Ingress-connection issues with some remote mailservers

Mar 31, 2026
We've recently switched from our old mail-gateway to PMG 9.0.6 and I noticed in the syslog that there are a few entries where remote mailservers seem to successfully connect to PMG and instantly disconnect again. The syslog always contains 4 lines for every connection attempt of this kind:

Code:
Apr 09 12:55:18 pmg postfix/postscreen[57708]: CONNECT from [a.b.c.d]:52688 to [x.y.z.v]:25
Apr 09 12:55:18 pmg postfix/postscreen[57708]: PASS OLD [a.b.c.d]:52688
Apr 09 12:55:18 pmg postfix/smtpd[57711]: connect from hostname.your-server.de[a.b.c.d]
Apr 09 12:55:18 pmg postfix/smtpd[57711]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2

where
a.b.c.d is the ip of the remote mailserver hostname.your-server.de
x.y.z.v is the private ip of PMG in our internal network
(I rendered the log-entries anonymous to protect privacy but provide an illustration at the end of my post that hopefully clarifies the situation. Apologies for the inconvenience.)

I tracked down one of these instances to someone we correspond with and emails we send are actually received. The corresponding syslogs are like so:

Code:
Apr 08 13:58:09 pmg postfix/smtpd[246891]: connect from unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/smtpd[246891]: 654E921374: client=unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/cleanup[246894]: 654E921374: message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/smtpd[246891]: disconnect from unknown[p.q.r.s] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 654E921374: from=<someone@ourdomain.at>, size=14082, nrcpt=1 (queue active)
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2026/04/08-13:58:09 CONNECT TCP Peer: "[127.0.0.1]:34898" Local: "[127.0.0.1]:10023"
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: new mail message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/smtpd[246899]: connect from localhost.localdomain[127.0.0.1]
Apr 08 13:58:09 pmg postfix/smtpd[246899]: 820192167D: client=localhost.localdomain[127.0.0.1], orig_client=unknown[p.q.r.s]
Apr 08 13:58:09 pmg postfix/cleanup[246894]: 820192167D: message-id=<kcEE.PfsjA3/DRV+bo4tD+gVVng.gF6e907H3AE@internal>
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 820192167D: from=<someone@ourdomain.at>, size=14292, nrcpt=1 (queue active)
Apr 08 13:58:09 pmg postfix/smtpd[246899]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: accept mail to <user@somedomain.at> (820192167D) (rule: default-accept)
Apr 08 13:58:09 pmg pmg-smtp-filter[245372]: 2167869D642D1741CF: processing time: 0.1 seconds (0, 0.033, 0)
Apr 08 13:58:09 pmg postfix/lmtp[246895]: 654E921374: to=<user@somedomain.at>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.17, delays=0.01/0.01/0.04/0.1, dsn=2.5.0, status=sent (250 2.5.0 OK (2167869D642D1741CF))
Apr 08 13:58:09 pmg postfix/qmgr[226611]: 654E921374: removed
Apr 08 13:58:18 pmg postfix/smtp[246900]: 820192167D: to=<user@somedomain.at>, relay=hostname.your-server.de[a.b.c.d]:25, delay=9.2, delays=0.04/0.01/3.3/5.9, dsn=2.0.0, status=sent (250 OK id=1wARY1-000HF5-3B)
Apr 08 13:58:18 pmg postfix/qmgr[226611]: 820192167D: removed

Where p.q.r.s is the private ip of our internal mailserver.

At first I thought putting a.b.c.d and somedomain.at on the welcomelists:
Mail Filter -> Who Objects -> Welcomelist
Configuration -> Mail Proxy -> Welcomelist

would remedy the situation. But this only changed the syslog entry from postfix/postscreen: PASS OLD to postfix/postscreen: ALLOWLISTED:

Code:
Apr 09 13:22:47 pmg postfix/postscreen[58786]: CONNECT from [a.b.c.d]:58160 to [x.y.z.v]:25
Apr 09 13:22:47 pmg postfix/postscreen[58786]: ALLOWLISTED [a.b.c.d]:58160
Apr 09 13:22:47 pmg postfix/smtpd[58787]: connect from hostname.your-server.de[a.b.c.d]
Apr 09 13:22:47 pmg postfix/smtpd[58787]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2

If I read the logs correctly hostname.your-server.de connects to PMG and tries to initiate esmtp protocol by sending an ehlo command and then immediately sends a quit command. How can I go about debugging this problem?

With our previous mail gateway (trendmicro imsva) sending/receiving these mails worked flawlessly, so I have to assume that something is not right with my PMG configuration.

Additional information:
The mx record of somedomain.at is:
Bash:
me@mylaptop:~$ dig +short mx somedomain.at
10 hostname.your-server.de.

Where both names resolve to the same ip:
Bash:
me@mylaptop:~$ dig +short somedomain.at
a.b.c.d
me@mylaptop:~$ dig +short hostname.your-server.de
a.b.c.d

And hostname.your-server.de is hosted at Hetzner and I don't have access to that server.

Here's an illustration of the situation:
pmg.jpg
 
How can I go about debugging this problem?
Hi, @t.a.s

https://www.postfix.org/DEBUG_README.html#debug_peer

Verbose logging for specific SMTP connections

In /etc/postfix/main.cf, list the remote site name or address in the debug_peer_list parameter. For example, in order to make the software log a lot of information to the syslog daemon for connections from or to the loopback interface:

/etc/postfix/main.cf:
debug_peer_list = 127.0.0.1

You can specify one or more hosts, domains, addresses or net/masks. To make the change effective immediately, execute the command "postfix reload".


Record the SMTP session with a network sniffer

This example uses tcpdump. In order to record a conversation you need to specify a large enough buffer with the "-s" option or else you will miss some or all of the packet payload.

# tcpdump -w /file/name -s 0 host example.com and port 25

Older tcpdump versions don't support "-s 0"; in that case, use "-s 2000" instead.

Run this for a while, stop with Ctrl-C when done. To view the data use a binary viewer, ethereal, or good old less.
---------------------------------------------------------------------------------------------

https://www.postfix.org/postconf.5.html#debug_peer_list

debug_peer_list (default: empty)
Optional list of nexthop destination, remote client or server name or network address patterns that, if matched, cause the verbose logging level to increase by the amount specified in $debug_peer_level.

Per-nexthop debug logging is available in Postfix 3.6 and later.

Specify domain names, network/netmask patterns, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups is ignored. An IPv6 address must be enclosed in [].

Pattern matching of domain names is controlled by the presence or absence of "debug_peer_list" in the parent_domain_matches_subdomains parameter value.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = example.com
 
Reactions: t.a.s
Hi @Onslow, thanks for your answer and apologies for the long time before my reply.

I added debug_peer_list = a.b.c.d to my main.cf and issued a postfix reload command. Then I managed to reach the remote user who kindly sent a test email. Here's the corresponding syslog snippet:

Code:
Apr 13 16:36:06 pmg postfix/postscreen[36661]: CONNECT from [a.b.c.d]:60598 to [x.y.z.v]:25
Apr 13 16:36:06 pmg postfix/postscreen[36661]: ALLOWLISTED [a.b.c.d]:60598
Apr 13 16:36:06 pmg postfix/smtpd[36662]: connect from hostname.your-server.de[a.b.c.d]
Apr 13 16:36:06 pmg postfix/smtpd[36662]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostname: smtpd_client_event_limit_exceptions: hostname.your-server.de ~? 127.0.0.0/8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostaddr: smtpd_client_event_limit_exceptions: a.b.c.d ~? 127.0.0.0/8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostname: smtpd_client_event_limit_exceptions: hostname.your-server.de ~? x.y.z.v
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostaddr: smtpd_client_event_limit_exceptions: a.b.c.d ~? x.y.z.v
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: hostname.your-server.de: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: a.b.c.d: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: send attr request = connect
Apr 13 16:36:06 pmg postfix/smtpd[36662]: send attr ident = smtpd:a.b.c.d
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: status
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: status
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute value: 0
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: count
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: count
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute value: 1
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: rate
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: rate
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute value: 1
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: (list terminator)
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: (end)
Apr 13 16:36:06 pmg postfix/smtpd[36662]: name_mask: silent-discard
Apr 13 16:36:06 pmg postfix/smtpd[36662]: name_mask: dsn
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 220 pmg.ourdomain.at ESMTP Proxmox
Apr 13 16:36:06 pmg postfix/smtpd[36662]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
Apr 13 16:36:06 pmg postfix/smtpd[36662]: watchdog_pat: 0x5cdc990f2d30
Apr 13 16:36:06 pmg postfix/smtpd[36662]: < hostname.your-server.de[a.b.c.d]: EHLO hostname.your-server.de
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: hostname.your-server.de: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: a.b.c.d: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-pmg.ourdomain.at
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-PIPELINING
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-SIZE 31457280
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-VRFY
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-ETRN
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-ENHANCEDSTATUSCODES
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-8BITMIME
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-SMTPUTF8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250 CHUNKING
Apr 13 16:36:06 pmg postfix/smtpd[36662]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
Apr 13 16:36:06 pmg postfix/smtpd[36662]: watchdog_pat: 0x5cdc990f2d30
Apr 13 16:36:06 pmg postfix/smtpd[36662]: < hostname.your-server.de[a.b.c.d]: QUIT
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 221 2.0.0 Bye
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostname: smtpd_client_event_limit_exceptions: hostname.your-server.de ~? 127.0.0.0/8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostaddr: smtpd_client_event_limit_exceptions: a.b.c.d ~? 127.0.0.0/8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostname: smtpd_client_event_limit_exceptions: hostname.your-server.de ~? x.y.z.v
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_hostaddr: smtpd_client_event_limit_exceptions: a.b.c.d ~? x.y.z.v
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: hostname.your-server.de: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: match_list_match: a.b.c.d: no match
Apr 13 16:36:06 pmg postfix/smtpd[36662]: send attr request = disconnect
Apr 13 16:36:06 pmg postfix/smtpd[36662]: send attr ident = smtpd:a.b.c.d
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: status
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: status
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute value: 0
Apr 13 16:36:06 pmg postfix/smtpd[36662]: private/anvil: wanted attribute: (list terminator)
Apr 13 16:36:06 pmg postfix/smtpd[36662]: input attribute name: (end)
Apr 13 16:36:06 pmg postfix/smtpd[36662]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2
Apr 13 16:36:06 pmg postfix/smtpd[36662]: name_mask: no_address_mappings

I've also received the error-mail the remote user has got from their mailserver (the dates don't match with those in the syslog snippet I've posted because this was their mailserver's response to the first mail they tried to send):

From: Mail Delivery System <Mailer-Daemon@hostname.your-server.de>
Date: 10 April 2026 at 06:40:18 CEST
To: user@somedomain.at
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

someone@ourdomain.at
all hosts for 'ourdomain.at' have been failing for a long time (and retry time not reached)

----------------------------------------------------------------------------------------------
Return-path:
Received: from sslproxy05.your-server.de ([78.46.172.2]) by hostname.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from ) id 1wAgy5-0009mD-0S for someone@ourdomain.at; Thu, 09 Apr 2026 06:26:13 +0200
Received: from localhost ([127.0.0.1]) by sslproxy05.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wAgy5-000Pwu-1S for someone@ourdomain.at; Thu, 09 Apr 2026 06:26:12 +0200
Content-Type: multipart/alternative; boundary=Apple-Mail-63BB1B0E-03E5-4947-ACF7-BB722732BB13
Content-Transfer-Encoding: 7bit
From: Firstname Lastname
Mime-Version: 1.0 (1.0)
Date: Thu, 9 Apr 2026 06:26:01 +0200
Subject: Fwd: Originalsubject
Message-Id: <4C3B67FF-F54C-4B2D-8227-67061B42D4F0@somedomain.at>
References:
To: "Recipient (at our place)"
X-Mailer: iPhone Mail (23D127)
X-Authenticated-Sender: firstname.lastname@somedomain.at
X-Virus-Scanned: Clear (ClamAV 1.4.3/27965/Wed Apr 8 08:24:37 2026)
X-Exim-DSN-Information: Due to administrative limits only headers are returned


The mail also contained an attachment:

Reporting-MTA: dns; hostname.your-server.de

Action: failed
Final-Recipient: rfc822;someone@ourdomain.at
Status: 5.0.0


From the syslog it seems like something is not matching in the communication of the two servers but I'm having a hard time pinpointing the issue. Maybe you see the problem here and know how to solve it?
 
From the syslog it seems like something is not matching in the communication of the two servers
If you mean those "match_..." lines, I'm not convinced they are about non matching communication.
From what I understand (unless I'm wrong), I think those are about not matching any particular special cases or exceptions. Which is rather OK.

In the SMTP dialogue there are not any rejections nor errors.
Your server is greeting with 220, the connecting client is introducing itself correctly, your server is presenting the features it supports and the client is just quitting without a cause.

Maybe the culprit is sending Exim's configuration (see https://www.exim.org/exim-html-current/doc/html/spec_html/ch-retry_configuration.html) or something has changed in your firewall?... I have no other ideas at the moment :-(.
 
Reactions: t.a.s
Our firewall has not changed at all. I simply replaced the old mail-gateway by the new one (same ip). And almost all mailservers have no problem communicating with pmg except a few...
 
I see.
It could be interesting to see if all those problematic clients are Exim.
Of course there's no guarantee that those (sending) clients are themselves as well servers (do accept connections), but it won't hurt to try:
telnet ip.ad.dre.ss 25
and see the banner.
 
Our firewall has not changed at all. I simply replaced the old mail-gateway by the new one (same ip). And almost all mailservers have no problem communicating with pmg except a few...
did you restore a backup from your old gateway - or set it up freshly?

one guess based on the debug-output:
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-pmg.ourdomain.at
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-PIPELINING
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-SIZE 31457280
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-VRFY
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-ETRN
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-ENHANCEDSTATUSCODES
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-8BITMIME
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-SMTPUTF8
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250 CHUNKING
- your PMG does not seem to have TLS enabled - maybe the sending servers are configured to not send mails over the internet without TLS.

I'd try enabling TLS in the PMG GUI (and rebooting)

I hope this helps!
 
Reactions: Onslow and t.a.s
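
A log check for the pattern diagnosed in this thread, added here as an example (not code from any poster, from Proxmox or from Postfix): it flags smtpd sessions whose disconnect summary contains only EHLO and QUIT and, where debug_peer_list output exists for the session, reports whether STARTTLS was among the advertised EHLO keywords. The sample lines are constructed from the thread's anonymised excerpts, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the thread's anonymised syslog excerpts.
SAMPLE_LOG = """\
Apr 08 13:58:09 pmg postfix/smtpd[246891]: disconnect from unknown[p.q.r.s] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 09 12:55:18 pmg postfix/smtpd[57711]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-pmg.ourdomain.at
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250-PIPELINING
Apr 13 16:36:06 pmg postfix/smtpd[36662]: > hostname.your-server.de[a.b.c.d]: 250 CHUNKING
Apr 13 16:36:06 pmg postfix/smtpd[36662]: disconnect from hostname.your-server.de[a.b.c.d] ehlo=1 quit=1 commands=2
"""

DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+?)\[([^\]]+)\] (.+)$")
# Verbose (debug_peer_list) lines: "> client[ip]: 250-KEYWORD" is a reply sent by smtpd.
SENT_250 = re.compile(r"postfix/smtpd\[(\d+)\]: > \S+: 250[- ](\S+)")


def parse_counters(text):
    """'ehlo=1 mail=0/1 quit=1' -> {'ehlo': 1, 'mail': 0, 'quit': 1} (success count of 'ok/total')."""
    counters = {}
    for token in text.split():
        name, _, value = token.partition("=")
        ok = value.split("/")[0]
        if ok.isdigit():
            counters[name] = int(ok)
    return counters


def find_ehlo_quit_sessions(log_text):
    """Return sessions where the client sent nothing but EHLO and QUIT."""
    sent = {}       # smtpd pid -> 250 reply words seen for the session in progress
    findings = []
    for line in log_text.splitlines():
        m = SENT_250.search(line)
        if m:
            sent.setdefault(m.group(1), set()).add(m.group(2).upper())
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        pid, host, ip, summary = m.groups()
        keywords = sent.pop(pid, None)          # reset: smtpd pids serve several sessions
        commands = set(parse_counters(summary)) - {"commands"}
        if commands == {"ehlo", "quit"}:
            findings.append({
                "client": host,
                "ip": ip,
                # None = no debug output logged, so the EHLO reply is unknown
                "starttls_offered": None if keywords is None else "STARTTLS" in keywords,
            })
    return findings


if __name__ == "__main__":
    for finding in find_ehlo_quit_sessions(SAMPLE_LOG):
        print(finding)
```

A finding with starttls_offered set to False matches the situation in the debug output above: the remote client saw the EHLO reply without STARTTLS and quit.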
Hi @Stoiko Ivanov, thank you for your reply. You nailed it. Of course I was too dense to enable TLS and now that it's on, the mails go through in both directions... I'm facepalming real hard right now. I have a handful of other servers in my logs that showed the same behaviour, so I will exchange testmails with users from those sites in the next days before I mark the thread as solved.

Thank you again, you're my hero.
 
Reactions: Stoiko Ivanov