I've set up a mail server according to this setup: https://thomas-leister.de/en/mailserver-debian-stretch/ The documentation itself looks quite good to me - it is well explained and seems to work... almost.
setup
The server itself is a VM that runs on a host that uses KVM/libvirt virtualization and port forwarding for the ports 25/993 using iptables rules.
virtual
- IP: 10.0.42.170 (NAT network)
- Debian 9
- Postfix 3.1.12
- Dovecot 2.2.27
- rspamd 2.1
host
- IP: (public IP)
- Debian 9
- libvirt
My mailserver can receive mails, but when I try to send a mail as one of the mail users (using Thunderbird), I experience this problem:
- Send mail to another self-hosted account: Mail gets marked as Spam
- Send mail to an external mail account: Mail gets rejected with
5.7.1 <externalemail@domain.tld>: Relay access denied.
I've set all of the DNS records for SPF, dmarc, ... as pointed out in the documentation, but still rspamd marks my mails either as spam, or doesn't allow sending them to external mail accounts.
Here are some relevant mail headers. The actual domain / address / ip values have been changed, though: mail.MYDOMAIN.TLD, CLIENT_IP, user@MAILDOMAIN.TLD
ARC-Authentication-Results: i=1;
    mail.MYDOMAIN.TLD;
    dkim=none;
    spf=neutral (mail.MYDOMAIN.TLD: CLIENT_IP is neither permitted nor denied by domain of user@MAILDOMAIN.TLD) smtp.mailfrom=user@MAILDOMAIN.TLD
X-Spamd-Bar: ++++++
X-Spam-Level: ******
Authentication-Results: mail.MYDOMAIN.TLD;
    dkim=none;
    dmarc=fail reason="No valid SPF, No valid DKIM" header.from=MAILDOMAIN.TLD (policy=reject);
    spf=neutral (mail.MYDOMAIN.TLD: CLIENT_IP is neither permitted nor denied by domain of user@MAILDOMAIN.TLD) smtp.mailfrom=user@MAILDOMAIN.TLD
X-Spam: Yes
When searching for similar problems here on serverfault and on superuser.com, I found some posts that indicate that permit_sasl_authenticated has to be set accordingly (see https://superuser.com/questions/1395511/im-stuck-with-postfix-on-debian-554-5-7-1-relay-access-denied), but in my case this seems to be achieved via the mua_client_restrictions and mua_relay_restrictions.
DNS
main domain:
SPF:
MYDOMAIN.TLD. 3600 IN TXT "v=spf1 a:mail.MYDOMAIN.TLD ?all"
dmarc:
_dmarc.MYDOMAIN.TLD. 3600 IN TXT "v=DMARC1\; p=reject\;"
domainkey:
2019._domainkey.MYDOMAIN.TLD. 1417 IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyBjU5POfOMC0DdzxAeImIKYCWR3frj9jXD3IB7XWIYwV9CK3LP2s+gNxqffneygVPD+tvBZgHbG+kn7tQP1EtHpG0bg/KYrF09r5/f7/ilZflF9RE+t5GQkwAZCtgeZ1FWX8CEYq2kqHpGWhyhBd1l9idaqh97jk6NiuXOzrCZ9dIjoLQ2G8kAMdH7ade0/CT" "dEL4GX4Jzd8Jbb/eFXzM/2kCJ8v7lFUz5zLeMfdYvAto1U6yZ3cEYVjwpFQQZYJ77zq/eS8F/JAvJJWe5OzPnJe4V+i8hFVmsAYHpNysxUFW9KmR/LOYw8ouqpXoMMfOt3ilBLtZZO4n9Dms4iDNQIDAQAB"
mail domain:
SPF:
MAILDOMAIN.TLD. 3600 IN TXT "v=spf1 include:MYDOMAIN.TLD ?all"
dmarc:
_dmarc.MAILDOMAIN.TLD. 3600 IN TXT "v=DMARC1\; p=reject\;"
domainkey:
2019._domainkey.MAILDOMAIN.TLD. 1417 IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyBjU5POfOMC0DdzxAeImIKYCWR3frj9jXD3IB7XWIYwV9CK3LP2s+gNxqffneygVPD+tvBZgHbG+kn7tQP1EtHpG0bg/KYrF09r5/f7/ilZflF9RE+t5GQkwAZCtgeZ1FWX8CEYq2kqHpGWhyhBd1l9idaqh97jk6NiuXOzrCZ9dIjoLQ2G8kAMdH7ade0/CT" "dEL4GX4Jzd8Jbb/eFXzM/2kCJ8v7lFUz5zLeMfdYvAto1U6yZ3cEYVjwpFQQZYJ77zq/eS8F/JAvJJWe5OzPnJe4V+i8hFVmsAYHpNysxUFW9KmR/LOYw8ouqpXoMMfOt3ilBLtZZO4n9Dms4iDNQIDAQAB"
config
Here are some relevant config files:
/etc/hosts
127.0.0.1 localhost
127.0.1.1 mail.MYDOMAIN.TLD mail
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/postfix/master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - 1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
/etc/postfix/main.cf
##
## Network settings
##
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 10.0.42.170
myhostname = mail.MYDOMAIN.TLD
##
## Mail queue settings
##
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS settings
###
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
### Outbound SMTP connections (Postfix as sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.MYDOMAIN.TLD/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.MYDOMAIN.TLD/privkey.pem
##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
##
## Server Restrictions for clients, recipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##
### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/without_ptr
    reject_unknown_client_hostname
### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions for MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
    zen.spamhaus.org*2
postscreen_dnsbl_action = drop
##
## MySQL queries
##
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
Please help me, guys.
Cheers, Alexander.
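
Added example, not part of the original post: a small Python check that resolves which smtpd_relay_restrictions each smtpd-based service in the posted master.cf actually uses, after its `-o` overrides and `$name` references are applied against main.cf, and reports whether that list contains permit_sasl_authenticated. The config excerpts are copied from the post; the function names are this example's own.

```python
import re

# Excerpts copied from the post's main.cf and master.cf (relay-related lines only).
MAIN_CF = """\
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
"""
MASTER_CF = """\
smtp       inet n - y - 1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd      pass - - y - - smtpd
submission inet n - y - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=$mua_relay_restrictions
"""

def logical_lines(text):
    """Join continuation lines (those starting with whitespace); skip comments and blanks."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def parse_main(text):
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in logical_lines(text))}

def parse_master(text):
    services = {}  # service name -> its "-o name=value" overrides
    for fields in map(str.split, logical_lines(text)):
        if fields[7] == "smtpd":  # eighth column is the command
            services[fields[0]] = dict(o.split("=", 1) for o in fields[8:] if o != "-o")
    return services

def effective_relay(main, overrides):
    """Relay restrictions a service really uses: its override if set, else main.cf."""
    value = overrides.get("smtpd_relay_restrictions", main["smtpd_relay_restrictions"])
    value = re.sub(r"\$(\w+)", lambda m: main.get(m.group(1), ""), value)
    return re.split(r"[,\s]+", value.strip())

def audit(main_text=MAIN_CF, master_text=MASTER_CF):
    main = parse_main(main_text)
    return {name: "permit_sasl_authenticated" in effective_relay(main, ov)
            for name, ov in parse_master(master_text).items()}
```

With these excerpts, `audit()` returns False for the `smtpd` service that postscreen hands port 25 connections to, and True for `submission`.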