Postfix/Dovecot can receive (but not send) mail

Discussion in 'Server Operation' started by teer26, Oct 9, 2019.

  1. teer26

    teer26 New Member

    Using Roundcube (1.3.10) with Postfix (3.4.3) and Dovecot (2.2.36) on CentOS 7 VPS.
    I can login and receive emails, but I cannot send them. Trying to send mail results in "*Waiting for webmail.mydomain.com...*" in the bottom browser status bar, while Roundcube displays "*Sending message...*" for 2-3 minutes.

    What could be causing this behavior? I had the server working until I switched to "secure" ports/services. But even after (exhaustively) reading the Postfix/Dovecot documentation, I'm still as confused as I was when I started.

    Note: I am also using Nginx/PostfixAdmin/MariaDB if that matters at all.

    /var/log/maillog displays the following.
    Code:
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: initializing the server-side TLS engine
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
    Oct  6 20:13:10 hwsrv-579344 opendmarc[1060]: ignoring connection from localhost
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: setting up TLS connection from localhost[127.0.0.1]
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:before/accept initialization
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE90] (11 bytes => 6 (0x6))
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a                                RSET..
    Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => 5 (0x5))
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d                                   QUIT.
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:error in SSLv2/v3 read client hello A
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept error from localhost[127.0.0.1]: -1
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: lost connection after STARTTLS from localhost[127.0.0.1]
    Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
    Oct  6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: initializing the server-side TLS engine
    Oct  6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
    Oct  6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: lost connection after AUTH from unknown[4.5.6.7]
    Oct  6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2
    Below are my configuration settings for Postfix, Dovecot and Roundcube:

    postconf -n
    Code:
    alias_database                      = $alias_maps
    alias_maps                          = hash:/etc/postfix/aliases
    biff                                = no
    broken_sasl_auth_clients            = yes
    command_directory                   = /usr/sbin
    compatibility_level                 = 2
    daemon_directory                    = /usr/libexec/postfix
    data_directory                      = /var/lib/postfix
    debug_peer_level                    = 2
    debugger_command                    = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                                          ddd $daemon_directory/$process_name $process_id & sleep 5
    html_directory                      = no
    inet_interfaces                     = all
    inet_protocols                      = ipv4
    mail_owner                          = postfix
    mailq_path                          = /usr/bin/mailq.postfix
    manpage_directory                   = /usr/share/man
    meta_directory                      = /etc/postfix
    milter_default_action               = accept
    milter_protocol                     = 2
    mydestination                       = $myhostname, localhost.$mydomain, localhost
    newaliases_path                     = /usr/bin/newaliases.postfix
    non_smtpd_milters                   = unix:/var/run/opendkim/opendkim.socket,
                                          unix:/var/run/opendmarc/opendmarc.socket,
                                          unix:/var/run/spamass-milter/spamass-milter.socket
    queue_directory                     = /var/spool/postfix
    readme_directory                    = /usr/share/doc/postfix-2.6.6/README_FILES
    relay_domains                       = *
    sample_directory                    = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path                       = /usr/sbin/sendmail.postfix
    setgid_group                        = postdrop
    shlib_directory                     = no
    smtp_tls_loglevel                   = 1
    smtp_tls_security_level             = may
    smtp_use_tls                        = yes
    
    smtpd_milters                       = unix:/var/run/opendkim/opendkim.socket,
                                          unix:/var/run/opendmarc/opendmarc.socket,
                                          unix:/var/run/spamass-milter/spamass-milter.socket
    smtpd_recipient_restrictions        = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_relay_restrictions            = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable              = yes
    smtpd_sasl_local_domain             = $mydomain
    smtpd_sasl_path                     = /var/run/dovecot/auth-client
    smtpd_sasl_security_options         = noanonymous
    smtpd_sasl_tls_security_options     = $smtpd_sasl_security_options
    smtpd_sasl_type                     = dovecot
    smtpd_tls_auth_only                 = yes
    smtpd_tls_cert_file                 = /etc/ssl/private/vmail.crt
    smtpd_tls_key_file                  = /etc/ssl/private/vmail.key
    smtpd_tls_loglevel                  = 3
    smtpd_tls_received_header           = yes
    smtpd_tls_security_level            = may
    smtpd_tls_session_cache_database    = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout     = 3600s
    smtpd_use_tls                       = yes
    
    tls_random_source                   = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    
    virtual_alias_maps                  = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
    virtual_gid_maps                    = static:2000
    virtual_mailbox_base                = /var/www/mail/vmail
    virtual_mailbox_domains             = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    virtual_mailbox_maps                = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
    virtual_minimum_uid                 = 2000
    virtual_transport                   = lmtp:unix:private/dovecot-lmtp
    virtual_uid_maps                    = static:2000
    /etc/postfix/master.cf
    Code:
    smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
    spamassassin unix -     n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=no
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=reject_sender_login_mismatch
      -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
      -o smtpd_sasl_security_options=noanonymous
      #-o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    dovecot.conf
    Code:
    auth_mechanisms        = plain login
    disable_plaintext_auth = yes
    default_login_user     = vmail
    first_valid_uid        = 2000
    first_valid_gid        = 2000
    listen                 = *
    mail_access_groups     = vmail
    mail_location          = maildir:/var/www/mail/vmail/%d/%n
    protocols              = imap lmtp pop3
    verbose_ssl            = yes
      
    namespace inbox {
        type = private
        separator = /
        prefix =
        inbox = yes
    }
      
    namespace inbox {
        mailbox Drafts {
            auto = subscribe
            special_use = \Drafts
        }
      
        mailbox Junk {
            auto = subscribe
            special_use = \Junk
        }
      
        mailbox Trash {
            auto = subscribe
            special_use = \Trash
        }
      
        mailbox Sent {
            auto = subscribe
            special_use = \Sent
        }
    }
      
    passdb {
        driver = sql
        args = /etc/dovecot/dovecot-sql.conf
    }
      
    userdb {
        driver = static
        args = /etc/dovecot/dovecot-sql.conf
    }
      
    service lmtp {
        unix_listener /var/spool/postfix/private/dovecot-lmtp {
            group = postfix
            mode = 0600
            user = postfix
        }
    }
      
    service auth {
        unix_listener auth-client {
            group = postfix
            mode = 0660
            user = postfix
       }
       user = root
    }
      
    service imap-login {
        inet_listener imaps {
            port = 993
        }
      
        process_min_avail = 1
        user = vmail
    }
      
    service pop3-login {
        inet_listener pop3s {
            port = 995
        }
      
        process_min_avail = 1
        user = vmail
    }
      
    ssl = required
    ssl_cert = </etc/ssl/private/vmail.crt
    ssl_key = </etc/ssl/private/vmail.key
    roundcubemail-1.3.10/config/config.inc.php
    (see next post, post is too large with it included)


    Thanks in advance for any time and effort on my behalf,
    Sam
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What exactly was changed?
    Can you not undo those changes?
    The mail.log you posted shows postfix producing
    SSL_accept:error
    so I guess something about SSL is not working on your host.
    Further testing of the certificate is possible with tools on websites; use Internet search engines with
    ssl testing
    as search words. Those tools usually test the website; when testing the certificates the e-mail server has, search with
    ssl testing mail server
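
Added example (not written by any poster in this thread): a small parser for the `smtpd_tls_loglevel = 3` hex dumps in the maillog from the first post. It shows that during `SSL_accept` the submission service read plaintext `RSET`/`QUIT` where a TLS ClientHello was expected, so the client never started the handshake. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the maillog excerpt in the first post.
SAMPLE_LOG = """\
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:before/accept initialization
Oct  6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a                                RSET..
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d                                   QUIT.
Oct  6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Oct  6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
Oct  6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2
"""

LINE = re.compile(r"postfix/(?P<svc>[\w/]*smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
HEXDUMP = re.compile(r"^[0-9a-f]{4} ((?:[0-9a-f]{2} )+)", re.I)
STATS = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")  # name=ok or name=ok/total
SMTP_VERBS = (b"EHLO", b"HELO", b"RSET", b"QUIT", b"MAIL", b"RCPT", b"AUTH", b"NOOP")


def classify(first_bytes):
    """Classify what the server read where it expected a TLS ClientHello."""
    if not first_bytes:
        return "no handshake data logged"
    if first_bytes[0] == 0x16:  # TLS record type 22 = handshake
        return "TLS handshake record"
    if first_bytes[:4].upper() in SMTP_VERBS:
        return "plaintext SMTP instead of ClientHello (client never started TLS)"
    return "unrecognised data"


def analyze(log_text):
    """Return one summary dict per smtpd session found in log_text."""
    open_sessions, results = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            open_sessions[pid] = {"service": m["svc"], "client": msg[13:],
                                  "handshake": False, "data": b""}
        s = open_sessions.get(pid)
        if s is None:
            continue
        if msg.startswith("SSL_accept:before"):
            s["handshake"] = True
        elif s["handshake"] and (h := HEXDUMP.match(msg)):
            s["data"] += bytes.fromhex(h.group(1))  # bytes read during SSL_accept
        elif msg.startswith("disconnect from "):
            stats = {k: (int(ok), int(total or ok)) for k, ok, total in STATS.findall(msg)}
            s["starttls"] = stats.get("starttls")  # (succeeded, attempted) or None
            s["verdict"] = classify(s["data"]) if s["handshake"] else "no TLS handshake logged"
            results.append(open_sessions.pop(pid))
    return results
```

Run `analyze()` over the real `/var/log/maillog` text to get one verdict per connection; a `starttls` value of `(0, 1)` together with a plaintext verdict points at the client's TLS setup rather than the server certificate.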
     
  3. teer26

    teer26 New Member

    Roundcube didn't go through for some reason... :mad:

    roundcubemail-1.3.10/config/config.inc.php
    Code:
    // SQL DATABASE
    $config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';
     
    // IMAP
    $config['default_host'] = 'imaps://mydomain.com/';
    $config['default_port'] = 993;
    
    //SMTP
    $config['smtp_server'] = 'tls://localhost/';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
    $config['support_url'] = '[email protected]';
    $config['smtp_auth_type'] = 'PLAIN';
    $config['smtp_auth_cid'] = null;
    $config['smtp_auth_pw'] = null;
    $config['smtp_helo_host'] = '';
    $config['smtp_timeout'] = 0;
    $config['smtp_conn_options'] = array (
      'ssl' =>
      array (
        'verify_peer' => true,
        'verify_peer_name' => false,
        'verify_depth' => 3,
        'cafile' =>
        '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
      ),
    );
     
    //PLUGINS
    $config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
    $config['language'] = 'en_US';
    $config['spellcheck_engine'] = 'pspell';
    $config['draft_autosave'] = 60;
     
  4. teer26

    teer26 New Member

    @Taleman Maybe I'm getting somewhere... only one protocol is enabled. I'm using Let's Encrypt certs, if that matters.

    From SSLLabs SSL test (see attachments for screencap):
    Code:
    Protocols
    TLS 1.3    No
    TLS 1.2    Yes
    TLS 1.1    No
    TLS 1.0    No
    SSL 3    No
    SSL 2    No
    For TLS 1.3 tests, we only support RFC 8446.
    
    Cipher Suites
    # TLS 1.2 (server has no preference)
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS 128
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS
    

    I also used Immuniweb (can't post link) mydomain.com:443 HTTPS SSL Security Test
    Everything was good except (from "Test for Compliance with HIPAA guidelines" section):
    Code:
    SERVER DOES NOT SUPPORT OCSP STAPLING
    The server does not support OCSP stapling for its RSA certificate. Its support allows better verification of the certificate validation status.Non-compliant with HIPAA guidance
    and from the "Test for Industry-Best Practices" section:
    Code:
    DNSCAA
    This domain does not have a Certification Authority Authorization (CAA) record.
    Information
    CERTIFICATES DO NOT PROVIDE EV
    The RSA certificate provided is NOT an Extended Validation (EV) certificate.
    Information
    NO SUPPORT OF TLSv1.3
    The server does not support TLSv1.3 which is the only version of TLS that currently has no known flaws or exploitable weaknesses.
    Misconfiguration or weakness
    SERVER DOES NOT HAVE CIPHER PREFERENCE
    The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher suites selected.
    Misconfiguration or weakness
    SERVER DOES NOT PROVIDE HSTS
    The server does not enforce HTTP Strict Transport Security. We advise to enable it to enforce the user to browse the website in HTTPS.
    Misconfiguration or weakness
    SERVER DOES NOT PROVIDE HPKP
    The server does not enforce HTTP Public Key Pinning that helps preventing man-in-the-middle attacks.
    Information
    
    ALWAYS-ON SSL
    The HTTP version of the website redirects to the HTTPS version.
    Good configuration
    SERVER DOES NOT SUPPORT CLIENT-INITIATED SECURE RENEGOTIATION
    The server does not support client-initiated secure renegotiation.
    Good configuration
    SERVER-INITIATED SECURE RENEGOTIATION
    The server supports secure server-initiated renegotiation.
    Good configuration
    SERVER DOES NOT SUPPORT TLS COMPRESSION
    TLS compression is not supported by the server.
    Good configuration
    So I'm guessing that not having TLSv1.3 is what the problem is.
    If it is, do I just update/renew my certs with certbot to get TLSv1.3 enabled? Or is it a config file setting?
     

    Attached Files:

    • 1.jpg (220.9 KB)
    • 2.jpg (405 KB)
  5. Steini86

    Steini86 Active Member

    Roundcube does not require TLS1.3. Your SSL certificate has nothing to do with your protocol. Your webserver has nothing to do with your mail server. You are mixing up things here (the tests you have shown are for webserver).

    In your roundcube config, use the same server address that your SSL certificate is for, to avoid problems ( $config['smtp_server'] = 'tls://domain.in.your.certificatefile/'; ).
    Verify that this is actually the letsencrypt certificate you want to use:
    Code:
    smtpd_tls_cert_file                 = /etc/ssl/private/vmail.crt
    smtpd_tls_key_file                  = /etc/ssl/private/vmail.key
    These should be copies of your letsencrypt files, or symlinks to them.

    Remove all the other entries in your roundcube config (standard should be fine), UNLESS you know what they do and that you want/need them!
    Code:
    // SQL DATABASE
    $config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';
     
    // IMAP
    $config['default_host'] = 'imaps://mydomain.com/';
    $config['default_port'] = 993;
    
    //SMTP
    $config['smtp_server'] = 'tls://domain.in.your.certificatefile/';
    
    //PLUGINS
    $config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
    
     
  6. teer26

    teer26 New Member

    Thank you very much! It worked perfectly; amazing how out of everything I tried, using the base default did not occur to me.
    I will post my config once I get the reset password plugin working (which I think requires a few more lines).
    Again, you are a lifesaver. I cannot tell you how many hours I spent giving myself an aneurysm over this.
     
