Hi again all, The last problem appears to have been related in part to upgrading from Debian 11->12, even though I did so on a brand new server. So I'm going out on a limb and hoping this is similar this time and give a clue as to the problem. Short Version: I can't send email. Either from the command line or from webmail for a created email mailbox. The squirrelmail interface simply says this: "SMTP Error (): Authentication failed." The mail.log file output is a little different though, complaining of a refused connection? Code: <936831><iqexNfkQ6qEAAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=430 out=1971 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=314 body_count=1 body_bytes=18 2024-02-09T20:59:59.389853+00:00 s91370 postfix/submission/smtpd[936832]: connect from localhost[::1] 2024-02-09T20:59:59.390092+00:00 s91370 postfix/submission/smtpd[936832]: warning: connect to Milter service inet:localhost:11332: Connection refused 2024-02-09T20:59:59.390552+00:00 s91370 postfix/submission/smtpd[936832]: disconnect from localhost[::1] ehlo=1 quit=1 commands=2 Other searches seem to indicate a problem when switching to the rspamd. But I've never switched, as this is a new server. (unless upgrading from Debian 11 to Debian 12 is a switch). Note: I just updated ISPConfig to the p2 release. Receiving mail is working fine.
Here is the postfix master.cf Code: smtp inet n - y - - smtpd #smtp inet n - y - 1 postscreen #smtpd pass - - y - - smtpd #dnsblog unix - - y - 0 dnsblog #tlsproxy unix - - y - 0 tlsproxy submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verify unix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp -o syslog_name=postfix/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache postlog unix-dgram n - n - 1 postlogd # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
Have you done the ISPConfig update and let it reconfigure services after you updated Debian? You must always update ISPConfig after the OS as it can not configure the new system otherwise.
yes, twice in fact. Once immediately after I upgraded to Debian 12 and again yesterday after the p2 update was released.
Please run the test script and post the output: https://forum.howtoforge.com/threads/please-read-before-posting.58408/
Oh yes, sorry. I meant to do that as well. Here it is (just run now). Code: ##### SERVER ##### IP-address (as per hostname): ***.***.***.*** [WARN] could not determine server's ip address by ifconfig [INFO] OS version is Debian GNU/Linux 12 (bookworm) [INFO] uptime: 08:51:07 up 3 days, 16:32, 1 user, load average: 0.06, 0.03, 0.00 [INFO] memory: total used free shared buff/cache available Mem: 31Gi 2.7Gi 25Gi 103Mi 3.9Gi 28Gi Swap: 4.0Gi 0B 4.0Gi [INFO] systemd failed services status: UNIT LOAD ACTIVE SUB DESCRIPTION 0 loaded units listed. [INFO] ISPConfig is installed. ##### ISPCONFIG ##### ISPConfig version is 3.2.11p2 ##### VERSION CHECK ##### [INFO] php (cli) version is 8.2.15 [INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.15 ##### PORT CHECK ##### ##### MAIL SERVER CHECK ##### ##### RUNNING SERVER PROCESSES ##### [INFO] I found the following web server(s): Unknown process (nginx:) (PID 754643) [INFO] I found the following mail server(s): Postfix (PID 936692) [INFO] I found the following pop3 server(s): Dovecot (PID 936703) [INFO] I found the following imap server(s): Dovecot (PID 936703) [INFO] I found the following ftp server(s): PureFTP (PID 936752) ##### LISTENING PORTS ##### (only () Local (Address) [anywhere]:4190 (936703/dovecot) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:953 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [localhost]:53 (936757/named) [anywhere]:8081 (754643/nginx:) [anywhere]:8080 (754643/nginx:) [anywhere]:443 (754643/nginx:) [anywhere]:465 (936692/master) [anywhere]:143 (936703/dovecot) [anywhere]:25 (936692/master) [anywhere]:21 (936752/pure-ftpd) [anywhere]:22 (878/sshd:) [anywhere]:110 (936703/dovecot) [anywhere]:80 (754643/nginx:) [anywhere]:993 (936703/dovecot) [anywhere]:995 (936703/dovecot) [localhost]:6379 (859/redis-server) [anywhere]:587 (936692/master) [anywhere]:3306 (936300/mariadbd) [localhost]:11211 (837/memcached) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) ***.***.***.***:53 (936757/named) [localhost]:10023 (761/postgrey) ***.***.***.***:10023 (761/postgrey) *:*:*:*::*:4190 (936703/dovecot) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:953 (936757/named) *:*:*:*::*:8081 (754643/nginx:) *:*:*:*::*:8080 (754643/nginx:) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:53 (936757/named) *:*:*:*::*:443 (754643/nginx:) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*:465 (936692/master) [localhost]43 (936703/dovecot) *:*:*:*::*:25 (936692/master) *:*:*:*::*:21 (936752/pure-ftpd) *:*:*:*::*:22 (878/sshd:) [localhost]10 (936703/dovecot) *:*:*:*::*:80 (754643/nginx:) *:*:*:*::*:993 (936703/dovecot) *:*:*:*::*:995 (936703/dovecot) *:*:*:*::*:587 (936692/master) *:*:*:*::*:6379 (859/redis-server) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*2a92:4aff:fe34:53 (936757/named) *:*:*:*::*:3306 (936300/mariadbd) *:*:*:*::*:10023 (761/postgrey) ##### IPTABLES ##### Chain INPUT (policy DROP) target prot opt source destination f2b-postfix-sasl 6 -- [anywhere]/0 [anywhere]/0 multiport dports 25 f2b-sshd 6 -- [anywhere]/0 [anywhere]/0 multiport dports 22 ufw-before-logging-input 0 -- [anywhere]/0 [anywhere]/0 ufw-before-input 0 -- [anywhere]/0 [anywhere]/0 ufw-after-input 0 -- [anywhere]/0 [anywhere]/0 ufw-after-logging-input 0 -- [anywhere]/0 [anywhere]/0 ufw-reject-input 0 -- [anywhere]/0 [anywhere]/0 ufw-track-input 0 -- [anywhere]/0 [anywhere]/0 Chain FORWARD (policy DROP) target prot opt source destination ufw-before-logging-forward 0 -- [anywhere]/0 [anywhere]/0 ufw-before-forward 0 -- [anywhere]/0 [anywhere]/0 ufw-after-forward 0 -- [anywhere]/0 [anywhere]/0 ufw-after-logging-forward 0 -- [anywhere]/0 [anywhere]/0 ufw-reject-forward 0 -- [anywhere]/0 [anywhere]/0 ufw-track-forward 0 -- [anywhere]/0 [anywhere]/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw-before-logging-output 0 -- [anywhere]/0 [anywhere]/0 ufw-before-output 0 -- [anywhere]/0 [anywhere]/0 ufw-after-output 0 -- [anywhere]/0 [anywhere]/0 ufw-after-logging-output 0 -- [anywhere]/0 [anywhere]/0 ufw-reject-output 0 -- [anywhere]/0 [anywhere]/0 ufw-track-output 0 -- [anywhere]/0 [anywhere]/0 Chain f2b-postfix-sasl (1 references) target prot opt source destination RETURN 0 -- [anywhere]/0 [anywhere]/0 Chain f2b-sshd (1 references) target prot opt source destination REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable RETURN 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:137 ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:138 ufw-skip-to-policy-input 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:139 ufw-skip-to-policy-input 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:445 ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:67 ufw-skip-to-policy-input 17 -- [anywhere]/0 [anywhere]/0 udp dpt:68 ufw-skip-to-policy-input 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST Chain ufw-after-logging-forward (1 references) target prot opt source destination LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-input (1 references) target prot opt source destination LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-output (1 references) target prot opt source destination Chain ufw-after-output (1 references) target prot opt source destination Chain ufw-before-forward (1 references) target prot opt source destination ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 3 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 11 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 12 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 8 ufw-user-forward 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-before-input (1 references) target prot opt source destination ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED ufw-logging-deny 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID DROP 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 3 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 11 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 12 ACCEPT 1 -- [anywhere]/0 [anywhere]/0 icmptype 8 ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68 ufw-not-local 0 -- [anywhere]/0 [anywhere]/0 ACCEPT 17 -- [anywhere]/0 ***.***.***.*** udp dpt:5353 ACCEPT 17 -- [anywhere]/0 ***.***.***.*** udp dpt:1900 ufw-user-input 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-before-logging-forward (1 references) target prot opt source destination Chain ufw-before-logging-input (1 references) target prot opt source destination Chain ufw-before-logging-output (1 references) target prot opt source destination Chain ufw-before-output (1 references) target prot opt source destination ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ACCEPT 0 -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED ufw-user-output 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-logging-allow (0 references) target prot opt source destination LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] " Chain ufw-logging-deny (2 references) target prot opt source destination RETURN 0 -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10 LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-not-local (1 references) target prot opt source destination RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST RETURN 0 -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST ufw-logging-deny 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 DROP 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-reject-forward (1 