Thread: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

  1. #11
    Join Date
    Jul 2005
    Location
    Oakland, CA
    Beans
    75
    Distro
    Ubuntu 15.04 Vivid Vervet

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    I should further note that with this configuration, I am able to send mail through the telnet prompt.

    Code:
    telnet navolta.com 25
    Trying 184.106.238.45...
    Connected to saikoled.
    Escape character is '^]'.
    220 navolta.com ESMTP Postfix (Ubuntu)
    HELO navolta.com
    250 navolta.com
    MAIL FROM: neltnerb@navolta.com
    250 2.1.0 Ok
    RCPT TO: neltnerb@mit.edu
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    SUBJECT: test
    test
    .
    250 2.0.0 Ok: queued as B8E7410C072
    and this results in an email arriving in my inbox at neltnerb@mit.edu. I am a little concerned that sending mail via the relay did not seem to actually require SASL authentication.

    I should also note that telnet into navolta.com on port 25 from my other computer does not successfully connect. I am not sure if this is correct.

    I checked the firewall, and running sudo ufw status gives:
    Code:
    WARN: Duplicate profile 'Apache', using last found
    WARN: Duplicate profile 'Apache Secure', using last found
    WARN: Duplicate profile 'Apache Full', using last found
    ERROR: problem running iptables: modprobe: ERROR: ../libkmod/libkmod-index.c:821 index_mm_open() magic check fail: b007fa57 instead of b007f457
    modprobe: ERROR: ../libkmod/libkmod.c:556 kmod_search_moddep() could not open moddep file '/lib/modules/2.6.35.4-rscloud/modules.dep.bin'
    iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    which it did not say previously when using ufw in Ubuntu 12.04. I do not understand the nature of this error message. I will create a separate post about this behavior in ufw.
    Last edited by neltnerb; August 25th, 2014 at 11:41 PM.

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    I didn't re-read everything above, but something is jumping out at me.
    The FQDN is normally system.domain.com - mail.example.com. The MX record is used to tell other SMTP servers which host to send email at. Don't know if it matters, but thought I'd mention it.

    Why would sending email need authentication if the client is on MyNetworks?

    The iptables error seems to say that the kernel doesn't have it loaded. That is probably bad on an internet facing server of any sort. Having a firewall that can restrict the bad-servers out there is important - even if just to slow down their connections. I realize this isn't helpful at this time.

    Oh - and the reason I'm not just posting my config for you to copy - I have a front-end server that receives all email, then forwards to a Zimbra server. There are multiple domains involved with backup mail servers - things are complicated here. I haven't used dovecot/courier-imap in about 8 yrs.

    There is a good set of tutorials at howtoforge.com - that might be helpful. Just know that working doesn't mean secured too. That is still your responsibility.
    Last edited by TheFu; August 26th, 2014 at 12:03 AM.

  3. #13
    Join Date
    Jul 2005
    Location
    Oakland, CA
    Beans
    75
    Distro
    Ubuntu 15.04 Vivid Vervet

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    Thanks TheFu for your suggestion!

    I am tracking down the possibility that the iptables issue is due to rackspace not having a current kernel running on the virtual server. It seems they automatically load the kernel from the host machine instead of the virtual machine, and since it only happened after I upgraded from 12.04 to 14.04, I suspect that the new version of iptables may be looking for a different version of the kernel module.

    If I can get the ability to telnet into the machine on port 25 remotely, hopefully I will be unable to send email through telnet, but connect to it. Hopefully update shortly, rackspace tech support may have more information specific to their virtual servers that I don't know yet.

  4. #14
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    Please re-read my last post - updated - however, I'd assumed the server was on a network you controlled, not at a remote hosting provider. I've actually never run a full email server on someone else's network - just forwarding servers.

    So about the iptables stuff - you need to know if the instance is Xen paravirtual or not. If it is, you can only run kernels they provide and only load modules they provide. LXC or Docker has similar limitations - not so good when control over the network is needed. I know that rackspace can support full KVM VMs (they are a huge openstack shop; see them at the openstack meetings here), but don't know which you are on.
    The invoice should clearly say what you have - HVM or container or paravirtual or ... ?

    If you can telnet to port 25 - then use any client to send email. I'd definitely want authentication mandatory or your domain will be marked as a spammer (open relay) very quickly and become useless.
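
A simplified model of the relay decision discussed in posts #11 to #14, as an added example that is not part of the thread or of Postfix itself: it shows why a session opened from the server (inside `mynetworks`) can relay without SASL while an unauthenticated outside client cannot. The sample `main.cf` is constructed, only three restrictions are modelled, and "local domain" is assumed to mean `mydestination` only.

```python
import ipaddress

# Constructed sample, not the poster's actual main.cf. In main.cf a line that
# starts with whitespace continues the previous parameter; no backslash is used.
SAMPLE_MAIN_CF = """\
mydestination = navolta.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value}, folding whitespace-led continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += " " + raw.strip()
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def words(value):
    """Split a Postfix list value on commas and whitespace."""
    return value.replace(",", " ").split()

def relay_decision(params, client_ip, sasl_authenticated, rcpt_domain):
    """Simplified first-match walk over smtpd_recipient_restrictions."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
            for n in words(params.get("mynetworks", ""))]
    local = set(words(params.get("mydestination", "")))
    for rule in words(params.get("smtpd_recipient_restrictions", "")):
        if rule == "permit_mynetworks" and any(ip in n for n in nets):
            return "permit (permit_mynetworks)"
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit (permit_sasl_authenticated)"
        if rule == "reject_unauth_destination" and rcpt_domain not in local:
            return "reject (reject_unauth_destination)"
    return "permit (end of list)"

if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for ip, auth in [("127.0.0.1", False), ("203.0.113.7", False), ("203.0.113.7", True)]:
        print(ip, auth, relay_decision(cfg, ip, auth, "mit.edu"))
```

Replacing `mynetworks` with `0.0.0.0/0` in this model makes every unauthenticated client match `permit_mynetworks`, which is the open-relay condition post #14 warns about.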

  5. #15
    Join Date
    Aug 2009
    Location
    Makati City, Philippines
    Beans
    2,269
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    Am I late on suggesting an email server?

    We used this on a production environment and it is working very well. Complete with postfix, dovecot, amavisd, spamassassin with fail2ban and iptables. Up and running in less than 15 minutes and with very minimal configuration. I can't promote it well enough. It's worth a shot, just install it on a FRESH Ubuntu server (no extra packages installed).
    http://iredmail.org/install_iredmail_on_ubuntu.html

  6. #16
    Join Date
    Jul 2005
    Location
    Oakland, CA
    Beans
    75
    Distro
    Ubuntu 15.04 Vivid Vervet

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    Thanks nerdtron, that looks like a great solution... I've already got apache2 running several sites though, so it's not really a fresh server. It's actually been upgraded from 10.04 over the years. I'd definitely like to avoid reinstalling from scratch since I don't want to end up having to fix the webserver too.

  7. #17
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,521
    Distro
    Ubuntu Development Release

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    Quote (originally posted by neltnerb):
        For one, the official guide clearly has a typo on the smtpd_recipient_restrictions line, the backslash is not allowed in that command.

    The backslash is supposed to mean to continue the command on the next line.

    Quote (originally posted by neltnerb):
        So, I think I can guess with fair certainty that the issue is the "smtpd_sasl_type = dovecot" directive.

    For sure that is the difference between our two setups. I didn't do the SMTP Auth stuff, and I assume that if you do, the tcp session is expecting some cipher exchange packets immediately after the connection is established and you would not get that with a telnet session.

    It would be good to update the serverguide (which I can help with) as needed and as a result of your investigation.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  8. #18
    Join Date
    Jul 2005
    Location
    Oakland, CA
    Beans
    75
    Distro
    Ubuntu 15.04 Vivid Vervet

    Re: Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

    I think at this point I'm going to try to switch things over to just using the google apps toolkit. Alas, this is just taking too much attention and I've got too many other things to take care of.

    With regards to the "typo", yes, I realize that's what the backslash means. However, the command doesn't allow multi-line input, so the guide should have the whole command on one line so people copy/pasting will not run into trouble.

    Before deciding that this is probably just too far beyond my level to be able to do securely and reliably, I was able to send emails locally through telnet as well as receive emails, so it might actually have been working once I got the iptables issue worked out. I'm going to try to figure that one out anyway since my firewall should be, well, operational regardless of whether it's running a mailserver, but I'll track that in the separate thread since it's not directly related to the original problem anymore.

    I definitely think that the documentation needs a refresh; I'm no linux expert, but I have been using it regularly for over a decade and I wasn't able to get it to work. It's possible that it's related to having gone the upgrade route (10.04 to 12.04 to 14.04) instead of a fresh install, and it could also easily be related to the virtual hosting from rackspace having an outdated kernel. However, either way I think that some of the information is no longer accurate.

    The most obvious one is that in the section "SMTP Authentication" it claims that the /etc/postfix/main.cf file should look a certain way. After executing those commands on a fresh postfix install, the file does not look that way. This is confusing, and would be good to update.

    It might also be simpler to actually just have users start by installing mail-stack-delivery, and then provide guidance on modifying that seemingly pretty good basic configuration.
