All sent email being refused, stuck in que

Hi, all email via my server has suddenly refused and is stuck in the mailq:

2020-07-27 18:23:55 1k06qx-0004Sr-4S <= [email protected] ([]) [] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI=“[email protected] S=747 [email protected]
2020-07-27 18:23:56 1k06qx-0004Sr-4S [] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S [] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

2020-07-27 18:25:11 1k06sA-0004aQ-Vf <= [email protected] H=localhost ( [] P=esmtp S=504 [email protected]
2020-07-27 18:25:11 1k06sA-0004aQ-Vf == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ‘

I have check if in block lists and have found only positive,

This comes up as an ancestor issue with no obvious means to removal.

Should not that domains the server that do not show in this list also fail to send?

2020-07-27 18:31:41 1k06yT-0004k4-KS <= [email protected] ([]) [] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI=“” A=dovecot_plain:[email protected] S=650 [email protected]z
2020-07-27 18:31:41 1k06yT-0004k4-KS == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ‘

any pointers?


Just been having a look at one of my Russian test servers and it’s also struggling to email my own address. You gave me a light bulb moment - it won’t connect because I can’t set a rDNS/PTR yet with this specific hosting provider.

Poor pun?

When send email via console

echo “Test message from server” | mail -s “Test message from server” [email protected]

it works for receiving email domains on server, but not external emails such as gmail?


did you try to run a traceroute towards these yahoo IPs to see if you get blocked on the way already or if yahoo is rejecting your connection attempts because of other reasons?

piping some string into a mail command is not a reliable mail test in any way. rather try connecting to the destination mail server via telnet to see proper responses.

For gmail/hotmail, you need to get all your DNS records in order: rDNS, SPF, DKIM, DMARC
Then, maybe, just maybe the email will be accepted, unless you try to send via the muppets than run ATT, sbcglobal et al, group.

afaik @bubblecatcher server is with hetzner and has an rdns set, at least when I checked based on the domain names above.
that’s why I suggest to see if he even can make a connection to those IPs and especially port 25 etc.
I still think he is either blocked by his own firewall settings or maybe with those providers directly. for the latter however you normally get a proper 5.7.1 or something and not just connection refused…

1 Like

Thanks for reply

First off, all was working fine until recently so doubt it something i have done, possible an update?

Yes i did do traceroute and dig

traceroute to (, 30 hops max, 60 byte packets
1 ( 0.313 ms 0.482 ms 0.635 ms
2 * ( 1.537 ms ( 7.426 ms
3 ( 4.815 ms 4.952 ms ( 5.035 ms
4 ( 19.375 ms 18.834 ms 19.875 ms
5 ( 20.335 ms 19.933 ms 19.466 ms
6 ( 25.379 ms 27.604 ms 24.044 ms
7 ( 24.250 ms 25.258 ms 24.673 ms
8 ( 40.263 ms 39.991 ms 41.017 ms
9 ( 42.090 ms 41.365 ms ( 41.103 ms
10 ( 42.128 ms ( 41.887 ms ( 41.222 ms
11 ( 42.195 ms ( 41.109 ms ( 41.381 ms
12 ( 41.548 ms 40.999 ms 39.975 ms


; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39042
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; IN A

. 1052 IN SOA 2020072800 1800 900 604800 86400

;; Query time: 0 msec
;; WHEN: Tue Jul 28 11:34:16 BST 2020
;; MSG SIZE rcvd: 117

Note this is not just yahoo or gmail, but any other email that sending is tried too, including

How can my own firewill be blocking me when it is turned off?

I need to configure DMARC, all others should be fine.

Could it be that Hetzner has decided to block port 25? Just a thought.
As per @Falzo try a telnet 25 test.

Hetzner usualy doesnt block any ports :slight_smile:.

1 Like

tried telnet from my laptop.

telnet 25
Connected to
Escape character is ‘^]’.
EHLO Hello []
250-SIZE 52428800
250 HELP
Mail FROM:[email protected]
250 OK
RCPT TO:[email protected]
550 smtp auth required


you should try telnet not into your own server but from your server to e.g. yahoos mailserver, because you can’t send mails there :wink:

edit: maybe also post the output of iptables -nL and csf -t and ipset -L to see what else could be going on… you are not using selinux, right?



Output as requested.
iptables -nl output

csf -t
csf: There are no temporary IP entries

ipset -L
ipset: command not found

I tried dropping all csf denied ips

csf -df

still mail stuck in que.

telnet yahoo

telnet 25
Connected to
Escape character is ‘^]’.
220 ESMTP ready
Connection closed by foreign host.

many thanks

So, it closed the connection before you could send a formatted test email?

( )

i tried exim -qf`


2020-07-28 19:13:15 1k06sA-0004aQ-Vf [] Connection refused
2020-07-28 19:13:15 1k06sA-0004aQ-Vf == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

2020-07-28 19:13:20 1k0Kvb-0001TB-3c [] Connection refused
2020-07-28 19:13:21 1k0Kvb-0001TB-3c [] Connection refused
2020-07-28 19:13:21 1k0Kvb-0001TB-3c == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

Note although the main server IP is not on any blacklist, one other IP in server is listed, though looks like this is to do with mail/dns setup which i am looking into.


that iptables listing tells a story. do you even know, what half of the rules you put in there are doing?

I suggest for a simple test to change the policies of INPUT and OUTPUT chain to ACCEPT and try sending a mail. if it works, you know what you messed up.

btw. that’s what ipset is for, hashing large lists of IPs and subnets instead having them ressource-hogging inside iptables. and on top of that you (want to) use csf? paranoid much?

anyway, this is far off from what Hestia sets or does at all so in no way related.

as said before, if you want to find what causes your troubles start from scratch. iptables+fail2ban which comes with hestia works out of the box.
if you change that dramatically by running scripts that implement large blocklist in a questionable way and on top put in a second firewall appliance in parallel, I am afraid no one can help you.

TL;DR; YOU are blocking yourself from sending mails to the outside world with installing/running too much stuff that you can’t properly debug yourself. and it’s not related to hestia.



1 Like

^ You’d cringe if you saw my complete blocklist (ipset/CSF). :wink:
Typically 12 countries, nearly all the csf.blocklists plus AWS and now DO, on some servers. Plus, of course the idiots who broadcast/scan on the local networks.
Ain’t nothing to do with HestiaCP though. :crazy_face:

No worries, I do use ipset myself with a few selected blocklists.

However I don’t think iptables is the right place for weird rules trying to match uids or gids trying to control whos allowed to send out mail … just sayin’ :man_shrugging:t2:

1 Like