Error Medic

Postfix Mail Not Sending: How to Fix 'Connection timed out' and Relay Errors

Fix Postfix mail not sending errors. Step-by-step troubleshooting for connection timeouts, DNS issues, and relay access denied errors in Linux.

Last updated:
Last verified:
1,216 words
Key Takeaways
  • Check Postfix mail queue with mailq or postqueue -p to identify stuck messages.
  • Verify DNS resolution and MX records for the destination domain using dig.
  • Ensure outbound port 25 is open, as many cloud providers block it by default.
  • Examine /var/log/mail.log or /var/log/maillog for specific SMTP error codes.
Fix Approaches Compared
IssueDiagnostic CommandTypical FixDowntime Risk
Blocked Port 25telnet alt1.gmail-smtp-in.l.google.com 25Request port unblock or use Smart Host relay (SendGrid/Mailgun)Low
DNS Resolution Failuredig MX example.comFix /etc/resolv.conf or Postfix chroot DNS settingsLow
Relay Access Deniedgrep 'Relay access denied' /var/log/mail.logAdd IP to mynetworks or configure SASL authMedium
Untrusted TLS Certificateposttls-client ...Update CA certificates or adjust smtp_tls_security_levelLow

Understanding the Error: Postfix Mail Not Sending

When Postfix fails to send outbound email, the symptoms can range from messages quietly queuing up to immediate bouncebacks with cryptic SMTP error codes. Because email delivery relies on a complex chain of DNS lookups, network connectivity, authentication, and reputation checks, a failure at any point will stop mail flow.

Common error messages you might encounter in your logs include:

  • Connection timed out (Network or port 25 block)
  • Relay access denied (Configuration issue)
  • Host or domain name not found (DNS issue)
  • 554 5.7.1 Service unavailable; Client host [IP] blocked using... (Blacklist/Reputation)

Step 1: Diagnose the Mail Queue and Logs

The first step in any Postfix troubleshooting session is to check the mail queue and the mail logs.

Check the Queue

Run mailq or postqueue -p to see if messages are stuck. If the queue is full of deferred messages, you can view a specific message's details (including why it was deferred) using: postcat -q <Queue-ID>

Inspect the Logs

Postfix logs everything to /var/log/mail.log (Debian/Ubuntu) or /var/log/maillog (RHEL/CentOS). Use tail or grep to find the exact error. Look for status=deferred, status=bounced, or Connection timed out.

Step 2: Verify Network Connectivity (Port 25)

The most common reason for Postfix not sending mail on modern cloud infrastructure (AWS, DigitalOcean, Google Cloud, Linode) is that outbound port 25 is blocked by default to prevent spam.

Test connectivity to an external mail server (like Google's):

telnet alt1.gmail-smtp-in.l.google.com 25
# or using nc
nc -vz alt1.gmail-smtp-in.l.google.com 25

If this times out, your provider is blocking port 25. The Fix: You must either request your cloud provider to unblock port 25 (often requires a history of good billing and a justification) or configure Postfix to use a "Smart Host" (an SMTP relay service like SendGrid, Mailgun, Amazon SES, or your ISP's SMTP server) using a different port (typically 587).

To configure a Smart Host, add the following to /etc/postfix/main.cf:

relayhost = [smtp.sendgrid.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Step 3: Check DNS Resolution

Postfix must look up the MX (Mail Exchange) records of the recipient's domain to know where to deliver the email. If DNS resolution fails, mail will be deferred.

Error in log: Host or domain name not found. Name service error for name=example.com type=MX: Host not found, try again

Test DNS resolution from the server: dig +short MX example.com

If it fails, check your /etc/resolv.conf. Note that if Postfix is running in a chroot jail (common on Debian/Ubuntu), it might not be able to read /etc/resolv.conf. You may need to copy it into the chroot environment: cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf Then restart Postfix.

