
I have just outfitted a basic server (Ubuntu 12.04 LTS / Precise Pangolin) and have installed Postfix and Dovecot, based on the Ubuntu manuals.

https://help.ubuntu.com/community/Dovecot

https://help.ubuntu.com/community/Postfix

Postfix gets mail out of the box to my gmail account, e.g.:

```
sendmail [redacted]@gmail.com < /etc/motd
```

Testing remote access with the open source client for Eudora, I can successfully download email, so Dovecot/POP3 seems to be functioning.

However, I cannot seem to get Eudora to send email from my local computer. Depending on the security/port config I use, it generally times out.

I seem to be able to get access via the local terminal, and remote shells, such as (from a remote server):

```
$ telnet lists.teachers.net 25
Trying 50.56.184.186...
Connected to lists.teachers.net.
Escape character is '^]'.
220 lists.teachers.net ESMTP Postfix (Ubuntu)
ehlo lists.teachers.net
250-lists.teachers.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

I tried setting Eudora to use STARTTLS, SSL/TLS, and none, but they all time out. When Eudora tries to connect, I don't see any activity in the /var/log/mail/log or /var/log/mail.err, which I guess means those aren't the relevant logs or there is no activity to report.

I haven't set up any firewall rules:

```
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

netstat output:

```
$ sudo netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:submission            *:*                     LISTEN      4112/master
tcp        0      0 *:pop3                  *:*                     LISTEN      3210/dovecot
tcp        0      0 *:imap2                 *:*                     LISTEN      3210/dovecot
tcp        0      0 *:ssh                   *:*                     LISTEN      564/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      4112/master
tcp        0      0 *:imaps                 *:*                     LISTEN      3210/dovecot
tcp        0      0 *:pop3s                 *:*                     LISTEN      3210/dovecot
tcp        0    300 lists.teachers.net:ssh  99-95-169-159.lig:55464 ESTABLISHED 1433/sshd: listman
tcp6       0      0 [::]:submission         [::]:*                  LISTEN      4112/master
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      3210/dovecot
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      3210/dovecot
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      564/sshd
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      4112/master
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      3210/dovecot
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      3210/dovecot
```

MX record:

```
$ dig mx lists.teachers.net

; <<>> DiG 9.8.1-P1 <<>> mx lists.teachers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;lists.teachers.net.            IN      MX

;; ANSWER SECTION:
lists.teachers.net.     300     IN      MX      100 lists.teachers.net.

;; AUTHORITY SECTION:
teachers.net.           2057    IN      NS      dns1.stabletransit.com.
teachers.net.           2057    IN      NS      dns2.stabletransit.com.

;; ADDITIONAL SECTION:
lists.teachers.net.     300     IN      A       50.56.184.186
dns1.stabletransit.com. 77665   IN      A       69.20.95.4
dns2.stabletransit.com. 77741   IN      A       65.61.188.4

;; Query time: 830 msec
;; SERVER: 72.3.128.241#53(72.3.128.241)
;; WHEN: Thu Jan 10 14:08:34 2013
;; MSG SIZE  rcvd: 155
```

How can I troubleshoot this, maybe from a remote machine? What logs might shed light? What other info would be helpful here? Thanks!

Bob SD

1 Answer


The connection attempt should be visible in /var/log/mail.log -> this sounds like a client side issue.

Try telnetting the server on port 25 from the box where Eudora is running. If that times out as well:

  • Check if your provider blocks port 25 outgoing. If it does, enable the submission port (587) instead; it's a good practice anyway to separate MUA-MTA from MTA-MTA ports.

  • Check if a locally installed firewall or antivirus software interferes with SMTP traffic. I've seen AV software being the culprit of connection issues a lot.

Gryphius
  • The local machine was apparently blocked on outgoing 25. So I greatly appreciate your fast and helpful answer, Gryph. – Bob SD Jan 11 '13 at 18:03
  • If I had said I was on SBC/U-Verse, maybe that answer would have been even more obvious. I didn't realize they blocked that, but apparently they do. I enabled port 587 by uncommenting the appropriate line in master.cf. Will that automatically block 25 from incoming access, or is that something that should be done in the iptable? Or do I not need to worry about that to harden my server? – Bob SD Jan 11 '13 at 18:11
  • Only mail clients can use 587 (for outgoing mail). Incoming mail (server-to-server) to your domain will always be sent to port 25, so this port should still be open and accept mail. – Gryphius Jan 12 '13 at 06:26
  • Thanks. Mail server hardening is serious stuff, but I kinda got thrown into this so need to get it right. I'm scouring the tutorials and documentation (Ubuntu community pretty great for that). But would you recommend any specific critical tweaks to ensure my resources aren't commandeered by some shlub in Brazil, getting my whole domain blacklisted? – Bob SD Jan 12 '13 at 17:43
  • Postfix's defaults are usually very good and secure, so the less you change the less you gotta worry on Postfix being the attack vector. I'd recommend strong passwords and fail2ban on smtp auth and probably rate-limiting for the brazil shlub part :-). Change your rdns to "lists.teachers.net", my mailserver would definitely block your current generic rackspacecloud rdns ;-) – Gryphius Jan 12 '13 at 18:59
  • Gryph, you rock. I was just trying to figure out the rdns stuff, because in fact AOL is already flagging my outgoing as "spam." I added an SPF rule (v=spf1 mx ~all) to the DNS, hoping that might make a difference, but nyet. Where is the rdns changed? My research suggested it was something only rackspace could change. – Bob SD Jan 13 '13 at 00:27
  • http://www.rackspace.com/knowledge_center/article/rackspace-cloud-essentials-6-creating-a-reverse-dns-record – Gryphius Jan 13 '13 at 06:28
  • That was a good link, but the documentation was for their cloud servers, and as support explained to me, "In next gen that is done via the API." They pointed me back to a server fault solution [link](http://serverfault.com/questions/451292/how-do-i-set-reverse-dns-for-rackspace-next-generation-cloud-servers) and to a script on github [link](https://github.com/cloudnull/ptrcreate). Both of which were either out of date or otherwise broken. They ultimately did the switch for me, but they linked me to the script they used [link](http://rudie.net/YaRrDNS.sh). Thanks again, Gryph! – Bob SD Jan 13 '13 at 19:34
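
The port check the answer recommends (try 25 from the client machine, fall back to 587), as an added Python example that is not part of the original thread: it tells a silently dropped connection apart from a refused one and lists the EHLO capabilities of a port that answers. The EHLO name `probe.example` and all function names are assumptions made for illustration.

```python
import socket
import sys

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return the text of each line."""
    texts = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise OSError("connection closed mid-reply")
        texts.append(line[4:])
        if line[3:4] != "-":      # "250-" continues the reply, "250 " ends it
            return texts

def probe_smtp(host, port, timeout=5.0):
    """Return (state, capabilities); state is open, filtered, refused or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                sock.makefile("rwb") as f:
            read_reply(f)                        # 220 banner
            f.write(b"EHLO probe.example\r\n")   # placeholder client name
            f.flush()
            caps = read_reply(f)[1:]             # first line is the server's own name
            f.write(b"QUIT\r\n")
            f.flush()
            return "open", caps
    except socket.timeout:
        return "filtered", []    # no answer at all: packets dropped on the way
    except ConnectionRefusedError:
        return "refused", []     # host reachable, nothing listening on the port
    except OSError:
        return "error", []

def diagnose(state25, state587):
    """Map the two probe states to the likely cause, following the answer."""
    if state25 == "open":
        return "port 25 reachable from here: check the mail client's settings"
    if state25 == "filtered" and state587 == "open":
        return "outbound 25 is dropped (provider or local firewall/AV): use 587"
    if state25 == "filtered" and state587 == "filtered":
        return "both ports dropped: check local firewall/AV, then the network path"
    return "port 25 %s, port 587 %s: check the server's listeners" % (state25, state587)

if __name__ == "__main__":
    host = sys.argv[1]           # run from the machine the mail client is on
    results = {p: probe_smtp(host, p) for p in (25, 587)}
    for port, (state, caps) in results.items():
        print(port, state, "STARTTLS" in caps, [c for c in caps if c.startswith("AUTH")])
    print(diagnose(results[25][0], results[587][0]))
```

Run it on the client machine, not on the server: a probe from the server itself or from another host says nothing about what the client's provider filters.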