Hi; I have been working on this for days. I built a server using the guide in Perfect Server Ubuntu 10.04, specifically using Postfix/Courier/SquirrelMail. The SquirrelMail part of it sends and receives perfectly. I can receive using a MUA such as Outlook or Thunderbird, using both IMAP and POP3. However, I cannot get it to send at all. It simply times out. The entry in /var/log/mail.log that seems to match the connection attempt is:

    Sep 4 15:15:02 teva postfix/smtpd[10030]: connect from localhost.localdomain[127.0.0.1]
    Sep 4 15:15:02 teva postfix/smtpd[10030]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Sep 4 15:15:02 teva postfix/smtpd[10030]: disconnect from localhost.localdomain[127.0.0.1]

I can connect from a remote host via "telnet domainName.com 25" and even send an email like that. Thinking about it, that's no different than the way SquirrelMail does it other than showing that port 25 is open. Thinking that it was a problem with "smtpd_recipient_restrictions", I commented out the ISPConfig3 line and deleted the "check_recipient_access" that ISPConfig3 uses to whitelist, but it made no difference at all. It seems like it may be an authorization problem, but I'm at a loss. Here is my main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # --Greg Added
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = teva.domainName.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = domainName.com
    mydestination = localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128 [xx.xx.43.158]
    mailbox_size_limit = 0
    recipient_delimiter = +
    #inet_interfaces = 127.0.0.1
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    # smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0

Thanks in advance for your help ... I'm going crazy here!

Greg
For Reference: Here is the telnet response:

    teva:/etc/postfix# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    220 teva.domainName.com ESMTP Postfix (Ubuntu)
    EHLO example.com
    250-teva.domainName.com
    250-PIPELINING
    250-SIZE
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    teva:/etc/postfix#

and the netstat:

    teva:/etc/postfix# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address            Foreign Address          State        PID/Program name
    tcp        0      0 *:9393                   *:*                      LISTEN       8183/apache2
    tcp        0      0 *:tproxy                 *:*                      LISTEN       8183/apache2
    tcp        0      0 *:ftp                    *:*                      LISTEN       8192/pure-ftpd (SER
    tcp        0      0 teva.domainName:domain   *:*                      LISTEN       1028/named
    tcp        0      0 localhost.locald:domain  *:*                      LISTEN       1028/named
    tcp        0      0 *:ssh                    *:*                      LISTEN       893/sshd
    tcp        0      0 *:smtp                   *:*                      LISTEN       9978/master
    tcp        0      0 localhost.localdoma:953  *:*                      LISTEN       1028/named
    tcp        0      0 *:https                  *:*                      LISTEN       8183/apache2
    tcp        0      0 *:9090                   *:*                      LISTEN       8183/apache2
    tcp        0      0 localhost.localdo:10024  *:*                      LISTEN       1086/amavisd (maste
    tcp        0      0 localhost.localdo:10025  *:*                      LISTEN       9978/master
    tcp        0      0 *:mysql                  *:*                      LISTEN       1007/mysqld
    tcp        0      0 localhost.localdo:spamd  *:*                      LISTEN       1090/spamd.pid
    tcp        0      0 *:www                    *:*                      LISTEN       8183/apache2
    tcp        0      0 localhost.localdo:mysql  localhost.localdo:46579  ESTABLISHED  1007/mysqld
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52302  ESTABLISHED  11081/apache2
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52301  ESTABLISHED  28303/apache2
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52297  ESTABLISHED  28409/apache2
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52299  ESTABLISHED  28397/apache2
    tcp        0      0 teva.domainName:www      204.197.203.226:40412    TIME_WAIT    -
    tcp        0     48 teva.domainName:ssh      net-69-39-61-221.:50890  ESTABLISHED  8260/0
    tcp        0      0 localhost.localdo:46579  localhost.localdo:mysql  ESTABLISHED  6844/amavisd (ch12-
    tcp        0      0 localhost.localdo:mysql  localhost.localdo:47169  ESTABLISHED  1007/mysqld
    tcp        0      0 localhost.localdo:47169  localhost.localdo:mysql  ESTABLISHED  8549/amavisd (ch10-
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52298  ESTABLISHED  28396/apache2
    tcp        0      0 teva.domainName:ssh      net-69-39-61-221.:51895  ESTABLISHED  9725/sshd: root@not
    tcp        0      0 teva.domainName:www      c-98-231-111-6.hs:52300  ESTABLISHED  28385/apache2
    tcp6       0      0 [::]:ftp                 [::]:*                   LISTEN       8192/pure-ftpd (SER
    tcp6       0      0 [::]:domain              [::]:*                   LISTEN       1028/named
    tcp6       0      0 [::]:ssh                 [::]:*                   LISTEN       893/sshd
    tcp6       0      0 [::]:imaps               [::]:*                   LISTEN       2378/couriertcpd
    tcp6       0      0 [::]:pop3s               [::]:*                   LISTEN       2412/couriertcpd
    tcp6       0      0 [::]:pop3                [::]:*                   LISTEN       2392/couriertcpd
    tcp6       0      0 [::]:imap2               [::]:*                   LISTEN       2353/couriertcpd
    getnameinfo failed
    tcp6       0      0 teva.domainName:pop3     [UNKNOWN]:64594          TIME_WAIT    -
    tcp6       0      0 teva.domainName:imap2    net-69-39-61-221.:50109  ESTABLISHED  9127/couriertls
    teva:/etc/postfix#

Thanks Again,

Greg
No. That's the part that is broken. Sending works with Squirrelmail, but not mail clients like Outlook and Thunderbird. Thanks for replying! Greg
Thanks for replying, Falko. I love ISPConfig3 by the way. I pretty much tried every combination of outgoing settings on Thunderbird. The one that actually attempts to connect is:

    Port 25
    Connection Security: none
    Authentication method: Password, transmitted insecurely
    User name: [email protected] (changed the domain name)

I thought about changing to use the submission port, 587, but have not enabled that yet. Any ideas?

Greg
Looks ok. Are there any errors in your mail log while Thunderbird tries to connect? Does the hostname you use in Thunderbird point to the correct server? Instead of the hostname you can also use the server's IP to make sure you're connecting to the correct one.
I tried using the IP instead of the hostname, just to be sure. No difference. The only message that I can see is:

    Sep 7 10:35:02 teva postfix/smtpd[683]: connect from localhost.localdomain[127.0.0.1]
    Sep 7 10:35:02 teva postfix/smtpd[683]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Sep 7 10:35:02 teva postfix/smtpd[683]: disconnect from localhost.localdomain[127.0.0.1]

I get no other kind of error at all. Weird.
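An added example, not part of the thread or of Postfix: a small parser for smtpd lines in the format quoted above that reports, per session, the client address, whether that address is loopback, and the SMTP stage at which the connection was lost. The function name and the 203.0.113.7 session are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the first session repeats the lines quoted in the thread,
# the second (203.0.113.7, a documentation address) is invented for contrast.
SAMPLE_LOG = """\
Sep 7 10:35:02 teva postfix/smtpd[683]: connect from localhost.localdomain[127.0.0.1]
Sep 7 10:35:02 teva postfix/smtpd[683]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 7 10:35:02 teva postfix/smtpd[683]: disconnect from localhost.localdomain[127.0.0.1]
Sep 7 10:36:10 teva postfix/smtpd[701]: connect from unknown[203.0.113.7]
Sep 7 10:36:11 teva postfix/smtpd[701]: lost connection after AUTH from unknown[203.0.113.7]
Sep 7 10:36:11 teva postfix/smtpd[701]: disconnect from unknown[203.0.113.7]
"""

EVENT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|disconnect|lost connection after (?P<stage>\S+)) "
    r"from \S+\[(?P<ip>[^\]]+)\]"
)


def summarize_sessions(log_text):
    """Return one dict per finished smtpd session, in order of disconnect."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        pid, ip = m["pid"], m["ip"]
        if m["event"] == "connect":
            # A smtpd process serves one client at a time, so pid keys the session.
            open_sessions[pid] = {
                "pid": pid,
                "ip": ip,
                "loopback": ipaddress.ip_address(ip).is_loopback,
                "dropped_after": None,
            }
        elif pid in open_sessions:
            if m["stage"]:
                open_sessions[pid]["dropped_after"] = m["stage"]
            else:  # a "disconnect" line closes the session
                finished.append(open_sessions.pop(pid))
    return finished


if __name__ == "__main__":
    for session in summarize_sessions(SAMPLE_LOG):
        print(session)
```

A session whose `loopback` field is true was opened from the server itself, so it does not correspond to a mail client on another machine.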
I don't think it is a firewall issue, Falko, because I was able to telnet from a server in another part of the world to this server on port 25. I'm including the iptables (maintained through ispconfig3). Maybe you'll see something I don't:

    teva:/etc/postfix# iptables -L
    Chain INPUT (policy DROP)
    target        prot opt source                    destination
    fail2ban-ssh  tcp  --  anywhere                  anywhere      multiport dports ssh
    DROP          tcp  --  anywhere                  127.0.0.0/8
    ACCEPT        all  --  anywhere                  anywhere      state RELATED,ESTABLISHED
    ACCEPT        all  --  anywhere                  anywhere
    DROP          all  --  base-address.mcast.net/4  anywhere
    PUB_IN        all  --  anywhere                  anywhere
    PUB_IN        all  --  anywhere                  anywhere
    PUB_IN        all  --  anywhere                  anywhere
    PUB_IN        all  --  anywhere                  anywhere
    PUB_IN        all  --  anywhere                  anywhere
    DROP          all  --  anywhere                  anywhere

    Chain FORWARD (policy DROP)
    target        prot opt source                    destination
    ACCEPT        all  --  anywhere                  anywhere      state RELATED,ESTABLISHED
    DROP          all  --  anywhere                  anywhere

    Chain OUTPUT (policy ACCEPT)
    target        prot opt source                    destination
    PUB_OUT       all  --  anywhere                  anywhere
    PUB_OUT       all  --  anywhere                  anywhere
    PUB_OUT       all  --  anywhere                  anywhere
    PUB_OUT       all  --  anywhere                  anywhere
    PUB_OUT       all  --  anywhere                  anywhere

    Chain INT_IN (0 references)
    target        prot opt source                    destination
    ACCEPT        icmp --  anywhere                  anywhere
    DROP          all  --  anywhere                  anywhere

    Chain INT_OUT (0 references)
    target        prot opt source                    destination
    ACCEPT        icmp --  anywhere                  anywhere
    ACCEPT        all  --  anywhere                  anywhere

    Chain PAROLE (22 references)
    target        prot opt source                    destination
    ACCEPT        all  --  anywhere                  anywhere

    Chain PUB_IN (5 references)
    target        prot opt source                    destination
    ACCEPT        icmp --  anywhere                  anywhere      icmp destination-unreachable
    ACCEPT        icmp --  anywhere                  anywhere      icmp echo-reply
    ACCEPT        icmp --  anywhere                  anywhere      icmp time-exceeded
    ACCEPT        icmp --  anywhere                  anywhere      icmp echo-request
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:ftp-data
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:ftp
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:ssh
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:smtp
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:domain
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:www
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:pop3
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:imap2
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:https
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:imaps
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:pop3s
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:mysql
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:http-alt
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:tproxy
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9090
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9191
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9292
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9393
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9494
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9595
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:9696
    PAROLE        tcp  --  anywhere                  anywhere      tcp dpt:webmin
    ACCEPT        udp  --  anywhere                  anywhere      udp dpt:domain
    ACCEPT        udp  --  anywhere                  anywhere      udp dpt:mysql
    DROP          icmp --  anywhere                  anywhere
    DROP          all  --  anywhere                  anywhere

    Chain PUB_OUT (5 references)
    target        prot opt source                    destination
    ACCEPT        all  --  anywhere                  anywhere

    Chain fail2ban-ssh (1 references)
    target        prot opt source                    destination
    RETURN        all  --  anywhere                  anywhere
Are you absolutely sure then that your email client settings are ok? There should at least be something in the mail log when you try to connect...
I'd like to thank you, Falko, for your attempts to help. After reading a lot and just sitting down and reasoning for a while, I've concluded that the data center where we rent the server has port 25 blocked to outgoing traffic. Your guides on this website are absolutely great. I followed the guide for the Perfect Server using Ubuntu 10.04 LTS. Everything else worked, so my reasoning is that this should have worked as well. I added the following line to the master.cf:

    submission inet n - - - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject

This enables the smtp daemon to send through the submission port, 587. After updating my email client (Thunderbird) to reflect 587 instead of 25, and adding port 587 to ISPConfig's firewall rule, sending worked. Since the only thing I really changed was the outbound port (from 25 to 587), I must conclude that the data center provider has outbound port 25 traffic blocked.

One last question, Falko: if I remove 25 from the firewall rule, that should effectively block inbound traffic on port 25. Will internal, localhost, email still work even though I block the port from inbound requests?

Thanks so much for your help!

Greg
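An added example, not Greg's or ISPConfig's code: an audit of the submission entry quoted above that reads its -o overrides and checks that authentication is required and that TLS is enforced before AUTH. It assumes main.cf as posted (smtpd_tls_security_level = may, no smtpd_tls_auth_only) and inspects only smtpd_client_restrictions; the function names and the HARDENED variant are constructed.

```python
import shlex

# POSTED is the master.cf entry from the post; HARDENED is a constructed variant.
POSTED = """\
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
HARDENED = POSTED + "  -o smtpd_tls_security_level=encrypt\n"


def service_overrides(master_cf, service="submission"):
    """Return the -o overrides of one inet service as a dict, or None if absent."""
    logical = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    for entry in logical:
        fields = shlex.split(entry)
        # service type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) >= 8 and fields[:2] == [service, "inet"]:
            args = fields[8:]
            return dict(args[i + 1].split("=", 1)
                        for i in range(len(args) - 1) if args[i] == "-o")
    return None


def audit_submission(master_cf):
    """Return a list of findings; an empty list means the checks passed."""
    opts = service_overrides(master_cf)
    if opts is None:
        return ["no submission service defined"]
    findings = []
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled")
    rules = opts.get("smtpd_client_restrictions", "").replace(",", " ").split()
    if "permit_sasl_authenticated" not in rules or rules[-1:] != ["reject"]:
        findings.append("unauthenticated clients are not rejected")
    # Without one of these, AUTH is offered before STARTTLS (level "may").
    if (opts.get("smtpd_tls_security_level") != "encrypt"
            and opts.get("smtpd_tls_auth_only") != "yes"):
        findings.append("AUTH is accepted without TLS")
    return findings


if __name__ == "__main__":
    print(audit_submission(POSTED))    # ['AUTH is accepted without TLS']
    print(audit_submission(HARDENED))  # []
```

With the entry as posted, a client configured for "Connection Security: none" sends its password unencrypted; the constructed variant makes Postfix refuse AUTH until STARTTLS has completed.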