My Postfix server is running on Debian Stretch. It can send email to a Gmail address without problems, and those messages are not flagged as spam. At the DNS level I configured DKIM, SPF and DMARC, and Gmail reports "Pass" for all three. Messages are also encrypted in transit (TLS) for my domain name (Google does NOT show the red padlock that indicates an unencrypted message). I use a Let's Encrypt certificate for my domain. In my case I only need Postfix to send mail from the server.
The logs look fine when I send mail to a Gmail address and show:
Jul 1 11:46:25 mydomain-linux postfix/smtp[16054]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul 1 11:46:25 mydomain-linux postfix/smtp[16054]: 35AB4600BB6: to=<myadress@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1a]:25, delay=0.81, delays=0.12/0.01/0.38/0.29, dsn=2.0.0, status=sent (250 2.0.0 OK 1593085583 r2si6295852wrp.70 - gsmtp)
On the other hand, mail sent to other providers such as Protonmail or GMX is not received. I always get the error status=deferred
in my log file /var/log/mail.log
:
Jul 1 18:36:28 mydomain-linux postfix/error[13029]: 28F18600BF6: to=<myadress@protonmail.com>, relay=none, delay=23, delays=0.13/23/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mailsec.protonmail.ch[185.70.40.102]:25: Connection timed out)
Jul 1 18:36:31 mydomain-linux postfix/smtp[12946]: connect to mailsec.protonmail.ch[185.70.40.102]:25: Connection timed out
Jul 1 18:36:31 mydomain-linux postfix/smtp[12946]: DAFA8600BF2: to=<myadress@protonmail.com>, relay=none, delay=60, delays=0.12/0.03/60/0, dsn=4.4.1, status=deferred (connect to mailsec.protonmail.ch[185.70.40.102]:25: Connection timed out)
I can't find the cause of the problem.
Here is my Postfix configuration:
The /etc/postfix/main.cf
file :
# ----------------------------------------------------------
# - General Settings
# ----------------------------------------------------------
# Identity, listening addresses and local-delivery settings for this host.
# main.cf only treats a line as a comment when '#' is its first
# non-whitespace character, so every note below sits on its own line.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
delay_warning_time = 4h
mailbox_size_limit = 0
recipient_delimiter = +
# NOTE(review): the post describes a send-only host, yet `all` makes the
# smtpd listeners declared in master.cf reachable on every address.
# `loopback-only` is the usual send-only value -- confirm that nothing
# external needs to connect before changing it.
inet_interfaces = all
# Both IPv4 and IPv6 are enabled.
# NOTE(review): the successful Gmail delivery in the posted log went to an
# IPv6 address, while the timed-out connections are to an IPv4 address on
# port 25. Check whether outbound TCP/25 over IPv4 is filtered (hosting
# provider or local firewall) before touching any Postfix setting.
inet_protocols = all
myhostname = mydomain-linux.fr
myorigin = mydomain-linux.fr
# NOTE(review): `localhot` looks like a typo for `localhost`; as written,
# the name `localhost` itself is not listed as a local destination.
mydestination = localhot localhost.$myhostname
# Empty relayhost: mail is delivered directly to each recipient domain's MX.
relayhost =
# Only loopback addresses are trusted; permit_mynetworks in
# smtpd_relay_restrictions therefore covers local processes only.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# ----------------------------------------------------------
