I FUBAR'd a working system when I added another virtual domain to my email server, and now I cannot even revert to its old state. I've tried everything I could find online, but nothing seemed to work. I'm currently running a Postfix (3.4.3)/Dovecot (2.2.36) setup on CentOS 7 with MariaDB, and a RoundCube client as webmail. LetsEncrypt for SSL certs.

My questions are:
1. How do I get it working again with just one domain? (urgent, it is my primary personal account)
2. How do I make Postfix/Dovecot acknowledge SSL certs for each additional virtual domain?

I login to RoundCube at webmail.mydomain.com, which works without issue. But trying to send mail results in:

Code:
    NOQUEUE: reject: RCPT from example12345.hostwindsdns.com[111.222.222.111]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<webmail.mydomain.com>

My doveconf -n:

Code:
    auth_mechanisms = plain login
    default_login_user = vmail
    first_valid_gid = 2000
    first_valid_uid = 2000
    listen = *
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_access_groups = vmail
    mail_location = maildir:/var/www/mail/vmail/%d/%n
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix =
      separator = /
      type = private
    }
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    protocols = imap lmtp pop3
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0600
        user = postfix
      }
      user = root
    }
    service imap-login {
      inet_listener imaps {
        port = 993
      }
      process_min_avail = 1
      user = vmail
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    service pop3-login {
      inet_listener pop3s {
        port = 995
      }
      process_min_avail = 1
      user = vmail
    }
    ssl = required
    ssl_cert = </etc/ssl/private/mydomain_com_fullchain.pem
    ssl_key = </etc/ssl/private/mydomain_com_privkey.pem
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = static
    }
    verbose_ssl = yes

My postconf -n:

Code:
    alias_database = $alias_maps
    alias_maps = hash:/etc/postfix/aliases
    biff = no
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    compatibility_level = 2
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    meta_directory = /etc/postfix
    milter_default_action = accept
    milter_protocol = 2
    mydestination = $myhostname, localhost.$mydomain, localhost
    newaliases_path = /usr/bin/newaliases.postfix
    non_smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    relay_domains = *
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    shlib_directory = no
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may
    smtp_use_tls = yes
    smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_path = /var/run/dovecot/auth-client
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sasl_type = dovecot
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/private/mydomain_com_fullchain.pem
    smtpd_tls_key_file = /etc/ssl/private/mydomain_com_privkey.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
    virtual_gid_maps = static:2000
    virtual_mailbox_base = /var/www/mail/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
    virtual_minimum_uid = 2000
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    virtual_uid_maps = static:2000

My config.inc.php:

Code:
    $config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcubemail_db';
    $config['default_host'] = 'imaps://mydomain.com/';
    $config['default_port'] = 993;
    $config['smtp_server'] = 'tls://mydomain.com/';
    $config['support_url'] = '[email protected]';
    $config['des_key'] = 'abcdefghijklmnopqrstuvwxyz';
    $config['product_name'] = 'MyDomain.com Webmail';
    $config['language'] = 'en_US';
    $config['draft_autosave'] = 60;
    $config['spellcheck_engine'] = 'pspell';

Thanks in advance for any help anyone can provide!
The error comes from "reject_sender_login_mismatch", probably in your master.cf file. As an immediate workaround, you could remove that restriction. You need a certificate that is valid for all domains you are using. Usually you use a single (sub)domain for everything mail related, for example mail.domain.com. This domain is used in your certificate, as your mailname/mydestination, for all clients to connect to your server, your MX/rDNS entries, etc.
Nope, still got the same error unfortunately. Could it have something to do with [email protected] not technically being part of webmail.mydomain.com? So it expects [email protected], because that's what Roundcube exists on?
Well, if the error comes, you have that restriction somewhere. Have you restarted the postfix service after the change? It does not have anything to do with the host Roundcube is set up on. Roundcube is just an IMAP client. The question is whether postfix knows that the user which is used to authenticate when sending mail is connected to the "from" address of the mail. However, that check is done when reject_sender_login_mismatch is set => http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
Always, religiously, probably to the point of excessiveness.

Alright, so here is where things stand: as per your suggestion, I took all my mail subdomains (mail.domain.com, pop3.domain.com, smtp.domain.com, imap.domain.com) for my two domains out of their domain-specific certs and combined them into one multi-domain email cert. I'm keeping the non-email on their own certs for Nginx (since this server is primarily a webserver).

I can send email that gets received by my various other emails (Gmail, Outlook, Verizon.net, etc). But when I reply to the email from those aforementioned other emails, it does not go through. Nor have I yet received a "bounced back" email message.

Now /var/log/maillog shows:

I'm guessing permission is denied because of

Code:
    smtpd_sasl_security_options = noanonymous

What are the security repercussions of changing this?

My Postfix main.cf:

Code:
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    ...
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    smtpd_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit

My Postfix master.cf:

Code:
    smtp      inet  n       -       n       -       -       smtpd
      -o content_filter=spamassassin
    spamassassin unix -     n       n       -       -       pipe
      user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=no
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_sasl_security_options=noanonymous
    # -o milter_macro_daemon_name=ORIGINATING

Roundcube config is unchanged. The only thing changed about Dovecot's dovecot.conf is the (mail-specific) cert.
You probably have a line like this in your postfix config: "smtpd_sasl_path = /var/run/dovecot/auth-client". However, it looks like postfix has no rights to read the file, or it does not exist. What option have you set in dovecot for "service auth"? It should match the Postfix config.
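An added check for the socket mismatch pointed at in the reply above (example code, not from the thread and not part of Postfix or Dovecot): it resolves smtpd_sasl_path the way Postfix does, relative to queue_directory when the value is not absolute, and then inspects whether the resulting path exists, is a unix socket, and has the owner and 0600 mode that the thread's Dovecot "service auth" block sets. The demo builds a temporary queue directory with a constructed socket instead of touching the real /var/spool/postfix, and uses the current uid as a stand-in for the postfix user.

```python
import os
import socket
import stat
import tempfile
from typing import List


def resolve_sasl_path(queue_directory: str, smtpd_sasl_path: str) -> str:
    """Postfix interprets a relative smtpd_sasl_path (the "private/auth" in the
    thread's master.cf) relative to queue_directory, so it becomes
    /var/spool/postfix/private/auth, where Dovecot's unix_listener lives.
    An absolute path such as /var/run/dovecot/auth-client is used as-is."""
    if os.path.isabs(smtpd_sasl_path):
        return smtpd_sasl_path
    return os.path.join(queue_directory, smtpd_sasl_path)


def check_auth_socket(path: str, expected_uid: int, expected_mode: int = 0o600) -> List[str]:
    """List the problems (empty = OK) Postfix would hit opening the Dovecot auth socket:
    missing path, not a socket, wrong owner, or a mode other than the thread's 0600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (does Dovecot's unix_listener path match?)"]
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path}: is not a unix socket")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(st.st_mode) != expected_mode:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected {expected_mode:04o}")
    return problems


def demo() -> dict:
    """Constructed scenario in a temporary queue directory: a Dovecot-style listener
    at <queue>/private/auth, checked via the two smtpd_sasl_path values from the thread."""
    with tempfile.TemporaryDirectory() as queue_dir:
        os.mkdir(os.path.join(queue_dir, "private"))
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(os.path.join(queue_dir, "private", "auth"))
        os.chmod(listener.getsockname(), 0o600)
        me = os.getuid()  # stands in for the postfix uid on a real server
        results = {
            "private/auth": check_auth_socket(resolve_sasl_path(queue_dir, "private/auth"), me),
            # stand-in for the absolute /var/run/dovecot/auth-client that nothing listens on
            "auth-client": check_auth_socket(os.path.join(queue_dir, "run", "dovecot", "auth-client"), me),
        }
        listener.close()
        return results
```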
Right, so I finally fixed it, and can now send and receive emails on the primary domain. Steini86 may have literally been a lifesaver, as it was only so much longer before I gave up and became a Luddite. Your solution was spot on, but for future generations entering the (very surprisingly) maddeningly complex world of email servers I will post exactly what I did here.

Changed dovecot.conf (this might have been the original config, but I switched so many things so many times I cannot remember anymore. In any event, it looks like this now):

Code:
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0600
        user = postfix
      }
      user = root
    }

Changed Postfix main.cf. Somehow, my previous config worked despite the two bolded lines being different?

Code:
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    ...
    smtpd_sasl_path = /var/spool/postfix/private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf

Changed Postfix master.cf. Note: master.cf overrides anything set in main.cf, so any duplicate entries between those two files may confuse troubleshooting.

Code:
    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=no
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_sasl_security_options=noanonymous

But wait, there's more!

Once you change the auth in Dovecot and Postfix (as shown above), it still may not work because of permissions. Mine did not; I kept getting (among several others):

Code:
    fatal: scan_dir_push: open directory maildrop: Permission denied

The solution to this is to run

Code:
    sudo postfix set-permissions

But on CentOS 7 (or at least, my server) it will say

Code:
    chown: cannot access '/etc/postfix/postfix-files.d': No such file or directory

I'm not sure if this is a bug, but while there is a postfix-files in that location there is no postfix-files.d. So I copied it with

Code:
    sudo cp /etc/postfix/postfix-files /etc/postfix/postfix-files.d

I restarted Postfix, and then voila! It worked. Thanks again to Steini86 for saving my butt.