No SSL for SMTP? happening on new server

I have the same issue as this post.
Apparently (?) the server is set up with correct SSL/Dovecot/Postfix/Firewall
and I compared all against a working server.

Operating system: Ubuntu Linux 24.04.2
Virtualmin version: 7.30.8.pro-1
Kernel and CPU: Linux 6.8.0-64-generic on x86_64
Cyrus SASL Authentication Server is running
Dovecot and Postfix running

The connection to Postfix is not being accepted, Dovecot appears fine.

Using mxtoolbox/telnet gives this:

Connecting to 195.154.254.138
SendSMTPCommand: Timeout waiting for response after 15 seconds.

  • LookupServer [smtp:195.154.254.138] 15993ms

I’ve a feeling there may be a clue in here:
master.cf

Most likely a firewall issue. Are you running the server behind a router?
Check your mail server log to see if you see any connections server side.
Virtualmin install scripts installed everything to work out of the box, please don’t go around and play with postfix configuration.

Thanks
It might be an issue with the firewall, but I think it’s an SSL or SASL issue.

The email configuration shows no SSL enabled for 587 and the logs say SASLauth not enabled.

I’ve not had any issues setting up other servers, so I may have selected a wrong parameter when installing. Dovecot works, so I’m checking the postfix configuration. Agree a little knowledge is dangerous :grin:

Not sure what you mean there, what parameter options would you have during install, in the post install config after the port 10000 login?

You do have mail ticked?

I forget what options :man_facepalming: just a guess, I may have mistyped.
Yes Mail is ticked.

It’s a dedicated server and I have set up previously.

Wondered if it was an Ubuntu issue, as it’s a new version.

I think it has something to do with this setting in Show Email Client Settings.
Somehow it doesn’t think SSL is enabled for outgoing mail?

SMTP server hostname: mail.fife.uk
SMTP server port: 587
Use SSL for SMTP? No
SMTP password encryption type: Plaintext
SMTP encryption type: STARTTLS

My other question is that I don’t know the difference between SSL and SASLauthd, so I’ll read up more. Is SASL setup anything to do with the error?

That’s a port 25 connection (for mail transfer), a client connection is port 587 and needs authentication. So it really does sound like firewall.
Maybe check with your provider for port blocking.

1 Like

Thanks, I’ll double check again.
There is a value in firewall table for port 587.

I could disable firewall for a moment to double check I guess

Brian

Absolutely (it really sounds like a port 25 blocked by your provider - this is so common these days due to the number of spammers in the wild)

I have a number of dedicated servers from the provider, so not sure it’s blocked, will check

I see this in the log

Jul 29 15:37:35 postfix/master[136680]: warning: process /usr/lib/postfix/sbin/smtpd pid 180665 exit status 1
Jul 29 15:37:35 postfix/master[136680]: warning: process /usr/lib/postfix/sbin/smtpd pid 180664 exit status 1
Jul 29 15:37:35 postfix/master[136680]: warning: process /usr/lib/postfix/sbin/smtpd pid 180663 exit status 1
Jul 29 15:37:35 postfix/master[136680]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Jul 29 15:37:35 postfix/master[136680]: warning: process /usr/lib/postfix/sbin/smtpd pid 180662 exit status 1

I’m still scratching my head with these settings

POP3 shows, SSL

while 587 shows no SSL, is that why it fails the connection? Rather than port blocked?

POP3 server hostname: mail.fife.uk
POP3 server port: 995
Use SSL for POP3? Yes
SMTP server hostname: mail.fife.uk
SMTP server port: 587
Use SSL for SMTP? No
SMTP password encryption type: Plaintext
SMTP encryption type: STARTTLS

The post you’ve linked is showing a system that is configured correctly and would work fine if the client is configured correctly. STARTTLS is the recommended encryption for the submission port.

SMTP is port 25, and is not used by your mail clients, in general.

Dovecot has nothing to do with SMTP. It is not an SMTP server.

I think this indicates you don’t have port 25. If you don’t have port 25, you don’t have a mail server. It has nothing to do with SSL, and you cannot force every mail server in the world to use SSL; you can allow STARTTLS and the sending mail server can negotiate an encrypted connection, but you cannot force SSL if you want to be able to receive mail from everywhere.

If port 25 times out, it means your hosting provider blocks port 25, as many do.

That said, I’d recommend you test yourself rather than relying on a website with confusing error messages.

I can see port 25 open on that IP.

$ nmap 195.154.254.138
Starting Nmap 7.92 ( https://nmap.org ) at 2025-07-29 12:17 CDT
Nmap scan report for ns3.fife.biz (195.154.254.138)
Host is up (0.13s latency).
Not shown: 908 filtered tcp ports (no-response), 10 filtered tcp ports (host-unreach), 67 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
2222/tcp  open  EtherNetIP-1
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 5.96 seconds

But, when I telnet to port 25, the connection closes.

$ telnet 195.154.254.138 25
Trying 195.154.254.138...
Connected to 195.154.254.138.
Escape character is '^]'.
Connection closed by foreign host.

Which is not what I would expect, unless you’ve already broken it by trying to force the world to use SSL, though that doesn’t appear to be so:

$ openssl s_client -connect 195.154.254.138:25
Connecting to 195.154.254.138
CONNECTED(00000003)
80A2AE7FC17F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

To be clear, you should not try to enable SSL on the SMTP port if you want to run a general-purpose mail server. I don’t know where anyone got the idea you should. You can allow STARTTLS, but lack of SSL is not the problem you should be trying to solve here.

To be clear: if you think you need to change anything in master.cf for basic mail functionality, you’re barking up the wrong tree. Basic mail functionality all works out of the box on a default installation of Virtualmin. There may be things you want to change for additional spam or auth or whatever features, but “my server can’t receive mail” is not a thing you need changes for.

Joe thank you.
I thought Port 25 was only used for POP3 (non secure) so not bothered about that port.
Yes, understand, Dovecot is for incoming mail not outgoing.
This is a dedicated server so I have control of Firewall, and port 25 and others should be open.
Thanks for the nmap command, I forgot about that.

I’ve not tried to hack or change anything apart from through the web interface. (honest ;o) )
I only mention the master.cf file as someone may spot a setting that is wrong. :o)
As I mention, on any server I set up before I’ve not had any issues, and I didn’t think I’d tried to change the default settings for mail.

my working server sending and receiving email has this:

POP3 server hostname: mail.fife.co.uk
POP3 server port: 995
SMTP server hostname: mail.fife.co.uk
SMTP server port: 587
Use SSL for SMTP? Yes
SMTP password encryption type: Plaintext
SMTP encryption type: STARTTLS

but the new server is like this:

POP3 server hostname: mail.fife.uk
POP3 server port: 995
Use SSL for POP3? Yes
SMTP server hostname: mail.fife.uk
SMTP server port: 587
Use SSL for SMTP? No
SMTP password encryption type: Plaintext
SMTP encryption type: STARTTLS

and that’s why I was mentioning SSL.
I’m obviously confused :o)

Port 25 is not used for POP3.

yea sorry, got wrong term, it’s basically an insecure/old smtp for sending

Well, that is not really correct either. As I understand it, port 25 is used for the communication between email servers. Without 25 no emails can be sent or received between email servers.

have a confession
an error by me, seems to have been the SMTP Greeting banner, somehow it was set to $hostname instead of $myhostname ESMTP $mail_name

mxtoolbox shows as good now.
however, the emails are being placed in the queue but not sending.

so it’s a different problem. apologies for the confusion.

That’s probably outgoing port 25 is unavailable. If they’re timing out, it’s definitely that.

You should check to see if you can make an outgoing connection on port 25 from your server.

e.g.

$ telnet mail.virtualmin.com 25
Trying 45.76.233.251...
Connected to mail.virtualmin.com.
Escape character is '^]'.
220 n1.virtualmin.com ESMTP Postfix

If this times out, you don’t have port 25, and you don’t have a mail server. You’ll either need to use a relay service or talk to your hosting provider.

1 Like
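
The checks in this thread come down to what a connection to the SMTP port does first: time out, close without a greeting, or return a 220 banner. As an added example (not part of any post in the thread), this Python function classifies those outcomes; the name `probe_smtp`, the state labels and the hint wording are this example's own choices.

```python
import socket
import sys

# What each outcome pointed to in the thread (wording is this example's own).
HINTS = {
    "timeout": "no reply to the connection attempt: port filtered or blocked",
    "refused": "nothing is listening on that port",
    "no-banner": "accepted, then closed with no greeting: check the mail log",
    "silent": "connected, but no greeting arrived before the timeout",
    "banner": "SMTP service answered with its 220 greeting",
    "unexpected": "service answered, but not with a 220 greeting",
}

def probe_smtp(host, port=25, timeout=15.0):
    """Return (state, detail) for one TCP connection to an SMTP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:  # unreachable host, DNS failure, ...
        return ("error", str(exc))
    buf = b""
    with sock:
        try:
            # An SMTP server speaks first; read until the greeting line ends.
            while b"\n" not in buf and len(buf) < 1024:
                chunk = sock.recv(512)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            return ("silent", "")
        except ConnectionResetError:
            pass  # counts as a close without greeting if nothing arrived
    if not buf:
        return ("no-banner", "")
    line = buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return ("banner" if line.startswith("220") else "unexpected", line)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    state, detail = probe_smtp(host, port)
    print(f"{host}:{port} -> {state} {detail}".rstrip())
    print(HINTS.get(state, ""))
```

Run it from the mail server against a remote MX to test outbound port 25, and from outside against the server to test inbound.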

Joe
thanks

telnet ns3.fife.biz 25
Trying 195.154.254.138

Connected to ns3.fife.biz.
Escape character is '^]'.
220 ns3.fife.biz ESMTP Postfix

it is not timing out