2

I'm trying to set up a mail server on Ubuntu 16.04.5 LTS with Postfix and Dovecot.

I can send out email without any problem and mail sent from localhost also finds its way into the inbox. However, email sent from outside (say, Gmail) is not showing up.

There are a lot of similar questions on serverfault and other sites, however I'm still unable to make it work.

My main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/MYDOMAIN.FI/fullchain.pem
smtpd_tls_key_file =/etc/letsencrypt/live/MYDOMAIN.FI/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.MYDOMAIN.FI
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.MYDOMAIN.FI, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom

As you can see I use an SSL certificate from letsencrypt.

I have replaced my actual domain with MYDOMAIN.FI in case there are some horrible holes I've left in my config by mistake.

Ouput of sudo lsof -iTCP -sTCP:LISTEN -P:

COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd       1     root   29u  IPv4 2041021      0t0  TCP *:143 (LISTEN)
systemd       1     root   44u  IPv6 2041022      0t0  TCP *:143 (LISTEN)
systemd       1     root   56u  IPv4 2041023      0t0  TCP *:993 (LISTEN)
systemd       1     root   59u  IPv6 2041024      0t0  TCP *:993 (LISTEN)
sshd       1589     root    3u  IPv4   14438      0t0  TCP *:22 (LISTEN)
sshd       1589     root    4u  IPv6   14448      0t0  TCP *:22 (LISTEN)
mysqld     1870    mysql   22u  IPv4   16248      0t0  TCP mail.MYDOMAIN.FI:330                                                                      6 (LISTEN)
apache2    1876     root    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    1876     root    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
miniserv.  2050     root    5u  IPv4   16967      0t0  TCP *:10000 (LISTEN)
apache2    3762 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3762 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3763 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3763 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3766 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3766 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3767 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3767 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3771 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3771 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3842 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3842 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    3843 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    3843 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
apache2    4465 www-data    4u  IPv6   16115      0t0  TCP *:80 (LISTEN)
apache2    4465 www-data    6u  IPv6   16119      0t0  TCP *:443 (LISTEN)
master    20916     root   13u  IPv4 2039338      0t0  TCP *:25 (LISTEN)
master    20916     root   14u  IPv6 2039339      0t0  TCP *:25 (LISTEN)
master    20916     root   28u  IPv4 2044183      0t0  TCP *:465 (LISTEN)
master    20916     root  111u  IPv6 2044184      0t0  TCP *:465 (LISTEN)
master    20916     root  114u  IPv4 2044888      0t0  TCP *:587 (LISTEN)
master    20916     root  115u  IPv6 2044889      0t0  TCP *:587 (LISTEN)
dovecot   21229     root    3u  IPv4 2041021      0t0  TCP *:143 (LISTEN)
dovecot   21229     root    4u  IPv6 2041022      0t0  TCP *:143 (LISTEN)
dovecot   21229     root    5u  IPv4 2041023      0t0  TCP *:993 (LISTEN)
dovecot   21229     root    6u  IPv6 2041024      0t0  TCP *:993 (LISTEN)

It does list the port 25's command as "master" rather than "postfix". Not sure if that's relevant.

I've also just now noticed that there's the mysqld command listening on mail.MYDOMAIN.FI:330. Is this normal?

Output of netstat -tulpn:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1870/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      20916/master
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2050/perl
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      20916/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1589/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      20916/master
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init
tcp6       0      0 :::587                  :::*                    LISTEN      20916/master
tcp6       0      0 :::143                  :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      1876/apache2
tcp6       0      0 :::465                  :::*                    LISTEN      20916/master
tcp6       0      0 :::22                   :::*                    LISTEN      1589/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      20916/master
tcp6       0      0 :::443                  :::*                    LISTEN      1876/apache2
tcp6       0      0 :::993                  :::*                    LISTEN      1/init
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           2050/perl
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1195/dhclient

Domain should be properly set up. I can use online services like https://www.adminkit.net/telnet.aspx and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap to check the ports and all connect OK.

/etc/dovecot.conf

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

ssl=required
ssl_cert = </etc/letsencrypt/live/MYDOMAIN.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYDOMAIN.fi/privkey.pem

log_path = /var/log/dovecot/dovecot.log
# Debug
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes

master.cfg:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
submission inet n       -       -       -       -       smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtp      inet  n       -       y       -       -       smtpd -v
smtps     inet  n       -       y       -       -       smtpd -v
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Some log output with verbose enabled:

Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 250 DSN
Oct 30 11:21:08 mail postfix/smtpd[15895]: < mail-qt1-f180.google.com[209.85.160.180]: STARTTLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 220 2.0.0 Ready to start TLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr size = 32
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 3dBahrjW0vbosyTKvktYBqwgAeKFMcaSFZXzLuCQJE8=
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = tktkey
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr keyname = [data 0 bytes]
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: dyOgaB79c3WwkEvn7j2vy4l+BbNCdTfeefaIo1tc0RCukA/4SsmzUQMfefep4DH4T15cOEPT6EcbQ8Bvs9otmDdVPIJ0zxeiQUZqefefeSiabN9hbAAAAAA==
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_create: SASL service=smtp, realm=mail.MYDOMAIN.fi
Oct 30 11:21:08 mail postfix/smtpd[15895]: name_mask: noanonymous
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_connect: Connecting
Oct 30 11:21:08 mail postfix/smtpd[15895]: warning: SASL: Connect to private/dovecot-auth failed: Connection refused
Oct 30 11:21:08 mail postfix/smtpd[15895]: fatal: no SASL authentication mechanisms
Mauri
  • 23
  • 3
  • The most interesting part would be the relevant entries from your mail log files. – Gerald Schneider Oct 30 '18 at 07:25
  • I have added logs from /var/log/mail.log to the original post – Mauri Oct 30 '18 at 07:31
  • I see your /etc/hosts file contents. Why? I assume you’ve serup your DNS correctly (MX and relevant A records)? – Tommiie Oct 30 '18 at 07:37
  • 1
    There are [40 questions about the SASL authentication mechanism error message](https://serverfault.com/search?q=fatal%3A+no+SASL+authentication+mechanisms+is%3Aquestion) on SF. I suggest you look at them, most probably this can be closed as a duplicate to one of them. – Gerald Schneider Oct 30 '18 at 07:38

