Postfix relay host connection fails: timed out while receiving initial server greeting

postfix smtp

I have an Elastix server box that I want to send email notifications of voice mails from. I'd like to send them through our company email (hosted by shared web host provider Bluehost). I have followed instructions on how to use Postfix as a relay server. Emails don't go out, though. I get the following in the logs (slightly obfuscated):

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Various places suggest that it might be a blacklisting issue. However, it seems like that would also be an issue for Outlook running on my PC. What I am trying to do is get Postfix to act like Outlook and send through Bluehost, using SSL. (My Outlook settings: boxNNN.bluehost.com:465, SSL, authentication required.)

When I up the debugging level, I get the following message:

dns_query: boxNNN.bluehost.com (MX): Host found but no data record of requested type

But since the ultimate message is no response, and it finds an IP address for the server, I don't think the DNS issues are the problem.

postconf -n reveals:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 5
debug_peer_list = boxNNN.bluehost.com
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = cenginc-office.local
myhostname = td1000.my-office.local
mynetworks = /etc/postfix/network_table
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relayhost = boxNNN.bluehost.com:465
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 300
smtp_enforce_tls = yes
smtp_helo_name = my-phone-system
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

(We are using Postfix 2.3.3 according to the Elastix UI, so I'm not sure why the samples say 2.5.6.)

When I telnet to the bluehost box and port, the connection remains open for a short time, and then closes, I think because I'm not coming in as SSL.

I used this site (among others) for the configuration, but I don't see what I'm missing. https://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/

Any ideas on what I'm doing wrong? My theory is that postfix isn't doing something that bluehost expects in the initial connection, but I have no idea what. Thanks for your help.

Best Answer

We have two facts here:

  • You are connecting to Bluehost via port 465
  • Postfix reported an error message: lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting

One possible explanation is that the SMTP client in Postfix 2.11 or older doesn't support SSL.

Explanation

In SMTP, there are two encryption schemes: STARTTLS and SMTPS. The difference is that (1) SMTPS requires SSL encryption from the first byte and (2) STARTTLS requires plain text mode first, and optionally the client and server do SSL negotiation after the STARTTLS command.

The Postfix SMTP server (smtpd) supports both protocols. The problem is that the SMTP client (before Postfix 3.0), the one sending email to the remote server, doesn't support SMTPS connections. It only supports plain text mode or STARTTLS mode.

What happens here is: the Postfix SMTP client uses plain text mode to connect to Bluehost because Postfix wants to establish STARTTLS. But Bluehost expects the first byte to be SSL negotiation, not plain text. This mismatch makes the Bluehost server silently discard the data and disconnect Postfix. Postfix doesn't know what's going on here, so it throws this error in the maillog:

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Solution

The Postfix TLS documentation provides a workaround using stunnel here. So the solution from MrPhilTX was correct for Postfix < 3.0.

In Postfix 3.0, Wietse Venema decided to add an SMTPS feature to the Postfix SMTP client. With this feature, the stunnel solution isn't needed. There are two variations:

a) Enable SMTPS for all outgoing SMTP connections

Usually, in this case Postfix has an SMTPS-only relayhost, as in the OP's problem. So:

# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465

b) Enable SMTPS for several hosts

For other cases, you need a custom transport and transport_maps to selectively turn on SMTPS:

# /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport:
example.com  relay-smtps:example.com:465

# /etc/postfix/master.cf:
relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
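
An added example (not part of the original answer and not Postfix code): a small Python check over `postconf -n` output that flags the mismatch described above, a relayhost on port 465 without client-side wrapper mode. The function names, finding codes and both sample inputs are constructed for illustration; `mail_version` is passed in by hand because `postconf -n` only prints settings that appear in main.cf.

```python
import re

# Constructed inputs: the relay-related lines of the question's `postconf -n`
# output, and variation (a) from the answer.
QUESTION_CONF = """\
relayhost = boxNNN.bluehost.com:465
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
"""
ANSWER_CONF = """\
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
relayhost = [mail.example.com]:465
"""

def parse_postconf(text):
    """Turn `name = value` lines (postconf -n format) into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def check_smtps_relay(text, mail_version=None):
    """Return finding codes for a relayhost on the SMTPS port (465)."""
    p = parse_postconf(text)
    m = re.fullmatch(r"(\[.+\]|[^\[\]:\s]+)(?::(\w+))?", p.get("relayhost", ""))
    if not m:
        return []                      # no relayhost, nothing to check
    findings = []
    if not m.group(1).startswith("["):
        findings.append("MX_LOOKUP")   # unbracketed host: MX is queried first
    if m.group(2) not in ("465", "smtps"):
        return findings                # not an implicit-TLS port
    version = tuple(map(int, re.findall(r"\d+", mail_version or "")[:2]))
    if version and version < (3, 0):
        findings.append("CLIENT_TOO_OLD")   # no client-side SMTPS: use stunnel
    if p.get("smtp_tls_wrappermode", "no").lower() != "yes":
        findings.append("NO_WRAPPERMODE")   # client waits for a plaintext 220
    # An explicit security level overrides the legacy smtp_enforce_tls switch.
    level = p.get("smtp_tls_security_level") or (
        "encrypt" if p.get("smtp_enforce_tls", "no").lower() == "yes" else "")
    if level in ("", "none", "may"):
        findings.append("TLS_NOT_MANDATORY")  # wrappermode needs encrypt or stronger
    return findings

if __name__ == "__main__":
    print("question:", check_smtps_relay(QUESTION_CONF, mail_version="2.3.3"))
    print("answer  :", check_smtps_relay(ANSWER_CONF, mail_version="3.0.0"))
```

Feed it the real output with `check_smtps_relay(subprocess.check_output(["postconf", "-n"], text=True), mail_version=...)`, taking the version from `postconf mail_version`.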