Postfix relay host connection fails: timed out while receiving initial server greeting

Solution 1:

We have two facts here:

  • You are connecting to Bluehost via port 465
  • Postfix reported an error message: lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting

One possible explanation is that the SMTP client in Postfix 2.11 or older doesn't support SSL.

Explanation

In SMTP, there are two encryption schemes: STARTTLS and SMTPS. The difference is that (1) SMTPS requires SSL encryption from the first byte and (2) STARTTLS requires plain-text mode first, and optionally the client and server do SSL negotiation after the STARTTLS command.

The Postfix SMTP server (smtpd) supports both protocols. The problem is that the SMTP client (before Postfix 3.0) - the one sending email to the remote server - doesn't support SMTPS connections. It only supports plain-text mode or STARTTLS mode.

What happens here is: the Postfix SMTP client uses plain-text mode to connect to Bluehost because Postfix wants to establish STARTTLS. But Bluehost expects the first byte to be SSL negotiation, not plain text. This mismatch makes the Bluehost server silently discard the data and disconnect Postfix. Postfix doesn't know what's going on here, so it throws the error in maillog:

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<[email protected]>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Solution

The Postfix TLS documentation provides a workaround using stunnel here. So the solution from MrPhilTX was correct for Postfix < 3.0.

In Postfix 3.0, Wietse Venema decided to add an SMTPS feature to the Postfix SMTP client. With this feature, the stunnel solution isn't needed here. There are two variations here:

a) Enable SMTPS for all outgoing SMTP connections

Usually, in this case Postfix has an SMTPS-only relayhost, like the OP's problem. So:

# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465

b) Enable SMTPS for several hosts

For other cases, you need a custom transport and transport_maps to selectively turn on SMTPS:

# /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport:
example.com  relay-smtps:example.com:465

# /etc/postfix/master.cf:
relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
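The greeting deadlock described in the explanation above (plain-text client waits for a 220 banner, SMTPS port waits for a TLS ClientHello) can be checked from the relaying host before touching main.cf. The Python script below is an added example, not code from either answer or from Postfix: it connects in plain text, sends nothing, and reports whether a banner arrives. The two fake listeners, the host name relay.example.test and the port numbers are constructed so the demonstration runs offline; against a real relay you would call probe_initial_greeting with the relay's host and port 465 or 587.

```python
"""Tell a STARTTLS-style SMTP port from an SMTPS (wrapper-mode) port.

Added example, not from the original answers.  The fake listeners below only
imitate the greeting behaviour of each kind of port; they do not speak TLS.
"""
import socket
import threading


def probe_initial_greeting(host, port, timeout=3.0):
    """Open a plaintext TCP connection and wait for the SMTP 220 banner.

    Returns the banner line as a string if the server speaks first (plain SMTP
    or STARTTLS), or None if the connection is closed or times out before any
    data arrives.  The latter is what a plaintext client sees on an SMTPS-only
    port: the server waits for a TLS ClientHello, the client waits for a
    greeting, and nothing is sent until one side gives up.  Nothing is
    written to the socket by this probe.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n") and len(data) < 4096:
                chunk = sock.recv(512)
                if not chunk:          # peer closed without greeting
                    return None
                data += chunk
            return data.decode("ascii", "replace").strip()
    except OSError:                    # timeout, refused, reset, ...
        return None


def classify(banner):
    """Map the probe result onto the Postfix client setting it points to."""
    if banner is None:
        return ("no greeting: SMTPS wrapper mode "
                "(smtp_tls_wrappermode = yes) or unreachable")
    if banner.startswith("220"):
        return "plaintext greeting: use STARTTLS (smtp_tls_wrappermode = no)"
    return "unexpected first line: " + banner


# --- constructed fake listeners for an offline demonstration ----------------

def _serve_once(listener, greets_first):
    conn, _ = listener.accept()
    with conn:
        if greets_first:
            conn.sendall(b"220 relay.example.test ESMTP ready\r\n")
        else:
            # Imitates an SMTPS port: wait for the client's first bytes (a real
            # server would expect a TLS ClientHello).  A plaintext client sends
            # nothing, so give up after a short wait and close silently.
            conn.settimeout(0.5)
            try:
                conn.recv(1)
            except socket.timeout:
                pass
    listener.close()


def start_fake_server(greets_first):
    """Start a one-shot fake SMTP listener on 127.0.0.1 and return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once, args=(listener, greets_first),
                     daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    for label, greets in (("STARTTLS-style port", True),
                          ("SMTPS-style port", False)):
        port = start_fake_server(greets)
        banner = probe_initial_greeting("127.0.0.1", port, timeout=2.0)
        print(f"{label} on 127.0.0.1:{port} -> {classify(banner)}")
```

A None result from a port that is known to be open is the same symptom the maillog line above records as "lost connection ... while receiving the initial server greeting", and it points at smtp_tls_wrappermode = yes (Postfix 3.0 or later) or an stunnel wrapper (older releases) rather than at SASL settings.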

Solution 2:

I'm not sure if this is where I should put this, but here is how I got it working.

So, kworr and befreeandgood put me on the right track. The smtp_sasl_* options don't do anything with SSL, just with authentication.

I followed a combination of the instructions from the following links. This one got me close: http://www.eglug.org/book/export/html/1923, but it left out a few things to set. This one, http://tech.surveypoint.com/blog/relay-mail-with-postfix-and-stunnel/, added inet_interfaces = loopback-only.

Those options got me to some problems with the mail server rejecting various header names, like "from" and "reply-to". I fixed those via some instructions that I found via googling (but I'm not allowed to post those links as I have exceeded my link quota already).

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = loopback-only
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my-office.local
myhostname = td1000.my-office.local
mynetworks = /etc/postfix/network_table
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relayhost = 127.0.0.1:5001
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 60
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

So smtp_generic_maps was used to rename the various addresses that came up to some address that actually exists. I had to do that for two different names, which I found by looking in the /var/log/maillog file.

So, the summary to connect to Bluehost:

  • Enable smtp_sasl authentication
  • Use stunnel to create an SSL tunnel
  • Use smtp_generic_maps to map the non-existent usernames that Asterisk is using.
  • Dinking around with mydomain and such might get you around the generic maps requirement. I also saw someone reference $myorigin as a potential workaround.