# - TLS parameters
# ----------------------------------------------------------
# TLS and SASL settings for the SMTP server (smtpd_*) and for the SMTP
# client that makes outbound deliveries (smtp_*).
# Overrides the built-in "medium" cipher grade with forward-secret AES-GCM
# suites only.
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
# The server's cipher order takes precedence over the client's.
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
broken_sasl_auth_clients = yes
lmtp_tls_session_cache_database = btree:${data_directory}/lmtp_scache
# SMTPD
# NOTE(review): the post describes a send-only host; the SASL settings
# below may be leftovers from a template. Confirm whether any client
# actually authenticates against this server.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $mydomain
# Adds the authenticated login name to the Received: header of relayed
# mail, so it is visible to recipients.
smtpd_sasl_authenticated_header = yes
smtpd_tls_CAfile = $smtp_tls_CAfile
# The parameter name is historical: it is the non-export DH parameter file.
# Going by the file name it holds 2048-bit parameters -- verify the file.
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
# NOTE(review): this file is only used for export-grade EDH ciphers, which
# no current client should negotiate; consider removing the setting.
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
# NOTE(review): CApath expects a directory of CA certificates, but this
# value points at a file (fullchain.pem).
smtpd_tls_CApath = /etc/letsencrypt/live/mydomain-linux.fr/fullchain.pem
# NOTE(review): cert.pem is presumably the leaf certificate only. Postfix
# sends whatever chain this file contains, so fullchain.pem is the usual
# choice here -- confirm against the Let's Encrypt directory contents.
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain-linux.fr/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain-linux.fr/privkey.pem
smtpd_tls_loglevel = 1
# Opportunistic TLS: STARTTLS is offered, but cleartext sessions are still
# accepted on this listener.
smtpd_tls_security_level = may
# SASL AUTH is only offered after STARTTLS, so credentials are never sent
# in cleartext.
smtpd_tls_auth_only = yes
# Only SSLv2 and SSLv3 are excluded; TLSv1 and TLSv1.1 remain enabled.
# The *_mandatory_* settings apply only where TLS is enforced (security
# level `encrypt` or stronger), e.g. the submission service in master.cf.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
# NOTE(review): the next three lines repeat settings already made above
# with the same values; one copy of each is enough.
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Relaying is allowed only for mynetworks and SASL-authenticated clients;
# mail for any other destination gets a temporary (4xx) rejection.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# SMTP client: the smtp_* parameters govern OUTBOUND deliveries made by
# this host; they have no effect on incoming mail.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CApath = /etc/ssl/certs
# NOTE(review): verify that this file exists; the posted log shows a
# "Trusted TLS connection", so at least one of CApath/CAfile resolves.
smtp_tls_CAfile = /etc/ssl/certs/ca.cert.pem
smtp_tls_loglevel = 1
# Opportunistic TLS: delivery falls back to cleartext when the remote
# server does not offer STARTTLS, and a certificate that fails
# verification does not stop delivery.
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
# Only SSLv2 and SSLv3 are excluded; TLSv1 and TLSv1.1 remain enabled.
smtp_tls_protocols = !SSLv2, !SSLv3
# With security level `may`, the two mandatory_* lines below are not in
# effect; they only apply at level `encrypt` or stronger.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
# NOTE(review): repeats the smtp_tls_session_cache_database line above.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5, PSK, SRP, DSS, AECDH, ADH
# ----------------------------------------------------------
# - OpenDKIM
# ----------------------------------------------------------
# Sends mail through a milter on 127.0.0.1:8891 (the OpenDKIM signer,
# going by the section title).
smtpd_milters = inet:127.0.0.1:8891
# Mail submitted locally (not via smtpd) goes through the same milter.
non_smtpd_milters = $smtpd_milters
# Fail-open: if the milter is unreachable, mail is processed as if no
# milter were configured, i.e. it leaves unsigned.
# NOTE(review): unsigned mail can then fail DKIM/DMARC at the receiver;
# `tempfail` holds mail until the signer is back -- choose deliberately.
milter_default_action = accept
milter_protocol = 6
The /etc/postfix/master.cf
file :
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
# NOTE(review): in the live master.cf every `-o` line must begin with
# whitespace to count as a continuation of the service line above it; the
# leading indentation appears to have been lost when this listing was pasted.
#
# Public SMTP listener (port 25), chrooted.
# NOTE(review): content_filter names a transport called `spamassassin`, but
# no such service is defined in the listing shown here -- confirm that it
# exists in the real file. For a send-only host this listener may not be
# needed at all (see inet_interfaces in main.cf).
smtp inet n - y - - smtpd
-o content_filter=spamassassin
# Submission listener: TLS is enforced (`encrypt`), and only
# SASL-authenticated clients are accepted; everything else is rejected.
# NOTE(review): smtpd_sasl_auth_enable=yes is given twice; one is enough.
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
-o content_filter=spamassassin
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Internal Postfix services (queue management, rewriting, bounces, TLS
# session management, ...). All are local `unix` sockets, not network
# listeners.
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
# Outbound SMTP client; this is the service that writes the postfix/smtp
# lines (including the "Connection timed out" entries) in the posted log.
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
# The remaining entries are pipe(8) transports: each hands a message to an
# external command running as the named user, outside the chroot.
# NOTE(review): these look like the distribution's sample entries; on a
# send-only host, confirm which (if any) are referenced and remove the
# rest to keep the set of executable delivery paths small.
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}