Mail Server tutorial for 14.04 isn't quite right, not sure what to do.

[neltnerb]

Sorry if this is super easy, I'm not very experienced with running a server.

I'm trying to get a mailserver running on my virtual server, but nothing is quite fitting together right. I have Ubuntu 14.04 installed, and was following this server guide to get it up and running.

https://help.ubuntu.com/14.04/serverguide/postfix.html

Before starting, I did

Code:

apt-get purge postfix dovecot-core
apt-get --purge autoremove

in order to get a clean postfix configuration (it somehow has some memory of the last time I configured it, but the /etc/postfix directory is gone).

I've tried doing this using the full version, and also using the mail-stack-delivery version, but neither is quite working.

Using the full version, I get to the end and when I try to test it over telnet it connects for a moment and then reports

Code:

Escape character is '^]'.
Connection closed by foreign host.

The time to close varies from nearly immediate to 10 seconds or so. However, I can't find anything in /var/log/mail.log

I tried purging postfix again, and telnet instead never connects, so I figure postfix must be running but having some error after connection that breaks it.

When I try next to use the mail-stack-delivery option, I *am* able to connect to postfix through telnet as I should, but now ehlo doesn't return the

Code:

250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

lines (it has 250-STARTTLS and 250 8BITMIME).

This is all rather confusing to me. Particularly that there are no log files or error messages indicating what could be happening. Does anyone have an idea for how to diagnose this and get it up and running?

contents of /etc/postfix/main.cf

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = navolta.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = navolta.com, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

[TheFu]

So - I looked at the DNS stuff - looks fine from here.

The mynetworks line looks incorrect - it is meant for internal IPs, not the public IPs. It is a best practice NOT to place the real email server on a public network - use an email gateway that does most of the spam filtering/dropping and have it forward to the real email server on the internal network. You'll thank me for this.

If there isn't a connection being made, I would guess that there is a router or firewall blocking port 25 ... or the forwarding isn't working correctly. Can't tell from here.

I assume the certs in the config file are there and for the correct hostname?

Running postconf -n will show the actual settings. Helpful.

[neltnerb]

Thanks so much for taking a look!

I'm afraid I don't know what an email gateway is... this is my first time setting up a mail server that's not exclusively used locally. Is that intended to be a separate computer, or something like amavisd-new? I hadn't gotten quite that far in the installation yet.

There is a connection being made, at least when done from the server, it just disconnects rapidly. Fairly confident it isn't a firewall issue.

Would certificates cause the telnet connection on port 25 to drop? I think I did them correctly, but that's certainly a possibility; I haven't gotten far enough to test that.

Probably worth mentioning that I did first try this tutorial for 12.04:

https://help.ubuntu.com/community/MailServer

With that I was able to get all the port 25 stuff working, and even got as far as reading mailboxes with IMAP, but sending mail never worked right so I upgraded to 14.04 and started over with the newer tutorial. There could be residue from that process, although I was pretty thorough with the apt-get purging afterwards.

Output of postconf -n

Code:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = navolta.com, localhost.localdomain, localhost
myhostname = navolta.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

[TheFu]

Going to 14.04 is probably smart at this point. My main email server is still on 10.04, but we'll move to 12.04 this fall sometime. The front-end server is on 12.04 - soon to be 14.04.

I tried to connect to your server - if any connection was made, it didn't look right from here. What do the log files show?

[neltnerb]

Going to 14.04 is probably smart at this point. My main email server is still on 10.04, but we'll move to 12.04 this fall sometime. The front-end server is on 12.04 - soon to be 14.04.

I tried to connect to your server - if any connection was made, it didn't look right from here. What do the log files show?

Nothing whatsoever in the logs. The last message is from yesterday.

Code:

Aug 22 03:47:32 auth: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 22 03:47:32 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 22 03:47:32 ssl-params: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 22 03:47:32 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 22 03:47:32 auth-worker: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Aug 22 03:47:32 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)

which I believe is just from the last time I restarted postfix, though I don't know for sure.

[TheFu]

Every connection should be logged - assuming postfix is listening.
Is it running? Or did exim get there first and grab the port?
dpkg -l |grep exim - you don't want 2 MTAs on a system.

Which log file? Check the all, please.

[neltnerb]

Thanks for the ideas!

exim was installed, but I had previously disabled it. I purged all of the exim packages to be safe, but the problem with the telnet connection disconnecting after connecting continues.

That was mail.log.

None of the other mail log files (I have .err, .info, .warn) or their .1 versions have anything recent. That includes me successfully connecting via telnet to port 25 from localhost (after which it disconnected).

Perhaps postfix is putting log information elsewhere? Or maybe the verbosity is not high enough?

[Doug S]

Who is listening to port 25? Example:

Code:

doug@doug-64:~$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1423/mysqld
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1649/smbd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1592/apache2
tcp        0      0 192.168.111.1:53        0.0.0.0:*               LISTEN      1231/named
... deleted one unrelated line ...
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1231/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1090/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1499/master
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1231/named
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1649/smbd
doug@doug-64:~$ ps aux | grep master
root      1499  0.0  0.0  25112  1548 ?        Ss   Aug22   0:00 /usr/lib/postfix/master
doug      4502  0.0  0.0   9388   892 pts/0    S+   09:01   0:00 grep --color=auto master

When I connect to your server port 25, sometimes it disconnects right away and sometimes I am able to type stuff, but get no reply.

[neltnerb]

Hello Doug, thanks for the idea, I was wondering how to do that.

