Help needed for best practice for SMTP for blocked outgoing port 25

Discussion in 'Server Operation' started by intrinsic, May 5, 2023.

  1. intrinsic

    intrinsic New Member

    Hello ISP team, I have successfully installed ISPConfig 3 onto a Debian 10 Linux VPS with a domain that is functioning.
    I have followed this tutorial thoroughly:

    I currently have two VPSs; both are web servers with a full LEMP stack:
    1. VPS #1 full webserver (ISP 3, Debian 10)
    2. VPS #2 full webserver (ISP 3, Debian 10) but port 25 outgoing is blocked
    May 5 VPS1000 postfix/smtp[8179]: connect to[]:25: Connection timed out
    May 5 VPS1000 postfix/smtp[8179]: 8AF2D1C1078: to=<[email protected]>, relay=none, delay=1513, delays=1362/0.03/151/0, dsn=4.4.1, status=deferred (connect to[]:25: Connection timed out)

    Port 587 in postfix has been enabled in /etc/postfix/master.cf:
    smtp       inet  n  -  y  -  -  smtpd
    #smtp      inet  n  -  y  -  1  postscreen
    #smtpd     pass  -  -  y  -  -  smtpd
    #dnsblog   unix  -  -  y  -  0  dnsblog
    #tlsproxy  unix  -  -  y  -  0  tlsproxy
    submission inet  n  -  y  -  -  smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o syslog_name=postfix/submission
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_tls_auth_only=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=
    # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n  -  y  -  -  smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject

    But testing in Roundcube to a Gmail address still fails with connection timed out on port 25.

    I would like to use the relay function on VPS #2 to VPS #1 so all outbound emails can function. I understand that there is a "mail relay" functionality in ISPConfig under Settings > System > Server Config > Mail > Relayhost
    Relayhost User
    Relayhost Password

    So I created an email account using the primary domain.tld on VPS #1 and filled out the information. However, in /var/log/mail.log on VPS #1, it shows no activity when sending out emails from VPS #2.

    Is there a clear tutorial or more information on how I can set this up? For example:
    1. Do I disable the mail server on VPS #2 to have this function correctly?
    2. Do I need to disable mail and MX DNS records in VPS #2?
    3. Is there another option such as using two servers in a multiserver setup similar to the tutorial found here:

    I am getting very close to a perfect server. Thank you for your time and help.
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    usually just set relayhost to the fqdn name or ip of vps1..
    you can set relayhost user and relayhost password, but obviously, that will try to authenticate, which won't happen on port 25.

    for authentication, the entry in /etc/postfix/ to relayhost = [hostname.domainname.tld]:587 or [ip]:587 (or 465 depending on server config)
    i don't know if setting the relayhost username and password in ispconfig automatically adds the port number to the relayhost config line it configures in or not, so you may need to include the port number in the relayhost field.

    if you want to use port 25 to relay without authentication, just set the relayhost without the port number, and leave the username and password fields empty.
    then in /etc/postfix/ on vps1, edit the mynetworks line. add the ip of vps2 to this line... [ip]/32 for the individual ip, or the subnet [ip]/24 for the whole class c subnet (probably not a good idea.. especially if using a hosting provider's vps's. )

    so far, changing the mynetworks line appears to be update safe, in the future you might need to create a custom-conf file to make postfix manual changes update safe.
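The two relay variants described in the post above (authenticated on 587/465, or unauthenticated on 25 plus a mynetworks entry), as an added example that is not from the thread: it emits the postconf commands for each side and only runs them when APPLY=1, so they can be reviewed first. Hostnames, IPs and the account are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Emits the postconf commands for the two
# relay variants described above; they are only executed when APPLY=1 is set,
# so the output can be reviewed first. All hostnames/IPs are placeholders.
emit() { printf '%s\n' "$1"; }

# relayhost must be "[host]" or "[host]:port". The brackets make Postfix skip
# the MX lookup and connect to that host directly.
validate_relayhost() {
  printf '%s\n' "$1" | grep -Eq '^\[[A-Za-z0-9.-]+](:[0-9]{1,5})?$'
}

# VPS2 (web server) side. With a user/password this is authenticated
# submission on 587, or implicit TLS on 465; without them, plain port 25.
relay_client_config() {   # args: relayhost [user password]
  validate_relayhost "$1" || { echo "bad relayhost: $1" >&2; return 1; }
  case "$1" in *]:*) port="${1##*]:}" ;; *) port=25 ;; esac
  emit "postconf -e 'relayhost = $1'"
  [ -n "$2" ] || return 0
  emit "postconf -e 'smtp_sasl_auth_enable = yes'"
  emit "postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'"
  emit "postconf -e 'smtp_sasl_security_options = noanonymous'"
  # never send the password without TLS; 465 needs wrapper mode
  if [ "$port" = 465 ]; then
    emit "postconf -e 'smtp_tls_wrappermode = yes' 'smtp_tls_security_level = encrypt'"
  else
    emit "postconf -e 'smtp_tls_security_level = encrypt'"
  fi
  emit "printf '%s %s:%s\n' '$1' '$2' '$3' > /etc/postfix/sasl_passwd"
  emit "chmod 600 /etc/postfix/sasl_passwd && postmap /etc/postfix/sasl_passwd"
}

# VPS1 (mail server) side, only for the unauthenticated port-25 variant:
# trust exactly one client IP. A /24 would trust every neighbour on a shared
# hosting subnet, which is the "probably not a good idea" above.
relay_server_config() {   # arg: client IPv4 without prefix length
  case "$1" in */*) echo "give a bare IP; /32 is added here" >&2; return 1 ;; esac
  emit "postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128 $1/32'"
}

apply_or_show() { if [ "${APPLY:-0}" = 1 ]; then sh -s; else cat; fi; }

# Placeholder values; on a real system run each function on its own host.
relay_client_config '[vps1.example.com]:587' 'relay@example.com' 'changeme' | apply_or_show
relay_server_config 198.51.100.7 | apply_or_show
```

Run `postfix reload` afterwards, and remember that the sasl_passwd key must match the relayhost string exactly, port included.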
  3. intrinsic

    intrinsic New Member

    Thank you for the reply and response. Ideally I can use VPS#2 with port 587 instead of port 25. Adding an account to Gmail's interface "send as" feature allows connection to VPS #2, but the email account still cannot send.

    I can see in /var/log/mail.log that connections are timing out from Gmail port 25...
    May 5 18:02:16 1000 postfix/smtp[672]: connect to[]:25: Connection timed out
    May 5 18:02:16 1000 postfix/smtp[671]: connect to[]:25: Connection timed out
    May 5 18:02:46 1000 postfix/smtp[672]: connect to[]:25: Connection timed out
    May 5 18:02:46 1000 postfix/smtp[671]: connect to[]:25: Connection timed out

    Am I mistaken on configuring postfix? Ideally, I can use VPS#2 as a standalone and not use a relay, but the issue continues.
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    did you restart postfix?
    those logs may have been for a re-try for an earlier email.. i'm not sure it changes the routing for anything that's already in the mail queue.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Port 25 is still needed though, so no, it is not possible to have a proper mail server without it. However, your attempt to send email via relay is very much possible as explained earlier.
  6. intrinsic

    intrinsic New Member

    Hi folks, thank you for the responses, they have been very helpful thus far. Although I got the relay working, I decided to go with a two server multi-server setup so accounts only need to be created on one interface. (from what I understand, if using a relay, you will need to have two separate instances and create client/web accounts on one, and emails on another).

    So the topology of the multi-server setup is as follows:
    1. VPS#1 - Master server, ISPConfig, DNS, mail
    2. VPS#2 - Web server, web, database

    Migration was successful and both servers are working well. There is one last question which I could not troubleshoot, and that is PHPMailer, specifically wp_mail() in the case of WordPress. VPS#2 is hosting the websites, database and PHP, but the mail server is on VPS#1.

    Submitting a web form on websites does not allow the emails to be sent, which is a problem for clients who wish to use forms. I have tried using the same relayhost settings as before, but it results in several errors in /var/log/mail.log.

    Do I use relayhost settings in VPS#2 with the login/info of VPS#1, or is there a more permanent setting on VPS#2 under /etc/postfix/ that should be set up (such as relayhost = [IP]:port) for PHPMailer to function? Does VPS#2 require postfix for PHPMailer?

    My apologies for all the questions, but the server is almost set up, and I am glad to be part of the ISP community.
    Last edited: May 9, 2023
  7. intrinsic

    intrinsic New Member

    Yes, postfix was restarted each time any config or account was updated or created. The logs were pulled live using tail -f /var/log/mail.log to monitor if the changes have made any impact.
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If I understood the situation properly, you do not need e-mail relay in this case. It is quite common in ISPConfig multiserver setups to have a separate e-mail server. Websites are configured normally, and they send e-mail as usual; the sending e-mail server is the dedicated e-mail server in the setup.
    So do not set up e-mail relay. If sending e-mail still does not work, examine how you have set up e-mail on the web server and how the form is set up to send the e-mail.
  9. intrinsic

    intrinsic New Member

    Thank you for your reply, I will illustrate the server setup:

    1. - ISPConfig Master server with DNS and Mail
    2. - ISPConfig Slave server with Web, Fileserver and Database

    Clients are set up with an account, and create a website, database, FTP, and DNS. They typically install a CMS such as Drupal or WordPress, which has built-in pages for "contact us" forms and whatnot. When these forms are submitted, the emails do not send to notify the website owner that a form has been submitted. Therefore, an external script, such as an SMTP settings manager for the CMS, has to be installed to manually input a username/password for this functionality to work.

    I believe it is as simple as adding and credentials to or in postfix in, however, I do not want to make any changes until I receive some better and smarter insight from the ISP team.
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On my CMS systems I have not installed external scripts. I configure the SMTP host, user, password and it sends e-mails logging in as that user on the smtp host.
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    installing ispconfig multi-server with one dedicated to mail and the other dedicated to websites will work fine.. i do that myself.

    the webserver host should receive mail submitted locally via php and try to send it out directly (it still has postfix installed for this), it just doesn't host mailboxes, or receive external mail itself.

    however, i use iptables rules to block my webserver from making any connections to external servers with a destination port of 25.
    since a compromised site may install its own hidden mail sender to post loads of spam without getting logged in apache, php, or mail logs, making it bloody hard to find, and getting the ip blacklisted.
    blocking external connections to port 25 stops this; it can only connect to the dedicated ispconfig mailserver on port 25.

    you could configure a php smtp sender for each site, that authenticates with, and sends via another mailserver, or on wordpress, joomla etc, install and configure a plugin on the cms to perform this function and have sites send mail via one of their domain's own mailboxes. or configure postfix on the webserver to relay through the dedicated mailserver on port 25 as i described in post #2

    personally, i would want each hosted site to send mail via their own authenticated smtp account. it's much easier to track, troubleshoot, and block whenever they have any issues.
