Can't send email to mail server


I have an email server running using postfix and dovecot. I am using for my mx record, and have different sites on and various other subdomains (using nginx to serve different services). I am able to send emails to my gmail, but I am unable to send emails from gmail to my mail server, and I don’t understand why. I generated the appropriate certifications for

Here is what my /etc/postfix/main.cf looks like:
myhostname =


Here is what my /etc/dovecot/dovecot.conf looks like:
ssl_cert = < /etc/letsencrypt/live/
ssl_key = < /etc/letsencrypt/live/

I have read through all of the posts similar to mine, and nothing worked so far. If anyone wants more information, I will gladly post it. Am I missing something?


if you included the real domain i could look at your server on port 25 to confirm/deny any of the below

mail should not ‘require’ ssl normally
its opportunistic ssl (starttls) on smtp port 25 if your server offers it as an option
ie if your server advertises tls is available, the connecting server will run the starttls command and upgrade the connection
but for it to work it has to always start the connection unencrypted to accept mail from public servers that will only work with standard servers that will expect the tls/ssl negotiation to work in this order

(later rules can decide to reject mail from certain domains if the connecting server did not switch to tls before sending the mail) but even this should only be for domains where you have verified their systems can/will upgrade to tls normally
but as a non postfix user i couldnt tell you the specific issue with your config
but recommend you follow one of the excellent guides for enabling postfix to offer tls online


Yeah, my domain is

Also, my smtp port is on 587, not 25. And imap is on 143. My setup is for STARTTLS



The ssl=required was for Dovecot, an IMAP daemon :wink:


Port 587 is for ‘submission’, i.e., what “your clients” use to send e-mail to the big wide world. Everything that comes from that big bad world and uses the MX-record of your domain to find your mailserver, uses port 25.


simply put if you dont listen for inbound smtp on port 25 google and everyone else cant send you mail

as its the only port used for server<>server smtp
and the only one pointed to by mx records

25 accepts from any > to local only (should offer tls not auth)
587 accepts from local (if authenticated) > any (should require tls, then after tls offer/require auth)

port 597 is for submission (smtp via submission port) and only used for client>smart-host-server connections (outbound from your desktop to your server)

my mistake on the dovecot (i said i dont know postfix) but what has a pop3/imap config got to do with inbound mail issues?
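An added example, not part of any post in this thread: a small Python check of the port roles described above (25 reachable and offering STARTTLS without AUTH; 587 offering STARTTLS with AUTH only after TLS). The function names `pre_tls_features` and `audit` are hypothetical, and the host name is supplied by the reader on the command line.

```python
import smtplib
import sys


def pre_tls_features(host, port, timeout=10):
    """Return the EHLO keywords advertised before any TLS upgrade,
    or None if the port cannot be reached or does not speak SMTP."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as session:
            session.ehlo()
            # smtplib stores advertised extensions as lower-case dict keys
            return {name.upper() for name in session.esmtp_features}
    except OSError:  # refused, filtered/timed out, or no valid SMTP greeting
        return None


def audit(port, features):
    """Compare one port's pre-TLS EHLO keywords with the role the thread
    describes for it. Returns a list of findings (empty means it matches)."""
    if features is None:
        if port == 25:
            return ["25: unreachable, so servers following the MX record "
                    "cannot deliver mail"]
        return [f"{port}: unreachable"]
    findings = []
    if "STARTTLS" not in features:
        findings.append(f"{port}: STARTTLS not offered")
    if "AUTH" in features:
        # On both ports AUTH should not appear until after the TLS upgrade
        findings.append(f"{port}: AUTH offered before TLS")
    return findings


if __name__ == "__main__":
    mx_host = sys.argv[1]  # assumption: reader passes their own MX host name
    for port in (25, 587):
        findings = audit(port, pre_tls_features(mx_host, port))
        for line in findings or [f"{port}: matches expected role"]:
            print(line)
```

Run it from a machine outside the mail server's own network, since a local connection does not show what remote senders see.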


Ah thanks for clearing up what port 25 is used for.

I used:
telnet 25

and I am able to make a successful connection. I think the issue lies in which ssl certs I am using. When I receive a mail in gmail, Google tells me “Gmail couldn’t actually verify that actually sent this message” I tried using the certification for instead, and restarted postfix/dovecot and I still get the same error.

Maybe I didn’t generate the certificates correctly? I generated them using “certonly --webroot”


I’d recommend using to test for other issues first.


I’d agree with @pfg I suspect this is related to SPF and DKIM rather than the SSL cert - see and


Using dkimvalidator, I got:

Message is NOT marked as spam
Points breakdown: 
0.0 HTML_MESSAGE           BODY: HTML included in message
0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

I set up DKIM and SPF, and the good news is that gmail no longer thinks I’m untrusted. However, I am still unable to send my server emails from gmail. Is this an SPF issue?


I am not:

─( 19:21:34 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ host -t MX mail is handled by 50
─( 19:21:36 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ nc 25
nc: unable to connect to address, service 25
─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─

And using nmap to see around:

─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─
admin@grenade $ nmap

Starting Nmap 6.47 ( ) at 2016-03-22 19:23 CET
Nmap scan report for (
Host is up (0.074s latency).
Not shown: 991 closed ports
22/tcp   open     ssh
80/tcp   open     http
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
587/tcp  open     submission
993/tcp  open     imaps
3000/tcp open     ppp
8081/tcp open     blackice-icecap

The port 25 is definitely not accessible from the internet.


Sending from gmail to your server isn’t an SPF issue, no.

This is as @nit also said - your server isn’t accepting connections on port 25

$ telnet 25
telnet: Unable to connect to remote host: Connection refused


Does anyone know how exactly is that accomplished on latest Postfix?


I am also getting a “connection refused” error:

$ openssl s_client -starttls smtp -connect
connect: Connection refused


You could add
smtpd_tls_received_header = yes
to the postfix/

which will add a header showing that TLS was used - and you can then use that to sieve / filter


That’s strange, when I do

netstat -plnt |grep :25

I get:

tcp        0      0    *               LISTEN      27865/master    
tcp6       0      0 :::25                   :::*                    LISTEN      27865/master

I can’t telnet to my server either.

Now I can’t seem to send or receive mail either. I changed

smtp unix   -    -    -   -   - smtp


smtp inet   n    -    n   -   - smtp

In /etc/postfix/


Is there a firewall running somewhere that might be blocking inbound port 25 traffic?


Perhaps your ISP blocks it? Many do.