# Postfix weirdness... timeout after DATA from [SOLVED]

## hanj

Hello Mail Gurus

I have a strange Postfix issue. I'm pretty sure it's on their end, since no one else seems to be giving me grief.

I have a user from another ISP not associated with my network what so ever. Their mailserver is using (ESMTP Postfix (2.3.3)) based off of telnet session. That user is trying to send two emails to two users on separate domains on my server. There is a PDF attachment that is 1.9MBs in size. The two users never get this email. Looking at the logs I see this...

```
Nov 27 14:49:52 comp postfix/smtpd[15930]: 410F28F42: client=gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 14:49:52 comp postfix/cleanup[14680]: 410F28F42: message-id=<536d82f629c2c4c93c49742486931330@domainremoved.com>

Nov 27 14:52:13 comp postfix/smtpd[13643]: timeout after DATA from gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 14:52:13 comp postfix/smtpd[13643]: disconnect from gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 15:06:32 comp postfix/smtpd[18849]: connect from gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 15:06:32 comp postfix/smtpd[18849]: setting up TLS connection from gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 15:06:32 comp postfix/smtpd[18849]: TLS connection established from gold.domainremoved.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

Nov 27 15:06:33 comp postfix/smtpd[18849]: CFCA66ADF: client=gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 15:06:34 comp postfix/cleanup[15304]: CFCA66ADF: message-id=<d1b0dadcbb7906a4a171e8e7d03fcb43@domainremoved.com>

Nov 27 15:06:58 comp postfix/smtpd[15930]: timeout after DATA from gold.domainremoved.com[xxx.xxx.xxx.xxx]

Nov 27 15:06:58 comp postfix/smtpd[15930]: disconnect from gold.domainremoved.com[xxx.xxx.xxx.xxx]
```

So there is a timeout after DATA from their mailserver. This will continue to repeat itself since the mails are in their queue. The user from the other mailserver sent me a .jpg attachment and I got it fine, but I was unable to receive the .pdf.

Also during this, I see the following in my snort logs..

```
Nov 28 14:37:16 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:37:52 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:38:50 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:39:02 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:39:29 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:41:02 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx

Nov 28 14:41:41 comp snort[6503]: [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [Classification: Misc activity] [Priority: 3]: {ICMP} xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
```

So it almost appears that out connection times out and breaks. I lose 'established/related' with their server and is returned with a destination unreachable packet by them? Anyone ever see this before? How can I rule out that I have the problem? Anything I can bring up with them to help fix the problem on their end.. if it's there?

My current configuration

```
mail-mta/postfix-2.4.5

mail-filter/amavisd-new-2.4.1

mail-filter/policyd-weight-0.1.14.5
```

I do have a few 'timeout after DATA' other than this host in the logs, but all appear to be spam networks, etc. I have not heard of any other clients complaining about lost mail, etc. and are few and far in between. This host is in the logs every few minutes for the last 2 days.

Thanks!

hanji

----------

## steveb

Maybe something on you or their network with TCP is not okay. Try switching window scaling and sack on/off.

Off:

```
echo 0 > /proc/sys/net/ipv4/tcp_sack

echo 0 > net.ipv4.tcp_window_scaling
```

On:

```
echo 1 > /proc/sys/net/ipv4/tcp_sack

echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
```

Depending on your network on or off could work better.

Try as well to turn off TCP time stamps:

```
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
```

Did that help?

// SteveB

----------

## hanj

I'm wondering if it's them.. since they're the ones having the trouble. I'm a little hesitant to change the scaling on my end. Is there anything else I can do to gather any more information?

Thanks for the reply!

hanji

----------

## steveb

 *hanj wrote:*   

> Is there anything else I can do to gather any more information?

 Yes!

1) Run Postfix in more verbose mode and log the conversation.

2) Try to reduce the complexity of the connection.

 2.1) Advise Postfix to not offer/allow them to use TLS/SSL with your server.

 2.2) If you have any firewall rules try to whitelist or disable them for their IP.

 2.3) etc

// SteveB

----------

## hanj

 *steveb wrote:*   

>  *hanj wrote:*   Is there anything else I can do to gather any more information? Yes!
> 
> 1) Run Postfix in more verbose mode and log the conversation.
> 
> 2) Try to reduce the complexity of the connection.
> ...

 

Hello Steveb

1) Working on the log capture now with this host.

2.1) Is it possible to not allow tls/ssl to a certain host? Or do I have to set smptd_use_tls = no? It would be great if I could shut it just for them.

2.2) I'm allowing port 25 from anyone already.. not sure what else I would need to do.

Thanks!

hanji

----------

## hanj

I found this.. applied now and watching the logs...

```
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

hanji

UPDATE

weird... when I set smtp_tls_policy_maps or stmpd_tls_policy_maps, with values of mail.badhost.com none, it still creates a TLS session. I tested with other hosts as well, and it seems like this setting is not being set ot none with the specific hosts.

Here is a example of my tls_policy

```
gold.domainremoved.com   none

mail.testhost.com      none
```

Here is my tls section

```
smtpd_tls_policy_maps = hash:/etc/postfix/tls_policy

smtpd_use_tls = yes

smtp_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache

smtpd_tls_key_file = /etc/postfix/certs/newreq.pem

smtpd_tls_cert_file = /etc/postfix/certs/newcert.pem

smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom
```

Any ideas?

----------

## hanj

Steveb

Here is a sanitized debug mail.log output for the problem domain. Basically the information I have looks to be still TCP related..

[removed]

At the bottom...

```
Nov 29 07:39:52 comp postfix/smtpd[18933]: < gold.domainremoved.com[xxx.xxx.xxx.xxx]: DATA

Nov 29 07:39:52 comp postfix/smtpd[18933]: > gold.domainremoved.com[xxx.xxx.xxx.xxx]: 354 End data with <CR><LF>.<CR><LF>

Nov 29 07:48:57 comp postfix/smtpd[18933]: > gold.domainremoved.com[xxx.xxx.xxx.xxx]: 421 4.4.2 comp Error: timeout exceeded
```

So 10 minutes after DATA, my server never gets anything, then times out. 

Late lastnight I received one of the plugged attachments.. so some how the TCP session worked on one. I can still see there is another one plugged up out there though. The email I received was sent 07/11/27(Tue)14:24 and I received it 07/11/29(Thu)02:29.

Thanks for your help

hanji

----------

## magic919

You might want to remove the reversed octet version of the IP too.

----------

## hanj

Hello All

I was finally able to talk to the sysadmin at the ISP. He said that they've been seeing this problem on their end and suspect that their PIX is the problem. So I think we're good.

Thanks!

hanji

----------