Code:

sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      3525/apache2    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3303/varnishd   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2998/sshd       
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      28574/master    
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      3250/varnishd

I'm afraid I don't know quite what to make of that.

[neltnerb]

I'm going to try setting this up again according to the tutorial to see at what step functionality breaks. Here is my report:

Before starting, I apt-get purge dovecot-core and postfix.

Install Postfix

Code:

apt-get install postfix

Set FQDN to navolta.com and "Internet Site". Reported warning "newaliases: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol", but no errors. Similar repeated warnings for postalias, postmulti, and postfix immediately following.

Also reported warnings:

Code:

Processing triggers for ufw (0.34~rc-0ubuntu2) ...
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found

Checking functionality:

Code:

telnet navolta.com 25
Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 saikoled ESMTP Postfix (Ubuntu)
ehlo navolta.com
250-saikoled
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

dpkg-reconfigure

Code:

dpkg-reconfigure postfix

Options:

• System Mail name: navolta.com
• Root and postmaster mail recipient: user account name
• Other destinations to accept mail for: navolta.com, localhost.localdomain, localhost
• Force synchronous updates on mail queue?: No
• Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24 (Note: this is based on the comment in the tutorial that says to replace "192.168.0.0/24 with the actual network and class range of your mail server")
• Mailbox size limit: 0
• Local address extension character: +
• Internet protocols to use: ipv4 (changing to this eliminates the ipv6 warnings above).

After this, output from telnet navolta.com 25 and ehlo navolta.com is unchanged.

SMTP Configuration

First I followed the instructions for creating certificates using the certificate tutorial which puts self-signed certificates into

Code:

/etc/ssl/certs/server.crt
/etc/ssl/private/server.key

Next, I follow the SMTP Authentication section of the tutorial. First it says to configure the following.

Code:

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

and then it says to continue with the following, adjusted for my server.

Code:

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = navolta.com'

At this point, the /etc/postfix.main.cf file looks like this:

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = navolta.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = navolta.com, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

which is significantly different than what the tutorial says it should be, but I chalk it up to slight version differences.

At this stage, connecting to the server via telnet navolta.com 25 causes the error seen before regarding the connection being established and then nearly immediately closing with no log messages.

Comparing the instructions in the 14.04 Mail Server Guide to the Community Guide to Postfix has some differences. For one, the official guide clearly has a typo on the smtpd_recipient_restrictions line, the backslash is not allowed in that command.

In particular, the official guide has the following commands missing from the community guide for the first set of commands:

Code:

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'

while the community guide has the added line

Code:

sudo postconf -e 'inet_interfaces = all'

with the explanation that the prior is to authenticate using SASL while the latter authenticates using Dovecot SASL.

The community guide then also instructs to edit /etc/postfix/sasl/smtpd.conf and add:

Code:

pwcheck_method: saslauthd
mech_list: plain login

which in the official guide instead says to only set the mech_list in

Code:

/etc/dovecot/conf.d/10-auth.conf

.

The community guide also instructs to generate certificates for smtpd specifically, whereas the official documentation only mentions the main certificates:

Code:

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

The community guide instructions for the second set of commands is slightly changed from the official instructions, with the added lines:

Code:

sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'

for which I assume the three certificate path changes are due to the production of the extra certificates.

In the interest of confirming the error, I removed these two lines from main.cf

Code:

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'

I created the file /etc/postfix/sasl/smtpd.conf to have:

Code:

pwcheck_method: saslauthd
mech_list: plain login

and I made the permissions on the certificates root:website instead of root:root while removing o-r privileges to match the snakeoil certificate in the directory. I also added

Code:

smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem

to match my CA certificate, which wasn't included before. I also ran

Code:

sudo service saslauthd start

to ensure that saslauthd was actually running.

After doing these changes, the server works again with telnet, showing:

Code:

telnet navolta.com 25
Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 navolta.com ESMTP Postfix (Ubuntu)
ehlo navolta.com
250-navolta.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

but I do not understand entirely why. It could have been the change in authentication service, or the change in permissions on the certificates. To narrow this down, I stopped the saslauthd service and verified that the telnet command still works. I next reset the ownership on the /etc/ssl/private/server.key and /etc/ssl/certs/server.crt to root:root and the telnet command still works.

Next, I re-executed the command:

Code:

sudo postconf -e 'smtpd_sasl_path = private/auth-client'

and now when I run the telnet check, it gives me:

Code:

telnet navolta.com 25Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 navolta.com ESMTP Postfix (Ubuntu)

500 5.5.2 Error: bad syntax
ehlo navolta.com
250-navolta.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

which is a slight change in that it now appears to allow additional authentication methods.

Finally, adding back in the command

Code:

sudo postconf -e 'smtpd_sasl_type = dovecot'

finally breaks the server. Now when I telnet back in I see the server disconnect.

So, I think I can guess with fair certainty that the issue is the "smtpd_sasl_type = dovecot" directive.

Upon reviewing the postfix documentation, I typed postconf -a to ensure that dovecot SASL is supported in the version of postfix I am using. It appears to be supported. I also noted in the documentation that dovecot SASL needs to be installed, which it possibly isn't. I ran

Code:

apt-get install dovecot-core

to install dovecot. I note that this is different from the official guide which says I need to install dovecot-common. apt-get installed dovecot-core instead, so I assume this is a drop in replacement but this could be incorrect. An apt-cache search did not show any other obvious packages that look like a separated out SASL package.

At this point, I'm not entirely sure what the issue is, but it seems to involve the use of dovecot SASL. More information than this I am not sure how to collect.