Step 4: Address "Relay Access Denied"

If you see 554 5.7.1 <user@example.com>: Relay access denied, it means Postfix received an email from a client, but it refuses to forward (relay) it to the destination because the client is not trusted.

The Fix:

  1. Check your mynetworks setting in /etc/postfix/main.cf. It defines which IP addresses are allowed to relay mail through this server without authentication. postconf mynetworks Ensure the IP of your web application or client is included.
  2. If clients are connecting from dynamic IPs, you must configure SMTP Authentication (SASL) so users can authenticate before sending.

Step 5: Reputation and Blacklists (SPF, DKIM, DMARC, rDNS)

If your mail leaves your server but is rejected by the recipient (e.g., Gmail, Outlook) with a 550 or 554 error regarding spam or policy, your server's reputation is the issue.

Error in log: 550-5.7.1 This message does not have authentication information or fails to pass authentication checks.

The Fix:

  1. Reverse DNS (PTR): Ensure the IP address of your mail server resolves back to its hostname. Use dig -x <Your-IP>.
  2. SPF (Sender Policy Framework): Add a TXT record to your domain's DNS explicitly authorizing your server's IP to send mail for your domain.
  3. DKIM (DomainKeys Identified Mail): Install and configure OpenDKIM to cryptographically sign outgoing emails.
  4. DMARC: Add a DMARC record to instruct receivers on how to handle mail that fails SPF or DKIM.
  5. Check Blacklists: Use tools like MXToolbox to check if your server's IP is on any DNSBLs (DNS Blacklists) like Spamhaus and request delisting if necessary.

Conclusion

Resolving "Postfix mail not sending" requires methodically tracing the path of the email from submission to delivery. By checking the queue, logs, network connectivity, DNS, and reputation records, you can quickly isolate and resolve the bottleneck.

Frequently Asked Questions

bash
# 1. Check the mail queue
postqueue -p

# 2. View details of a specific stuck message
postcat -q 1A2B3C4D5E

# 3. Check for obvious errors in the mail log
tail -n 50 /var/log/mail.log | grep status=

# 4. Test outbound port 25 connectivity
nc -vz alt1.gmail-smtp-in.l.google.com 25

# 5. Flush the queue (force retry)
postqueue -f
E

Error Medic Editorial

The Error Medic Editorial team consists of senior Site Reliability Engineers and Linux Systems Administrators with decades of experience maintaining high-availability infrastructure and diagnosing complex network and application failures.

Sources

Related Articles in Postfix

How to Fix 'Postfix Connection Refused' and Slow Delivery Issues
Resolving Postfix connection refused errors by checking port 25 bindings, firewall rules (iptables/ufw), and master.cf configurations for mail delivery.
How to Fix Postfix 'Connection Refused' (Port 25/587 Error)
Fix Postfix 'Connection Refused' errors quickly. Learn how to diagnose port 25/587 issues, firewall rules, master.cf misconfigurations, and resolve slow deliver
Postfix 'Connection Refused' Error: Complete Troubleshooting Guide
Fix Postfix 'connection refused' errors step by step: check service status, inet_interfaces, firewall rules, and port conflicts to restore mail delivery.

Explore More Linux Sysadmin Guides

Apache Crash & Not Working: Complete Troubleshooting Guide (Connection Refused, OOM, Core Dump)
Fix Apache crashes, connection refused errors, and OOM kills in minutes. Step-by-step diagnostic commands, MPM tuning, and core dump analysis included.
AWS Redis Connection Refused: Troubleshooting ECONNREFUSED and tcp 127.0.0.1:6379
Fix 'Redis connection refused' errors in AWS, Kubernetes, Laravel, and WSL. Learn how to diagnose binding issues, security groups, and network configurations.
Comprehensive Guide to Fixing Nginx 502 Bad Gateway, 504 Timeouts, and Core Crashes
Diagnose and resolve Nginx 502 Bad Gateway, 504 Timeouts, connection refused errors, out-of-memory crashes, and permission denied issues with this SRE guide.