.server]:587   default@mydomain.de:passwordDefault
```

and encoded it as well using `postmap sasl_passwd`.

Now when I try to send an email using that relay I get:

```
Jan 16 11:57:08 mail postfix/qmgr[12939]: 199FA1206D3: from=sender1@mydomain.de, size=454, nrcpt=1 (queue active)
Jan 16 11:57:38 mail postfix/smtp[12952]: connect to fully.qualified.target.server[ip.of.target.server]:587: Connection timed out
Jan 16 11:57:38 mail postfix/smtp[12952]: 199FA1206D3: to=externalrecipient@somewhere.com, relay=none, delay=1062, delays=1032/0.03/30/0, dsn=4.4.1, status=deferred (connect to fully.qualified.target.server[ip.of.target.server]:587: Connection timed out)
```

Although I edited master.cf to get debugging output, I do not get more information:

```
smtp      inet  n       -       n       -       -       smtpd -v
```

I checked certificates / connectivity using openssl:

```
openssl s_client -connect fully.qualified.target.server:587 -starttls smtp -crlf
```

and no problems were found. What else can I do to debug this situation?

Platform is openSUSE Leap 15.3

Tode
  • A timeout usually points toward a firewall issue. Many hosters block outgoing port 25 to prevent spam. – Gerald Schneider Jan 16 '23 at 11:54
  • I can telnet to the server on the port and I can also connect using openssl... so most probably not a firewall issue.... – Tode Jan 16 '23 at 11:56
  • Can you confirm your openssl test tried exactly the IP address (version) that postfix logs mention? Can you confirm that `iptables-save`/`ip6tables-save` dumps the stock empty/ACCEPT firewall policies? – anx Jan 16 '23 at 13:08
  • I can confirm that openssl used the exact IP address that postfix uses. And I successfully connected using telnet on that IP address as well... your commands do not work, unfortunately – Tode Jan 16 '23 at 13:43
  • This issue may be caused by a number of factors, such as a network issue preventing the connection, a firewall blocking the connection at the destination, or an issue with the target server. – Zareh Kasparian Jan 16 '23 at 16:09
  • That's my question: How do I debug this... – Tode Jan 16 '23 at 16:11
  • The hard-and-dirty way is to capture traffic and see when packets go missing. If you can do this on both sides, you likely have enough power to fix the entire problem; if you don't, your best guess will be something like "it doesn't answer to my packets, all what I can suppose it's a firewall". Also check *all* logs; maybe SELinux permits your interactive telnet session, but doesn't permit Postfix smtp client to originate session, and it should write that into logs. – Nikita Kipriyanov Jan 17 '23 at 05:09

1 Answer

Just for somebody stumbling over this: It really was a firewall issue on another system. It blocked the mail communication.

As suggested by Nikita in the comments, I used tcpdump to check the connection and found out that telnet / openssl used the interface eth0 whereas postfix used the interface tun0 (there is a VPN tunnel on that machine).

And the "endpoint" of the VPN tunnel blocked all SMTP ports.

I made the traffic go through the right interface and now postfix does what it should and debugging works as well.

I was just confused as postfix does not show any debug output when the underlying TCP/IP connection is blocked. Because of that I thought that my debugging parameters were not used by postfix.

Tode
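The interface mismatch described in the answer can be checked without a packet capture by asking the kernel which route it picks for the relay, once with no source address (what telnet and openssl get) and once with the source address Postfix is configured to bind to. This is an added example, not part of the original post; it assumes the difference comes from `smtp_bind_address`, which the page does not state, and all addresses and sample outputs are constructed.

```shell
#!/bin/sh
# Constructed `ip route get` outputs for a relay at 203.0.113.25 (documentation
# addresses, not taken from the page): one without a source address, one with
# the VPN address as source.
SAMPLE_DEFAULT='203.0.113.25 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache'
SAMPLE_BOUND='203.0.113.25 from 10.8.0.2 via 10.8.0.1 dev tun0 uid 0
    cache'

# egress_dev: read `ip route get` output on stdin, print the word after "dev".
egress_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# compare_paths ROUTE_A ROUTE_B: print "same:<dev>" or "differ:<devA>:<devB>".
compare_paths() {
  cp_a=$(printf '%s\n' "$1" | egress_dev)
  cp_b=$(printf '%s\n' "$2" | egress_dev)
  if [ "$cp_a" = "$cp_b" ]; then
    echo "same:$cp_a"
  else
    echo "differ:$cp_a:$cp_b"
  fi
}

# check_relay RELAY_IP: live check on the mail host (needs postconf and ip).
# Compares the route an unbound client gets with the route for the address in
# smtp_bind_address, if one is set.
check_relay() {
  cr_ip=$1
  cr_bind=$(postconf -h smtp_bind_address)
  cr_plain=$(ip route get "$cr_ip")
  if [ -z "$cr_bind" ]; then
    echo "unbound:$(printf '%s\n' "$cr_plain" | egress_dev)"
    return 0
  fi
  compare_paths "$cr_plain" "$(ip route get "$cr_ip" from "$cr_bind")"
}

# A "differ" result can be confirmed on the wire, as the answer did, with:
#   tcpdump -ni any "tcp port 587 and host <relay ip>"
```

A `differ:eth0:tun0` result from `check_relay` means interactive tests from the same host do not exercise the path Postfix uses, so a successful telnet or openssl connection says nothing about the relay path.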