Mails stuck queued while trying to send using postfix

hello all
we need to send mail from a redhat 8.8 machine using postfix but the mails get stuck in the queue, here below the settings
smtp server : 192.168.117.16
port : 587
authentication user: ENTERDA\notification.rep
account: notification.rep@XXXXXX
password : P@ssw0rd

traffic between the redhat machine and the smtp server 192.168.117.16 on port 587 is allowed.

both the redhat machine and the smtp server are in the same domain enterda.local

any help please :slight_smile:
thanks

1 Like

Hey @ria Welcome to the forums!

If your mails are getting stuck in the Postfix queue on RHEL 8.8 when trying to send via an internal SMTP relay (192.168.117.16:587), and the network connection is good, the issue is likely authentication or TLS-related.

Confirm your config:

Make sure these are in /etc/postfix/main.cf:

relayhost = [192.168.117.16]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

The sasl_passwd file should have:

[192.168.117.16]:587 ENTERDA\\notification.rep:P@ssw0rd

Then run:

postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd*
chmod 600 /etc/postfix/sasl_passwd*

Check logs:

journalctl -xe | grep postfix
tail -f /var/log/maillog

Look for TLS handshake issues or auth errors there.

Test manually with openssl:

openssl s_client -connect 192.168.117.16:587 -starttls smtp

If you have smtp_tls_security_level = may, try changing it to encrypt.

Let us know what you see in the logs or from the openssl test.

Hello @ria thanks for your request, we are here to help!
Another thing you can try is to take a look at the logs, they should be located in /var/log/mail or /var/log/maillog
let us know if you find something suspicious :smiley:

1 Like

Hi @hydn and @ricky89
Thank you so much for your answers <3
in the redhat machine, i could not find /var/log/maillog , the only logs i found are with
```
journalctl -xe | grep postfix
```

2 Likes

Hey, no problem. RHEL 8.8 now just uses journalctl directly. You can still check the Postfix logs.

Try running this command to get the last 100 log lines for Postfix:

journalctl -u postfix -n 100 --no-pager

If you want to watch logs live while trying to send an email again, you can do:

journalctl -u postfix -f

That way, you’ll see exactly what’s happening when Postfix tries to connect and send.

What you want to look for are errors like:

  • authentication failures (for example “SASL authentication failed”)
  • connection timeouts
  • TLS handshake issues
  • “relay access denied” errors
  • or any “deferred” messages about mail being stuck

You can also check what’s sitting in the queue right now with:

postqueue -p

If you want to clear the queue to start fresh, you can do:

postsuper -d ALL

Hello <3
Thank you for your efforts and help

i have tried again with other redhat machine which has /var/log/maillog but the issue persists

here attached the logs from maillog and my /etc/postfix/main.cf (main) and also my /etc/postfix/sasl_passwd (sasl_passwd)

tail -f /var/log/maillog

Apr 29 11:40:33 netbackup-scanner postfix/qmgr[235112]: D73DEB8: [email protected], size=705, nrcpt=1 (queue active)
Apr 29 11:40:33 netbackup-scanner postfix/smtpd[235168]: disconnect from localhost.localdomain[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 29 11:40:33 netbackup-scanner postfix/smtp[235173]: warning: 192.168.117.16[192.168.117.16]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'
Apr 29 11:40:39 netbackup-scanner postfix/smtp[235173]: D73DEB8: to=operator@xxxxxx, relay=192.168.117.16[192.168.117.16]:587, delay=5.1, delays=0.06/0.03/0.03/5, dsn=5.7.57, status=bounced (host 192.168.117.16[192.168.117.16] said: 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM (in reply to MAIL FROM command))
Apr 29 11:40:39 netbackup-scanner postfix/cleanup[235172]: 0A26E103: [email protected]
Apr 29 11:40:39 netbackup-scanner postfix/bounce[235174]: D73DEB8: sender non-delivery notification: 0A26E103
Apr 29 11:40:39 netbackup-scanner postfix/qmgr[235112]: 0A26E103: from=<>, size=2994, nrcpt=1 (queue active)
Apr 29 11:40:39 netbackup-scanner postfix/qmgr[235112]: D73DEB8: removed
Apr 29 11:40:39 netbackup-scanner postfix/local[235175]: 0A26E103: [email protected], relay=local, delay=0.02, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 29 11:40:39 netbackup-scanner postfix/qmgr[235112]: 0A26E103: removed
Apr 29 11:43:43 netbackup-scanner sendmail[235182]: 53TAhhkh235182: from=root, size=183, class=0, nrcpts=1, [email protected], relay=root@localhost
Apr 29 11:43:44 netbackup-scanner postfix/smtpd[235183]: connect from localhost.localdomain[127.0.0.1]
Apr 29 11:43:44 netbackup-scanner sendmail[235182]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 29 11:43:44 netbackup-scanner postfix/smtpd[235183]: 0EC12B0: client=localhost.localdomain[127.0.0.1]
Apr 29 11:43:44 netbackup-scanner postfix/cleanup[235186]: 0EC12B0: message-id=202504291043.53TAhhkh235182@netbackup-scanner.localdomain
Apr 29 11:43:44 netbackup-scanner sendmail[235182]: 53TAhhkh235182: to=operator@xxxxx, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30183, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 0EC12B0)
Apr 29 11:43:44 netbackup-scanner postfix/qmgr[235112]: 0EC12B0: [email protected], size=738, nrcpt=1 (queue active)
Apr 29 11:43:44 netbackup-scanner postfix/smtpd[235183]: disconnect from localhost.localdomain[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 29 11:43:44 netbackup-scanner postfix/smtp[235187]: warning: 192.168.117.16[192.168.117.16]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'
Apr 29 11:43:49 netbackup-scanner postfix/smtp[235187]: 0EC12B0: to=operator@xxxxxx, relay=192.168.117.16[192.168.117.16]:587, delay=5.1, delays=0.06/0.03/0.02/5, dsn=5.7.57, status=bounced (host 192.168.117.16[192.168.117.16] said: 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM (in reply to MAIL FROM command))
Apr 29 11:43:49 netbackup-scanner postfix/cleanup[235186]: 344BAB4: [email protected]
Apr 29 11:43:49 netbackup-scanner postfix/bounce[235188]: 0EC12B0: sender non-delivery notification: 344BAB4
Apr 29 11:43:49 netbackup-scanner postfix/qmgr[235112]: 344BAB4: from=<>, size=3058, nrcpt=1 (queue active)
Apr 29 11:43:49 netbackup-scanner postfix/qmgr[235112]: 0EC12B0: removed
Apr 29 11:43:49 netbackup-scanner postfix/local[235189]: 344BAB4: [email protected], relay=local, delay=0.02, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 29 11:43:49 netbackup-scanner postfix/qmgr[235112]: 344BAB4: removed

Thanks in advance :blush:

1 Like

i forgot to share also the /etc/postfix/main.cf

  1. /etc/postfix/main.cf (i have removed all lines starting with #)

debug_peer_level = 2

debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix/samples

readme_directory = /usr/share/doc/postfix/README_FILES

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem

smtpd_tls_key_file = /etc/pki/tls/private/postfix.key

smtpd_tls_security_level = may

smtp_tls_CApath = /etc/pki/tls/certs

relayhost = [192.168.117.16]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

  2. /etc/postfix/sasl_passwd is as you mentioned

1 Like

Hey, thanks for sharing all the details, that helps a lot.

The issue is on the SMTP server side (192.168.117.16). It’s only offering GSSAPI and NTLM for authentication. Looking at the logs you posted, the important part is this:

warning: 192.168.117.16[192.168.117.16]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'

and

530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

You need to enable Basic Authentication on the SMTP server for port 587. Without that, Postfix can’t authenticate and the mails will bounce.

If it’s Exchange, it’s usually a setting under the Receive Connector properties. Once that’s fixed, your current Postfix config should work fine.

It’s a Microsoft-based mail system behind that IP. The username format: ENTERDA\notification.rep — that backslash style (DOMAIN\username) is typical for Active Directory and Windows environments.
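
The log checks suggested in the replies above (authentication failures, timeouts, TLS problems, relay denials) and the mechanism mismatch diagnosed in this post can be triaged with a short script. This is an added example, not code from any poster in the thread: the sample lines are constructed from the log excerpt above, the function names are hypothetical, the patterns other than the two seen in that excerpt are assumptions about typical Postfix wording, and the filter handling covers only plain mechanism names.

```python
import re

# Constructed sample, modelled on the maillog excerpt posted in this thread.
SAMPLE = """\
Apr 29 11:40:33 host postfix/smtp[1]: warning: 192.168.117.16[192.168.117.16]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'
Apr 29 11:40:39 host postfix/smtp[1]: D73DEB8: to=<op@example.test>, relay=192.168.117.16[192.168.117.16]:587, dsn=5.7.57, status=bounced (host 192.168.117.16[192.168.117.16] said: 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM (in reply to MAIL FROM command))
Apr 29 11:41:02 host postfix/smtp[2]: A1B2C3D: to=<op@example.test>, relay=none, dsn=4.4.1, status=deferred (connect to 192.168.117.16[192.168.117.16]:587: Connection timed out)
Apr 29 11:41:02 host postfix/qmgr[3]: A1B2C3D: removed
"""

# Ordered (category, pattern) rules for the failure types listed in the thread.
RULES = [
    ("auth_mechanism_mismatch", re.compile(r"offered no supported AUTH mechanisms: '([^']*)'")),
    ("sasl_auth_failed", re.compile(r"SASL authentication failed")),
    ("rejected_unauthenticated", re.compile(r"said: 530 5\.7\.\d+ ")),
    ("relay_denied", re.compile(r"Relay access denied", re.I)),
    ("tls_failure", re.compile(r"Cannot start TLS|SSL_connect error")),
    ("connect_timeout", re.compile(r"Connection timed out|timed out while")),
]

def usable_mechanisms(offered, mechanism_filter):
    """Mechanisms left after a plain-name smtp_sasl_mechanism_filter.
    Simplification: only comma/space separated names are handled, and an
    empty filter means no restriction."""
    allowed = {m.lower() for m in re.split(r"[,\s]+", mechanism_filter) if m}
    return [m for m in offered if not allowed or m.lower() in allowed]

def triage(log_text, mechanism_filter="login"):
    """Return one finding per Postfix SMTP client line that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        if "postfix/smtp[" not in line:
            continue  # only the outbound SMTP client is of interest here
        for category, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            finding = {"category": category, "line": line}
            if category == "auth_mechanism_mismatch":
                offered = match.group(1).split()
                finding["offered"] = offered
                finding["usable"] = usable_mechanisms(offered, mechanism_filter)
            findings.append(finding)
            break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["category"], f.get("offered", ""), f.get("usable", ""))
```

An empty `usable` list is the condition behind the "offered no supported AUTH mechanisms" warning: nothing the server advertises survives the client's mechanism filter.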

Thank you so much for the help.

I will check with windows team for the exchange configuration and give feedback here

1 Like

Hi again :))
Windows team say that the basic authentication on the SMTP server is already enabled, and they could not disable the authentication.
@hydn , i think the issue is with the AUTH mechanisms: ‘GSSAPI NTLM’.
is there another way to avoid this, maybe to use another tool in redhat than postfix, or how to avoid this problem by using postfix?
do you have any solution for this :frowning:
Thank you a lot for your efforts

No, should never do that. Surprised that would even come up in conversation.

Alternatives, try Exim.

Compare based on your needs here: