postfix timeout issue

[zfc-tinkerer]

I've been running a mailserver with the same basic setup for several years now. In the past few weeks I've been removed several times from mailing lists from one organization because of too many bounces. Today I didn't get any messages from any lists from that organization, and when I checked my mailserver's logs, I found that there were many entries similar to the following:

Feb 2 22:17:26 [postfix/smtpd] connect from nest.anthill.echidna.id.au[203.7.1$
Feb 2 22:18:57 [postfix/smtpd] initializing the server-side TLS engine
Feb 2 22:18:57 [postfix/smtpd] connect from nest.anthill.echidna.id.au[203.7.1$
Feb 2 22:21:23 [postfix/anvil] statistics: max connection rate 2/60s for (smtp$
Feb 2 22:21:23 [postfix/anvil] statistics: max connection count 2 for (smtp:20$
Feb 2 22:21:23 [postfix/anvil] statistics: max cache size 1 at Feb 2 22:11:23
Feb 2 22:22:27 [postfix/smtpd] timeout after EHLO from nest.anthill.echidna.id$
Feb 2 22:22:27 [postfix/smtpd] disconnect from nest.anthill.echidna.id.au[203.$
Feb 2 22:23:57 [postfix/smtpd] timeout after EHLO from nest.anthill.echidna.id$
Feb 2 22:23:57 [postfix/smtpd] disconnect from nest.anthill.echidna.id.au[203.$

I looked at the logs from a few days ago, and found that the same thing was happening intermittently before today, which was the reason I was being kicked off the mailing lists. I don't understand why I'm having this problem. Email from a mailing list from another organization comes through just fine, as do emails I send from other servers where I have an account.

I'm not sure about the exact timing, but I think that the problem started around the time I upgraded postfix to a 2.2 rather than 2.1 version. I tried going back to an old version, but this didn't help. I've run etc-update and carefully merged the files, so I don't think the problem is there. The config files and log files are quite long, so I'm not going to post them unless someone has a question, but I can tell you that I have TLS and SASL working for other emails. Turning off TLS does not seem to solve the problem. I think the problem must be on my side because the organization whose lists can't connect to mine contains a lot of very smart people (and linux aware people) so if the problem were there, people would be aware of it and fix it quickly.

Thanks in advance for your help.

[winston_nolan]

hi there bro,
please do me a favour and paste the output of

[zfc-tinkerer]

Thanks! here's the output you wanted:

default_transport = smtp
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_reuse_limit = 10
smtp_connection_cache_time_limit = 2s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mx_address_limit = 0
smtp_mx_session_limit = 2
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $var_smtp_sasl_opts
smtp_send_xforward_command = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_cipherlist =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_scert_verifydepth = 5
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = parpiped.geek-den.net ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/ssl/postfix/mail_signed_cert.pem
smtpd_tls_cipherlist =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_key_file = /etc/ssl/postfix/mailkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no

I wonder if loosening some of the limits on the number of connections or the amount of time allowed would help, since looking at the logs that seems like it might be the issue.

[langthang]

post your `postconf -n` and master.cf (without commented lines). Also try telnet to your mail server from inside to see if it is problem from outside connect to your mail server.
_________________
Gentoo users' map

[zfc-tinkerer]

output of postconf -n:

alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, a few other domains
myhostname = here I have my hostname
mynetworks = localhost
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.19/readme
sample_directory = /usr/share/doc/postfix-2.0.19/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = domain was here ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_cert_file = /etc/ssl/postfix/mail_signed_cert.pem
smtpd_tls_key_file = /etc/ssl/postfix/mailkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450

(I've removed the name of my domain everywhere, I've tried to make it clear where I did that, though.


master.cf (cleaned of all comments)

smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

not only can I telnet to the server and send email, but I'm able to receive email from a lot of sources just fine. It's just this one organization, but I think the problem is on my side, not theirs, or a lot of people would be yelling.

[langthang]

I try to subscribe to a couple ML of that list but confirm mails don't come from nest.anthill.echidna.id.au . Did they switch the mail server ?
_________________
Gentoo users' map