Let me preface with "long term reader but first-time poster"... please be gentle! :)
I faced an interesting challenge years ago in an environment where the activity used various degrees of encryption and/or encapsulation in the path, along with suppressing ICMP "Fragmentation Needed" messages at their respective firewalls. This prevented MTU adjustment during normal Path MTU Discovery (PMTUD). As a result, small email succeeded until the point that exceeded the configured MTUs. In this case, the usual "telnet host 25" stuff seemed to work perfectly well, but real world messages routinely either dropped silently or (in my environment) created retransmit loops.

Doesn't sound exactly like what you're seeing, but I wanted to throw it out there. Most other protocols are more resilient (and use smaller individual packets) to avoid the problem between the sites.

Frank

-----Original Message-----
From: Curtis Vaughan via Postfix-users <postfix-users@postfix.org>
Sent: Tuesday, July 15, 2025 11:37 AM
To: postfix-users@postfix.org
Subject: [pfx] sending emails times out

We've been using postfix pretty much forever, but suddenly a new problem has arisen, for which I haven't been able to find a solution.

The postfix server is located in the USA. A lot of mail goes to Russian addresses and it is to those addresses that the issue is arising. The biggest problem is to a mail server at 83.222.5.141, which may actually be in Uzbekistan, although it is for a Russian company.

Here's the error, which started about a week ago. This is for outgoing mail, btw.

status=deferred (conversation with satcomdv.ru[83.222.5.141] timed out while receiving the initial server greeting)

However, if I telnet on port 25 from the postfix server I can send a message. The responses are quite slow, but it works.
In case this helps:

postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter = smtp-amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
mailbox_size_limit = 20971520000
mailq_path = /usr/bin/mailq.postfix
message_size_limit = 10737418240
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = ******.com
myhostname = mail.******.com
mynetworks = 10.0.1.0/24, 127.0.0.1/32, [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = $mydomain, $mydestination, $virtual_alias_maps
setgid_group = postdrop
smtp_connect_timeout = 120s
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:8891
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, check_sender_access regexp:/etc/postfix/sender_access_regexp, permit_mynetworks, check_client_access hash:/etc/postfix/blacklist_malware_patrol, check_client_access cidr:/etc/postfix/client_checks, reject_unauth_pipelining, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_rhsbl_helo dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, check_policy_service unix:private/policyd-spf, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_timeout = 900
smtpd_tls_CAfile = /etc/ssl/certs/smtp.*****.com.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/server.pem
smtpd_tls_key_file = /etc/ssl/private/domain.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual

Curtis Vaughan
IT Administrator/Director of Communications & Purchasing
North Pacific Corporation
Phone: 206-423-6979 ▪ Web: www.npc-usa.com

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
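
Added example, not part of the original thread: one way to check for the PMTUD black hole Frank describes is to send pings with Don't Fragment set and binary-search for the largest packet that still gets a reply. It assumes Linux iputils ping and a remote host that answers ICMP echo; the function names and the PMTU_HOST variable are illustrative.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path with DF set.
# Assumes Linux iputils ping, where "-M do" sets Don't Fragment and forbids
# local fragmentation. Function names and PMTU_HOST are hypothetical.

# probe_df HOST PAYLOAD: succeeds if one DF echo request carrying PAYLOAD
# bytes of ICMP data is answered (IP packet size = PAYLOAD + 28).
probe_df() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: prints the largest IP packet size between
# LOW and HIGH that was answered, or 0 if even LOW got no reply (which also
# happens when the far end simply filters ICMP echo).
find_path_mtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    probe_df "$host" $((lo - 28)) || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe_df "$host" $((mid - 28)); then
            lo=$mid            # mid fits, search the upper half
        else
            hi=$((mid - 1))    # mid was dropped or rejected, search lower
        fi
    done
    echo "$lo"
}

# classify_path PATH_MTU LOCAL_MTU: "reduced" means packets the local
# interface would happily send are too big for some hop on the path. If the
# firewalls also drop ICMP "Fragmentation Needed", TCP never learns this and
# full-size segments (a real message body) stall while small ones pass.
classify_path() {
    if [ "$1" -eq 0 ]; then echo no-reply
    elif [ "$1" -lt "$2" ]; then echo reduced
    else echo full
    fi
}

# Runs only when PMTU_HOST is set, e.g. PMTU_HOST=mx.example.net sh pmtu.sh
if [ -n "${PMTU_HOST:-}" ]; then
    mtu=$(find_path_mtu "$PMTU_HOST") || true
    echo "path MTU to $PMTU_HOST: $mtu ($(classify_path "$mtu" 1500))"
fi
```

A "reduced" result explains why an interactive telnet session works while larger transfers hang; a "no-reply" result is inconclusive because many mail hosts do not answer ping.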