We have two facts here:
- You are connected to Bluehost via port 465
- Postfix reported an error message: lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting
One possible explanation is that the SMTP client in Postfix 2.11 or older doesn't support SSL.
Explanation
In SMTP, there are two encryption schemes: STARTTLS and SMTPS. The difference is that (1) SMTPS requires SSL encryption from the first byte, and (2) STARTTLS requires plain text mode first; optionally the client and server do SSL negotiation after the STARTTLS command.
The Postfix SMTP server (smtpd) supports both protocols. The problem is that the SMTP client (before Postfix 3.0) - the one that sends email to the remote server - doesn't support SMTPS connections. It only supports plain text mode or STARTTLS mode.
What happens here is: the Postfix SMTP client uses plain text mode to connect to Bluehost because Postfix wants to establish STARTTLS. But Bluehost expects the first bytes to be SSL negotiation, not plain text. This mismatch makes the Bluehost server silently discard the data and disconnect Postfix. Postfix doesn't know what's going on here, so it throws the error in maillog:
Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)
Solution
The Postfix TLS documentation provides a workaround using stunnel here. So the solution from MrPhilTX was correct for Postfix < 3.0.
In Postfix 3.0, Wietse Venema decided to add an SMTPS feature to the Postfix SMTP client. With this feature, the stunnel solution is not needed here. There are two variations:
a) Enable SMTPS for all outgoing SMTP connections
Usually, in this case Postfix has an SMTPS-only relayhost, like in the OP's problem. So:
# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
b) Enable SMTPS for several hosts
For other cases, you need a custom transport and transport_maps to selectively turn on SMTPS:
# /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
# /etc/postfix/transport:
example.com relay-smtps:example.com:465
# /etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
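Before flipping smtp_tls_wrappermode, it is worth confirming what the remote port actually expects. The underlying deadlock is simple: in SMTP the server speaks first (the 220 greeting), in TLS the client speaks first (the ClientHello). A STARTTLS-mode client on a wrapper-mode port waits for a greeting the listener will never send, until the listener gives up and closes, which is exactly the "lost connection ... while receiving the initial server greeting" seen above. The probe below is an added example, not code from the answer or from Postfix; it reads the port in the clear first and only then tries TLS. The two fake listeners it ships with are constructed test doubles so the script runs offline; point probe() at a real host:port to use it for real.

```python
"""
Probe whether an SMTP port expects implicit TLS (SMTPS / "wrapper mode") or
plain text / STARTTLS.  SMTP: server speaks first (220 greeting).  TLS: client
speaks first (ClientHello).  A plaintext client on a wrapper-mode port therefore
sees silence, then a hang-up -> "lost connection while receiving the initial
server greeting".
"""
import socket
import ssl
import threading


def read_greeting(sock, timeout):
    """First bytes the server sends, or b"" if it sends nothing within timeout."""
    sock.settimeout(timeout)
    try:
        return sock.recv(512)
    except OSError:            # socket.timeout, ConnectionResetError, ...
        return b""


def probe(host, port, timeout=3.0, ssl_context=None):
    """Classify an SMTP port.  Returns (mode, detail) with mode one of:
       "plaintext"  220 banner arrived in the clear -> plain or STARTTLS port
       "smtps"      silence in the clear, 220 banner after we started TLS
       "silent"     silence in the clear and the TLS handshake failed as well
                    (still consistent with SMTPS, e.g. a cert we cannot validate)
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = read_greeting(sock, timeout)
    if greeting.startswith(b"220"):
        return "plaintext", greeting.decode("ascii", "replace").strip()
    # Nothing in the clear: the listener is waiting for *us* to speak first,
    # which is what a wrapper-mode listener does.  Confirm by starting TLS.
    ctx = ssl_context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                greeting = read_greeting(tls, timeout)
    except OSError as exc:     # ssl.SSLError is an OSError subclass
        return "silent", f"no greeting in the clear; TLS handshake failed: {exc!r}"
    if greeting.startswith(b"220"):
        return "smtps", greeting.decode("ascii", "replace").strip()
    return "silent", "no greeting in the clear and none after TLS either"


def start_fake_server(mode):
    """Constructed test double, not a real MTA.  "starttls": greet at once like
    smtpd on 25/587.  "wrapper": say nothing, read the client's first bytes,
    hang up -- what a plaintext client sees on an SMTPS port.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if mode == "starttls":
                    conn.sendall(b"220 fake.example.com ESMTP ready\r\n")
                else:
                    try:
                        conn.settimeout(5)
                        conn.recv(1024)   # waits for a ClientHello a plain client never sends
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=0.5):
    """Probe both test doubles; returns {listener_mode: mode_seen_by_probe}."""
    return {mode: probe("127.0.0.1", start_fake_server(mode), timeout=timeout)[0]
            for mode in ("starttls", "wrapper")}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # e.g. probe.py mail.example.com 465
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

A "plaintext" result on port 465 means wrapper mode would break things; "smtps" (or "silent" with a certificate error) means the relayhost needs smtp_tls_wrappermode = yes on Postfix 3.0+, or the stunnel workaround before that.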
Postfix currently supports only two SASL authentication methods. One of them is Dovecot, which you don't want. The other is Cyrus, which is about as close to what you want as it's possible to get without rewriting Postfix. It does involve running a separate authentication daemon (saslauthd), but the authentication file is easy to edit and update.
The basics for using Cyrus SASL can be found at the postfix documentation site, but here's a short description. Please look at the link if anything's confusing in any way!
Start by installing Cyrus SASL with the plugin sasldb. (How to do that is left as an exercise for the reader; presumably there's a package in whatever package system your brand of unix is using.) Since the communication between Postfix and SASL will take place via a unix domain socket, you may want to add postfix to the SASL group, and make sure that that group has read and execute permissions to the directory /var/run/saslauthd.
Configure SASL
Configure SASL to use sasldb by editing /etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
The sasldb plugin means that SASL will use a Berkeley DB file for usernames and passwords. You add users with the command saslpasswd2:
$ saslpasswd2 -c -u example.com username
Password:
Again (for verification):
Note that you specify a domain together with the username, and the user will need to use "username@example.com" rather than just "username" when authenticating.
You can verify what users have been entered by running sasldblistusers2.
Start saslauthd, and verify that the authentication works by doing
testsaslauthd -u username@example.com -p password
Configure Postfix
Once that is done, tell Postfix to use SASL and to tell Cyrus that it's SMTP that it's authenticating, by editing /etc/postfix/main.cf to contain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
Then, reload postfix, and you should be set.
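testsaslauthd only exercises the SASL side. To test the whole path the way a client will use it, you need the AUTH exchange over SMTP itself, typically by hand inside `openssl s_client -starttls smtp -connect mail.example.com:587`. The helper below is an added example (not from the answer or from Cyrus SASL) that computes the client's responses for two of the mechanisms in the mech_list above, PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195), and runs the same login through smtplib against a live server. The host name mail.example.com and the credentials are placeholders. Note that PLAIN and LOGIN carry the password in the clear, so only offer them after STARTTLS (smtpd_tls_auth_only = yes), and that with sasldb realms the user name in the exchange is the full "username@example.com", as the answer says.

```python
"""
Client-side SASL responses for testing a Postfix + Cyrus SASL setup by hand,
plus a live smtplib check.  Paste the returned strings after "AUTH PLAIN " or
in reply to the "334 <base64 challenge>" line of AUTH CRAM-MD5.
"""
import base64
import hashlib
import hmac
import smtplib


def auth_plain_token(authcid, password, authzid=""):
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL password).
    authcid is the sasldb name, e.g. "username@example.com" (realm included)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def cram_md5_response(username, password, challenge_b64):
    """AUTH CRAM-MD5 reply (RFC 2195): base64("user " + hex(HMAC-MD5(password, challenge))).
    challenge_b64 is the text the server sends after "334 ".  The password never
    crosses the wire, but the server must hold it in clear, which is why sasldb
    stores plaintext passwords."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


def decode_server_line(b64):
    """Decode a base64 server challenge or token for inspection."""
    return base64.b64decode(b64).decode("utf-8", "replace")


def smtp_auth_check(host, port, username, password, starttls=True):
    """Live end-to-end check: EHLO, STARTTLS, AUTH.  Returns the (code, message)
    of the AUTH reply (235 on success); raises smtplib.SMTPAuthenticationError
    on a bad login.  Not run offline; placeholder host below."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if starttls:
            s.starttls()          # never send PLAIN/LOGIN over the clear channel
            s.ehlo()
        return s.login(username, password)


if __name__ == "__main__":
    # RFC 2195 worked example: user "tim", password "tanstaaftanstaaf"
    chal = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
    print("challenge :", decode_server_line(chal))
    print("CRAM-MD5  :", cram_md5_response("tim", "tanstaaftanstaaf", chal))
    print("AUTH PLAIN:", auth_plain_token("username@example.com", "secret"))
    # print(smtp_auth_check("mail.example.com", 587, "username@example.com", "secret"))
```

The CRAM-MD5 vector is the one printed in RFC 2195 itself, so the function can be checked without a server; the AUTH PLAIN token is what a manual session sends in one line.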
Best Answer
It sounds like you need greater concurrency.
First ensure that you aren't bound by disk activity. atop is a good interactive method for this. sar and other tools are available as well. Given the ramdisk, this shouldn't be the major issue.
If your queue is full of mail going to many different domains, that is a sign that you aren't running enough server processes. Bump the limit on how many smtpd instances you spawn.
If your queue is full of mail to some of the big internet sites (tons of GMail, for example), you will need to tune your settings for single-host delivery. Postfix should ramp itself up if it has a lot of email to the same domain, though.
Investigate and let us know what you're seeing.
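The two cases in that answer (mail spread over many domains versus a pile-up on a few big destinations) can be told apart from `postqueue -p` output. Postfix ships qshape for exactly this kind of view; the script below is an added example, not from the answer or from Postfix, that parses the queue listing itself, counts deferred recipients per destination domain, and gives a crude verdict. The queue listing embedded in it is constructed sample data (queue IDs, addresses and the 192.0.2.27 host are made up; the Bluehost reason line is the one from the thread); feed it the real thing with `postqueue -p | python3 queue_by_domain.py`. The 50% threshold in diagnose() is an arbitrary choice.

```python
"""
Summarize a Postfix queue listing (`postqueue -p` / `mailq`) by destination
domain.  Many domains with a few messages each points at the process limit
(default_process_limit, the smtp service's maxproc); a few domains holding
most of the queue points at per-destination settings such as
smtp_destination_concurrency_limit.
"""
import re
from collections import Counter

# "<queue id><flag> <size> <Www Mmm dd hh:mm:ss>  <sender>"; flag * = active, ! = hold
HEADER_RE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ [\d:]+)\s+(\S+)$")
REASON_RE = re.compile(r"^\s+\((.*)\)$")       # indented "(reason for deferral)"
RECIPIENT_RE = re.compile(r"^\s+(\S+@\S+)$")   # indented recipient address
STATUS = {"": "deferred", "*": "active", "!": "hold"}

# Constructed sample listing (not real queue data).
SAMPLE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1B2C357117      4321 Sat Sep 27 16:31:51  sender@mycompany.com
          (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)
                                         me@mycompany.com

2C3D468228*     1024 Sat Sep 27 16:32:00  newsletter@mycompany.com
                                         alice@gmail.com

3D4E579339      2048 Sat Sep 27 16:32:05  newsletter@mycompany.com
          (host mx1.example.net[192.0.2.27] said: 421 4.7.0 Try again later (in reply to end of DATA command))
                                         bob@gmail.com
                                         carol@gmail.com
                                         dave@gmail.com

4E5F68A44A!     1500 Sat Sep 27 16:33:10  ops@mycompany.com
                                         held@partner.example

-- 8 Kbytes in 4 Requests.
"""


def parse_postqueue(text):
    """Yield one dict per queue entry: queue_id, status, size, sender, reason, recipients."""
    msg = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if msg:
                yield msg
            qid, flag, size, _arrival, sender = m.groups()
            msg = {"queue_id": qid, "status": STATUS[flag], "size": int(size),
                   "sender": sender, "reason": None, "recipients": []}
            continue
        if msg is None:          # column header / text before the first entry
            continue
        r = REASON_RE.match(line)
        if r:
            msg["reason"] = r.group(1)
            continue
        r = RECIPIENT_RE.match(line)
        if r:
            msg["recipients"].append(r.group(1))
    if msg:
        yield msg


def by_domain(messages, status="deferred"):
    """Count recipients per destination domain for entries in the given status."""
    counts = Counter()
    for m in messages:
        if m["status"] == status:
            for rcpt in m["recipients"]:
                counts[rcpt.rsplit("@", 1)[1].lower()] += 1
    return counts


def diagnose(counts, top_share=0.5):
    """'few-big-destinations' if the top domain holds >= top_share of deferred
    recipients, else 'many-domains'; 'empty' when nothing is deferred."""
    total = sum(counts.values())
    if total == 0:
        return "empty"
    _domain, top = counts.most_common(1)[0]
    return "few-big-destinations" if top / total >= top_share else "many-domains"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    counts = by_domain(list(parse_postqueue(text)))
    for domain, n in counts.most_common(10):
        print(f"{n:6d}  {domain}")
    print("diagnosis:", diagnose(counts))
```

Active (*) and held (!) entries are excluded from the deferred count on purpose: active mail is being delivered right now and says nothing about why the rest is waiting, and the reason line of each deferred entry tells you whether the destination is refusing (4xx, as with the 421 above) or simply unreachable, which is the difference between needing less concurrency per destination and needing more.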