Mail server in LAN - connection timeout to SOME MXes

[maxxer]

Hi.
We replaced a pfSense installation with a freshly installed 22.1.8_1. The mailserver in LAN is unable to contact some remote MX, specifically Gmail / Outlook, but also some other minor providers.
The configuration is pretty simple, there are no LAN rules except the default ones allowing all traffic. No QoS  configured.

Weird enough, telnetting to these hosts work, but mail delivery won't. Can be something related to TLS connections?

The WAN has a 192.168.20.1 address, the modem is 192.168.20.2. Block of private and bogon networks is disabled. This was erroneously enabled, and while web navigation was fine we had another issue: ssh'ing outside from the server was working, but scp didn't. Now scp works, but email still won't get delivered.

What could be blocking these connections?
thanks

Code: [Select]

Jun  3 14:57:12 srv02 postfix/smtp[19722]: 79CA91E33BC3: to=<a.b@domain.it>, relay=mail.register.it[195.110.124.132]:25, delay=3428, delays=3282/0.21/1.2/145, dsn=4.4.2, status=deferred (lost connection with mail.register.it[195.110.124.132] while sending message body)
Jun  3 14:57:49 galasrv02 postfix/smtp[19683]: AA78E1E33CC9: conversation with ASPMX.L.GOOGLE.com[108.177.126.27] timed out while sending message body

EDIT: forgot to say the firewall is running in as a Proxmox VM, network driver virtio

[maxxer]

It looks like email with attachments (even >= 20KB) are impacted by the issue. Text only emails are delivered.

[defaultuserfoo]

It's probably not gona work unless you have a static IP and reverse DNS entries for the FQDN that resolves to that IP address.

[bartjsmit]

What is your spf record? Is your IP address in Spamhaus? https://check.spamhaus.org/

Can you only send purely on MX or does your provider operate a smarthost?

Bart...

[maxxer]

Thanks for the feedback but it's not a deliverability issue, we've been running a mailserver here for ages with no problems. The issue is with OPNsense upload performances, which unfortunately we weren't able to solve. We tried changing interface type to vmx3 or e1000 but we still had less than 0.5Mbps of upload. We switched to pfSense and now upload is 2.5MBps, which is in line with connection performance.

[franco]

Didn't someone say recently that enabling hardware offloading settings may be required for kvm on FreeBSD 13?

[maxxer]

Didn't someone say recently that enabling hardware offloading settings may be required for kvm on FreeBSD 13?

All the flags were enabled = feature disabled.

[franco]

try to disable flags to enable features is what I meant... Most importantly "Hardware CRC"


Cheers,
Franco