
I've been searching for a couple of days now, if not weeks. Well, I tried to configure Postfix (which failed) with the purpose of sending mail without using external relay services like Gmail, and configuring a (local?) relay server which will be used over port 587.

Correct me if I'm wrong; this project is my first one becoming familiar with email-type servers.

Before any explanation: this environment will be configured for a production-type server. The configuration will also take place in a Docker image eventually, but I try to learn every step by building everything on multiple VMs (this one is in Hyper-V).

I followed this tutorial over the last few days and successfully completed the setup. Next, I created a client, a (website), and an email domain with a mailbox, which meant I could successfully log in at Roundcube. The issue arises when I try to send emails from Roundcube. I checked the log files and tried to reconfigure parts of Postfix (main.cf, master.cf and dpkg-reconfigure postfix, followed by service postfix restart of course).

Here are examples of my setup:

  • I've set an MX record in the domain DNS which has, as an example, the value "subdomain.domain.ext"
  • I followed the same hostname and/or /etc/hosts steps as the tutorial:

The following examples are according to the above MX value:

  • hostname (according to the example): subdomain
  • cat /etc/hosts:
127.0.0.1       localhost.localdomain   localhost
local_ip        subdomain.domain.ext    subdomain

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Postfix main.cf:

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = subdomain.domain.ext
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
#mydestination = subdomain.domain.ext, localhost, localhost.localdomain
mydestination = localhost, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = 
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Postfix master.cf:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o smtp_bind_address=


127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes


127.0.0.1:10027 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_send_xforward_command=yes
        -o milter_default_action=accept
        -o milter_macro_daemon_name=ORIGINATING
        -o disable_dns_lookups=yes

  • tail -f /var/log/mail.log:
postfix/smtpd[30136]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 20 08:40:50 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30156, secured, session=<1yIO0d6qMroAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:50 echo dovecot: imap(colin@domain.ext)<30156><1yIO0d6qMroAAAAAAAAAAAAAAAAAAAAB>: Logged out in=1128 out=1056 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:40:50 echo postfix/smtpd[30159]: connect from localhost.localdomain[127.0.0.1]
Jul 20 08:40:50 echo postfix/smtpd[30159]: C36A7E08A8: client=localhost.localdomain[127.0.0.1]
Jul 20 08:40:50 echo postfix/cleanup[30094]: C36A7E08A8: message-id=<c6552f40a3f0416d675b24ae6a8e99b5@domain.ext>
Jul 20 08:40:50 echo postfix/smtpd[30159]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 20 08:40:50 echo postfix/qmgr[27585]: C36A7E08A8: from=<colin@domain.ext>, size=1656, nrcpt=1 (queue active)
Jul 20 08:40:50 echo amavis[23070]: (23070-16) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [::1]:34068 <colin@domain.ext> -> <originaladdress@hidden.ext>, Queue-ID: 48F7EE089B, Message-ID: <c6552f40a3f0416d675b24ae6a8e99b5@domain.ext>, mail_id: ZkrJmYfgX0Jz, Hits: 0.213, size: 1191, queued_as: C36A7E08A8, 464 ms
Jul 20 08:40:50 echo postfix/smtp[30097]: 48F7EE089B: to=<originaladdress@hidden.ext>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.54, delays=0.07/0/0.01/0.46, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as C36A7E08A8)
Jul 20 08:40:50 echo postfix/qmgr[27585]: 48F7EE089B: removed
Jul 20 08:40:50 echo postfix/smtp[30141]: C36A7E08A8: to=<originaladdress@hidden.ext>, relay=mx.tb.mail.iss.as9143.net[212.54.42.8]:25, delay=0.14, delays=0.02/0/0.12/0, dsn=4.0.0, status=deferred (host mx.tb.mail.iss.as9143.net[212.54.42.8] refused to talk to me: 550 mx5.tb.mail.iss.as9143.net mx5.tb.mail.iss.as9143.net MXIN102 Your IP {HIDDEN_IP} is in RBL. Please see https://www.spamhaus.org/query/ip/{HIDDEN_IP}  ;id=xV6AjHSqSlfIA;sid=xV6AjHSqSlfIA;mta=mx5.tb;d=20200720;t=144050[CET];ipsrc={HIDDEN_IP};)
Jul 20 08:40:51 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30162, secured, session=<Z0UZ0d6qOroAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:51 echo dovecot: imap(colin@domain.ext)<30162><Z0UZ0d6qOroAAAAAAAAAAAAAAAAAAAAB>: Logged out in=70 out=654 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:40:51 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30165, secured, session=<WPIc0d6qPLoAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:51 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30166, secured, session=<KRId0d6qProAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:51 echo dovecot: imap(colin@domain.ext)<30166><KRId0d6qProAAAAAAAAAAAAAAAAAAAAB>: Logged out in=119 out=787 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:40:51 echo dovecot: imap(colin@domain.ext)<30165><WPIc0d6qPLoAAAAAAAAAAAAAAAAAAAAB>: Logged out in=317 out=6562 deleted=0 expunged=0 trashed=0 hdr_count=14 hdr_bytes=2388 body_count=0 body_bytes=0
Jul 20 08:40:52 echo postfix/qmgr[27585]: B9038E08FB: from=<colin@domain.ext>, size=1042, nrcpt=1 (queue active)
Jul 20 08:40:53 echo postfix/smtp[30141]: B9038E08FB: to=<originaladdress@hidden.ext>, relay=mx.tb.mail.iss.as9143.net[212.54.42.8]:25, delay=5170, delays=5170/0/0.16/0, dsn=4.0.0, status=deferred (host mx.tb.mail.iss.as9143.net[212.54.42.8] refused to talk to me: 550 mx2.tb.mail.iss.as9143.net mx2.tb.mail.iss.as9143.net MXIN102 Your IP {HIDDEN_IP} is in RBL. Please see https://www.spamhaus.org/query/ip/{HIDDEN_IP}  ;id=xV6DjCowJQsUv;sid=xV6DjCowJQsUv;mta=mx2.tb;d=20200720;t=144053[CET];ipsrc={HIDDEN_IP};)
Jul 20 08:40:54 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30168, secured, session=<B99J0d6qQroAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:54 echo dovecot: imap(colin@domain.ext)<30168><B99J0d6qQroAAAAAAAAAAAAAAAAAAAAB>: Logged out in=32 out=506 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:40:54 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30170, secured, session=<UgNL0d6qRLoAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:40:54 echo dovecot: imap(colin@domain.ext)<30170><UgNL0d6qRLoAAAAAAAAAAAAAAAAAAAAB>: Logged out in=44 out=613 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:41:15 echo postfix/smtpd[30136]: connect from localhost[::1]
Jul 20 08:41:15 echo postfix/smtpd[30136]: NOQUEUE: filter: RCPT from localhost[::1]: <colin@domain.ext>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<colin@domain.ext> to=<originaladdresshidden@gmail.com> proto=ESMTP helo=<_>
Jul 20 08:41:15 echo postfix/smtpd[30136]: 71BA4E08A3: client=localhost[::1], sasl_method=LOGIN, sasl_username=colin@domain.ext
Jul 20 08:41:15 echo postfix/cleanup[30094]: 71BA4E08A3: message-id=<7a8438b0a5859779009d2e9d74f9e91e@domain.ext>
Jul 20 08:41:15 echo postfix/qmgr[27585]: 71BA4E08A3: from=<colin@domain.ext>, size=595, nrcpt=1 (queue active)
Jul 20 08:41:15 echo postfix/smtpd[30136]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 20 08:41:15 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30187, secured, session=<zC2O0t6qSroAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:41:15 echo dovecot: imap(colin@domain.ext)<30187><zC2O0t6qSroAAAAAAAAAAAAAAAAAAAAB>: Logged out in=460 out=670 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:41:15 echo postfix/smtpd[30159]: connect from localhost.localdomain[127.0.0.1]
Jul 20 08:41:15 echo postfix/smtpd[30159]: AEDF6E08A2: client=localhost.localdomain[127.0.0.1]
Jul 20 08:41:15 echo postfix/cleanup[30094]: AEDF6E08A2: message-id=<7a8438b0a5859779009d2e9d74f9e91e@domain.ext>
Jul 20 08:41:15 echo postfix/smtpd[30159]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 20 08:41:15 echo postfix/qmgr[27585]: AEDF6E08A2: from=<colin@domain.ext>, size=1070, nrcpt=1 (queue active)
Jul 20 08:41:15 echo amavis[27021]: (27021-05) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [::1]:34094 <colin@domain.ext> -> <originaladdresshidden@gmail.com>, Queue-ID: 71BA4E08A3, Message-ID: <7a8438b0a5859779009d2e9d74f9e91e@domain.ext>, mail_id: yi2HrBVrV9H1, Hits: 0.213, size: 595, queued_as: AEDF6E08A2, 211 ms
Jul 20 08:41:15 echo postfix/smtp[30097]: 71BA4E08A3: to=<originaladdresshidden@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.07/0/0.01/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as AEDF6E08A2)
Jul 20 08:41:15 echo postfix/qmgr[27585]: 71BA4E08A3: removed
Jul 20 08:41:16 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30190, secured, session=<pjKZ0t6qULoAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:41:16 echo dovecot: imap(colin@domain.ext)<30190><pjKZ0t6qULoAAAAAAAAAAAAAAAAAAAAB>: Logged out in=70 out=654 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:41:16 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30193, secured, session=<wB6e0t6qUroAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:41:16 echo dovecot: imap-login: Login: user=<colin@domain.ext>, method=PLAIN, rip=::1, lip=::1, mpid=30194, secured, session=<u2ie0t6qVLoAAAAAAAAAAAAAAAAAAAAB>
Jul 20 08:41:16 echo dovecot: imap(colin@domain.ext)<30194><u2ie0t6qVLoAAAAAAAAAAAAAAAAAAAAB>: Logged out in=119 out=795 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 20 08:41:16 echo dovecot: imap(colin@domain.ext)<30193><wB6e0t6qUroAAAAAAAAAAAAAAAAAAAAB>: Logged out in=317 out=6982 deleted=0 expunged=0 trashed=0 hdr_count=15 hdr_bytes=2563 body_count=0 body_bytes=0
Jul 20 08:41:45 echo postfix/smtp[30141]: connect to gmail-smtp-in.l.google.com[74.125.143.27]:25: Connection timed out
Jul 20 08:41:45 echo postfix/smtp[30141]: connect to gmail-smtp-in.l.google.com[2a00:1450:4013:c04::1a]:25: Network is unreachable

However, I saw in this log that the email has been sent to the recipient successfully (not received at the external address), but why does it keep trying over port 25? My ISP blocked it and I wanted to force port 587 so that it will work in every environment, with multiple services/ISPs. Also, I see results like "Network is unreachable" and "Connection timed out" a lot for Gmail-based services; is this solved when it connects through the right port?

I can't receive any mail on this server with Dovecot either. Is there another way to fix this, since I couldn't find any error responses about why it is not working?

I've also got a diagnostic code from Roundcube about sending, if it makes sense:

smtp; 554 5.7.1 <unknown[192.168.1.1]>: Client host rejected:
    Access denied

It would be much appreciated if anybody could help me out with this.

Colin
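The log excerpt above mixes four different outcomes that are easy to confuse: a `status=sent` to 127.0.0.1:10026 (the message only reached amavis), a `status=deferred` caused by an RBL listing of the sending IP, `connect to ...:25` failures (port 25 blocked or unrouted), and the `554 5.7.1 Client host rejected` that Roundcube reported. The following Python script is an added example, not part of the question or of any tool named on this page; it classifies mail.log lines into those event kinds so each can be acted on separately. The sample lines are constructed with documentation addresses, the regexes are modelled on the Postfix log format shown above, and the advice strings are the editor's summary of the comments below.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines modelled on the entries in the question; hosts and IPs are
# documentation placeholders (example.*, 203.0.113.x, 198.51.100.x, 192.0.2.x), not real data.
SAMPLE_LOG = """\
Jul 20 08:40:50 echo postfix/smtp[30141]: C36A7E08A8: to=<user@example.net>, relay=mx.example.net[203.0.113.8]:25, delay=0.14, delays=0.02/0/0.12/0, dsn=4.0.0, status=deferred (host mx.example.net[203.0.113.8] refused to talk to me: 550 Your IP 198.51.100.5 is in RBL. Please see https://www.spamhaus.org/query/ip/198.51.100.5)
Jul 20 08:41:15 echo postfix/smtp[30097]: 71BA4E08A3: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.07/0/0.01/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AEDF6E08A2)
Jul 20 08:41:45 echo postfix/smtp[30141]: connect to mx.example.com[192.0.2.27]:25: Connection timed out
Jul 20 08:41:45 echo postfix/smtp[30141]: connect to mx.example.com[2001:db8::1a]:25: Network is unreachable
Jul 20 08:42:01 echo postfix/submission/smtpd[30200]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 5.7.1 <unknown[192.168.1.1]>: Client host rejected: Access denied; from=<user@example.org> to=<user@example.com> proto=ESMTP helo=<webmail>
"""

# Delivery attempt by the smtp(8) client: queue id, recipient, relay and final status.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>, relay=(?P<relay>[^,]+), "
    r".*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# TCP-level connection failure before any SMTP dialogue took place.
CONNECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<host>\S+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<err>.+)$"
)
# Our own smtpd(8) rejecting an inbound client at RCPT time.
REJECT_RE = re.compile(
    r"smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3} \d\.\d\.\d) "
    r"<[^>]*>: (?P<reason>[^;]+);"
)
RBL_HINT = re.compile(r"\bRBL\b|spamhaus|blocklist|blacklist", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)]+")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one mail.log line into an event dict, or None for lines we do not care about."""
    m = DELIVERY_RE.search(line)
    if m:
        relay, status, detail = m.group("relay"), m.group("status"), m.group("detail")
        if status == "deferred" and RBL_HINT.search(detail):
            kind = "listed_on_rbl"                 # reputation of the sending IP, not a config error
        elif status == "sent" and relay.startswith("127.0.0.1["):
            kind = "handed_to_content_filter"      # only reached amavis; real delivery is a later line
        else:
            kind = f"delivery_{status}"
        url = URL_RE.search(detail)
        return {"kind": kind, "queue_id": m.group("qid"), "to": m.group("to"),
                "relay": relay, "lookup_url": url.group(0) if url else ""}
    m = CONNECT_RE.search(line)
    if m:
        kind = "port25_unreachable" if m.group("port") == "25" else "connect_failed"
        return {"kind": kind, "host": m.group("host"), "ip": m.group("ip"), "error": m.group("err")}
    m = REJECT_RE.search(line)
    if m:
        kind = "client_rejected" if "Client host rejected" in m.group("reason") else "recipient_rejected"
        return {"kind": kind, "client": m.group("client"), "code": m.group("code"),
                "reason": m.group("reason")}
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse a whole log excerpt, keeping only recognised delivery/rejection events."""
    events = []
    for raw in log_text.splitlines():
        ev = parse_line(raw.strip())
        if ev:
            events.append(ev)
    return events


def summarize(events: List[Dict[str, str]]) -> Counter:
    return Counter(ev["kind"] for ev in events)


# What each event kind means for the operator (editor's summary of the discussion on this page).
ADVICE = {
    "listed_on_rbl": "Receiving MTA refused the sending IP by reputation: fix PTR/SPF, then request delisting via the lookup URL.",
    "port25_unreachable": "Outbound port 25 is blocked or unrouted; only the ISP/hoster can open it, a different port cannot be forced on remote MX hosts.",
    "client_rejected": "A client reached smtpd without SASL auth from outside mynetworks; configure the webmail client (Roundcube smtp_user/smtp_pass) to authenticate.",
    "handed_to_content_filter": "status=sent to 127.0.0.1 only means amavis accepted the message; follow the re-injected queue id for the real result.",
}

if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['kind']:26} {ADVICE.get(ev['kind'], '')}")
    print(summarize(evs))
```

Run it against a real `/var/log/mail.log` by replacing `SAMPLE_LOG` with the file contents; the summary makes it obvious whether the dominant problem is reputation (RBL), connectivity (port 25) or client authentication, which are fixed in different places.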
  • You can't really "force" your mailserver to send mails not on port 25. It has to take what the target mailserver is configured to use. You could configure your postfix to only use TLS for mail transfer (not even StartSSL), which would effectively send mails only to port 587, but the downside is that you won't be able to send mails to every mailserver. If a mailserver simply is not configured to use TLS, you won't be able to reach it. – Gerald Schneider Jul 21 '20 at 09:44
  • To set up a proper mail service you either have to ask your hoster to allow port 25 for your server, or switch to a hoster that doesn't block the port. – Gerald Schneider Jul 21 '20 at 09:45
  • Understandable, I test my mailserver first on a local desktop via static port forwarding before creating a live version of it which will be used in production. I checked, but it seems that port 25 is accessible through telnet -> ISP? However, is the example that you've explained almost the same situation as http vs https? 25 is a default for Postfix and 587 is just the encryption - but the default is always required for it to work? – Colin Jul 21 '20 at 14:28
  • 587 is not "just the encryption". It's for authenticated connections only. Connections on port 25 may be encrypted, but are not authenticated, which is why many residential ISPs and some hosting providers block it. – Michael Hampton Jul 21 '20 at 14:50

2 Answers


Hope this helps you. For example, you have:

  • domain: mydomain.com
  • mail domain : mail.mydomain.com
  • Static IP: 123.123.123.123
  • MTA: postfix

A little bit more effort is required here:

- ISPs

  • Ask your ISP for a reverse record (PTR) of the IP, i.e. 123.123.123.123, to mail.mydomain.com
  • Ask your ISP to open the SMTP port for the IP 123.123.123.123 (also the DNS port if you want failover with multiple IPs)

- CPANEL

  • Add A record: Type: A TTL: 3600 Host: mail.mydomain.com Points To: 123.123.123.123

  • Add MX Record: Type: MX TTL: 3600 Host: mydomain.com Priority: 10 Points To: mail.mydomain.com

  • Add MX Record: Type: MX TTL: 3600 Host: mydomain.com Priority: 20 Points To: mydomain.com

  • Configure SPF + DKIM + DMARC records in cPanel (DKIM + DMARC generator)

  • Check and remove your IP 123.123.123.123 from blacklist sites.

- Mail Server

  • hostname: mail.mydomain.com

  • firewall open ports: 80, 443, 25, 143, 587, 993, 995 for email

  • add packages fail2ban (protects from external attacks), policyd (limits incoming and outgoing email), clamav (virus scanning)

MY WORKING MAIL SERVER conf (for CentOS 7):

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_notice_recipient = postmaster@mydomain.com
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 30
default_destination_rate_delay = 5s
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
fast_flush_domains = $mydomain
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 5242880
milter_default_action = accept
mydestination = $myhostname
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = cidr:/etc/postfix/network_table
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name. Send us your mail..not your spam!!
smtpd_client_connection_count_limit = 30
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_limit = 30
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, check_recipient_access hash:/etc/postfix/protected_destinations, hash:/etc/postfix/bad_recipients, check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_reverse_client_hostname, reject_invalid_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, permit
smtpd_reject_footer = \c. For assistance, Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
smtpd_restriction_classes = insiders_only
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031, reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mydomain.com.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 150
virtual_transport = dovecot
virtual_uid_maps = static:150

doveconf -n

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:30: 'imaps' protocol is no longer necessary, remove it
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:30: 'imaps' protocol is no longer necessary, remove it
doveconf: Warning: service auth { client_limit=3000 } is lower than required under max. load (4000)
doveconf: Warning: service anvil { client_limit=3000 } is lower than required under max. load (3003)
# OS: Linux 3.10.0-693.21.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)  xfs
# Hostname: mail.mydomain.com
auth_default_realm = mydomain.com
auth_failure_delay = 5 secs
auth_mechanisms = plain login
auth_realms = mydomain.com
auth_verbose = yes
default_client_limit = 3000
default_process_limit = 1000
dict {
  sqldomainquota = mysql:/etc/dovecot/dovecot-sql-domain.conf
  sqluserquota = mysql:/etc/dovecot/dovecot-dict-sql-user.conf
}
first_valid_gid = 12
first_valid_uid = 150
last_valid_gid = 12
last_valid_uid = 150
listen = *,::
log_path = /var/log/dovecot.log
mail_debug = yes
mail_gid = mail
mail_location = maildir:/home/vmail/%d/%n
mail_plugins = " quota"
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota = dict:User Quota::proxy::sqluserquota
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/.sieve
  sieve_global_dir = /var/lib/dovecot/sieve/
}
postmaster_address = postmaster@mydomain.com
protocols = imap sieve
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl_cert = </etc/pki/tls/certs/mydomain.com.crt
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = " quota sieve quota"
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
protocol pop3 {
  mail_plugins = " quota quota"
}

Roundcube Config

<?php

$config['db_dsnw'] = 'mysql://user:password@localhost/database';
$config['default_host'] = 'imaps://localhost';
$config['smtp_server'] = 'tls://localhost';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = '';
$config['des_key'] = '5d4eed1d4eddizHjz6i6GTLb';
$config['username_domain'] = 'mydomain.com';
$config['product_name'] = 'Roundcube WebMail';
$config['plugins'] = array('archive', 'filters', 'globaladdressbook', 'hide_blockquote', 'identicon', 'jqueryui', 'markasjunk', 'new_user_identity', 'newmail_notifier', 'show_additional_headers', 'managesieve', 'zipdownload');

// clears trash when user logs out (if true)
// $config['logout_purge'] = true;

$config['default_port'] = 993;
$config['max_message_size'] = '5M';

This link might be a little help if you are working with Debian.

Ratan Thapa
  • That's quite a thorough example, but it would be more helpful and preferable if you would take a look at the configuration from the OP and suggest helpful modifications instead. – Gerald Schneider Jul 21 '20 at 09:47
  • Thank you for your answer Ratan Thapa, I will try this and follow the tutorials according to the link you provided, and yes I am working with Debian 10. After reading this, I tested a telnet request to the smtp server of my ISP with port 25 and it has been successfully accepted. Does that mean that it was not the issue? And I think that I need to dig deeper into DNS because of probably missing things there, are there any important steps for that not to forget or dependent for email? – Colin Jul 21 '20 at 14:39
  • Hi @Colin, request you to remove your public IP from the blacklist from RBL. You can check your log "Your IP {HIDDEN_IP} is in RBL. Please see https://www.spamhaus.org/query/ip/{HIDDEN_IP}". The above links were for reference. You can find more useful links on Google. – Ratan Thapa Jul 21 '20 at 16:16
  • Almost solved my issue completely, and yes, requested an RBL removal. It has been common for a while that I could receive mail from every external or internal service. I've solved the issue about sending just today by removing the IP from Spamhaus, that was the problem. However, I read the description before that's written on their page that says that RBL is not a block list, so I thought earlier that it was not involved with my environment.. but I still have the cannot send to Gmail error logs (Time out - connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25: Network is unreachable) – Colin Jul 29 '20 at 16:29
  • Responding to my comment for adding some info, I can send to my providers address (that is with @home.nl), but the others like Gmail and Outlook.com are just the same as that error above. I have also set the SPF record, DKIM and DMARC today. – Colin Jul 29 '20 at 16:39
0

At first, a couple of days ago, I did some research on DNS since I was not familiar with it. I came to the conclusion after that to add SPF records, DKIM and DMARC. Also, my logs said that my IP was in an RBL, which I didn't think was the issue because of their RBL explanation. But I did a request for removing that IP, and since then it has been solved for mailing between my mail server and ISP.

Since there are more email providers, which all showed the same message as each other:

connect to gmail-smtp-in.l.google.com[74.125.143.27]:25: Connection timed out

Jul 20 08:41:45 echo postfix/smtp[30141]: connect to gmail-smtp-in.l.google.com[2a00:1450:4013:c04::1a]:25: Network is unreachable

This type of issue seems to have one common solution that has been answered a lot:

• Change inet_protocols = all into inet_protocols = ipv4 within your /etc/postfix/main.cf

The test failed again after restarting, reloading and flushing Postfix: one more time the same error when sending to Gmail.

Then, I came to another possible solution by this post https://superuser.com/questions/1069049/postfix-problems-sending-mail-to-gmail-addresses

• Changing relayhost = to relayhost = smtp.myisp.ext:25

I tested again with sending mail to multiple addresses of mine; ISP, Gmail, Outlook, Yahoo and it successfully came through!

Colin
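The three symptoms this thread walks through (a Spamhaus listing, "Network is unreachable" on an IPv6 MX address, and "Connection timed out" on port 25) can be triaged with a small script. This is an added example, not code from the thread: it classifies the Postfix smtp log lines quoted above, builds the DNSBL query name for an IPv4 address, and (when given a destination domain and your public IP) runs live checks with dig(1) and nc(1). The relay host name is the placeholder from the answer; zen.spamhaus.org is the real zone.

```shell
#!/bin/sh
# Added example, not from the thread: triage the outbound-delivery symptoms
# discussed here (Spamhaus listing, IPv6 "Network is unreachable", TCP/25
# timeouts). Live checks assume dig(1) and nc(1) are installed.
# Classify a "postfix/smtp ... connect to host[addr]:port: reason" log line.
classify_connect_error() {
    addr=${1#*connect to *\[}; addr=${addr%%\]*}
    case "$1" in
        *"Network is unreachable"*)
            case "$addr" in *:*) echo ipv6-unreachable ;; *) echo ipv4-unreachable ;; esac ;;
        *"Connection timed out"*) echo port25-filtered ;;
        *)                        echo unknown ;;
    esac
}
# Map a classification to the fix the thread converged on.
advise() {
    case "$1" in
        ipv6-unreachable) echo "set 'inet_protocols = ipv4' in main.cf, or fix IPv6 routing" ;;
        port25-filtered)  echo "outbound TCP/25 is filtered: relay via the ISP (thread: relayhost = smtp.myisp.ext:25); an authenticated TLS submission relay on 587 is better" ;;
        *)                echo "check the remote MTA and the local firewall; no generic fix" ;;
    esac
}
# DNSBL query name for an IPv4 address: octets reversed, then the zone.
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v z="$2" '{ print $4 "." $3 "." $2 "." $1 "." z }'
}
# Spamhaus answers 127.0.0.x when listed; 127.255.255.x means the query was
# rejected (e.g. sent through a public resolver), not that the IP is listed.
dnsbl_verdict() {
    case "$1" in
        "")            echo not-listed ;;
        127.0.0.*)     echo listed ;;
        127.255.255.*) echo query-error ;;
        *)             echo unexpected ;;
    esac
}

# Live checks (network required): RBL status of our public IP, then port 25
# reachability of the destination's MX hosts over IPv4 and IPv6.
live_check() {
    echo "zen.spamhaus.org: $(dnsbl_verdict "$(dig +short A "$(dnsbl_name "$2" zen.spamhaus.org)")")"
    for mx in $(dig +short MX "$1" | awk '{ print $2 }'); do
        for ip in $(dig +short A "$mx") $(dig +short AAAA "$mx"); do
            nc -z -w 5 "$ip" 25 2>/dev/null && echo "$mx $ip: open" || echo "$mx $ip: unreachable"
        done
    done
}

if [ $# -eq 2 ]; then live_check "$1" "$2"; fi   # usage: sh diag.sh gmail.com <public-ip>
```

Run it as `sh diag.sh gmail.com <your-public-ip>` from the mail host itself; the DNSBL answer is only meaningful when the query goes through your own resolver, not a public one.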