Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Postfix - Dovecot problem sending mail
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
NismoC32
Apprentice
Apprentice


Joined: 07 Apr 2003
Posts: 197

PostPosted: Thu Dec 21, 2017 6:58 pm    Post subject: Postfix - Dovecot problem sending mail Reply with quote

Hi I followed this guide to setup postfix and dovecot
https://forums.gentoo.org/viewtopic-t-1057474.html.

Reciving mail works fine bu sending is not perfect.
I can send mail from my workstation (Gentoo using kmail),
But using my Androis phone, Roudcube or Nextcloud mail does not work.

This is what tho log says when I try to send a mail from one of there clients:
Quote:
Dec 20 20:15:46 fserver postfix/smtp[1195]: 9D3995A700: to=<myaddress@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.162.27]:25, delay=0.37, delays=0.07/0.01/0.28/0.01, dsn=5.0.0, status=bounced (host gmail-smtp-in.l.google.com[64.233.162.27] said: 550 Relay not permitted (in reply to RCPT TO command)


This email is sendt to me from my mailserver:
Code:
This is the mail system at host mail.mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<myaddress@gmail.com>: host gmail-smtp-in.l.google.com[64.233.162.27] said: 550
    Relay not permitted (in reply to RCPT TO command)


I'm using the Bluemail Client on my Android Phone, but I also tried Sony's default mail client.

So what is it that makes kmail work and nothing else ?

Let me know if more info is needed.
Back to top
View user's profile Send private message
magic919
Advocate
Advocate


Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK

PostPosted: Fri Dec 29, 2017 10:18 am    Post subject: Reply with quote

That's the kind of error I'd expect if the client doesn't authenticate.
Back to top
View user's profile Send private message
NismoC32
Apprentice
Apprentice


Joined: 07 Apr 2003
Posts: 197

PostPosted: Fri Dec 29, 2017 11:19 pm    Post subject: Reply with quote

Ok but why ?

this is my Postfix configuration files:

main.cf
Code:
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.mydomain.com
mydomain = mydomian.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2

debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man

readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = mydomain.com
broken_sasl_auth_clients = yes

smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_reject_unlisted_sender = yes
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   reject_invalid_helo_hostname
   reject_non_fqdn_recipient
   reject_unknown_recipient_domain
 
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10800s

virtual_alias_maps   = mysql:/etc/postfix/sql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql_virtual_domain_maps.cf
virtual_mailbox_maps   = mysql:/etc/postfix/sql_virtual_mailbox_maps.cf
sample_directory   =/etc/postfix
message_size_limit   = 104857600
compatibility_level = 2


my master.cf:
Code:
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot      unix  -       n       n       -       -       pipe
   flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}


And this is my Dovecot files:

10-auth.conf
Code:
disable_plaintext_auth = yes
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain login cram-md5
!include auth-sql.conf.ext


10-mail.conf
Code:
mail_location = maildir:/var/mail/%n/Maildir/:INDEX=/var/mail/%n/indexes

namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes

  # See 15-mailboxes.conf for definitions of special mailboxes.
}

  #type = shared
  #separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children

mail_uid = 8
mail_gid = 12

first_valid_uid = 8
last_valid_uid = 8

first_valid_gid = 12
last_valid_gid = 12

mail_plugins = quota

protocol !indexer-worker {
  # If folder vsize calculation requires opening more than this many mails from
  # disk (i.e. mail sizes aren't in cache already), return failure and finish
  # the calculation via indexer process. Disabled by default. This setting must
  # be 0 for indexer-worker processes.
  #mail_vsize_bg_after_count = 0
}


10-master.conf
Code:
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0600
    user = mail
    group = mail
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = mail
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
 }
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}


dovecot.conf
Code:
protocols = imap lmtp
listen = *
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

!include conf.d/*.conf
!include_try local.conf


auth.sql.conf.ext
Code:
passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

  #driver = static
  #args = uid=vmail gid=vmail home=/var/vmail/%u


KMail on my workstation works fine.
Roundcube who is installed on the same server as postfix/dovecot is not able to send emails.
BlueMail on my Android phone regardless of using IP address or domain address cant send mail ether
BluMail do a check when you configure the server settings and it does not complain that anything is wrong
All clinets gets access to mails just fine so i can read delete move etc.

This is my setting in kmail for sending e-mail:

Outgoing mail server: 192.168.1.101 (Works also when using domain name)
Login: ****@*****.com
Password: **********
Encryption: TLS
Port: 587
Authentication: CRAM-MD5 (PLAIN works fine too)

Bluemail:
SMTPServer: mydomain.com (192.168.1.101 while connected to my WLAN AP does not help)
Security: STARTTLS (Changing to SSL/TLS gives error(3011))
Port: 587
Autentication: Automatic
And username password stuff.

If more configuration or log info is need let me know.


Last edited by NismoC32 on Sat Dec 30, 2017 11:34 pm; edited 2 times in total
Back to top
View user's profile Send private message
magic919
Advocate
Advocate


Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK

PostPosted: Sat Dec 30, 2017 7:08 am    Post subject: Reply with quote

Run through the telnet testing in the source thread if you haven’t already. Check to see what Dovecot and Postfix are logging when it fails.

If you trust the 192.168.1.x network, then set mynetworks appropriately in Postfix and it’ll avoid the need for SASL on that network. By opening up the Postfix restrictions (if only whilst testing) you should be able to isolate the problem area. SASL and TLS are the likely bits if Dovecot SASL is fully working.

You might want to remove your domain name from those config files.
Back to top
View user's profile Send private message
NismoC32
Apprentice
Apprentice


Joined: 07 Apr 2003
Posts: 197

PostPosted: Sat Dec 30, 2017 6:38 pm    Post subject: Reply with quote

Tried out using telnet and this is the resault:

Code:
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye


And:
Code:
Trying xx.126.xx.21x...
Connected to mydom.com.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye


So the question is why no 250-AUTH line?

I did add 192.168.1.0/24 to mynetworks line in postfix but it did not change anything
Code:
mynetworks = 192.168.1.0/24, 127.0.0.0/8


Last edited by NismoC32 on Sun Dec 31, 2017 1:05 am; edited 1 time in total
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sat Dec 30, 2017 11:51 pm    Post subject: Reply with quote

Quote:
So the question is why no 250-AUTH line?

Because no TLS.
Postfix comes with a sane default that only allows authentication over secured connection.
Back to top
View user's profile Send private message
NismoC32
Apprentice
Apprentice


Joined: 07 Apr 2003
Posts: 197

PostPosted: Wed Jan 03, 2018 2:28 am    Post subject: Reply with quote

So how do I fix this, whats missing ?
I have followed the howto and I'm out of Ideas.

It's strange that KMail can send email without any problems.
The only differences is that KMail uses TLS and the other clients uses STARTTLS.

STARTTLS is not available in KMail, you have this choices: none,ssl and tsl.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Wed Jan 03, 2018 10:59 pm    Post subject: Reply with quote

Quote:
STARTTLS is not available in KMail, you have this choices: none,ssl and tsl.

I don't know kmail, I suppose "tls" means upgrading protocol to encrypted STARTTLS and "ssl" means opening connection that is already encrypted.
Also, you may see SMTP port change when you change the connection type.
You can expect AUTH to work on port 25 - smtp after starttls, and on port 465 -smtps (without starttls, you just open ssl connection up-front), and on port 587 - mail_submission, not sure whether is uses ssl or tls though.
Submission should not allow you send anything at all without providing your credentials, and unauthenticated smtp[s] should only allow local delivery.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum