The never-ending port 25 issue?

atwskris

New Member
Mar 5, 2025
I realize this must have been asked a thousand times, but so far from my google-fu I have not really gotten an answer about how to solve this or why I can't change it? Additionally, perhaps I am just misunderstanding the setup that should be in place.

We have multiple outgoing email servers that are sending to PMG:
Email Servers ( A,B,C ) -> PMG -> Hopefully the internet

The outgoing email servers are sending to PMG on port 26 internally and I can see the mail sitting in PMG.

The current configuration is:

Relaying Tab:
Relay Host: mx domain
Relay Port: 587
Relay Protocol: smtp
Disable MX Lookup: No
Smarthost: none

Ports
External: 587
Internal: 26

Transports:
mx domain 1 - internal IP - smtp - port 26 - Use MX: No

Trusted Network:
Internal IP of mx domain 1 server

TLS
Enable TLS: Yes
Logging: Yes
Add TLS received Header: Yes

No TLS Destination Policies

TLS Inbound Domains:
mx domain name 1

DKIM
Enable DKIM Signing: Yes
Selector: selector
Signing Domain Source: Envelope
Sign all outgoing Mail: Yes

Sign Domains:
mx domain 1

The error message while PMG is trying to send to the internet is:

mail-gateway-01 postfix/smtp[3082107]: B8F711ADA0: to=<email@domain.com>, relay=none, delay=23787, delays=23696/0.1/90/0, dsn=4.4.1, status=deferred (connect to xxxx-com.mail.protection.outlook.com[52.101.190.0]:25: Connection timed out)
  • The IP is pingable so the connection timeout does not seem to be the issue.
  • There are no FW rules blocking the outgoing connection.

So, am I missing the fact that I should have another mail server in front of PMG to act as the actual sending server? From what I understand PMG should be able to handle this role? Is it not possible to change the sending port from 25 to 587 for example? Which in my mind would make sense but it seems as though I am missing something.

Please let me know if you require more details!

Thanks!
Kris
 
Thanks for the reply. Not relaying through 365... it just happened that the email address I was testing with was a 365 account.
 
Ah, I misunderstood. Can you telnet to it though? Just because pings work doesn't mean port 25 isn't blocked. Around here AT&T Business blocks 25 outbound by default, for example.
 
Agreed, and port 25 really is the main issue at the moment. I would prefer to send using 587.
We cannot telnet to port 25 on that IP address (however, the IP address is for O365 servers).

However, through all of this I found a FW rule that was blocking it and not logging!
So, it appears to be working now. (... insert embarrassed eyeroll here ...)

Thanks for your replies!
K
 
Sometimes it helps to talk through it. ;)

Outgoing will be port 25 because that's the expected incoming port on the other end, unless you're using a Smart Host to relay, which is basically the KB I linked above.
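The deferral in the original post ("relay=none ... connect to host[ip]:25: Connection timed out") is the signature of an outbound port-25 filter that ping alone will not reveal, as the thread found. The following is an added example, not code from the thread or from Proxmox Mail Gateway, that parses Postfix smtp(8) delivery lines of that shape and separates port-25 connect timeouts from refusals and successful smarthost deliveries; the log lines are constructed samples modelled on the one in the post.

```python
import re

# Constructed sample lines modelled on the Postfix smtp(8) format quoted in the thread.
SAMPLE_LOG = """\
mail-gateway-01 postfix/smtp[3082107]: B8F711ADA0: to=<user@example.com>, relay=none, delay=23787, delays=23696/0.1/90/0, dsn=4.4.1, status=deferred (connect to mail.example.com[192.0.2.10]:25: Connection timed out)
mail-gateway-01 postfix/smtp[3082108]: C0FFEE0001: to=<user@example.org>, relay=smarthost.example.net[198.51.100.5]:587, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK queued)
mail-gateway-01 postfix/smtp[3082109]: DEADBEEF02: to=<user@example.com>, relay=none, delay=120, delays=100/0.1/20/0, dsn=4.4.1, status=deferred (connect to mail.example.com[192.0.2.10]:25: Connection refused)
"""

# Fields every smtp(8) delivery line carries: queue id, recipient, relay, DSN, status, reason.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+?), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# The connect-failure detail inside the reason: target host, IP, port and socket error.
CONNECT_RE = re.compile(r"connect to (?P<host>\S+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<err>.+)")


def parse_line(line):
    """Return a dict of the delivery fields, or None if the line is not a delivery record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CONNECT_RE.search(rec["reason"])
    if c:
        rec.update(c.groupdict())
        rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Map a parsed record to a short diagnosis label."""
    if rec["status"] == "sent":
        return "delivered"
    err = rec.get("err", "")
    if rec.get("port") == 25 and "timed out" in err:
        return "port25_timeout"   # SYN never answered: typical of an outbound port-25 filter
    if rec.get("port") == 25 and "refused" in err:
        return "port25_refused"   # host reachable, but nothing accepting on 25 (RST returned)
    return "other_deferral"


def summarize(log_text):
    """Count delivery lines per diagnosis label so a blocked port 25 stands out."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            label = classify(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts
```

A run of "port25_timeout" entries for a host that answers ping is the case from the thread: check the egress firewall rule set (including rules that do not log) before touching the PMG relay settings.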