Ubuntu 18.04 on Google Compute Dovecot + postfix
I figure I should be able to connect to a port other than 465/587, and since I can relay all email through google there should be no issue with this method for an email server. Also Google says they put in a setting to allow connection to 465/587 so I should have no issues at all
when I try to telnet to the 2 ports I have postfix listening on (5001 & 8080, 8080 is only for testing) this is what I get in tcpdump
21:42:02.843771 IP h***-***-***-***.wtfrwi.dsl.dynamic.tds.net.46208 > mailserv1.c.enterprise-210914.internal.urd: Flags [S], seq 1961371525, win 29200, options [mss 1460,sackOK,TS val 240062507 ecr 0,nop,wscale 7], length 0
21:42:02.843831 IP mailserv1.c.enterprise-210914.internal.urd > h***.***.***.***.wtfrwi.dsl.dynamic.tds.net.46208: Flags [R.], seq 0, ack 1961371526, win 0, length 0
mail.log does not show anything for smtp connection on either port
The server can send email just fine, it is simply a matter of other applications connecting to this server to send email through the relay
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#587 inet n - y - - smtpd
8080 inet n - y - - smtpd
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
5001 inet n - n - - smtpd
# -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = webserver.com
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
### https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ ### Guide for below
smtpd_tls_cert_file=/etc/letsencrypt/live/webserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/webserver.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = webserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [smtp-relay.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# Force ehlo behavior
smtp_always_send_ehlo = yes
smtp_helo_name = webserver.com
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps
inet_interfaces was set to loopback only, changing that to all allows me to telnet to the port with successful connection. Trying to connect to my server on that port times out now.
output of ss -l
udp UNCONN 37632 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 10.128.0.2%ens4:bootpc 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:imaps 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5572 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:http-alt 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 [::]:ssh [::]:*
tcp LISTEN 0 128 *:https *:*
tcp LISTEN 0 100 [::]:imaps [::]:*
tcp LISTEN 0 128 *:http *:*
netstat -lpn -A inet
root@mail:~# netstat -lpn -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1060/sshd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 573/dovecot
tcp 0 0 127.0.0.1:5572 0.0.0.0:* LISTEN 623/rclone
tcp 0 0 127.0.0.1:5001 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 703/mysqld
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 954/master
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 424/systemd-resolve
udp 40704 0 127.0.0.53:53 0.0.0.0:* 424/systemd-resolve
udp 0 0 10.128.0.2:68 0.0.0.0:* 405/systemd-network
udp 0 0 127.0.0.1:323 0.0.0.0:* 628/chronyd
iptables
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sshguard (1 references)
target prot opt source destination
UFW is not installed
I am also able to do a "telnet localhost 8080 or 5001" and I am able to connect, which initially had me thinking it was a firewall issue. Although seeing tcpdump receive a packet on my tests to telnet or nmap from the outside world made me think the firewall was not an issue.
Although this is google VPC network firewall, yes I do have rules in to allow 465,587,5001,8080 for tcp and udp. I can confirm that it effects the instance by going in to the specific firewall rule to see which instances are being affected by that rule. This is done utilizing the smtp tag for reference. Firewall rules are as follows
allow-smtp
Description
smtp ports
Network
default
Priority
1000
Direction
Ingress
Action on match
Allow
Targets
Target tags
smtp
Source filters
IP ranges
0.0.0.0/0
Protocols and ports
tcp:587
udp:587
tcp:465
udp:465
tcp:5001
udp:5001
tcp:8080
udp:8080
Enforcement
Enabled
Applicable to instances
Name Internal IP Tags Service accounts Project Network details
mailserv1 10.128.0.2 http-server, https-server,
Any help would be greatly appreciated. Seeing the packets come in tells me the port is open, even though telnet and nmap say it is blocked.
It appears the ack packet is unable to return, in whichcase I was thinking a static route may be needed, although I have not been able to succeed just yet. Thank you for any help.
EDIT
changing "inet_interfaces" to all, allowed me to telnet in from the outside world and verify the port is open.
Now when connecting to my server via outlook I am receiving an SSL_accept error.
EDIT2
last issue was only due to using automatic for security type instead of ssl/tls. This is resolved
