I'm setting up a new server using Debian 10 and ISPConfig. Everything works fine except the mounting of my email address to Gmail, as I want to use it to send and receive my email. This is what I get from the log:
Code:
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: connect from mail-lj1-f181.google.com[209.85.208.181]
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: lost connection after STARTTLS from mail-lj1-f181.google.com[209.85.208.181]
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: disconnect from mail-lj1-f181.google.com[209.85.208.181] ehlo=1 starttls=1 commands=2
I want to use TLS on port 587; port 25 works fine.
Code:
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_bind_address=
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_dns_lookups=yes
You appear to have an extra blank line in both the submission and smtps entries; remove those and reload postfix.
What error output do you get? The log entries you showed earlier aren't errors; they just show the Gmail server dropped the connection after issuing a STARTTLS command. Are you able to send on port 587 with an email client?
Please read this before posting and put the output of the test script in code tags (in the editor: insert -> code) https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
True, it's not an 'error'. Below you can see the log from an attempt to connect with the Mozilla Thunderbird client. I get the same connection lost alert. You can also see me sending an email to the server and getting 'warning: unknown smtpd restriction: "yes"'. Don't mind the spambot in the middle.
Code:
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: connect from 178-xxx-90-xxx.access.telenet.be[178.xxx.90.xxx]
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: SSL_accept error from 178-xxx-90-xxx.access.telenet.be[178.117.90.xxx]: -1
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: lost connection after STARTTLS from 178.xxx.90.xxx.access.telenet.be[178.xxx.90.xxx]
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: disconnect from 178.xxx.90.xxx.access.telenet.be[178.xxx.90.xxx] ehlo=1 starttls=0/1 commands=1/2
Jan 27 12:25:17 server postfix/smtpd[3153]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 27 12:25:17 server postfix/smtpd[3153]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 27 12:25:19 server postfix/submission/smtpd[3185]: warning: hostname ip242.tervelnet.com does not resolve to address 87.246.7.242
Jan 27 12:25:19 server postfix/submission/smtpd[3185]: connect from unknown[87.246.7.242]
Jan 27 12:25:22 server postfix/submission/smtpd[3192]: connect from 178-xxx-90-xxx.access.telenet.be[178.xxx.90.xxx]
Jan 27 12:25:22 server postfix/submission/smtpd[3192]: SSL_accept error from 178-xxx-90-xxx.access.telenet.be[178.xxx.90.xxx]: -1
Jan 27 12:25:22 server postfix/submission/smtpd[3192]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
Jan 27 12:25:22 server postfix/submission/smtpd[3192]: lost connection after STARTTLS from 178-xxx-90-xxx.access.telenet.be[178.xxx.90.xxx]
Jan 27 12:25:22 server postfix/submission/smtpd[3192]: disconnect from 178.xxx.90.xxx.access.telenet.be[178.xxx.90.xxx] ehlo=1 starttls=0/1 commands=1/2
Jan 27 12:25:24 server postfix/submission/smtpd[3185]: disconnect from unknown[87.246.7.242] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 27 12:25:29 server postfix/smtpd[3153]: connect from unknown[212.70.149.54]
Jan 27 12:25:38 server postfix/smtpd[3153]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 27 12:25:38 server postfix/smtpd[3153]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 27 12:25:39 server postfix/submission/smtpd[3195]: warning: hostname ip242.tervelnet.com does not resolve to address 87.246.7.242
Jan 27 12:25:39 server postfix/submission/smtpd[3195]: connect from unknown[87.246.7.242]
Jan 27 12:25:44 server postfix/submission/smtpd[3195]: disconnect from unknown[87.246.7.242] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 27 12:25:50 server postfix/smtpd[3153]: connect from www.yyyyy.com[178.xxx.90.xxx]
Jan 27 12:25:50 server postfix/smtpd[3153]: warning: unknown smtpd restriction: "yes"
Jan 27 12:25:50 server postfix/smtpd[3153]: NOQUEUE: reject: RCPT from www.yyyyy.com[178.xxx.90.xxx]: 451 4.3.5 Server configuration error; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxxxx.colo.transip.net>
Jan 27 12:25:50 server postfix/cleanup[3584]: CFB73A2A38: message-id=<[email protected]>
Jan 27 12:25:50 server postfix/qmgr[19296]: CFB73A2A38: from=<[email protected]>, size=1523, nrcpt=1 (queue active)
Jan 27 12:25:50 server postfix/smtpd[3153]: disconnect from www.yyyyy.com[149.210.147.105] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
Jan 27 12:25:52 server postfix/smtp[3585]: CFB73A2A38: to=<[email protected]>, orig_to=<postmaster>, relay=none, delay=1.6, delays=0.02/0.02/1.5/0, dsn=5.4.6, status=bounced (mail for server.xxxx.be loops back to myself)
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] uptime: 12:41:15 up 6 days, 21:31, 1 user, load average: 0,16, 0,11, 0,03
[INFO] memory:
       total  used   free   shared  buff/cache  available
Mem:   3,9Gi  1,2Gi  873Mi  125Mi   1,8Gi       2,3Gi
Swap:  4,0Gi  20Mi   4,0Gi
[INFO] systemd failed services status:
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.2
##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.25-1+0~20201130.73+debian10~1.gbp042074
##### PORT CHECK #####
[WARN] Port 8080 (ISPConfig) seems NOT to be listening
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 841)
[INFO] I found the following mail server(s):
Unknown process (smtpd) (PID 4007)
[INFO] I found the following pop3 server(s):
Dovecot (PID 485)
[INFO] I found the following imap server(s):
Dovecot (PID 485)
[INFO] I found the following ftp server(s):
PureFTP (PID 14538)
##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:8069 (469/python3)
[localhost]:10023 (3342/postgrey)
[localhost]:10024 (10672/amavisd-new)
[localhost]:10025 (19294/master)
[localhost]:10027 (19294/master)
[anywhere]:587 (3185/smtpd)
[localhost]:11211 (467/memcached)
[anywhere]:110 (485/dovecot)
[anywhere]:143 (485/dovecot)
[anywhere]:465 (19294/master)
[anywhere]:21 (14538/pure-ftpd)
[anywhere]:22 (881/sshd)
[localhost]:5432 (612/postgres)
[anywhere]:25 (4007/smtpd)
[anywhere]:993 (485/dovecot)
[anywhere]:995 (485/dovecot)
*:*:*:*::*:10023 (3342/postgrey)
*:*:*:*::*:10024 (10672/amavisd-new)
*:*:*:*::*:3306 (600/mysqld)
*:*:*:*::*:587 (3185/smtpd)
*:*:*:*::*:50443 (841/apache2)
[localhost]10 (485/dovecot)
[localhost]43 (485/dovecot)
*:*:*:*::*:80 (841/apache2)
*:*:*:*::*:465 (19294/master)
*:*:*:*::*:8081 (841/apache2)
*:*:*:*::*:21 (14538/pure-ftpd)
*:*:*:*::*:22 (881/sshd)
*:*:*:*::*:5432 (612/postgres)
*:*:*:*::*:25 (4007/smtpd)
*:*:*:*::*:443 (841/apache2)
*:*:*:*::*:993 (485/dovecot)
*:*:*:*::*:995 (485/dovecot)
You also get additional log messages indicating a problem:
Code:
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: SSL_accept error from 178-xxx-90-xxx.access.telenet.be[178.117.90.xxx]: -1
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
Sounds like a certificate file problem? There is an additional error showing there, though:
Code:
Jan 27 12:25:50 server postfix/smtpd[3153]: warning: unknown smtpd restriction: "yes"
Jan 27 12:25:50 server postfix/smtpd[3153]: NOQUEUE: reject: RCPT from www.yyyyy.com[178.xxx.90.xxx]: 451 4.3.5 Server configuration error; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxxxx.colo.transip.net>
Sounds like an error in one of your smtpd_*_restrictions (not sure which, maybe run 'postconf | grep 'smtpd_.*_restrictions' | grep yes').
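The two kinds of dropped STARTTLS session in this thread (one with no alert logged, one with "SSL alert number 42") can be told apart mechanically. The script below is an added example, not part of any post here: it pairs each "lost connection after STARTTLS" with the TLS alert logged by the same smtpd process. The sample log lines, host names and addresses in it are constructed.

```shell
#!/bin/sh
# Added example: explain each "lost connection after STARTTLS" session in a
# Postfix log by pairing it with the TLS alert (if any) logged for that session.

# Constructed sample lines in the log format shown in the thread (placeholder hosts).
sample_log() {
cat <<'EOF'
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: connect from mta.example.net[192.0.2.10]
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: lost connection after STARTTLS from mta.example.net[192.0.2.10]
Jan 26 18:50:13 server postfix/submission/smtpd[19265]: disconnect from mta.example.net[192.0.2.10] ehlo=1 starttls=1 commands=2
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: connect from client.example.org[198.51.100.7]
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: SSL_accept error from client.example.org[198.51.100.7]: -1
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: lost connection after STARTTLS from client.example.org[198.51.100.7]
Jan 27 12:25:09 server postfix/submission/smtpd[3195]: disconnect from client.example.org[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
Jan 27 12:25:39 server postfix/submission/smtpd[3195]: connect from unknown[203.0.113.5]
Jan 27 12:25:44 server postfix/submission/smtpd[3195]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
EOF
}

# Reads smtpd log lines on stdin and prints "client -> reason" for every
# session that ended with "lost connection after STARTTLS".
triage_starttls() {
    awk '
    {   # session key = service name + pid, e.g. postfix/submission/smtpd[3195]:
        key = ""
        for (i = 1; i <= NF; i++) if ($i ~ /smtpd\[[0-9]+\]:$/) { key = $i; break }
        if (key == "") next
    }
    / connect from / { alert[key] = ""; lost[key] = 0; next }   # pids get reused
    /SSL alert number [0-9]+/ {
        # ssl3_read_bytes reports an alert that was read, i.e. sent by the peer
        a = $0; sub(/.*SSL alert number /, "", a); sub(/[^0-9].*/, "", a)
        alert[key] = a; next
    }
    /lost connection after STARTTLS from / {
        c = $0; sub(/.*STARTTLS from /, "", c); client[key] = c; lost[key] = 1; next
    }
    / disconnect from / {
        if (lost[key]) {
            if (alert[key] == "42")
                why = "peer sent TLS alert 42 (bad_certificate): client rejected the server certificate"
            else if (alert[key] != "") why = "peer sent TLS alert " alert[key]
            else why = "no TLS alert logged; peer closed the connection after STARTTLS"
            print client[key] " -> " why
        }
        lost[key] = 0; alert[key] = ""
    }'
}

sample_log | triage_starttls
```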
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = server.plusmin.be
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = localhost, localhost.$mydomain
#relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:$
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynet$
smtpd_helo_required = yes
smtpd_helo_restrictions = yes
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = dane
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:$
tls_preempt_cipherlist = no
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
message_size_limit = 0
This is the output of 'postconf | grep 'smtpd_.*_restrictions' | grep yes':
Code:
smtpd_helo_restrictions = yes
Some lines are cut off, but as others said, it seems like somewhere in the smtpd restrictions you have "yes" which is not allowed.
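A stricter form of the grep used above, as an added example that is not from any poster: it reads postconf-style "name = value" lines and reports boolean literals used as entries in smtpd_*_restrictions lists, without matching boolean parameters such as smtpd_helo_required. The sample input is constructed; its last line uses the service/type/name form in which postconf -P prints master.cf -o overrides.

```shell
#!/bin/sh
# Added example: find boolean literals used as entries in Postfix
# smtpd_*_restrictions lists, the cause of: unknown smtpd restriction: "yes"

# Constructed sample in `postconf` output format ("name = value").
sample_conf() {
cat <<'EOF'
smtpd_helo_required = yes
smtpd_helo_restrictions = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_restriction_classes = greylisting
submission/inet/smtpd_client_restrictions = permit_sasl_authenticated,reject
EOF
}

# Reads "name = value" lines on stdin; prints one line per offending token.
# Only parameters named smtpd_<stage>_restrictions are inspected, and each
# list entry is compared as a whole token, so "yes" inside a path or a map
# name is not reported.
lint_restrictions() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /smtpd_[a-z]+_restrictions[ \t]*=/ {
        name = $0;  sub(/[ \t]*=.*/, "", name)
        value = $0; sub(/^[^=]*=[ \t]*/, "", value)
        n = split(value, tok, /[ \t,]+/)     # entries are comma/space separated
        for (i = 1; i <= n; i++) {
            t = tolower(tok[i])
            if (t == "yes" || t == "no" || t == "true" || t == "false")
                print name ": \"" tok[i] "\" is a boolean, not a restriction"
        }
    }'
}

sample_conf | lint_restrictions
```

On a live system the input would come from `postconf` and `postconf -P` instead of the sample function.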