Centos – postfix smtp connection timed out, why

Tags: centos, email, openssl, postfix, ssl

A CentOS 7 web server has postfix, dovecot, and mailx installed. I have been able to make an IMAP connection to the server in order to read inbox mail using a remote Thunderbird client, but I am not able to make an SMTP connection to send email from Thunderbird. When I do forensics, I discover that the attempted SMTP connection times out. How can I resolve this problem of the connection timing out, so that I can send email from Thunderbird through the server?

My forensics so far have resulted in:

Typing hostname in the terminal at the server returns mydomain.com.

nano /usr/lib/firewalld/services/smtp.xml indicates the smtp port is 25

The smtp service is activated in the public zone because firewall-cmd --list-all results in:

public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client imaps openvpn smtp
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

But when I try to telnet from my devbox to the remote CentOS 7 server, I get the following results. Typing telnet mydomain.com 25 resulted in:

Trying my.SERVER.ip.addr...
telnet: connect to address my.SERVER.ip.addr: Connection timed out

Then typing telnet smtp.mydomain.com 25 resulted in:

Trying my.SERVER.ip.addr...
telnet: connect to address my.SERVER.ip.addr: Connection timed out

Also, typing openssl s_client -CApath /etc/ssl/certs -starttls smtp -port 25 -host smtp.mydomain.com results in:

socket: Connection timed out
connect:errno=110

Similarly, typing openssl s_client -CApath /etc/ssl/certs -starttls smtp -port 25 -host mydomain.com also resulted in:

socket: Connection timed out
connect:errno=110

I typed nano /etc/postfix/main.cf to start to examine the config, but did not find anything related to ports.

EDIT:

As per FaheemMitha's advice, I tried telnet mydomain.com 587 from the client, and got No route to host in reply. I think this is because only port 25 is open in firewalld for smtp.

I therefore thought to try telnet from within the remote server mydomain.com. When I logged on to my remote server via ssh and typed telnet localhost 25, the result was:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mydomain.com ESMTP Postfix  

This causes me to suspect that postfix is running on port 25, but that somehow it is not able to accept outside connections.

EDIT#2

As per @RedCricket's suggestion, I ran iptables -L. Since the results were verbose, I uploaded them to a file sharing site, which you can view by clicking on this link.

I also tried iptables --flush followed by firewall-cmd --reload, and then repeated the telnet and thunderbird tests from above, but I am still getting the connection timed out error.

What else can I try?

I uploaded the entire /etc/postfix/main.cf to a file sharing site. You can read it by clicking on this link.

EDIT#3

A valid email address someone.else@some_other_domain.com sends email to me@mydomain.com without problems. Therefore, as a test, I had my remote Thunderbird client try to send email to that someone.else@some_other_domain.com as part of the work documented above in this OP. This morning, I received a return to sender message in my Thunderbird as a result of the test email. I interpret this returned message to mean that at least one of my test messages from Thunderbird got into the SMTP on mydomain.com, but that mydomain.com was not able to look up or otherwise connect to some_other_domain.com. Here is the message:

This is the mail system at host mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<someone.else@some_other_domain.com>: Host or domain name not found. Name service error for
    name=some_other_domain.com type=MX: Host not found, try again

Reporting-MTA: dns; mydomain.com
X-Postfix-Queue-ID: 2C915811BD1C
X-Postfix-Sender: rfc822; me@mydomain.com
Arrival-Date: Mon, 23 Feb 2015 16:46:34 -0500 (EST)

Final-Recipient: rfc822; someone.else@some_other_domain.com
Action: failed
Status: 4.4.3
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=some_other_domain.com type=MX: Host not found, try again

ForwardedMessage.eml
Subject: key enclosed
From: me@mydomain.com
Date: 02/23/2015 01:46 PM
To:    someone.else@some_other_domain.com

this is the body of the email  

Thus, it seems that sometimes the connection from my remote devbox to mydomain.com is closed, and at other times, the connection from mydomain.com to the rest of the internet is closed.

EDIT#4

Following @derobert's advice, I first tried the two telnet commands from the devbox to the server, then I tried to send an email from me@mydomain.com using the Thunderbird client on my devbox, and then I ran the tcpdump command on both the devbox and on the server. Typing tcpdump port 25 in the devbox terminal resulted in the following:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Next, typing tcpdump on the server resulted in so much output that the results scrolled endlessly until I typed Ctrl-C. So I then typed tcpdump port 25 and got the following results:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

As a curiosity, I then typed tcpdump port 25 again on both the devbox and the server simultaneously and left it open without typing Ctrl-C, and I tried to manually send an email from me@mydomain.com using Thunderbird client on my devbox. I still got the same Connection timeout failure, but there was no activity reported by the open tcpdump port 25 commands. And the totals also came up to zero when I typed Ctrl-C on both terminals afterwards.

Best Answer

After much troubleshooting, we determined that the ISP on the client side is blocking outgoing port 25 (SMTP). That was confirmed by using a random mail server test site on the Internet and finding that it could connect to the mail server fine. SMTP packets from the client machine did not arrive at all (confirmed via tcpdump).

The solution is to configure an additional SMTP listener on a different port. 465 (SMTP over SSL) and 587 (mail submission, RFC 6409) are common options.
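Here is what the accepted answer's fix looks like in practice, as an added example that is not part of the original thread. It assumes CentOS 7 with Postfix 2.10 (which is why master.cf is edited with a heredoc rather than `postconf -M`, which only arrived in 2.11), firewalld as the packet filter, and Dovecot as the SASL backend, since the question says Dovecot is installed. The function names, the `apply` guard and the certificate paths are made up for this example; the Postfix option names are the standard ones. The important security detail is that the new port is not simply port 25 on a different number: the listener requires STARTTLS before authentication and rejects anything that has not authenticated, so opening 587 to the Internet does not create an open relay.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's or the
# answerer's code. Assumptions: CentOS 7, Postfix 2.10, firewalld, Dovecot
# SASL. Run as "sh add_submission.sh apply" on the server; without the
# "apply" argument only the functions are defined (handy for testing
# against a scratch copy of master.cf via the MASTER_CF variable).
set -eu

MASTER_CF=${MASTER_CF:-/etc/postfix/master.cf}

# Append a "submission" (TCP 587, per /etc/services) listener to master.cf
# unless one is already defined, so re-running the script is safe.
# Option meanings:
#   smtpd_tls_security_level=encrypt   STARTTLS is mandatory on this port
#   smtpd_sasl_auth_enable=yes         offer AUTH (after STARTTLS only)
#   smtpd_client_restrictions=...      accept authenticated clients, reject
#                                      everyone else before any mail is queued
add_submission_listener() {
    cf=$1
    if grep -Eq '^submission[[:space:]]+inet' "$cf"; then
        echo "submission listener already present in $cf"
        return 0
    fi
    cat >> "$cf" <<'EOF'
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    echo "added submission listener to $cf"
}

# How many submission listeners a master.cf defines (0 or 1 is correct;
# more than one means master.cf was edited twice and Postfix will complain).
count_submission_listeners() {
    grep -Ec '^submission[[:space:]]+inet' "$1" || true
}

if [ "${1:-}" = "apply" ]; then
    add_submission_listener "$MASTER_CF"

    # Mandatory STARTTLS needs a certificate; the paths below are
    # placeholders, point them at the server's real cert and key.
    postconf -e 'smtpd_tls_cert_file=/etc/pki/tls/certs/mydomain.com.crt' \
               'smtpd_tls_key_file=/etc/pki/tls/private/mydomain.com.key'

    # Let Postfix authenticate users through Dovecot's auth socket. Dovecot
    # must expose it as unix_listener /var/spool/postfix/private/auth in
    # conf.d/10-master.conf (the path is relative to Postfix's queue dir).
    postconf -e 'smtpd_sasl_type=dovecot' 'smtpd_sasl_path=private/auth'

    # Open 587 in the zone that already carries smtp/imaps, then reload.
    firewall-cmd --permanent --add-port=587/tcp
    firewall-cmd --reload
    systemctl reload postfix

    # Local check: the new socket should now be listening.
    ss -lnt | grep -q ':587 ' && echo "postfix is listening on 587"

    # Remote check, run from the devbox, same tool the question used:
    #   openssl s_client -starttls smtp -connect mydomain.com:587
    # A working setup prints the 220 banner, negotiates TLS and then lists
    # STARTTLS/AUTH capabilities; "Connection timed out" again would mean the
    # path to 587 is also filtered somewhere.
fi
```

If a client insists on implicit TLS on 465 instead, the equivalent master.cf entry is the `smtps` service with `-o smtpd_tls_wrappermode=yes` in place of the `smtpd_tls_security_level=encrypt` line, plus `firewall-cmd --permanent --add-port=465/tcp`; the SASL and client-restriction lines stay the same.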
