Packet capture to see what happens?

Brian

On 12/7/2025 9:28 PM, Viktor Dukhovni via Postfix-users wrote:
On Sun, Dec 07, 2025 at 03:16:28PM +0000, Linkcheck via Postfix-users wrote:

Some authoritative DNS servers have overly aggressive filters,
rate-limiting DNS queries from clients that at times block Google's
DNS from resolving the domain.  So it is possible that the DNS issue
is client-netblock-specific.
I have passed this to my hosting provider for comment. Thanks.
Given the bounce message extract, the problem is not DNS.  TCP
connections to the MX host on port 25 are failing.  Perhaps you've blocked
part of Google's IP space, see the "gmail.com" SPF records for the
current list of IPs.  And as mentioned by Randy, don't use iptables with
port 25 (perhaps partly as a result of fail2ban?)

smtpd_discard_ehlo_keywords = pipelining
This is not recommended.
I put this in a few years back on someone's recommendation. Now removed.

What about...
smtpd_forbid_unauth_pipelining = yes
That's not a problem.

This could be a bit too strict.
Possibly but it's worked for years. If gmail has upped its "security" is
there anything there that may affect things?
None of the rules matter until a TCP connection can be established.
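
Added example, not part of the thread or of Postfix: one way to act on the suggestion above to compare blocked addresses against the sender's SPF ranges. The SPF strings and ban entries are constructed samples using documentation address ranges; in practice the TXT strings would come from resolving the gmail.com SPF record and the records it references, and the ban list from your firewall or fail2ban.

```python
import ipaddress

# Constructed SPF TXT strings (documentation ranges, not Google's real data).
SAMPLE_SPF = [
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ip6:2001:db8:4000::/36 ~all",
    "v=spf1 include:_spf.example.net ip4:203.0.113.64/26 ?all",
]
# Constructed firewall / fail2ban ban entries (hypothetical).
SAMPLE_BANS = ["198.51.100.17", "203.0.113.0/24", "2001:db8:4abc::/48", "10.9.8.7"]


def spf_networks(txt_records):
    """Extract ip4:/ip6: mechanisms from SPF TXT strings as network objects.

    include:/redirect= terms are skipped here; they must be resolved
    separately and their TXT strings passed in as well.
    """
    nets = []
    for txt in txt_records:
        for term in txt.split()[1:]:        # skip the "v=spf1" version tag
            term = term.lstrip("+-~?")      # drop the optional qualifier
            kind, _, value = term.partition(":")
            if kind.lower() in ("ip4", "ip6") and value:
                nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def conflicting_bans(ban_entries, sender_nets):
    """Return (ban, spf_net) pairs where a ban overlaps a published sender range."""
    hits = []
    for entry in ban_entries:
        ban = ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
        for net in sender_nets:
            # Only compare like with like (IPv4 vs IPv4, IPv6 vs IPv6).
            if ban.version == net.version and ban.overlaps(net):
                hits.append((str(ban), str(net)))
    return hits


if __name__ == "__main__":
    for ban, net in conflicting_bans(SAMPLE_BANS, spf_networks(SAMPLE_SPF)):
        print(f"ban {ban} overlaps sender range {net}")
```

Any pair reported is a ban that would stop that sender's TCP connections before Postfix sees them.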
