Suddenly can't connect to SMTP

a few days ago it worked fine but today I tried to send an email and I had a timeout.

I tried to reboot my server, asked google and some other things.

Even mail.log doesn't show me an error.

I don't know what I should do know….

22 Replies

Since you are not offering much information, it is impossible to help you.

unless you want some generalized help like…

why not grab a coffee and wait for smtp to work again?

maybe instead of asking google, ask bing? or yahoo?

I don't know what to tell you…

root@localhost:~# netstat -pantu | grep 587:

tcp 0 0* LISTEN 5153/master
tcp6 0 0 :::587 :::* LISTEN 5153/master


root@localhost:~# telnet 587

Trying 2a01:7e00::f03c:91ff:fee4:605a...
Connected to
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)
250-SIZE 10240000
250 DSN
mail from: <>Connection closed by foreign host.</>


mail.log after that:

Jan  5 23:01:12 localhost postfix/submission/smtpd[6057]: connect from[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: SSL_accept error from[2a01:7e00::f03c:91ff:fee4:605a]: -1
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: lost connection after STARTTLS from[2a01:7e00::f03c:91ff:fee4:605a]
Jan  5 23:01:53 localhost postfix/submission/smtpd[6057]: disconnect from[2a01:7e00::f03c:91ff:fee4:605a]

My english isnt that good, im from germany.

but help me, please. what can I check and do?

Did your SSL certificate expire?

Either way it looks like your TLS setup has gone awry somewhere.

It looks like SSL v3 has been disabled at one end, while the other end insists on connecting with that exact protocol.

Have you made any changes to the postfix configuration to limit protocols to TLS only? Because thats what it looks like from the above error.


below is a typical configuration that disables the deprecated and old SSL v2/v3 and only allows TLS, but uses medium ciphers for compatibility.

if you can't connect with these settings, then your client is WAY TOO OLD and you should probably upgrade.

smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium

i didnt made any changes thats why i dont know whats going on haha :D

i try now to make a new ssl cert

Maybe you didn't make any changes to postfix, but maybe your client changed and no longer accepts SSL v2/v3??

Hmnm. and how can i fix that?

First, look at the above parameters and compare them with your own postfix, look for any differences.

Second, tell us what kind of email client (and version) you are using. Some email clients have an auto-update feature, which made it update itself to a new version that has SSL disabled.

I'm guessing one of the two sides no longer supports SSL and requires TLS only.

I only could find

smtpd_tls_auth_only = yes

in my, I tried to add the other parameters to the file, it didn't gave me any errors but it didn't work too.

I use the newest version of Mozilla Thunderbird. (45.6.0)

And I used telnet 587 on the server

i did setup my mail server from this tutorial: … -and-mysql">



i used now:

openssl s_client -connect -starttls smtp

depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN =
verify return:1
Certificate chain
 0 s:/C=DE/ST=Germany/L=Wernau/O=CRDesigns/
Server certificate
No client certificate CA names sent
SSL handshake has read 2435 bytes and written 456 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4000 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D068C3B881EFB1A79675F2DB36865D9D163101E1AD20220BE19EED91518E3D36
    Master-Key: 23A683096984564FF29D55B8C3CF554553230203D2CA8FDBBFAEFA9ED83BFC04A49FFE2A6A73231B395C3951771054FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 85 51 aa 46 63 39 bd 13-70 ca c6 6d 8f d4 55 0c   .Q.Fc9..p..m..U.
    0010 - a3 11 90 f8 30 47 e2 44-b3 94 b7 24 58 d0 51 32   ....0G.D...$X.Q2
    0020 - cd 05 3b 9f 07 20 a8 92-85 d5 aa 5a 32 23 9b 68   ..;.. .....Z2#.h
    0030 - 10 6a 27 8f 13 78 76 9b-b1 b4 8d 2c 65 6d 14 4d   .j'..xv....,em.M
    0040 - 75 ab 6a 25 4a 09 59 07-70 3a 1f 0a a8 37 01 61   u.j%J.Y.p:...7.a
    0050 - e6 71 4b 1a 61 c1 1b 5b-21 48 7c 53 7f ba 5a e3   .qK.a..[!H|S..Z.
    0060 - ca ed dd 17 07 3f d5 16-13 45 1f e0 a3 1f 51 8b   .....?...E....Q.
    0070 - da e6 c0 12 5f de ba ab-50 34 c4 18 ce 15 25 9f   ...._...P4....%.
    0080 - d6 0e 18 ee fc 23 c8 11-df 9e c3 46 16 6d 06 4f   .....#.....F.m.O
    0090 - 7a 83 67 2e 04 39 83 3d-ba ea ea d6 b1 61 d0 19   z.g..9.=.....a..