2 Answers2

4

You have:

smtpd_sender_restrictions = reject_unknown_sender_domain

smtpd_recipient_restrictions = 
    reject_unknown_sender_domain, 
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_unauth_destination

As these are missing the final permit in the end, only mynetworks and SASL authenticated are allowed to use the server. This limitation affects all mail including the messages having this server as the final destination. This gives the fatal: no SASL authentication mechanisms error.

If you wish to have different settings for SASL authenticated users, enable submission. That's another instance of SMTPd listening on TCP/587 for the outbound mail of your own users. Following the examples in Postfix and Dovecot SASL HowTo you'll configure your Postfix exactly that way (see the example in Using SASL with Postfix submission port).

Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
  • Thank you for the answer. I tried the example given in your link and even tried setting `smtpd_recipient_restrictions = permit` but to no avail. – Mauri Oct 30 '18 at 09:45
  • 1
    You should add the `permit` in the end of both lists (`smtpd_sender_restrictions` & `smtpd_recipient_restrictions`). Alone it would permit too much. – Esa Jokinen Oct 30 '18 at 09:46
  • My settings are now `smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit` and `smtpd_sender_restrictions = reject_unknown_sender_domain, permit` – Mauri Oct 30 '18 at 10:06
0

1) The Mysqld listening port 3306, so you must have a database installed? should not interfere with the mail service.

2) The /master process listening on port 25 is the Postfix Mail Transport Agent. Looks normal

3)Try testing your mail server externally using https://mxtoolbox.com/NetworkTools.aspx

Do the MX check, https://mxtoolbox.com/MXLookup.aspx (to see that Your DNS is correctly configured) and the SMTP tests https://mxtoolbox.com/diagnostic.aspx

4) The message warning: SASL: Connect to private/dovecot-auth failed: Connection refused points to a misconfigured docecot ( /etc/dovecot/dovecot.conf ). You need to add the SSL cert here as well + a number of other settings worth checking. One hint is to add DEBUG switches.

Change the default settings to something usefull in dovecot.conf

#log_path = /var/log/dovecot/dovecot.log
# Debug
#mail_debug = yes
# auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes

In /etc/postfix/master.cf, add debug/verbose logging as follows

smtp      inet  n       -       n       -       -       smtpd -v

Se also http://www.postfix.org/DEBUG_README.html

Ingvar J
  • 481
  • 2
  • 7
  • For point 3: first test gives error `No DMARC Record found`. Second test gives me warning `Reverse DNS does not match SMTP Banner` Everything else is in the green. For point 4) I have included my dovecot.conf in the original post – Mauri Oct 30 '18 at 09:57
  • So the external tests using mxtoolbox looks OK. You can disregard the DMARC and REVERSE DNS for the moment. The next step is to add smtpd -v for verbose logging in the master.cf file on the SMTP protocol, and then try to receive an email from an external provider. Logging goes to /var/log/maillog – Ingvar J Oct 30 '18 at 10:18
  • I have added the log output to the original post. I also included my master.cfg, which I noticed has a `smtpd_sasl_path=private/auth` in the submission part, where as the main.cfg has `smtpd_sasl_path = private/dovecot-auth`. Is this relevant? – Mauri Oct 30 '18 at 10:28
  • The submission service (listening on port 587) is intended to allow authenticated users (SASL login), i.e. you local users connecting with smtp with their mail client like Thunderbird. Any settings here would not make any difference for clients connecting to port 25. – Ingvar J Oct 30 '18 at 16:07
  • . So the smtpd will try to find private/dovecot-auth, but apparently it can't. - Check that the dovecot service is started - Check that the file /var/spool/postfix/private/dovevcot-auth is created (automatically when starting dovecot) If it doesn't, then there is a missmatch between dovcot and postfix config. Check the dovcot logfile. 1) to test: disable #smtpd_sasl_auth_enable = yes in main.cf (since You have submision running on port 587) – Ingvar J Oct 30 '18 at 16:08
  • There was indeed a dovecot-auth file but it wasn't re-created when starting the service again. I edited dovecot.conf from `unix_listener /var/spool/postfix/private/auth` to `unix_listener /var/spool/postfix/private/dovecot-auth` after which it was created and now I'm able to receive emails from Gmail. However now I'm no longer able to _send_ emails from Thunderbird (connection times out). – Mauri Oct 30 '18 at 18:24
  • since you have Submision defined, thunderbird users should use port 587, not 25 when connecting to the mailserver. A proper AUTH should be in place for submision SASL login. The SMTPD (listening on port 25) does not need AUTH defined in that case. So you changed the AUTH statement to unix_listener for the SMTPD, and the Submision does not get any service. Remove AUTH for SMTPD, match the unix_listener with the Submision settings. – Ingvar J Oct 31 '18 at 08:11
  • This is an excellent source for understanding the SASL implementation http://www.postfix.org/SASL_README.html#server_sasl_enable. Dovecot or Cyrus flavour. – Ingvar J Oct 31 '18 at 08:47
  • Thank you to Ingvar J and everyone else for their help. Indeed the problem was incorrect SASL config. The link provided by Ingvar J (http://www.postfix.org/SASL_README.html#server_sasl_enable) was the key. – Mauri Oct 31 '18 at 10:10