ISPConfig and Postmark Mail Relay Multiple Domain

Discussion in 'Installation/Configuration' started by pfroz, Feb 4, 2024.

  1. pfroz

    pfroz New Member

    I'm not an expert at this and I hope someone can guide me to the correct information.

    - I've installed ISPConfig using the script on Ubuntu/nginx/squirrelmail/etc. I have configured my domain registry. Currently, I have two domains on my server.
    - In Postmark, I have registered my two domains.

    I have set up a relay host under "System->Server Config->Mail Tab" to Postmark. Unfortunately this setup is at server level, so I have to choose one of the two domains I registered in Postmark.

    I'm able to send and receive email; however, since authentication is at server level, the transactional stream outgoing statistics only show on one of the domains in Postmark.

    Is there a way to move the relay host to domain level, so that the statistics show the correct outgoing count for each domain and are not summed into one of the domains in Postmark?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Enable System > interface > main config > email > Show per domain relay options. Then remove the relay under System > server config and add it under Email > domain for each domain separately.
     
  3. pfroz

    pfroz New Member

    Thank you for the response.
    Under System->Server Config->Mail, I removed the "Relayhost", "Relayhost User" and "Relayhost Password".

    I then moved to the "Email" tab at the very top to go to the domain email settings. On each domain, I put in the "Relayhost", "Relayhost User" and "Relayhost Password" in accordance with the Postmark settings. I also ensured that the "Active" box is checked.

    I tested by sending email (before and after rebooting) from squirrelmail and it seems the email is not going out. In squirrelmail, I did not get any incoming email reporting an issue with the sent email. In Postmark, I don't see the message outbound count changing. I also didn't see the test email coming in on M365.

    Also, in "System->Interface->Main Config->Mail", is "Use SMTP to send system mails" supposed to be checked? I tried both checked and unchecked but am still unable to send email.

    Again thank you in advance for your support in troubleshooting this.
     
  4. pfroz

    pfroz New Member

    Also, I went back to "System->Server Config->Mail" and inserted the relay information for the other domain back in. I then automatically received the previous e-mail I had sent out. I'm unsure what is holding it back from sending out when the relay information is at domain level vs. server level.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be that you have to reconfigure squirrelmail to authenticate with email address and password when sending, instead of sending unauthenticated on localhost. Test with a desktop email client where you do SMTP authentication to see whether the different relay settings work.

    And in general, you can likely leave the global relay setting active for those mails that do not get sent with authentication.
     
  6. pfroz

    pfroz New Member

    I'm getting "Thunderbird failed to find the settings for your email client" when trying to "Test with a desktop email client" using Thunderbird. I've installed it on the Ubuntu server, put in the same login/password as my squirrelmail account and the following configuration:

    Incoming:
    Protocol: IMAP
    Hostname: server hostname
    Port: left blank
    Connection security: SSL/TLS
    Username: same as the mailbox in ISPConfig

    Outgoing:
    Hostname: server hostname
    Port: left blank
    Connection security: SSL/TLS
    Authentication method: Normal passwords
    Username: same as the mailbox in ISPConfig

    I have also run the test script but don't see anything out of the ordinary:

    Code:
    ##### SCRIPT FINISHED #####
    Results can be found in htf_report.txt
    To view results use your favourite text editor or type 'cat htf_report.txt | more' on the server console.
    
    If you want to see the non-anonymized output start the script with --debug as parameter (php -q htf-common-issues.php --debug).
    
    root@ispconfig3:~# cat htf_report.txt | more
    
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 22.04.3 LTS
     
    [INFO] uptime:  23:07:45 up 1 day, 15:26,  1 user,  load average: 1.39, 0.64, 0.27
     
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:           3.7Gi       2.3Gi       185Mi       100Mi       1.3Gi       1.1Gi
    Swap:          2.0Gi       1.7Gi       288Mi
     
    [INFO] systemd failed services status:
      UNIT LOAD ACTIVE SUB DESCRIPTION
    0 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.11p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 8.1.27
    [INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.27
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Unknown process (nginx:) (PID 916)
    [INFO] I found the following mail server(s):
        Postfix (PID 7633)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 1070)
    [INFO] I found the following imap server(s):
        Dovecot (PID 1070)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 1045)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [anywhere]:993        (1070/dovecot)
    [anywhere]:995        (1070/dovecot)
    [anywhere]:3010        (2511/node)
    [localhost]:11332        (1090/rspamd:)
    [localhost]:11333        (1090/rspamd:)
    [localhost]:11334        (1090/rspamd:)
    [anywhere]:587        (7633/master)
    [anywhere]:465        (7633/master)
    [anywhere]:443        (916/nginx:)
    [anywhere]:143        (1070/dovecot)
    [anywhere]:110        (1070/dovecot)
    [anywhere]:80        (916/nginx:)
    [anywhere]:4190        (1070/dovecot)
    [localhost]:10023        (899/postgrey)
    [anywhere]:21        (1045/pure-ftpd)
    [anywhere]:22        (695/sshd:)
    [anywhere]:25        (7633/master)
    [anywhere]:8081        (916/nginx:)
    [anywhere]:8080        (916/nginx:)
    [localhost]:6379        (681/redis-server)
    [localhost]:53        (690/named)
    [localhost]:27017        (2141/mongod)
    ***.***.***.***:53        (458/systemd-resolve)
    ***.***.***.***:53        (690/named)
    [localhost]:631        (90419/cupsd)
    [anywhere]:3306        (827/mariadbd)
    [localhost]:953        (690/named)
    [localhost]:11211        (645/memcached)
    *:*:*:*::*:993        (1070/dovecot)
    *:*:*:*::*:995        (1070/dovecot)
    *:*:*:*::*:10023        (899/postgrey)
    *:*:*:*::**:*:*:*::*53        (690/named)
    *:*:*:*::*:587        (7633/master)
    *:*:*:*::*:3350        (700/xrdp-sesman)
    *:*:*:*::*:465        (7633/master)
    *:*:*:*::*:443        (916/nginx:)
    *:*:*:*::*:11334        (1090/rspamd:)
    *:*:*:*::*:11332        (1090/rspamd:)
    *:*:*:*::*:11333        (1090/rspamd:)
    [localhost]43        (1070/dovecot)
    [localhost]10        (1070/dovecot)
    *:*:*:*::*:80        (916/nginx:)
    *:*:*:*::*:4190        (1070/dovecot)
    *:*:*:*::*:21        (1045/pure-ftpd)
    *:*:*:*::*:22        (695/sshd:)
    *:*:*:*::*:25        (7633/master)
    *:*:*:*::*:8081        (916/nginx:)
    *:*:*:*::*:8080        (916/nginx:)
    *:*:*:*::*:953        (690/named)
    *:*:*:*::*:631        (90419/cupsd)
    *:*:*:*::*:38543        (2511/node)
    *:*:*:*::*:3389        (782/xrdp)
    *:*:*:*::*:3306        (827/mariadbd)
    *:*:*:*::*:53        (690/named)
    *:*:*:*::*:6379        (681/redis-server)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ufw-before-logging-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-input  all  --  [anywhere]/0            [anywhere]/0
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ufw-before-logging-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-forward  all  --  [anywhere]/0            [anywhere]/0
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ufw-before-logging-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-output  all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination         
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:137
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:138
    ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:139
    ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:445
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:67
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:68
    ufw-skip-to-policy-input  all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination         
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination         
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
    ufw-user-forward  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
    ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
    DROP       all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp spt:67 dpt:68
    ufw-not-local  all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     udp  --  [anywhere]/0            ***.***.***.***          udp dpt:5353
    ACCEPT     udp  --  [anywhere]/0            ***.***.***.***      udp dpt:1900
    ufw-user-input  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
    ufw-user-output  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination         
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination         
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID limit: avg 3/min burst 10
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination         
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type LOCAL
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10
    DROP       all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination         
    DROP       all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination         
    DROP       all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination         
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            ctstate NEW
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            ctstate NEW
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:21
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:22
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:25
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:53
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:80
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:110
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:143
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:443
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:465
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:587
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:993
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:995
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:3306
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:4190
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8081
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 40110:40210
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:53
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:3389
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:3010
    
    Chain ufw-user-limit (0 references)
    target     prot opt source               destination         
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  [anywhere]/0            [anywhere]/0            reject-with icmp-port-unreachable
    
    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination         
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination         
    
    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination         
    
    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination         
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination         
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not let Thunderbird try to retrieve server settings on its own; this will likely fail. You must enter the details yourself. Take care that you use the complete email address as username, so it is [email protected] and not just username. Thunderbird has a bug that tends to remove the domain part from the username; if Thunderbird does that, just add the full username again and it will work. Thunderbird works fine with ISPConfig; I have used that combination for more than 15 years.
     
  8. pfroz

    pfroz New Member

    Ok, after a few configuration changes it works now. Just to have the info for someone else to follow: first and foremost, I have my dynamic IP routed via noip.com, so this will be different for someone with a static IP.

    My issue was that I didn't have a CNAME configured at the DNS registry and no TXT record for my server hostname. Once this was configured I was able to get Thunderbird to connect. Also, ensure that for IMAP and SMTP ports 993/465 (unless you choose custom ports) are forwarded to the server.

    Going back to the initial issue with setting up the server/domain level relay host: after removing the server relay and keeping the domain level relay information, when sending through Thunderbird I get the following message:

    First it asks to add a security exception, which I confirmed, but then a popup appears with
    "Sending of the message failed. The certificate is not trusted because it is self-signed. The configuration related to myhostname.domain.tld must be corrected."

    I believe I fixed this by adding myhostname.domain.tld to the sites in ISPConfig and generating SSL using Let's Encrypt SSL.

    Retrying the send in Thunderbird moves the email to the sent folder. Unfortunately, I'm not getting it on the other end with the relay information at domain level. When I added the relay information at server level, I then received the email. Is it right to assume that the email gets stuck at postfix and not at dovecot?
     
  9. pfroz

    pfroz New Member

    Here is my postfix main.cf file:

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
    # fresh installs.
    compatibility_level = 3.6
    
    
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_security_level = may
    
    smtp_tls_CApath=/etc/ssl/certs
    #smtp_tls_security_level = dane
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = hostname.domain.tld
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = hostname.domain.tld, localhost, localhost.localdomain
    relayhost = smtp.postmarkapp.com
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
    smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
    smtpd_reject_unlisted_sender = no
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = no
    sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =
    smtp_sasl_tls_security_options = noanonymous
    authorized_flush_users =
    authorized_mailq_users = nagios, icinga
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    address_verify_sender_ttl = 15686s
    smtp_dns_support_level = dnssec
    smtputf8_enable = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_milters = inet:localhost:11332
    non_smtpd_milters = inet:localhost:11332
    milter_protocol = 6
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_default_action = accept
    message_size_limit = 0
    
    smtp_use_tls = yes
    
    Also, you mentioned earlier "to reconfigure squirrelmail to authenticate with email address and password when sending instead of sending unauthenticated on localhost". I did try this in ISPConfig->System Option->Main Config->Mail. Is this the right place? However, it didn't work either.
     
    Last edited: Feb 6, 2024
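The main.cf above already carries the pieces that make per-domain relaying work: sender_dependent_relayhost_maps, smtp_sender_dependent_authentication = yes, smtp_sasl_password_maps and a global relayhost. What decides where a given message goes is the lookup order Postfix documents for those tables, and that order is also why till's advice to keep the global relay makes sense: mail whose envelope sender matches no per-domain entry (system mail from root@hostname, for instance) falls back to relayhost, and if relayhost is empty it is delivered straight to the recipient's MX. The script below is an added illustration, not Postfix or ISPConfig code; it re-implements that resolution in Python on constructed tables. The domains, tokens and the bracketed [smtp.postmarkapp.com]:587 destination are made up for the example (the posted main.cf uses the plain host name).

```python
"""Model of how Postfix chooses a next hop and SASL credentials for one
outbound message when sender_dependent_relayhost_maps and
smtp_sender_dependent_authentication = yes are set.

Added illustration, not Postfix or ISPConfig code.  Lookup order follows
postconf(5): sender_dependent_relayhost_maps is searched with the full envelope
sender and then with @domain (a DUNNO result keeps the global relayhost);
smtp_sasl_password_maps is searched with the sender first and then with the
next-hop destination.  All domains, tokens and host names below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    nexthop: str                             # host the SMTP client connects to
    via_relay: bool                          # False = direct delivery to the recipient's MX
    credentials: Optional[Tuple[str, str]]   # (user, password) or None


def address_keys(sender: str) -> List[str]:
    """Keys an address-keyed Postfix map is searched with: full address, then @domain."""
    if not sender:
        return []                            # null sender (bounces) matches nothing here
    keys = [sender.lower()]
    if "@" in sender:
        keys.append("@" + sender.split("@", 1)[1].lower())
    return keys


def resolve_nexthop(sender: str, recipient: str, relayhost: str,
                    sender_relay_map: Dict[str, str]) -> Tuple[str, bool]:
    for key in address_keys(sender):
        hit = sender_relay_map.get(key)
        if hit is None:
            continue
        if hit.upper() == "DUNNO":
            break                            # stop searching, keep the global setting
        return hit, True
    if relayhost:
        return relayhost, True
    # No per-sender entry and no global relayhost: Postfix delivers directly to
    # the recipient domain's MX, which from a dynamic/residential IP is the mail
    # most likely to be refused or silently dropped by the receiving side.
    return recipient.split("@", 1)[1].lower(), False


def lookup_credentials(sender: str, nexthop: str, sasl_passwd: Dict[str, str],
                       sender_dependent: bool = True) -> Optional[Tuple[str, str]]:
    keys = address_keys(sender) if sender_dependent else []
    keys.append(nexthop)                     # as written, e.g. "[smtp.postmarkapp.com]:587"
    bare = nexthop[1:].split("]", 1)[0] if nexthop.startswith("[") else nexthop.split(":", 1)[0]
    keys.append(bare)                        # host name without brackets and port
    for key in keys:
        entry = sasl_passwd.get(key)
        if entry:
            user, _, password = entry.partition(":")
            return user, password
    return None


def route(sender, recipient, relayhost, sender_relay_map, sasl_passwd) -> Route:
    nexthop, via_relay = resolve_nexthop(sender, recipient, relayhost, sender_relay_map)
    creds = lookup_credentials(sender, nexthop, sasl_passwd) if via_relay else None
    return Route(nexthop, via_relay, creds)


# Constructed tables standing in for what per-domain relay settings would put
# into the sender-relayhost map and sasl_passwd.  Hypothetical values only.
POSTMARK = "[smtp.postmarkapp.com]:587"
SENDER_RELAY = {"@example-a.test": POSTMARK, "@example-b.test": POSTMARK}
SASL_PASSWD = {
    "@example-a.test": "token-a:token-a",            # per-domain credentials
    "@example-b.test": "token-b:token-b",
    POSTMARK: "token-global:token-global",           # server-level credentials
}
RCPT = "someone@m365.example.test"


def demo() -> Dict[str, Route]:
    return {
        "domain-a user":            route("alice@example-a.test", RCPT, "", SENDER_RELAY, SASL_PASSWD),
        "domain-b user":            route("bob@example-b.test", RCPT, "", SENDER_RELAY, SASL_PASSWD),
        "system mail, no global":   route("root@ispconfig3.example.test", RCPT, "", SENDER_RELAY, SASL_PASSWD),
        "system mail, global kept": route("root@ispconfig3.example.test", RCPT, POSTMARK, SENDER_RELAY, SASL_PASSWD),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:26} -> {r.nexthop:28} relay={r.via_relay} creds={r.credentials}")
```

On a real server the same questions are answered by `postconf -n relayhost sender_dependent_relayhost_maps` and `postmap -q '@yourdomain.tld' proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf`; if the per-domain lookup returns nothing for the envelope sender your client actually uses (check the `from=<...>` in mail.log), the message is routed by the global setting, exactly as the third and fourth cases above show.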
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You shouldn't do this, because it will normally break the renewal of the LE SSL certs for your server.

    Follow the LE FAQ thread to troubleshoot if you have problems with them.
     
  11. pfroz

    pfroz New Member

    Ok, I've removed the site myhostname.domain.tld from ISPConfig and forced an update of my LE SSL using the following:

    Code:
    ispconfig_update.sh --force
    from https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    I guess because I changed the hostname after the initial installation, the SSL cert is not valid anymore. I also tested the original problem, but it seems it is not fixed yet. So going back to do more troubleshooting.

    Checked mail.log:

    Code:
    Feb  7 18:16:00 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:01 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:03 ispconfig3 postfix/smtpd[15707]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
    Feb  7 18:16:03 ispconfig3 postfix/smtpd[15707]: connect from unknown[45.129.14.128]
    Feb  7 18:16:09 ispconfig3 postfix/smtpd[15714]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179
    Feb  7 18:16:09 ispconfig3 postfix/smtpd[15714]: connect from unknown[45.129.14.179]
    Feb  7 18:16:09 ispconfig3 postfix/smtpd[15730]: warning: hostname srv-141-98-11-95.serveroffer.net does not resolve to address 141.98.11.95: Name or service not known
    Feb  7 18:16:09 ispconfig3 postfix/smtpd[15730]: connect from unknown[141.98.11.95]
    Feb  7 18:16:12 ispconfig3 postfix/smtpd[15730]: warning: unknown[141.98.11.95]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:12 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[141.98.11.95] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:14 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:15 ispconfig3 postfix/smtpd[15707]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:19 ispconfig3 postfix/smtpd[15730]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
    Feb  7 18:16:19 ispconfig3 postfix/smtpd[15730]: connect from unknown[45.129.14.128]
    Feb  7 18:16:21 ispconfig3 postfix/smtpd[15714]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:22 ispconfig3 postfix/smtpd[15714]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:27 ispconfig3 postfix/smtpd[15707]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179
    Feb  7 18:16:27 ispconfig3 postfix/smtpd[15707]: connect from unknown[45.129.14.179]
    Feb  7 18:16:35 ispconfig3 postfix/smtpd[15714]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
    Feb  7 18:16:35 ispconfig3 postfix/smtpd[15714]: connect from unknown[45.129.14.128]
    Feb  7 18:16:35 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:36 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:37 ispconfig3 postfix/smtpd[15730]: warning: hostname srv-141-98-11-95.serveroffer.net does not resolve to address 141.98.11.95: Name or service not known
    Feb  7 18:16:37 ispconfig3 postfix/smtpd[15730]: connect from unknown[141.98.11.95]
    Feb  7 18:16:39 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: Connection lost to authentication server
    Feb  7 18:16:39 ispconfig3 postfix/smtpd[15707]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:40 ispconfig3 postfix/smtpd[15730]: warning: unknown[141.98.11.95]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:40 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[141.98.11.95] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:44 ispconfig3 postfix/smtpd[15707]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179
    Feb  7 18:16:44 ispconfig3 postfix/smtpd[15707]: connect from unknown[45.129.14.179]
    Feb  7 18:16:45 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:16:47 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:47 ispconfig3 postfix/smtpd[15707]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:48 ispconfig3 postfix/smtpd[15714]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: Connection lost to authentication server
    Feb  7 18:16:48 ispconfig3 postfix/smtpd[15714]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:16:50 ispconfig3 postfix/smtpd[15730]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
    Feb  7 18:16:50 ispconfig3 postfix/smtpd[15730]: connect from unknown[45.129.14.128]
    Feb  7 18:16:57 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  7 18:16:58 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  7 18:17:02 ispconfig3 postfix/smtpd[15707]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179
    Feb  7 18:17:02 ispconfig3 postfix/smtpd[15707]: connect from unknown[45.129.14.179]
    Feb  7 18:17:06 ispconfig3 postfix/smtpd[15714]: warning: hostname srv-141-98-11-95.serveroffer.net does not resolve to address 141.98.11.95: Name or service not known
    Feb  7 18:17:06 ispconfig3 postfix/smtpd[15714]: connect from unknown[141.98.11.95]
    
    
    Also checked mail.err:

    Code:
    Feb  7 18:05:52 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:07:02 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:08:07 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:09:05 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:10:00 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: EOF
    Feb  7 18:11:23 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:12:22 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:12:25 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:13:48 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:14:45 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: EOF
    Feb  7 18:15:52 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:16:45 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:17:08 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:18:03 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Feb  7 18:18:59 ispconfig3 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: EOF
    
    
     
    Last edited: Feb 8, 2024
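    The mail.log excerpt in the post above is worth reading on its own: the repeated "SASL LOGIN authentication failed" warnings from hosts whose reverse DNS does not match their address are inbound authentication attempts against the submission service, unrelated to the outbound Postmark relay, and the kind of traffic fail2ban is normally pointed at. The base64 string Postfix appends to the warning is the last LOGIN challenge sent before the attempt failed; UGFzc3dvcmQ6 decodes to "Password:". The script below is an added example, not code from the post or from ISPConfig. It parses a constructed subset of the lines copied from the excerpt, decodes that challenge, counts failures per source IP, records the rDNS mismatch, and flags sources at or above an assumed threshold of three failures.

```python
import base64
import re
from collections import defaultdict

# Constructed sample: a subset of the lines shown in the post above.
SAMPLE_LOG = """\
Feb  7 18:16:00 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:01 ispconfig3 postfix/smtpd[15730]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb  7 18:16:03 ispconfig3 postfix/smtpd[15707]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb  7 18:16:03 ispconfig3 postfix/smtpd[15707]: connect from unknown[45.129.14.128]
Feb  7 18:16:09 ispconfig3 postfix/smtpd[15714]: warning: hostname 179.hosted-by.198xd.com does not resolve to address 45.129.14.179
Feb  7 18:16:09 ispconfig3 postfix/smtpd[15730]: warning: hostname srv-141-98-11-95.serveroffer.net does not resolve to address 141.98.11.95: Name or service not known
Feb  7 18:16:12 ispconfig3 postfix/smtpd[15730]: warning: unknown[141.98.11.95]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:14 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:21 ispconfig3 postfix/smtpd[15714]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:35 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:39 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb  7 18:16:40 ispconfig3 postfix/smtpd[15730]: warning: unknown[141.98.11.95]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:47 ispconfig3 postfix/smtpd[15707]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  7 18:16:48 ispconfig3 postfix/smtpd[15714]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb  7 18:16:57 ispconfig3 postfix/smtpd[15730]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# "warning: <client>[<ip>]: SASL <mech> authentication failed: <detail>"
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed: (?P<detail>.*)$"
)
# "warning: hostname <name> does not resolve to address <ip>"
RDNS_MISMATCH = re.compile(
    r"warning: hostname (?P<host>\S+) does not resolve to address (?P<ip>[\d.]+)"
)


def decode_sasl_detail(detail):
    """For the LOGIN mechanism the detail is the base64 of the last server
    challenge ('UGFzc3dvcmQ6' -> 'Password:'). Details that are not base64,
    such as 'Connection lost to authentication server', are returned as-is."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return detail


def summarize(log_text):
    """Per source IP: number of SASL failures, whether rDNS mismatched,
    and the set of decoded failure details."""
    stats = defaultdict(lambda: {"failures": 0, "rdns_mismatch": False, "details": set()})
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["details"].add(decode_sasl_detail(m["detail"]))
            continue
        m = RDNS_MISMATCH.search(line)
        if m:
            stats[m["ip"]]["rdns_mismatch"] = True
    return dict(stats)


def brute_force_candidates(stats, threshold=3):
    """IPs with at least `threshold` failed SASL attempts in the window.
    The threshold of 3 is an assumed value for this example; tune it."""
    return sorted(ip for ip, s in stats.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip, s in sorted(st.items()):
        flag = "rDNS mismatch" if s["rdns_mismatch"] else ""
        print(ip, s["failures"], flag, sorted(s["details"]))
    print("candidates:", brute_force_candidates(st))
```

    In this excerpt all three sources fail rDNS validation and two of them cross the threshold within one minute; a fail2ban jail on the same "SASL LOGIN authentication failed" pattern is the usual response, and it does not interact with the outbound relay configuration at all.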
  12. pfroz

    pfroz New Member

    I'm trying to resolve the issue, so I've been playing with the Postfix main.cf and creating a custom MySQL proxy map for postmarkapp.com as shown in the Postmark configuration. Here is the SMTP configuration:

    Code:
    #start postmarkapps settings
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    #smtp_sasl_password_maps = static:secret:secret
    smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-postmark-passwordmap.cf
    #sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-postmark-relayhost.cf
    smtp_sasl_security_options = noanonymous
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    relayhost = [smtp.postmarkapp.com]:25
    ##end postmarkapp settings
    
    And here is the 'mysql-virtual_sender-postmark-passwordmap.cf':

    Code:
    User = dbuser
    password = dbpassword
    dbname = dbispconfig
    hosts = 127.0.0.1
    query = SELECT CONCAT('static:',relay_user,':',relay_pass)
      FROM mail_domain
      WHERE domain = '%d'
      AND active = 'y'
      AND concat(relay_host,relay_user,relay_pass) != ''
      AND server_id = 1
    
    I'm able to send an email with the following lines uncommented/commented in my main.cf:

    Code:
    smtp_sasl_password_maps = static:secret:secret
    #smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-postmark-passwordmap.cf

    However, I'm not able to send one with the following configuration:

    Code:
    #smtp_sasl_password_maps = static:secret:secret
    smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-postmark-passwordmap.cf

    I also checked my "mysql-virtual_sender-postmark-passwordmap.cf" using "postmap -q" and it does output the correct value in the format "static:secret:secret".

    Am I missing something? Does the query need to be saved as something, e.g. "query = SELECT CONCAT('static:',relay_user,':',relay_pass) as somevariable"?
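    A check worth running against the lookup chain in the post above. With smtp_sender_dependent_authentication = yes, the Postfix SMTP client looks up the sender address in smtp_sasl_password_maps; a mysql: table substitutes %d with the domain part of that key (and suppresses the query when the key has no domain, per mysql_table(5)); and the client then splits whatever value comes back at the first colon into username and password. A static: map gives the same "secret:secret" value for every key, which is why the static variant works, but the value itself never carries a map-type prefix. The script below is an added example, not code from the post, from ISPConfig or from Postfix. It runs the post's query against a constructed in-memory stand-in for the mail_domain table (sqlite3, with MySQL's CONCAT written as SQLite's || so it runs offline), mimics the %d handling and the first-colon split, and compares the post's query with the same query without the 'static:' prefix; the domains and tokens are made up.

```python
import sqlite3

# Constructed stand-in for ISPConfig's mail_domain table (not real data).
# columns: domain, active, server_id, relay_host, relay_user, relay_pass
ROWS = [
    ("example.com",   "y", 1, "[smtp.postmarkapp.com]:25", "tokenA", "tokenA"),
    ("example.org",   "y", 1, "[smtp.postmarkapp.com]:25", "tokenB", "tokenB"),
    ("inactive.test", "n", 1, "[smtp.postmarkapp.com]:25", "tokenC", "tokenC"),
    ("norelay.test",  "y", 1, "",                          "",       ""),
]

# The query from the post; CONCAT() rewritten as SQLite's || so it runs here.
# '?' stands for the SQL-quoted %d that Postfix's mysql table substitutes.
QUERY_FROM_POST = """
SELECT 'static:' || relay_user || ':' || relay_pass
  FROM mail_domain
 WHERE domain = ? AND active = 'y'
   AND relay_host || relay_user || relay_pass != ''
   AND server_id = 1
"""
# Same query without the map-type prefix: the value Postfix wants is user:password.
QUERY_USER_PASS = QUERY_FROM_POST.replace("'static:' || ", "")


def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mail_domain "
               "(domain, active, server_id, relay_host, relay_user, relay_pass)")
    db.executemany("INSERT INTO mail_domain VALUES (?,?,?,?,?,?)", ROWS)
    return db


def mysql_map_lookup(db, query, key):
    """Mimic a Postfix mysql: table with a %d query: the key user@domain
    contributes its domain part; a key without '@' suppresses the query."""
    if "@" not in key:
        return None
    domain = key.rsplit("@", 1)[1]
    row = db.execute(query, (domain,)).fetchone()
    return row[0] if row else None


def postfix_split_credentials(value):
    """smtp_sasl_password_maps values are 'username:password'. Postfix splits
    at the FIRST colon, so any prefix before it becomes the username."""
    user, sep, password = value.partition(":")
    if not sep:
        raise ValueError("password-map value has no ':'")
    return user, password


def credentials_for_sender(db, query, sender):
    """(username, password) the SMTP client would authenticate with for
    this envelope sender, or None when the table has no usable entry."""
    value = mysql_map_lookup(db, query, sender)
    return None if value is None else postfix_split_credentials(value)


if __name__ == "__main__":
    db = open_db()
    for sender in ("alice@example.com", "bob@example.org", "x@inactive.test",
                   "x@norelay.test", "postmaster"):
        print(sender,
              "post:", credentials_for_sender(db, QUERY_FROM_POST, sender),
              "user:pass:", credentials_for_sender(db, QUERY_USER_PASS, sender))
```

    For alice@example.com the post's query yields username "static" with password "tokenA:tokenA", while the prefix-free query yields ("tokenA", "tokenA"); the active/relay guards behave the same either way. Separately, since these values are Postmark credentials, a relay line with smtp_tls_security_level = may lets Postfix fall back to plaintext if STARTTLS fails; encrypt (or verify) for the relayhost avoids sending the token in the clear.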
     
