
Set this thing up a while ago, and it sends messages just fine. However, I wanted to start being able to receive messages.

I've tried telnetting into port 25, and nothing.

dig dzwxgames.com mx:

dzwxgames.com.          60      IN      MX      10 34.210.135.57.

Now, AWS requires usage of SES relaying to send messages which works fine. But when I try to receive them, it acts like all the ports are blocked.

netstat -lntu

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::110                  :::*                    LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN

But netstat reports they are being listened to.

So I checked my Security group Rules on AWS Console:

SMTP TCP 25 0.0.0.0/0
SMTPS TCP 465 0.0.0.0/0
POP3 TCP 110 0.0.0.0/0

Seems fine. Ok... perhaps Postfix is not working?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, dzwxgames.com, localhost, localhost.localdomain, localhost
myhostname = DZWXGamesWeb.dzwxgames.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Ok... So Postfix is only listening on localhost?

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

I did some googling and it says that dovecot might need to be enabled?

Ok, so I added that to the Postfix master config:

/etc/postfix/master.cf:

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}

Ok, still nothing. Maybe Dovecot is not listening on the correct ports?

# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:103: 'imaps' protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:103: 'pop3s' protocol is no longer necessary, remove it
# OS: Linux 4.4.0-45-generic x86_64 Ubuntu 16.04.5 LTS ext3
mail_location = maildir:/home/%u/Maildir
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = pop3 imap
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap {
  process_limit = 1024
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 1024
}
ssl = no
userdb {
  driver = passwd
}

Yeah, I don't understand this. The tutorial I used to set this up seems to be long gone. And a lot of questions still remain.

  1. Where did I go wrong in this configuration?
  2. How do I fix it?
  3. If I use Cloudflare to mask my Server IPs will that break my MX records?
  4. Why does my netstat show port 25 is being listened to but I can't talk to it?

I know that Amazon blocks a lot of communication from port 25, but there does not seem to be any information that says they block communication TO that port. I also set up sending limits already.

And the logs don't even report that they got a message.

2 Answers


Does your security policy allow outside connections to port 25? This could be the problem.

When on the machine, can you telnet to 127.0.0.1 25?

CDO DevOps

FINALLY figured it out.

This is the full checklist: ensure Postfix/Dovecot/SquirrelMail/mailbox is set up. Once it is, you should see the following. NOTE: This is only receiving emails. Sending is another hell.

sudo netstat -plnt
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1612/master

You must see 0.0.0.0 and not 127.0.0.1 or 192.0.0.x, etc.

Ensure the security group on your Amazon is enabling port 25 and the SSL/TLS ports.

Next check /etc/postfix/master.cf has:

smtp       inet  n       -       n       -       -       smtpd

Where it's not private, it's on inet, and it's not chrooted. Don't know why. Sometimes helps. Just ensure you have proper permissions on your folders.

Next ensure your ufw allows connections to 25.

sudo ufw status
25/tcp                     ALLOW       Anywhere

If not:

sudo ufw allow 25/tcp

EVEN if netstat shows 25 is being listened to, it may be blocked by the firewall.

FINALLY check to make sure you have an ACCEPT in iptables.

sudo iptables -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT

Now perform an EXTERNAL port test: https://www.yougetsignal.com/tools/open-ports/

Most ISP block port communications from homes on port 25. Period. All of it. You may not even be able to ping the server. Yes, That bad.

If all is said and done, you should be good. Check your mail logs.

sudo tail -f /var/log/mail.log

Apr 26 07:43:05 DZWXGamesWeb postfix/qmgr[6257]: 87EEE400EC: from=<deathmock@gmail.com>, size=3266, nrcpt=1 (queue active)
Apr 26 07:43:05 DZWXGamesWeb postfix/local[27250]: 87EEE400EC: to=<deem@dzwxgames.com>, relay=local, delay=0.37, delays=0.36/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)

Shows a correctly routed letter. If there are any problems, check /var/log/mail.err
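The checklist in the answer above (and the netstat/master.cf checks the question walks through) can be turned into a script that inspects the relevant command output and reports each item. The script below is an added example, not code from the answer or from Postfix/Dovecot; it parses constructed sample output for `netstat -plnt`, `master.cf`, `ufw status` and `mail.log` so it runs offline. On a real host you would pipe the live output of those commands into the same functions. The host name, PIDs, addresses and log lines in the samples are all made up.

```shell
#!/bin/sh
# Added example, not code from the original answer: offline checks that mirror
# the receive-side checklist above. Each check parses command output that is
# normally read live (netstat -plnt, master.cf, ufw status, mail.log); here the
# inputs are constructed sample strings so the script runs anywhere.

# Constructed sample of `sudo netstat -plnt` (port 25 on all interfaces,
# port 110 only on loopback, nothing on 143).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1612/master
tcp        0      0 127.0.0.1:110           0.0.0.0:*               LISTEN      1700/dovecot
tcp6       0      0 :::25                   :::*                    LISTEN      1612/master'

# Constructed sample of /etc/postfix/master.cf (a commented-out smtp line
# followed by the active one).
SAMPLE_MASTER='#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd'

# Constructed sample of `sudo ufw status`.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
25/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample of /var/log/mail.log: one local maildir delivery and one
# refused relay attempt (the refusal is the correct outcome for mail addressed
# to a domain this server does not host).
SAMPLE_MAILLOG='Apr 26 07:43:05 host postfix/local[27250]: 87EEE400EC: to=<user@example.com>, relay=local, delay=0.37, delays=0.36/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Apr 26 07:44:10 host postfix/smtpd[27300]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <someone@example.org>: Relay access denied; from=<spoof@example.net> to=<someone@example.org> proto=ESMTP helo=<mx.example.net>'

# listen_scope PORT: read netstat-style lines on stdin and print "all" if the
# TCP port is bound on 0.0.0.0 or ::, "loopback" if it is bound only to a
# specific address such as 127.0.0.1, or "none" if nothing listens on it.
listen_scope() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != p) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") { scope = "all"; exit }
            scope = "loopback"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# smtpd_enabled: succeed only if master.cf on stdin has an uncommented
# "smtp inet ... smtpd" service entry (a leading # makes $1 "#smtp", so it is skipped).
smtpd_enabled() {
    awk '$1 == "smtp" && $2 == "inet" && $NF == "smtpd" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# ufw_allows RULE: succeed only if `ufw status` on stdin lists RULE (e.g. 25/tcp) as ALLOW.
ufw_allows() {
    awk -v r="$1" '$1 == r && $2 == "ALLOW" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# maildir_deliveries: count local maildir deliveries in mail.log lines on stdin.
maildir_deliveries() {
    awk '/relay=local/ && /status=sent \(delivered to maildir\)/ { n++ } END { print n + 0 }'
}

# relay_rejects: count inbound messages smtpd refused to relay. A non-zero count
# shows outside hosts do reach port 25 and that the server is not an open relay.
relay_rejects() {
    awk '/postfix\/smtpd/ && /Relay access denied/ { n++ } END { print n + 0 }'
}

# run_checklist: run every check over the samples and print one line per item.
run_checklist() {
    printf 'port 25 listen scope: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 25)"
    printf 'port 110 listen scope: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 110)"
    if printf '%s\n' "$SAMPLE_MASTER" | smtpd_enabled; then
        echo 'master.cf: active smtp inet smtpd entry found'
    else
        echo 'master.cf: no active smtp inet smtpd entry'
    fi
    if printf '%s\n' "$SAMPLE_UFW" | ufw_allows 25/tcp; then
        echo 'ufw: 25/tcp allowed'
    else
        echo 'ufw: 25/tcp NOT allowed'
    fi
    printf 'mail.log: %s maildir deliveries, %s relay rejects\n' \
        "$(printf '%s\n' "$SAMPLE_MAILLOG" | maildir_deliveries)" \
        "$(printf '%s\n' "$SAMPLE_MAILLOG" | relay_rejects)"
}

run_checklist
```

The netstat check is the one that catches the case the answer warns about: a service that shows LISTEN but is bound to 127.0.0.1 reports "loopback" rather than "all", which is why a remote telnet to it fails even though the security group and firewall are open. The relay-reject count is worth keeping in a receive-side check because a reachable port 25 that accepts only mail for `mydestination` domains is exactly the state you want; a log with deliveries for domains you do not host would indicate an open relay.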