    Start Time: 1483693936
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
250 DSN
mail from: <>250 2.1.0 Ok
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN =
verify return:1
554 5.5.1 Error: no valid recipients
rcpt to: <>554 5.7.1 <[]>: Client host rejected: Access denied
rcpt to: <>554 5.7.1 <[]>: Client host rejected: Access denied</[]></></[]></></></> 

From the above, I can see that:

1) your postfix accepts TLS v1.2 connections, thats good.

2) your client openssl can connect fine, thats good! (no, telnet won't work of course)

3) the "Access denied" that you got from the "RCPT TO" command is because you haven't authenticated with an email/password, this is good and prevents replaying.

4) either Thunderbird is broken or you have some broken anti-virus that tries to get between Thunderbird and postfix, this broken anti-virus doesn't support TLS.

Okay Thanks, so i can stop searching on the server.

i only use windows defender, i try to reinstall thunderbird later.

Do you have some kind of firewall device? maybe that tries to take over the connection in order to run its own anti-virus.

smtp doesn't just break out of the blue, something must have changed recently…

I'm 100% sure i didn't install an antivirus or firewall software, but how can i check it if something is blocking it?

thunderbird smtp settings: … 9204dd.png">

when I use telnet on the windows cmd it gives me a timeout for 587

You SHOULD be able to telnet to port 587 and see the "banner", something like:

220 ESMTP Postfix

If connection times out, then something is blocking you! But I can't know if its something in your computer, or your network, or even your ISP. But something is definitely blocking you.

Are you sure your mail server isn't blocking you? maybe you have something like "fail2ban" enabled? just in case its that simple…

Hmn.. im back at Home tomarrow but i didnt enable or Installed fail2ban o.o

Can you maybe try to telnet

$ telnet 587
telnet: No address associated with hostname Unknown host

$ telnet 587
telnet: connect to address Connection refused

It seems like the domain has an MX at

Maybe the problem isn't at the server or your Thunderbird, maybe the problem is a badly configured DNS ???

Sorry not .com it is

That worked better :)

$ telnet 587
Connected to
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)

Here is a little tip, if you want to do some remote tests yourself, this place has a very good collection of testing tools (lots about email, dns, etc services):

Based on some "dig" output, I think there is something wrong with your MX records, you have two:

;; ANSWER SECTION:        86400   IN  MX  10        86400   IN  MX  10

and they point to the same IP address. Just one of the above should be enough.

I deleted the MX Record but you know it takes some time, but this is what it gives me: … 483e27.png">

can something of that be the reason for my problem?

edit I tried telnet from my girlfriend's wifi with my smartphone and telnet worked.

But at home, it doesn't work, I'm not sure but can it be that my router blocks it?


facepalm… I looked at my router logs and it seems like the last firmware update (that i didn't recognize) did reset my list for "secure email server"

Haha… man omg

I'm glad you solved it!

The warnings reported by tests are not serious and you may ignore them. For example the banner can be fixed by modifying the following (in

smtpd_banner = $myhostname ESMTP

Personally, I've solved all my configuration problems by using this script, which generates all the correct configuration files, including virutal hosts.

I think your SSL certificate has expired.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct