| View previous topic :: View next topic |
| Author |
Message |
NismoC32
Apprentice
Joined: 07 Apr 2003
Posts: 222
|
 Posted: Thu Dec 21, 2017 6:58 pm Post subject: Postfix - Dovecot problem sending mail |
 |
|
Hi I followed this guide to setup postfix and dovecot
https://forums.gentoo.org/viewtopic-t-1057474.html.
Reciving mail works fine bu sending is not perfect.
I can send mail from my workstation (Gentoo using kmail),
But using my Androis phone, Roudcube or Nextcloud mail does not work.
This is what tho log says when I try to send a mail from one of there clients:
| Quote: | | Dec 20 20:15:46 fserver postfix/smtp[1195]: 9D3995A700: to=<myaddress@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.162.27]:25, delay=0.37, delays=0.07/0.01/0.28/0.01, dsn=5.0.0, status=bounced (host gmail-smtp-in.l.google.com[64.233.162.27] said: 550 Relay not permitted (in reply to RCPT TO command) |
This email is sendt to me from my mailserver:
| Code: | This is the mail system at host mail.mydomain.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<myaddress@gmail.com>: host gmail-smtp-in.l.google.com[64.233.162.27] said: 550
Relay not permitted (in reply to RCPT TO command) |
I'm using the Bluemail Client on my Android Phone, but I also tried Sony's default mail client.
So what is it that makes kmail work and nothing else ?
Let me know if more info is needed. |
|
| Back to top |
|
 |
magic919
Advocate
Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK
|
| Posted: Fri Dec 29, 2017 10:18 am Post subject: |
|
|
| That's the kind of error I'd expect if the client doesn't authenticate. |
|
| Back to top |
|
|
NismoC32
Apprentice
Joined: 07 Apr 2003
Posts: 222
|
| Posted: Fri Dec 29, 2017 11:19 pm Post subject: |
|
|
Ok but why ?
this is my Postfix configuration files:
main.cf
| Code: | soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.mydomain.com
mydomain = mydomian.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = mydomain.com
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_reject_unlisted_sender = yes
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_invalid_helo_hostname
reject_non_fqdn_recipient
reject_unknown_recipient_domain
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10800s
virtual_alias_maps = mysql:/etc/postfix/sql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql_virtual_mailbox_maps.cf
sample_directory =/etc/postfix
message_size_limit = 104857600
compatibility_level = 2
|
my master.cf:
| Code: | smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
dovecot unix - n n - - pipe
flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
|
And this is my Dovecot files:
10-auth.conf
| Code: | disable_plaintext_auth = yes
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain login cram-md5
!include auth-sql.conf.ext
|
10-mail.conf
| Code: | mail_location = maildir:/var/mail/%n/Maildir/:INDEX=/var/mail/%n/indexes
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# useful when converting from another server with different namespaces which
# you want to deprecate but still keep working. For example you can create
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
#hidden = no
# Show the mailboxes under this namespace with LIST command. This makes the
# namespace visible for clients that don't support NAMESPACE extension.
# "children" value lists child mailboxes, but hides the namespace prefix.
#list = yes
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
# See 15-mailboxes.conf for definitions of special mailboxes.
}
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# %%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
# Mail location for other users' mailboxes. Note that %variables and ~/
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
# destination user's data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
mail_uid = 8
mail_gid = 12
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 12
last_valid_gid = 12
mail_plugins = quota
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
|
10-master.conf
| Code: | service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
mode = 0600
user = mail
group = mail
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
user = mail
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0660
user = postfix
group = postfix
}
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}
|
dovecot.conf
| Code: | protocols = imap lmtp
listen = *
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf
|
auth.sql.conf.ext
| Code: | passdb {
driver = sql
# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
#driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u
|
KMail on my workstation works fine.
Roundcube who is installed on the same server as postfix/dovecot is not able to send emails.
BlueMail on my Android phone regardless of using IP address or domain address cant send mail ether
BluMail do a check when you configure the server settings and it does not complain that anything is wrong
All clinets gets access to mails just fine so i can read delete move etc.
This is my setting in kmail for sending e-mail:
Outgoing mail server: 192.168.1.101 (Works also when using domain name)
Login: ****@*****.com
Password: **********
Encryption: TLS
Port: 587
Authentication: CRAM-MD5 (PLAIN works fine too)
Bluemail:
SMTPServer: mydomain.com (192.168.1.101 while connected to my WLAN AP does not help)
Security: STARTTLS (Changing to SSL/TLS gives error(3011))
Port: 587
Autentication: Automatic
And username password stuff.
If more configuration or log info is need let me know.
Last edited by NismoC32 on Sat Dec 30, 2017 11:34 pm; edited 2 times in total |
|
| Back to top |
|
|
magic919
Advocate
Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK
|
| Posted: Sat Dec 30, 2017 7:08 am Post subject: |
|
|
Run through the telnet testing in the source thread if you haven’t already. Check to see what Dovecot and Postfix are logging when it fails.
If you trust the 192.168.1.x network, then set mynetworks appropriately in Postfix and it’ll avoid the need for SASL on that network. By opening up the Postfix restrictions (if only whilst testing) you should be able to isolate the problem area. SASL and TLS are the likely bits if Dovecot SASL is fully working.
You might want to remove your domain name from those config files. |
|
| Back to top |
|
|
NismoC32
Apprentice
Joined: 07 Apr 2003
Posts: 222
|
| Posted: Sat Dec 30, 2017 6:38 pm Post subject: |
|
|
Tried out using telnet and this is the resault:
| Code: | Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye
|
And:
| Code: | Trying xx.126.xx.21x...
Connected to mydom.com.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye |
So the question is why no 250-AUTH line?
I did add 192.168.1.0/24 to mynetworks line in postfix but it did not change anything
| Code: | | mynetworks = 192.168.1.0/24, 127.0.0.0/8 |
Last edited by NismoC32 on Sun Dec 31, 2017 1:05 am; edited 1 time in total |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3445
|
| Posted: Sat Dec 30, 2017 11:51 pm Post subject: |
|
|
| Quote: | | So the question is why no 250-AUTH line? |
Because no TLS.
Postfix comes with a sane default that only allows authentication over secured connection. |
|
| Back to top |
|
|
NismoC32
Apprentice
Joined: 07 Apr 2003
Posts: 222
|
| Posted: Wed Jan 03, 2018 2:28 am Post subject: |
|
|
So how do I fix this, whats missing ?
I have followed the howto and I'm out of Ideas.
It's strange that KMail can send email without any problems.
The only differences is that KMail uses TLS and the other clients uses STARTTLS.
STARTTLS is not available in KMail, you have this choices: none,ssl and tsl. |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3445
|
| Posted: Wed Jan 03, 2018 10:59 pm Post subject: |
|
|
| Quote: | | STARTTLS is not available in KMail, you have this choices: none,ssl and tsl. |
I don't know kmail, I suppose "tls" means upgrading protocol to encrypted STARTTLS and "ssl" means opening connection that is already encrypted.
Also, you may see SMTP port change when you change the connection type.
You can expect AUTH to work on port 25 - smtp after starttls, and on port 465 -smtps (without starttls, you just open ssl connection up-front), and on port 587 - mail_submission, not sure whether is uses ssl or tls though.
Submission should not allow you send anything at all without providing your credentials, and unauthenticated smtp[s] should only allow local delivery. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
