postfix sends but does not receive email

I am running postfix on a Raspberry Pi behind a home router with dynamic DNS configured. postfix can send email just fine, but it does not seem to receive.

I think the home router and dynamic DNS are fine: I'm hosting a website on the Raspberry Pi, and it works fine and is publicly accessible. So either my MX record is not configured properly or postfix isn't (I think).

(I've redacted my hostname below).

Dynamic DNS configuration for myhostname.ddns.net

  • IPv4 address: the IP address of my Raspberry Pi
  • MX Record: myhostname.ddns.net, Priority 1

Port Forwarding configuration on the home router

D   Service Port    Internal Port   IP Address  Protocol
1   80      80      192.168.0.10    ALL     # web server
2   22      22      192.168.0.10    ALL     # ssh
3   25      25      192.168.0.10    TCP     # mail server

On a third computer (not the Raspberry Pi)

  • ping myhostname.ddns.net: works, I see the IP address of my Raspberry Pi responding.
  • pointing a browser to http://myhostname.ddns.net: works, I see the root of the website. This confirms the dynamic DNS is working and the home router forwarding is working.
  • From a Gmail account, sending mail to pi@myhostname.ddns.net fails after about 24 hours with "delivery incomplete, the recipient server did not accept our requests to connect. timed out". If you know a faster way to test that does not require waiting 24 hours, please let me know.

On the Raspberry Pi, logged in as "pi"

$ mail
No mail for pi

$ dig myhostname.ddns.net MX +short
1 myhostname.ddns.net

$ sudo postfix status
postfix/postfix-script: the Postfix mail system is running: PID: 16232

$ sudo netstat -plutn | grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      16232/master

$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

$ cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Raspbian)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
myhostname = myhostname.ddns.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = myhostname.ddns.net, myhostname, localhost.localdomain,
    localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
mailbox_command =
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

$ cat /etc/mailname
myhostname.ddns.net

Update

Comcast blocks port 25, see https://www.xfinity.com/support/articles/email-port-25-no-longer-supported

mipnw

Posted 2018-05-03T05:41:16.167

Reputation: 113

You may already be aware of this, but there are a good number of services that will accept mail on port 25 on your behalf (you put their servers in your MX records) and they will forward the mail to an unblocked alternate port on your home connection, which your mail server is listening on (port forwarding on your local router obviously still applies). The only drawback is that the majority want a decent amount of money for these services. The cheapest I have personally found is https://mxguarddog.com/. They actually can be free if you can live with just using postmaster@yourdomain.com.

– Anaksunaman – 2018-05-04T08:25:40.263

@Anaksunaman I wasn't aware of these services, thanks! Looks like mxguarddog.com is now $0.25/user/mth, not bad, although that's to be added to the cost of hosting a mail server since all they do is relay. Still it's a nice option! – mipnw – 2018-05-04T08:35:23.010
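Added example for the approach Anaksunaman describes above; it is not configuration from this thread or from any particular provider. It makes Postfix accept inbound mail on a second port and, because that port is reachable from the whole Internet once the router forwards it, restricts it to the forwarding service's source addresses so that nobody can bypass the service (and whatever filtering it does) by connecting to the Pi directly. The port number 2525 and the 203.0.113.0/24 block (an RFC 5737 documentation range) are placeholders; use the port and address list the provider publishes, and forward that port on the home router the same way port 25 is forwarded above. `mynetworks` stays as in the posted main.cf, so the service can deliver only to domains in `mydestination` and cannot use the Pi as an outbound relay.

```conf
# /etc/postfix/master.cf  (added next to the existing "smtp inet ... smtpd" line)
# service  type  private unpriv chroot wakeup maxproc command + args
2525       inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/inbound-2525
  -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/inbound_relays.cidr,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

# /etc/postfix/inbound_relays.cidr  (cidr: tables are read directly; no postmap step)
# Placeholder range: replace with the forwarding service's published addresses.
203.0.113.0/24   OK
```

After `postfix reload`, `postconf -M 2525/inet` shows the new entry and `ss -ltn` (or the `netstat -plutn` used above) should list `0.0.0.0:2525` next to `0.0.0.0:25`. The existing port 25 listener can stay; it is simply unreachable from outside while the ISP drops that port. The MX record at the DDNS provider then has to point at the service's hosts rather than at myhostname.ddns.net, since the service, not the Pi, is what other mail servers must reach on port 25.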

Answers

There are a few things here which you need to check.

  1. I guess Google can't send an email to you because you don't have an MX record. But let's pretend that's not an issue for a moment and let's troubleshoot other issues. (No, DDNS will not give you MX for many good reasons)

  2. Make sure that you are allowed to connect to your port 25 from the Internet. I guess you will not be able to, but to test it please do the following:

    nc -vv myhostname.ddns.net 25

or

    telnet myhostname.ddns.net 25

That should show if you are allowed to connect to port 25 - mind you, some ISPs might block incoming connections to port 25. Of course you need to check your internal firewall on your Pi (what Linux distro do you run?)

  3. As soon as you are connected to your server you will be able to send an email using telnet/nc.

    EHLO myhostname.ddns.net

(you should get here a few lines starting with 250)

    MAIL FROM:<your@myhostname.ddns.net>
    RCPT TO:<email@to_send_it_to.com>
    DATA

and then start typing your email. End with a single "." on the last line, like this:

    Subject: Test email

    Test email from my server.
    .

Then you should see that the email was sent over or at least accepted. No need to wait 24h :)

  4. I really doubt that you will be able to use your Pi email server for anything but a few tests. To begin with you have no MX records and no control over DKIM, PTR and SPF... In other words it will not be production ready, nor will people accept emails from your server. And the fact that you are on a dynamic IP means that your IP is blocked by 99% of spam filters. Yes, just because it's not static.

Chris

Posted 2018-05-03T05:41:16.167

Reputation: 1 766

Actually my DDNS provider gives me the option to configure an MX record. I configured it. And dig myhostname.ddns.net MX +short returns 1 myhostname.ddns.net which is what I expect. – mipnw – 2018-05-03T18:58:42.697

That's the problem indeed. I can telnet to port 25 from inside the LAN but not from outside. Port 25 on the Raspberry Pi is open since I can telnet to it from inside the LAN. Port forwarding on my home router works since I can SSH to the Pi from outside the LAN, and navigate a website from outside the LAN. So ports 80 and 22 forward just fine, and port 25 is set to forward as well. Comcast must be blocking port 25, but why? – mipnw – 2018-05-03T18:59:17.827

I don't expect this Pi to handle a gazillion amount of traffic. That's not the point of this setup. My needs should be handled more than appropriately by a Raspberry Pi. Also I can send email from the Pi via Gmail's SMTP just fine and it's not ending up in recipients' spam folders. I don't care if my Pi receives spam when I open port 25, I can deal with that. – mipnw – 2018-05-03T19:02:06.130

Linux distro on the Pi is Raspbian – mipnw – 2018-05-03T19:04:11.880

Comcast blocks port 25: https://www.xfinity.com/support/articles/email-port-25-no-longer-supported – mipnw – 2018-05-03T19:14:30.190
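The checks from the answer above, as an added example that is not part of the original thread: a small Python script that (1) classifies what happens on a TCP connect to port 25, so the poster's "works from inside the LAN, times out from outside" symptom shows up as `timeout` (a silently dropped port) rather than `refused` (reachable host, no listener) or `ok` (a 220 banner), and (2) runs the manual EHLO / MAIL FROM / RCPT TO / DATA session with the reply code checked at every step. It also includes a constructed stand-in SMTP server that answers the way the posted main.cf would, accepting recipients at myhostname.ddns.net and deferring anything else with `454 Relay access denied` (`defer_unauth_destination`), which is why, from outside the network, the test recipient must be a local mailbox such as pi@myhostname.ddns.net rather than an external address. Host names, ports and addresses are placeholders.

```python
import socket
import threading

# Added example for the thread above (not code from the original post). Host names,
# ports and addresses are placeholders; start_fake_smtpd() is a constructed test
# double so the whole thing can be exercised offline.

def read_reply(f):
    """Read one SMTP reply ('NNN-' lines continue it); return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def probe(host, port=25, timeout=10):
    """'timeout' is what a port silently dropped by the ISP or router looks like
    (Gmail's 'did not accept our requests to connect ... timed out'); 'refused'
    means the host answered but nothing listens; 'ok' means the MTA sent 220."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code, lines = read_reply(s.makefile("rb"))
            return {"status": "ok" if code == 220 else "unexpected", "banner": lines[0]}
    except socket.timeout:
        return {"status": "timeout", "banner": None}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except OSError as exc:
        return {"status": "error", "banner": str(exc)}

def deliver_test(host, port, sender, recipient, timeout=10):
    """The manual session from the answer, DATA step included. Returns
    [(command, reply code), ...] and stops at the first unexpected code."""
    steps = [("EHLO test.example", 250),  # placeholder client name
             (f"MAIL FROM:<{sender}>", 250),
             (f"RCPT TO:<{recipient}>", 250),
             ("DATA", 354)]
    message = (f"Subject: Test email\r\nFrom: <{sender}>\r\nTo: <{recipient}>\r\n"
               "\r\nTest email from my server.\r\n.\r\n")  # lone '.' ends DATA
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, _ = read_reply(f)
        transcript.append(("<banner>", code))
        ok = code == 220
        for cmd, expected in steps:
            if not ok:
                break
            s.sendall(cmd.encode() + b"\r\n")
            code, _ = read_reply(f)
            transcript.append((cmd, code))
            ok = code == expected
        if ok:
            s.sendall(message.encode())
            code, _ = read_reply(f)
            transcript.append(("<message>", code))
        s.sendall(b"QUIT\r\n")
    return transcript

def start_fake_smtpd():
    """Constructed stand-in for the poster's Postfix: RCPT TO is accepted only for
    @myhostname.ddns.net, anything else gets 454 (defer_unauth_destination).
    Serves one connection on 127.0.0.1 in a thread and returns the port."""
    replies = {"EHLO": b"250-fake.ddns.net\r\n250 STARTTLS\r\n",
               "MAIL": b"250 2.1.0 Ok\r\n",
               "DATA": b"354 End data with <CR><LF>.<CR><LF>\r\n"}
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 fake.ddns.net ESMTP\r\n")
        in_data = False
        for raw in conn.makefile("rb"):
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            verb = line[:4].upper()
            if in_data:
                in_data = line != "."
                if not in_data:
                    conn.sendall(b"250 2.0.0 Ok: queued\r\n")
            elif verb == "RCPT":
                local = line.lower().endswith("@myhostname.ddns.net>")
                conn.sendall(b"250 2.1.5 Ok\r\n" if local else b"454 4.7.1 Relay access denied\r\n")
            elif verb == "QUIT":
                break
            else:  # unknown verbs (e.g. a bare 'subject:') get 500, as Postfix answers
                conn.sendall(replies.get(verb, b"500 5.5.2 Error: command not recognized\r\n"))
                in_data = verb == "DATA"
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "myhostname.ddns.net"))  # placeholder host
```

Run it from a machine outside the home network (`python3 smtp_probe.py myhostname.ddns.net`): a `timeout` there, while `netstat` on the Pi shows `0.0.0.0:25 LISTEN` and a connection from inside the LAN gets the banner, is the ISP-block signature discussed in the comments, and it takes the connect timeout rather than Gmail's 24-hour retry window to find out. When the probe does return `ok`, `deliver_test(host, 25, "test@" + host, "pi@" + host)` walks the whole transaction and the transcript shows exactly which step the server rejects.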

As Comcast says on "Ports blocked on Comcast's network", you could use port 587.

Edit: Comcast also stated --> If you are running a mail server please contact Comcast Customer Security Assurance at 1-877-807-6580 for more information on this block.

See: How to configure TLS encryption in Postfix

Kyrie001

Posted 2018-05-03T05:41:16.167

Reputation: 50

Configuring TLS encryption isn't going to allow my mail server to receive incoming emails from other email servers to my users. If I understand SMTP (not sure I do), email servers trying to deliver emails to my server will connect to port 25. Port 587 is for outgoing emails from my users through my server to the rest of the world. Port 25 is blocked, so I can never receive emails, which defeats the purpose of hosting behind a home internet service. – mipnw – 2018-05-04T07:35:42.903

Indeed. Jason Berg's answer in your link "Port 25 needs to be open in order for it to receive mail from the internet. All mail servers will establish a connection on port 25 and initiate TLS (encryption) on that port if necessary." is quite clear. Unfortunately it means hosting a mail server is dead on arrival if port 25 is blocked. – mipnw – 2018-05-04T07:56:14.193