Ingress-connection issues with some remote mailservers

Mar 31, 2026
We've recently switched from our old mail-gateway to PMG 9.0.6 and I noticed in the syslog that there are a few entries where remote mailservers seem to successfully connect to PMG and instantly disconnect again. The syslog always contains 4 lines for every connection attempt of this kind:

Code:
Apr 09 12:55:18 pmg postfix/postscreen[57708]: CONNECT from [a.b.c.d]:52688 to [x.y.z.v]:25
Apr 09 12:55:18 pmg postfix/postscreen[57708]: PASS OLD [a.b.c.d]:52688
Apr 09 12:55:18 pmg postfix/smtpd[57711]: connect from hostname.your-server.de[a.b.c.d]
Apr 09 12:55:18 pmg postfix/smtpd[57711]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2

where
a.b.c.d is the ip of the remote mailserver hostname.your-server.de
x.y.z.v is the private ip of PMG in our internal network
(I rendered the log-entries anonymous to protect privacy but provide an illustration at the end of my post that hopefully clarifies the situation. Apologies for the inconvenience.)

I tracked down one of these instances to someone we correspond with and emails we send are actually received. The corresponding syslogs are like so:

Code:
Apr 08 13:58:09 pmg postfix/smtpd[246891]: connect from unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/smtpd[246891]: 654E921374: client=unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/cleanup[246894]: 654E921374: message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/smtpd[246891]: disconnect from unknown[p.q.r.s] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 654E921374: from=<someone@ourdomain.at>, size=14082, nrcpt=1 (queue active)
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2026/04/08-13:58:09 CONNECT TCP Peer: "[127.0.0.1]:34898" Local: "[127.0.0.1]:10023"
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: new mail message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/smtpd[246899]: connect from localhost.localdomain[127.0.0.1]
Apr 08 13:58:09 pmg postfix/smtpd[246899]: 820192167D: client=localhost.localdomain[127.0.0.1], orig_client=unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/cleanup[246894]: 820192167D: message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 820192167D: from=<someone@ourdomain.at>, size=14292, nrcpt=1 (queue active)
Apr 08 13:58:09 pmg postfix/smtpd[246899]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: accept mail to <user@somedomain.at> (820192167D) (rule: default-accept)
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: processing time: 0.1 seconds (0, 0.033, 0)
Apr 08 13:58:09 pmg postfix/lmtp[246895]: 654E921374: to=<user@somedomain.at>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.17, delays=0.01/0.01/0.04/0.1, dsn=2.5.0, status=sent (250 2.5.0 OK (2167869D642D1741CF))
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 654E921374: removed
Apr 08 13:58:18 pmg postfix/smtp[246900]: 820192167D: to=<user@somedomain.at>, relay=hostname.your-server.de[a.b.c.d]:25, delay=9.2, delays=0.04/0.01/3.3/5.9, dsn=2.0.0, status=sent (250 OK id=1wARY1-000HF5-3B)
Apr 08 13:58:18 pmg postfix/qmgr[226611]: 820192167D: removed

Where p.q.r.s is the private ip of our internal mailserver.

At first I thought putting a.b.c.d and somedomain.at on the welcomelists:
Mail Filter -> Who Objects -> Welcomelist
Configuration -> Mail Proxy -> Welcomelist

would remedy the situation. But this only changed the syslog entry from postfix/postscreen: PASS OLD to postfix/postscreen: ALLOWLISTED:

Code:
Apr 09 13:22:47 pmg postfix/postscreen[58786]: CONNECT from [a.b.c.d]:58160 to [x.y.z.v]:25
Apr 09 13:22:47 pmg postfix/postscreen[58786]: ALLOWLISTED [a.b.c.d]:58160
Apr 09 13:22:47 pmg postfix/smtpd[58787]: connect from hostname.your-server.de[a.b.c.d]
Apr 09 13:22:47 pmg postfix/smtpd[58787]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2

If I read the logs correctly hostname.your-server.de connects to PMG and tries to initiate esmtp protocol by sending an ehlo command and then immediately sends a quit command. How can I go about debugging this problem?

With our previous mail gateway (trendmicro imsva) sending/receiving these mails worked flawlessly, so I have to assume that something is not right with my PMG configuration.

Additional information:
The mx record of somedomain.at is:
Bash:
me@mylaptop:~$ dig +short mx somedomain.at
10 hostname.your-server.de.

Where both names resolve to the same ip:
Bash:
me@mylaptop:~$ dig +short somedomain.at
a.b.c.d
me@mylaptop:~$ dig +short hostname.your-server.de
a.b.c.d

And hostname.your-server.de is hosted at Hetzner and I don't have access to that server.

Here's an illustration of the situation:
pmg.jpg
 
How can I go about debugging this problem?
Hi, @t.a.s

https://www.postfix.org/DEBUG_README.html#debug_peer

Verbose logging for specific SMTP connections

In /etc/postfix/main.cf, list the remote site name or address in the debug_peer_list parameter. For example, in order to make the software log a lot of information to the syslog daemon for connections from or to the loopback interface:

/etc/postfix/main.cf:
debug_peer_list = 127.0.0.1

You can specify one or more hosts, domains, addresses or net/masks. To make the change effective immediately, execute the command "postfix reload".


Record the SMTP session with a network sniffer

This example uses tcpdump. In order to record a conversation you need to specify a large enough buffer with the "-s" option or else you will miss some or all of the packet payload.

# tcpdump -w /file/name -s 0 host example.com and port 25

Older tcpdump versions don't support "-s 0"; in that case, use "-s 2000" instead.

Run this for a while, stop with Ctrl-C when done. To view the data use a binary viewer, ethereal, or good old less.
---------------------------------------------------------------------------------------------

https://www.postfix.org/postconf.5.html#debug_peer_list

debug_peer_list (default: empty)
Optional list of nexthop destination, remote client or server name or network address patterns that, if matched, cause the verbose logging level to increase by the amount specified in $debug_peer_level.

Per-nexthop debug logging is available in Postfix 3.6 and later.

Specify domain names, network/netmask patterns, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups is ignored. An IPv6 address must be enclosed in [].

Pattern matching of domain names is controlled by the presence or absence of "debug_peer_list" in the parent_domain_matches_subdomains parameter value.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = example.com
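
Added example (not part of either post, and not Postfix or PMG code): the smtpd "disconnect" counters already in the syslog can be summarised to show which peers end sessions without ever sending MAIL FROM and whether any command failed, which gives the candidates for debug_peer_list. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the thread; the addresses are
# documentation-range placeholders, not values from the posts.
SAMPLE_LOG = """\
Apr 09 12:55:18 pmg postfix/smtpd[57711]: connect from mx.example.net[192.0.2.10]
Apr 09 12:55:18 pmg postfix/smtpd[57711]: disconnect from mx.example.net[192.0.2.10] ehlo=1 quit=1 commands=2
Apr 09 13:01:02 pmg postfix/smtpd[57800]: disconnect from unknown[10.0.0.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 09 13:22:47 pmg postfix/smtpd[58787]: disconnect from mx.example.net[192.0.2.10] ehlo=1 quit=1 commands=2
Apr 09 13:30:00 pmg postfix/smtpd[58900]: disconnect from relay.example.org[198.51.100.7] ehlo=1 starttls=0/1 quit=1 commands=2/3
"""

# Postfix logs each counter as "ok" or "ok/total", e.g. starttls=0/1.
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?P<stats>(?: \S+=\d+(?:/\d+)?)+)"
)

def parse_disconnect(line):
    # Returns (host, ip, {command: (ok, total)}) or None for other log lines.
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for token in m.group("stats").split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        stats[name] = (int(ok), int(total or ok))
    return m.group("host"), m.group("ip"), stats

def no_mail_sessions(log_text):
    # Per-peer summary of sessions that ended with no accepted MAIL FROM.
    hits = defaultdict(lambda: {"host": None, "sessions": 0, "failed": set()})
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        host, ip, stats = parsed
        if stats.get("mail", (0, 0))[0] > 0:
            continue  # a mail transaction started; not the pattern in question
        hits[ip]["host"] = host
        hits[ip]["sessions"] += 1
        hits[ip]["failed"] |= {c for c, (ok, n) in stats.items()
                               if ok < n and c != "commands"}
    return dict(hits)

def debug_peer_list(hits):
    # main.cf line that enables verbose logging for the flagged peers only.
    return "debug_peer_list = " + ", ".join(sorted(hits))
```

An empty "failed" set, as in the ehlo=1 quit=1 sessions, means the peer left on its own after EHLO rather than after a rejected command.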