Connect to domain [IP Address]:25: Connection timed out

I seem to have a problem connecting to a specific IP address when sending through postfix.
I’m assuming this looks like trying to connect to port 25.

It is only happening on one domain.
I’m not sure if it’s a problem on my server or the remote server.
I thought maybe it might be an SMTP Client Option.
“use TLS for SMTP connection” should be set to yes
There is a bit that says “if requested by client”. I tried to change this to ‘always’ but it seems to keep going back to “if requested by client”.

Would that help in this situation?

I’ll dig a bit deeper.

thanks for any advice.

It would not help. That’s a brand new bug…that option shouldn’t even be there (you may note there is another identically labeled option a couple rows above which is the actual thing). You should not try to force encryption in SMTP client options, as it will break for a lot of recipients. And on the SMTP Server Side, you should leave it as “if requested by client”, for the same reasons…forcing encryption is a way to guarantee some mail fails.

Anyway, show us relevant mail log entries (try to make a connection while watching the log and grab the entries that appear related to that connection). We can’t even begin to guess without actual information about what’s going wrong.


cheers Joe,
yea I thought I should leave that so thanks for confirmation.

I also appreciate it’s a needle in a haystack with these kinds of issues.
I’ll see what information I can find.
There are some issues with the remote hostname so these are being checked out too:

  1. Reverse DNS does not match SMTP Banner
  2. DMARC Quarantine/Reject policy not enabled
  3. Primary Name Server Not Listed At Parent

Your help, as always, is much appreciated.

Brian

I do think it has something to do with port 25 at remote end.

Perhaps I have a block on sending to port 25 from my server? I’ll have a look to see if there is some setting that I have. It’s strange that I have had no problems sending email for quite some time and it has come to this one domain.

Doesn’t matter.

If you have a PTR and it resolves back to your server, you’re done. Forget about PTR, once that works.

You can know if this matters for this connection if you’d look at the maillog. A recipient server can’t reject based on DMARC before it even accepts the connection.

I don’t know what this means. “Parent” what?

Thanks again, Joe.

Points one and two are sometimes rejected by mail servers, as far as I’ve seen. But yes, in this case the connection is before this would be checked.

The ‘primary name server is not listed at the parent’ is a message from mxtoolbox.com. I think it means that a name server is defined in the DNS settings but when you look at the root name server it is not defined.

I only mention these points as I find that even if you have one tiny bit not right you will get an issue somewhere, so getting rid of any tiny error is the best thing to do.

With regard to my problem, I think it is related to port 25, and whether it is on my side or the far side I have still to resolve.

No. If a server is rejecting on a valid PTR that resolves both ways, that’s fucked. It’s a misconfiguration on the part of the server and they’re going to be rejecting a large swath of incoming email. It should never happen and I’ve never seen it.

Please just read your maillog. It seems like you’re guessing and trying to find problems without looking at the one place that will tell you what’s happening.

The maillog is showing only the same info I passed earlier, unless I’m looking in the wrong place. I don’t want to post the actual details and IP address here, but the maillog looks like this:

Oct 22 20:51:27 ns postfix/smtp[32979]: A67DF15A40126: to=, orig_to=enquiries@email, relay=none, delay=399094, delays=399064/0.02/30/0, dsn=4.4.1, status=deferred (connect to mx.domain.com[IP address]:25: Connection timed out)
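Reading the log line above the way a defender would: status=deferred with dsn=4.4.1 and a reason of “connect to … :25: Connection timed out” means the TCP connection to the MX never completed, so nothing the receiving side evaluates after accepting a connection (PTR, DMARC, blacklists) was ever reached. The following Python is an added example, not code from the thread or from Postfix: it parses lines in that format, names the stage at which delivery stopped, and groups connect failures by destination so a single unreachable MX stands out. The sample log lines are constructed and use documentation hostnames and IPs; the delays breakdown reading is taken from Postfix’s own log format documentation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix's smtp(8) client writes to the maillog.
# These are NOT the poster's real entries; hostnames and IPs are documentation examples.
SAMPLE_LOG = """\
Oct 22 20:51:27 ns postfix/smtp[32979]: A67DF15A40126: to=<enquiries@example.net>, orig_to=<enquiries@example.net>, relay=none, delay=399094, delays=399064/0.02/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.25]:25: Connection timed out)
Oct 22 20:52:01 ns postfix/smtp[32980]: B12AC15A4012F: to=<someone@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, delays=0.05/0.01/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4XyZ)
Oct 22 20:53:13 ns postfix/smtp[32981]: C77DE15A40130: to=<nobody@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=0.9, delays=0.03/0.01/0.4/0.45, dsn=5.1.1, status=bounced (host mx.example.com[203.0.113.9] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Oct 22 21:21:30 ns postfix/smtp[33002]: A67DF15A40126: to=<enquiries@example.net>, orig_to=<enquiries@example.net>, relay=none, delay=400897, delays=400867/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.25]:25: Connection timed out)
"""

# One delivery-attempt record: queue id, recipient, relay, timing, enhanced status code, result text.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig_to>[^>]*)>,)? relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+),"
    r" delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Result text Postfix emits when the TCP connection itself failed.
CONNECT_RE = re.compile(r"connect to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<error>.+)")


def classify(status, reason):
    """Name the stage at which delivery stopped."""
    if status == "sent":
        return "delivered"
    if CONNECT_RE.match(reason):
        # relay=none plus 'connect to ...' means the TCP handshake never completed: the remote
        # MX sent no banner, saw no EHLO or STARTTLS, and evaluated no policy (PTR, DMARC, RBLs).
        return "tcp-connect-failed"
    if "said:" in reason:
        # The remote MX answered with a reply code; its policy, not the network, decided.
        return "rejected-by-remote"
    return "other"


def parse_line(line):
    """Parse one smtp(8) log line into a dict, or return None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["delay"] = float(entry["delay"])
    # delays=a/b/c/d: a = before the queue manager, b = in the queue manager,
    # c = connection setup (DNS, connect, HELO, TLS), d = message transmission.
    before, qmgr, connect, transmit = (float(x) for x in entry["delays"].split("/"))
    entry["delays"] = {"before_qmgr": before, "qmgr": qmgr, "connect": connect, "transmit": transmit}
    entry["phase"] = classify(entry["status"], entry["reason"])
    return entry


def connect_failures(log_text):
    """Count TCP-connect failures per destination host[ip]:port so one unreachable MX stands out."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["phase"] == "tcp-connect-failed":
            c = CONNECT_RE.match(entry["reason"])
            failures[f"{c['host']}[{c['ip']}]:{c['port']}"][c["error"]] += 1
    return {dest: dict(errors) for dest, errors in failures.items()}


if __name__ == "__main__":
    for dest, errors in connect_failures(SAMPLE_LOG).items():
        print(dest, errors)
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    # A 30 s connect phase with nothing transmitted is the connect timer expiring (Postfix's
    # smtp_connect_timeout defaults to 30s), not a slow or rejecting remote server.
    print(first["qid"], first["phase"], first["delays"])
```

Run it against a real maillog with `connect_failures(open("/var/log/maillog").read())`: if every failure lands on one host[ip]:25 while other destinations show status=sent, the problem is network reachability to that one MX, which is exactly the conclusion drawn further down this thread.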

That port is closed to you, for whatever reason. It cannot be anything related to DNS or anything other than network. I don’t see how your configuration can have any effect on this.

Thanks, that was what I was anticipating: it’s not an error at my end.

However, the support people at their domain are adamant their end is fine.

You don’t have to take their word for it.

You can check connectivity with telnet, from a variety of hosts. smtp is a stupid protocol, you can type it out by hand. Since it is failing at connection you can at least find out with certainty whether and where it accepts connections.

I assume you’ve tested other mail servers and you can send elsewhere without trouble? Port 25 is often blocked by ISPs and hosting providers to prevent spam. In those cases you have to use a relay.
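Joe’s by-hand telnet check, as an added Python example (not code from the thread or from Postfix): it does the first things Postfix’s smtp(8) client does, resolve the MX, open the TCP connection with a timeout and read the 220 greeting, and labels the result as dns-failure, timeout, refused or connected, so you can tell a port that is filtered (timeout) from one with no listener (refused) and from one that accepts connections. The loopback “fake MX” and the port helpers are constructed so the block runs offline; against a real MX you would call `probe_smtp("mx.domain.com")` from the mail server and again from an unrelated host, as Joe suggests, to learn whether the block is specific to your sending address.

```python
import socket
import threading


def parse_banner(banner):
    """Split an SMTP greeting such as '220 mx.example.net ESMTP Postfix' into reply code and text."""
    banner = banner.strip()
    code, _, text = banner.partition(" ")
    valid = len(code) == 3 and code.isdigit()
    return {"code": int(code) if valid else None, "text": text if valid else banner, "ready": code == "220"}


def probe_smtp(host, port=25, timeout=10.0):
    """Resolve, connect, and read the banner, the same steps Postfix takes before any mail policy applies.

    outcome is one of: 'dns-failure' (no address), 'timeout' (no SYN-ACK came back: a firewall
    or routing problem between the hosts, the same symptom as 'connect to ...:25: Connection
    timed out' in the maillog), 'refused' (the host answered with RST, nothing listens there),
    'connected' (banner received), or 'error' for anything else the OS reports.
    """
    result = {"host": host, "port": port, "outcome": None, "detail": ""}
    try:
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        result.update(outcome="dns-failure", detail=str(exc))
        return result
    result["ip"] = sockaddr[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except socket.timeout:
            result.update(outcome="timeout", detail=f"no response within {timeout:g}s")
            return result
        except ConnectionRefusedError as exc:
            result.update(outcome="refused", detail=str(exc))
            return result
        except OSError as exc:  # unreachable network, permission denied, etc.
            result.update(outcome="error", detail=str(exc))
            return result
        try:
            banner = sock.recv(512).decode("ascii", "replace")
            sock.sendall(b"QUIT\r\n")  # close the session the SMTP way
        except OSError as exc:
            result.update(outcome="connected-no-banner", detail=str(exc))
            return result
    result.update(outcome="connected", detail=banner.strip(), banner=parse_banner(banner))
    return result


def serve_fake_banner(banner=b"220 mx.test ESMTP constructed-example\r\n"):
    """Start a one-shot loopback listener that greets and answers QUIT (a constructed stand-in for a remote MX).

    Returns the ephemeral port it listens on so probe_smtp() can be exercised offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(5)
            try:
                conn.sendall(banner)
                conn.recv(64)  # the client's QUIT
                conn.sendall(b"221 2.0.0 Bye\r\n")
            except OSError:
                pass

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_local_port():
    """Reserve and immediately release a loopback port so nothing listens on it (the 'refused' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", serve_fake_banner(), timeout=5))   # connected, banner code 220
    print(probe_smtp("127.0.0.1", closed_local_port(), timeout=5))   # refused
    # Against a real MX: run from the mail server and from a second, unrelated host. If only the
    # mail server gets 'timeout', the filtering is specific to its address or network.
```

The distinction the outcome field draws is the one this thread turns on: a “refused” or “connected” result proves packets reach the remote host, while a “timeout” from one vantage point and “connected” from another points at a filter between your server and theirs rather than at anything in your Postfix configuration.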

Indeed, no problems elsewhere.
They tell me they have not blocked port 25.
Though my question is: why does it try to use port 25 instead of 587?

Why would it use 587? That’s normally the authenticated submission port for clients of the server, not outside mail servers; it is intended for MUAs (mail user agents) to talk to. Port 25 is where mail between servers goes (with optional encryption via STARTTLS). If you don’t have port 25, you don’t have a mail server.

Thanks, Joe,

I’ll have a further look at telnet.

I will need to get someone more technical on this, as my terminology may not be correct and I thought I understood. (I just assumed the TLS part on 587 was used between servers without actually understanding the terminology)

You can become more technical. I have to search for answers a lot, too, and I’ve been doing this for decades. :wink:

Lots of people have the same misunderstanding about the submission port. But, if the submission port became “just another SMTP port” then ISPs and hosting providers would block it, too, and then we’d have to start over with another port for MUAs, or give up on having email that isn’t owned by the big three.

465 was, for a while, the “SMTP wrapped in SSL” port but it’s considered deprecated now that we have STARTTLS that servers (and clients) can negotiate for themselves. And, it never really took off as a general purpose SMTP port. Only some servers offered it, so you pretty much had to explicitly configure it for the servers you wanted to ensure were encrypted.


Indeed, I use Google to teach me a lot :o)

I’m still seeing this with one server but today I have one email in the outgoing server that says “connection timed out”.

I’ve explained that I believe it is an issue at their end, but we are in a stalemate.

I’ll keep you posted if I get any progress.

Thanks for your input.

I couldn’t get from the original message whether your postfix was a home server or in a hosted environment. You also mentioned sending to other domains was fine. Either way, it could be that the receiver end is using a filter that is auto-blocking your IP or, if a home network, a dynamic range. Or they might be using one of the public black lists that never gets updated/cleaned.

I am using a dedicated server in a data center. As you suggest, home based servers are problematic in that it is difficult to get the Reverse Name set up.

As it transpires, a few days ago I followed up (yet again) with the company that was blocking.
This time I got someone who understood and did some real investigation at their end.

As if by magic, emails from my server are now getting through. They decided to add the server IP to their whitelist.
And it’s been good all week so far.

I could go and use an email service provider, but I should be able to send mail as long as I have the right setup in Postfix and ensure I am not on a blacklist (mxtoolbox.com is heavily used ;o) )

Thanks to those who contributed to my question and offered help.