Suddenly can't connect to SMTP
I tried to reboot my server, asked Google and some other things.
Even mail.log doesn't show me an error.
I don't know what I should do now…
unless you want some generalized help like…
why not grab a coffee and wait for smtp to work again?
maybe instead of asking google, ask bing? or yahoo?
I don't know what to tell you…
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 5153/master
tcp6 0 0 :::587 :::* LISTEN 5153/master
root@localhost:~# telnet mail.crdesigns.de 587
Trying 2a01:7e00::f03c:91ff:fee4:605a...
Connected to mail.crdesigns.de.
Escape character is '^]'.
220 hostname.crdesigns.de ESMTP Postfix (Ubuntu)
EHLO mail.crdesigns.de
250-hostname.crdesigns.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <email@example.com>
Connection closed by foreign host.
mail.log after that:
Jan 5 23:01:12 localhost postfix/submission/smtpd: connect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan 5 23:01:53 localhost postfix/submission/smtpd: SSL_accept error from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]: -1
Jan 5 23:01:53 localhost postfix/submission/smtpd: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jan 5 23:01:53 localhost postfix/submission/smtpd: lost connection after STARTTLS from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan 5 23:01:53 localhost postfix/submission/smtpd: disconnect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
My English isn't that good, I'm from Germany.
but help me, please. what can I check and do?
Either way it looks like your TLS setup has gone awry somewhere.
Have you made any changes to the postfix configuration to limit protocols to TLS only? Because that's what it looks like from the above error.
below is a typical configuration that disables the deprecated and old SSL v2/v3 and only allows TLS, but uses medium ciphers for compatibility.
if you can't connect with these settings, then your client is WAY TOO OLD and you should probably upgrade.
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
I'll try to make a new SSL cert now.
Second, tell us what kind of email client (and version) you are using. Some email clients have an auto-update feature, which made it update itself to a new version that has SSL disabled.
I'm guessing one of the two sides no longer supports SSL and requires TLS only.
smtpd_tls_auth_only = yes
in my main.cf. I tried to add the other parameters to the file; it didn't give me any errors, but it didn't work either.
I use the newest version of Mozilla Thunderbird. (45.6.0)
And I used telnet mail.crdesigns.de 587 on the server
i did setup my mail server from this tutorial:
i used now:
openssl s_client -connect mail.crdesigns.de:587 -starttls smtp
CONNECTED(00000003)
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
   i:/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
---
Server certificate
subject=/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
issuer=/C=DE/ST=Germany/L=Wernau/O=CRDesigns/CN=crdesign.de
---
No client certificate CA names sent
---
SSL handshake has read 2435 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4000 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D068C3B881EFB1A79675F2DB36865D9D163101E1AD20220BE19EED91518E3D36
    Session-ID-ctx:
    Master-Key: 23A683096984564FF29D55B8C3CF554553230203D2CA8FDBBFAEFA9ED83BFC04A49FFE2A6A73231B395C3951771054FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1483693936
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
mail from: <email@example.com>
250 2.1.0 Ok
RCPT TO: <firstname.lastname@example.org>
RENEGOTIATING
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Wernau, O = CRDesigns, CN = crdesign.de
verify return:1
DATA
554 5.5.1 Error: no valid recipients
rcpt to: <email@example.com>
554 5.7.1 <zerony.crdesigns.de[126.96.36.199]>: Client host rejected: Access denied
rcpt to: <firstname.lastname@example.org>
554 5.7.1 <zerony.crdesigns.de[188.8.131.52]>: Client host rejected: Access denied
1) your postfix accepts TLS v1.2 connections, that's good.
2) your client openssl can connect fine, that's good! (no, telnet won't work of course)
3) the "Access denied" that you got from the "RCPT TO" command is because you haven't authenticated with an email/password, this is good and prevents replaying.
4) either Thunderbird is broken or you have some broken anti-virus that tries to get between Thunderbird and postfix, this broken anti-virus doesn't support TLS.
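An added example, not part of the original thread: a small Python triage of the mail.log excerpt posted above, showing how the "unknown protocol" / "lost connection after STARTTLS" pair can be read mechanically. The function name `triage`, the `slow_secs` threshold and the "typed by hand" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The mail.log lines as posted in the thread (the [pid] field is absent there).
SAMPLE_LOG = """\
Jan 5 23:01:12 localhost postfix/submission/smtpd: connect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan 5 23:01:53 localhost postfix/submission/smtpd: SSL_accept error from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]: -1
Jan 5 23:01:53 localhost postfix/submission/smtpd: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jan 5 23:01:53 localhost postfix/submission/smtpd: lost connection after STARTTLS from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
Jan 5 23:01:53 localhost postfix/submission/smtpd: disconnect from crdesigns.de[2a01:7e00::f03c:91ff:fee4:605a]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/(?:(\S+?)/)?smtpd(?:\[\d+\])?: (.*)$")
EVENT = re.compile(r"(connect|SSL_accept error|lost connection after (\w+)|disconnect) from (\S+\[[^\]]+\])")
TLS_ERR = re.compile(r"TLS library problem: error:[0-9A-F]+:SSL routines:(\w+):([^:]+):")

def triage(log_text, slow_secs=5):
    """Return one finding per client that dropped during the STARTTLS handshake."""
    sessions, last = defaultdict(dict), None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ev = EVENT.match(m.group(3))
        if ev:
            last = ev.group(3)
            s = sessions[last]
            s["service"] = m.group(2)
            if ev.group(1) == "connect":
                s["start"] = ts
            elif ev.group(2):                  # "lost connection after <stage>"
                s["lost_after"], s["end"] = ev.group(2), ts
        err = TLS_ERR.search(m.group(3))
        if err and last:                       # no client on this line: use the latest one
            sessions[last]["func"], sessions[last]["reason"] = err.groups()
    findings = []
    for client, s in sessions.items():
        if s.get("lost_after") != "STARTTLS":
            continue
        gap = (s["end"] - s["start"]).total_seconds() if "start" in s else None
        # "unknown protocol": the bytes after STARTTLS were not a TLS ClientHello.
        non_tls = s.get("reason") == "unknown protocol"
        findings.append({"client": client, "service": s["service"], "reason": s.get("reason"),
                         "gap_secs": gap, "non_tls_bytes": non_tls,
                         # Assumed heuristic: a mail client starts TLS within slow_secs.
                         "typed_by_hand": bool(non_tls and gap is not None and gap > slow_secs)})
    return findings
```

On the posted excerpt this reports a 41-second gap between connect and the failed handshake on the submission service, which fits plaintext typed into telnet after STARTTLS rather than a broken server-side TLS setup.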
I only use Windows Defender. I'll try to reinstall Thunderbird later.
smtp doesn't just break out of the blue, something must have changed recently…
thunderbird smtp settings:
when I use telnet on the windows cmd it gives me a timeout for mail.crdesigns.de 587
220 mail.whatever.com ESMTP Postfix
If the connection times out, then something is blocking you! But I can't know if it's something in your computer, or your network, or even your ISP. But something is definitely blocking you.
Are you sure your mail server isn't blocking you? Maybe you have something like "fail2ban" enabled? Just in case it's that simple…
Can you maybe try to telnet mail.crdesigns.com?
$ telnet mail.crdesigns.com 587
telnet: mail.crdesigns.com: No address associated with hostname
mail.crdesigns.com: Unknown host
$ telnet crdesigns.com 587
telnet: connect to address 18.104.22.168: Connection refused
It seems like the domain crdesigns.com has an MX at mx1.mcgelec.com
Maybe the problem isn't at the server or your Thunderbird, maybe the problem is a badly configured DNS ???
$ telnet mail.crdesigns.de 587
Trying 22.214.171.124...
Connected to mail.crdesigns.de.
Escape character is '^]'.
220 hostname.crdesigns.de ESMTP Postfix (Ubuntu)
Based on some "dig" output, I think there is something wrong with your MX records, you have two:
;; ANSWER SECTION:
crdesigns.de. 86400 IN MX 10 mail.crdesigns.de.
crdesigns.de. 86400 IN MX 10 crdesigns.de.
and they point to the same IP address. Just one of the above should be enough.
can something of that be the reason for my problem?
Edit: I tried telnet from my girlfriend's wifi with my smartphone and telnet worked.
But at home, it doesn't work. I'm not sure, but can it be that my router blocks it?
facepalm… I looked at my router logs and it seems like the last firmware update (that I didn't recognize) did reset my list for "secure email server"
Haha… man omg
The warnings reported by tests are not serious and you may ignore them. For example the banner can be fixed by modifying the following (in main.cf):
smtpd_banner = $myhostname ESMTP
Personally, I've solved all my configuration problems by using