Mail Can Be Received, but Sending Fails¶
One of the most common reasons that mail may not be able to be sent from the server is that port 25 is blocked. This may be due to internal, or external firewall settings, or a limitation by the VPS provider (for example, Digital Ocean disables port 25 by default). Azure is also known to block port 25.
This can also be caused by the receiving server rate limiting the sending IP, or that IP having been put on an RBL or internal blacklist.
Contents
To Check If Port 25 Is Disabled¶
Using Telnet¶
Telnet is a tool that can be used to check the ability for one server to communicate with another over a specific port. If the connection times out, it may be an indication that the port is blocked, or disabled.
Log in to the server at the CLI as root, either via SSH or from the terminal
At the CLI, use the
telnetcommand to attempt to connect to an outside mail server over port 25, replacing {mail.server.com} and {port} with the corresponding informationtelnet {mail.server.com} {port}
Example, using the mail server for gmail:
[root@server ~]# telnet smtp.gmail.com 25 Trying 142.251.4.108... telnet: connect to address 142.251.4.108: Connection timed out [root@server ~]#
Example of a successful connection, using the mail server for gmail:
[root@server ~]# telnet smtp.gmail.com 25 Trying 142.251.4.109... Connected to smtp.gmail.com. Escape character is '^]'. 220 smtp.gmail.com ESMTP g1sm659533iob.34 - gsmtp ^] telnet> quit Connection closed. [root@server ~]#
Using SWAKS¶
SWAKS is a command line tool that can be used test email connectivity. If there is an error connecting, it may be an indication that the port is disabled or blocked.
Log in to the server at the CLI as root, either via SSH or from the terminal
At the CLI, use the
swakscommand to send a test message, replacing {remote email address}, and {local email address} with the corresponding information. (In the following examples, the email addresses were replaced with dummy accounts, just for the purpose of demonstration. Real accounts should be used for this troubleshooting step).swaks --to {remote email address} --from {local email address}
Example, using attempting to send to gmail:
[root@server ~]# swaks --to [email protected] --from [email protected] perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "C.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). === Trying gmail-smtp-in.l.google.com:25... *** Error connecting to gmail-smtp-in.l.google.com:25 *** IO::Socket::INET6: connect: Connection timed out [root@server ~]#
Example of a successful test message:
[root@server ~]# swaks --to [email protected] --from [email protected] perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "C.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). === Trying gmail-smtp-in.l.google.com:25... === Connected to gmail-smtp-in.l.google.com. <- 220 mx.google.com ESMTP w142si10376273ybe.323 - gsmtp -> EHLO server <- 250-mx.google.com at your service, [3.134.79.100] <- 250-SIZE 157286400 <- 250-8BITMIME <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-PIPELINING <- 250-CHUNKING <- 250 SMTPUTF8 -> MAIL FROM:<user@testaccount.com> <- 250 2.1.0 OK w142si10376273ybe.323 - gsmtp -> RCPT TO:<user@gmail.com> <- 250 2.1.5 OK w142si10376273ybe.323 - gsmtp -> DATA <- 354 Go ahead w142si10376273ybe.323 - gsmtp -> Date: Thu, 27 Jan 2022 16:54:23 -0500 -> To: user@gmail.com -> From: user@testaccount.com -> Subject: test Thu, 27 Jan 2022 16:54:23 -0500 -> Message-Id: <20220127165423.030941@rctest.jenna> -> X-Mailer: swaks v20170101.0 jetmore.org/john/code/swaks/ -> -> This is a test mailing -> -> . <- 250 ok 1643320025 qp 4063 -> QUIT <- 221 gmail-smtp-in.l.google.com === Connection closed with remote host. [root@server ~]#
Using Traceroute¶
Traceroute is a command line tool that can be used to check for connectivity over a specific port. If it does not report any traffic, the port may be disabled or blocked.
