I am trying to configure a Postfix SMTP relay to Mailgun services, but I keep getting a connection timeout error in my /var/log/mail.log when I try to send a test email. I used this step by step guide: https://restorebin.com/configure-postfix-smtp-relay/ , except I swapped Gmail SMTP with Mailgun SMTP. I am using Debian 10 on the problem vps, but on another server I am running Ubuntu and Mailgun SMTP is working fine, same configuration, outside of the host/DNS name etc.
Error from log: events postfix/smtp[4046]: connect to smtp.mailgun.org[44.231.238.210]:587: Connection timed out
And just as a side note, I have a lemp stack running on this vps with port 80 and 443 open and working without issue. The only filtering I am doing on the server today is: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker, but I am also running this on my Ubuntu server without issue along side the Mailgun relay.
I am running out of ideas and want to avoid switching back to Ubuntu if possible. Thanks all!
Best Answer
Many providers (typically consumer ISP’s but also some hosting providers) and most corporate networks have an anti-spam/email policy that is enforced by blocking outgoing mail in their firewall policies.
Typically they will block outgoing traffic on the default smtp port, tcp 25, but other common ports for sending mail such as tcp 587 can be blocked too.
Your options are usually:
don’t send mail directly from your server/application but use the smtp mail (relay) service that your provider/network offers (that will typically apply some sanity checks, anti virus and anti spam checks, do rate limiting, sender authentication maybe add your corporate disclaimers etc)
get an exception for your server / application in the firewall policy so that your valid email traffic won’t be blocked
in some cases: upgrade from a consumer subscription to a business subscription as that often does allow you to run your own services and send mail
In your particular case:
Mailgun offers their services also on another port, tcp 2525, which is typically not blocked for anti-spam reasons and you might be able to use that one instead of port 587 or 25.