Postfix Please try again later

[marly]

I have a Zimbra server and I was using one external spam filtering provider. I wanted to switch providers so I did.

The problem I’m running into is that my postfix is reporting “451 Please try again later” when the external mail server is connecting to the Zimbra mail server.
My postconf mynetworks has the correct IP addresses listed. If I do a zmprov gs mailserver zimbraMtaMyNetworks the correct servers are listed.

In my ZimbraMtaMyNetworks I have my local 192.168.x.x/24 networks listed, so I decided to telnet to port 25 and send a test e-mail message. The test e-mail message goes through fine. In an act of desperation, I deleted everything out of my ZimbraMtaMyNetworks and my postconf mynetworks I only left 127.0.0.0/8 the MtaMyNetworks & mynetworks. I telented to port 25 from one of my 192.168.x.x hosts and the e-mail message still went through fine from the 192.168.x.x host.

So with that, I’m thinking that it’s not updating my configuration some place to add in my new external host IP addreses, but I’m at a lost of to where to look any further. I’ve also rebooted the server each time I’ve made configuration changes just make sure they were updating. So there must be some place else that I can tell it to allow the connection.

[marly]

In in act of desperation, knowing that it accepted connections just fine from my 192.168.x.x subnet, I got a TCP port redirector and started redirecting from one PC to another PC, making the Postfix/Zimbra server think the incoming were coming from 192.168.x.x. I got the same issue!

In act of further desperation, I went back to the old spam filtering company and I got the same issue I’m having above!

After much struggling over the past 12 hours and going bald in the process, I got an idea that maybe the firewall was filtering it. So I told my external spam/virus company to use a different TCP port and redirected my firewall to use those ports and bingo, it’s now working.

I guess the Cisco PIX is filtering port 25, even though everything in the configuration file is set to do no such thing. I haven’t a clue why the Cisco PIX decided to start doing some type of filtering suddenly. It’s just not the new IP’s from the new spam/virus company, it’s doing it to the old one too. Now I know why I hate Cisco PIX’s so much.

[phoenix]

So with that, I’m thinking that it’s not updating my configuration some place to add in my new external host IP addreses, but I’m at a lost of to where to look any further. I’ve also rebooted the server each time I’ve made configuration changes just make sure they were updating. So there must be some place else that I can tell it to allow the connection.

I'm glad you've fixed this. This is a well known problem with these firewalls and comments all over the internet and even some in these forums.

I don't know if you manage the firewall or someone else has made changes to it but this is most likely the problem you're seeing: https://social.technet.microsoft.com/Fo ... ginglegacy

[marly]

I was getting exactly what was explained in the article that you posted and that was the first thing I went to disable when I started having the problem. I’ve known about that issue with PIXs for many, many years. When I disabled it I telneted in and was able to do a telnet to test SMTP communication. Everything looked good until the last part when I hit the “.” to end the message and it said please try again later, so I thought it was the Zimbra server, because I disabled it on the pix.

Only after I changed the inbound SMTP port did it start working again. What tipped me off to that it’s being filtered was that I setup a redirect on my Linux box to take anything coming in and make it think like it’s coming from 127.0.0.1, which should allow anything to go through and it still reported back with “please try again later”. So I thought, it *HAS* to be filtered some place.

My hope is, if anyone comes across this, try changing the SMTP port if you can and see if it works.