Log in to the server at the CLI as root, either via SSH or from the terminal
At the CLI, use the
traceroutecommand to attempt to connect to an outside mail server over port 25, replacing {mail.server.com} and {port} with the corresponding informationtraceroute {mail.server.com} {port}
Example, using the mail server for gmail:
[root@server ~]# traceroute smtp.gmail.com 25 traceroute to smtp.gmail.com (74.125.71.108), 30 hops max, 52 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * [root@server ~]#
Example of a successful connection, using the mail server for gmail:
[root@server ~]# traceroute smtp.gmail.com 25 traceroute to smtp.gmail.com (142.251.4.108), 30 hops max, 52 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 241.0.12.203 (241.0.12.203) 0.252 ms 241.0.12.195 (241.0.12.195) 0.180 ms 241.0.12.203 (241.0.12.203) 0.234 ms 6 243.254.8.13 (243.254.8.13) 0.202 ms * * 7 108.166.252.63 (108.166.252.63) 0.171 ms * * 8 242.0.107.85 (242.0.107.85) 0.300 ms 242.0.107.65 (242.0.107.65) 0.408 ms 242.0.106.85 (242.0.106.85) 0.263 ms 9 * 15.230.135.105 (15.230.135.105) 0.564 ms * 10 * * * 11 52.95.2.155 (52.95.2.155) 0.399 ms * * 12 * * * 13 * * * 14 * * * 15 * * * 16 100.92.49.107 (100.92.49.107) 10.655 ms * * 17 52.93.132.62 (52.93.132.62) 10.874 ms * * 18 100.91.163.4 (100.91.163.4) 10.854 ms * 100.91.163.120 (100.91.163.120) 10.561 ms 19 * * 100.91.163.85 (100.91.163.85) 10.799 ms 20 * * * 21 * * * 22 * 100.91.177.159 (100.91.177.159) 10.636 ms * 23 * * 100.100.6.121 (100.100.6.121) 106.973 ms 24 * 100.100.88.134 (100.100.88.134) 10.987 ms 100.100.92.6 (100.100.92.6) 10.923 ms 25 * * * 26 * 100.100.2.46 (100.100.2.46) 10.551 ms * 27 100.95.7.1 (100.95.7.1) 10.695 ms * * 28 * * * 29 * 108.170.240.97 (108.170.240.97) 11.820 ms 99.82.181.25 (99.82.181.25) 10.917 ms 30 * 108.170.240.98 (108.170.240.98) 11.578 ms * [root@server ~]#
To Check For Rate Limiting¶
If there is a larger than normal number of messages that are being sent from the server,
remote servers may temporarily rate limit the sending IP as a spam prevention
method. Indication of this can often be found in the qmail send log.
Log in to the server at the CLI as root, either via SSH or from the terminal
At the CLI, navigate to
/var/log/send/The
currentlog includes the most recent mail traffic, though it may be necissary to investigate the rotated logs, as well. Messages that have been rate limited will have logging similar to the following (spaces added for readability):Our_system_has_detected_an_unusual_rate_of/421-4.7.0_unsolicited_mail_originating_from_your_IP_address. _To_protect_our/421-4.7.0_users_from_spam,_mail_sent_from_your_IP_address_has_been_temporarily/421-4.7.0_rate_limited. _Please_visit_http://www.google.com/mail/help/bulk_mail./421_4.7.0_html_to_review_our_Bulk_Email_Senders_Guidelines._mx10si15710063icb.32_-_gsmtp/
To Check If the IP is Blacklisted¶
If a server has been compromised or there have been reports of spam made against the IP address, that IP may be added to an RBL or Remote Block List (also known as a Realtime Blackhole List).
If the sending IP is blacklisted, and there is more than one IP on the server, it is possible to change the IP that mail is sent from. Information on how to do so can be found here.
There are many websites that can be used to check the RBL status of an IP or domain, such as:
Many email providers will check against an internal black list. It is recommended to contact their support directly, if possible, to check the IP or domain’s potential blacklist status.