When a mail server stops accepting connections or mail flow becomes intermittent, the problem can come from many layers:
DNS, network, firewall, mail server software (Zimbra, Postfix), TLS certificates, or even system resources. This guide walks through practical, step-by-step troubleshooting techniques for Zimbra and Postfix connection issues, shows commands you can run immediately.
This blog gives you a detailed guide to troubleshoot similar issues.
If facing trouble in receiving mail from outside, you need to find out where the message is failing. While sending test message, you need to check the Log Files, in /var/log/zimbra.log, on your MTA server. You can use “tail” command to the logs on the server.
1) Initial checks to perform –
You need to check if can reach the TCP ports below –
As mail servers commonly use Ports
25 – Standard SMTP for sending emails
587 – SMTP Submission (used for sending mail securely)
465 – SMTPS (less common, secure SMTP)
143 / 993 – IMAP (143 is standard, 993 is secure)
110 / 995 – POP3 (110 is standard, 995 is secure)
From a remote host:
telnet: telnet mail.domain_name 25
nc: nc -vz mail.domain_name 25
openssl for TLS: openssl s_client -connect mail.domain:465 -crlf
Check whether local services are running:
– For Zimbra: sudo su – zimbra -c “zmcontrol status”
– For Postfix (standalone): systemctl status postfix
If you discover that a port is closed, there could be a few reasons behind it. One common cause is a firewall , either on the server or somewhere in the network , that’s blocking traffic to that port. Another possibility is packet filtering, like rules set up with iptables, firewalld, or even an upstream router, which may be stopping connections from getting through. Additionally, the service expected to handle traffic on that port, such as Zimbra or Postfix for mail-related ports, may not actually be running or listening on the interface.
In such cases, it’s important you need to verify whether the service is active on the server ,and service is properly bound to the correct IP address, and configured to accept incoming connections.
2) Check listening sockets and bound addresses
First, make sure your server is actually listening on the correct ports and addresses.
Use commands below to check :
#ss -tlnp | egrep ‘(:25|:465|:587|:993|:143)’
#netstat -tlnp | grep :25
If you notice that Postfix is only bound to localhost (127.0.0.1) but you want it to accept mail from outside, then take a look at the inet_interfaces setting in main.cf and update it accordingly.
3) Logs – We need to check these below logs paths on the server below for zimbra and postfix base service –
Zimbra: /var/log/zimbra.log
If your mail is delivered to the MTA, but not to the mailbox and if you are seeing below in the logs /var/log/zimbra.log
postfix/lmtp … deferred … connection refused
So as per the above error, there is no connection with port 7025 in order to perform the local mail transfer protocol for the delivery.
As this issue mostly cause with the host those are configured on private IP and those does not have public IP interface on the server,
so we can fix this issue by using native IP address lookup for lmtp instead of DNS.
– /opt/zimbra/log/mailbox.log
– /opt/zimbra/log/zmconfigd.log
– Postfix:
– /var/log/maillog
– /var/log/mail.log
You can look for connection attempts, TLS errors, and “lost connection” or “connection timed out”.
4) Firewall and network rules
– On the server:
– iptables -L -n -v
– firewall-cmd –list-all (CentOS/RHEL with firewalld)
– ufw status (For Ubuntu base OS )
– In cloud environments, we need to verify security groups / network ACLs allow inbound on ports 25, 587, 465 as needed
5) DNS and reverse DNS
– Many remote MTAs will reject or delay mail if rDNS is missing or mismatched.
– dig mx domainame
– dig +short PTR <public-ip>
You need to check and ensure the MX records point to the correct host and that that host’s A record and PTR resolve properly . If not need to add the rDNS on the server.
6) Certificates and TLS handshake problems
Expired or misconfigured certs will break SMTPS and submission with STARTTLS.
openssl s_client -starttls smtp -connect mail.domain:587 -showcerts
Look for “verify return code” and certificate chain problems in logs and openssl output.
7) Zimbra-specific checks
– zmcontrol status (run as zimbra user)
– zmlogger and mailboxd logs for exceptions
– Check /opt/zimbra/conf for any custom TLS settings
– If upgrades were done recently, verify Zimbra services were started and correct ports bound.
8) Postfix-specific checks
– postconf -n to see active configuration
– Check smtpd_bind_address / inet_interfaces settings
– postconf | egrep ‘myhostname|mydomain|inet_interfaces|smtpd_tls_cert_file’
– postfix check for configuration issues
– systemctl restart postfix or service postfix restart after changes.
9) SELinux
SELinux can block network bindings or file reads for certs: – getenforce
10) use below commands to perform the few checks
Run the following commands –
To check the listening ports
#ss -tlnp | egrep ‘(:25|:465|:587)’
In order for testing SMTP TLS handshake with openssl
#openssl s_client -starttls smtp -crlf -connect mail.domainame:587
Use below to check the Zimbra service status
#sudo su – zimbra -c “zmcontrol status”
11) Check for Disk Space
You need to check and make sure there is sufficient disk space is free on the server, as disk full can also lead the emails issues.
12) Common fixes based on findings
– Port blocked by firewall: open 25/587/465 and reload firewall.
– Service not listening externally: set inet_interfaces = all (Postfix) or adjust Zimbra bind settings and restart.
– TLS cert expired: replace certs and restart relevant daemons; for Zimbra use the zimbra certificate replacement process.
– DNS/PTR wrong: work with your DNS provider or cloud provider to correct A/MX/PTR.
– SELinux denials: create proper policy or set permissive temporarily for testing.
If you manage Zimbra or Postfix, you’ve probably seen situations where everything seems fine, yet mail just won’t move. However, our expert team can help you with this in a blink.
Partner with SupportPRO for 24/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.