references) target prot opt source destination Chain ufw-reject-input (1 references) target prot opt source destination Chain ufw-reject-output (1 references) target prot opt source destination Chain ufw-skip-to-policy-forward (0 references) target prot opt source destination DROP 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-skip-to-policy-input (7 references) target prot opt source destination DROP 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-skip-to-policy-output (0 references) target prot opt source destination ACCEPT 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-track-forward (1 references) target prot opt source destination Chain ufw-track-input (1 references) target prot opt source destination Chain ufw-track-output (1 references) target prot opt source destination ACCEPT 6 -- [anywhere]/0 [anywhere]/0 ctstate NEW ACCEPT 17 -- [anywhere]/0 [anywhere]/0 ctstate NEW Chain ufw-user-forward (1 references) target prot opt source destination Chain ufw-user-input (1 references) target prot opt source destination ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:22 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:25 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:53 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:80 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:110 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:143 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:443 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:465 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:587 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:993 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:995 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:3306 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:4190 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:8080 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:8081 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 multiport dports 40110:40210 ACCEPT 17 -- [anywhere]/0 [anywhere]/0 udp dpt:53 ACCEPT 6 -- [anywhere]/0 [anywhere]/0 tcp dpt:11332 Chain ufw-user-limit (0 references) target prot opt source destination LOG 0 -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] " REJECT 0 -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) target prot opt source destination ACCEPT 0 -- [anywhere]/0 [anywhere]/0 Chain ufw-user-logging-forward (0 references) target prot opt source destination Chain ufw-user-logging-input (0 references) target prot opt source destination Chain ufw-user-logging-output (0 references) target prot opt source destination Chain ufw-user-output (1 references) target prot opt source destination ##### LET'S ENCRYPT ##### acme.sh is installed in /root/.acme.sh/acme.sh
Ok, so Rspamd is not running. Start it and if it does not start, check why in the mail.log and /var/log/rspamd/rspamd.log
systemctl is reporting that rspamd is masked and so can't be enabled. Code: # systemctl start rspamd Failed to start rspamd.service: Unit rspamd.service is masked. # systemctl enable rspamd Synchronizing state of rspamd.service with SysV service script with /lib/systemd/systemd-sysv-install. [B]Executing: /lib/systemd/systemd-sysv-install enable rspamd Failed to enable unit: Unit file /etc/systemd/system/rspamd.service is masked.[/B] I unmasked it, enabled it, and started it successfully and restarted postfix. Nothing has appeared in rspamd.log (it is empty) In mail.log postfix produced the same connection refusal after restart Code: 2024-02-10T17:10:02.788597+00:00 s91370 postfix/smtpd[1232367]: connect from localhost[::1] 2024-02-10T17:10:02.788765+00:00 s91370 postfix/smtpd[1232367]: warning: connect to Milter service inet:localhost:11332: Connection refused 2024-02-10T17:10:02.788947+00:00 s91370 postfix/smtpd[1232367]: lost connection after CONNECT from localhost[::1] 2024-02-10T17:10:02.789023+00:00 s91370 postfix/smtpd[1232367]: disconnect from localhost[::1] commands=0/0 2024-02-10T17:12:24.705874+00:00 s91370 postfix/smtps/smtpd[1232415]: connect from unknown[45.227.254.49] 2024-02-10T17:12:24.706083+00:00 s91370 postfix/smtps/smtpd[1232415]: SSL_accept error from unknown[45.227.254.49]: -1 2024-02-10T17:12:24.706162+00:00 s91370 postfix/smtps/smtpd[1232415]: warning: TLS library problem: error:0A00010B:SSL routines::wrong version number:../ssl/record/ssl3_record.c:354: 2024-02-10T17:12:24.712650+00:00 s91370 postfix/smtps/smtpd[1232415]: lost connection after CONNECT from unknown[45.227.254.49] 2024-02-10T17:12:24.712722+00:00 s91370 postfix/smtps/smtpd[1232415]: disconnect from unknown[45.227.254.49] commands=0/0 I do notice a "TLS library problem"? It also appears that I've lost the ability to receive mail. Test emails from my regular accounts are no longer getting to the mail box. I can see the messages coming to the server in the log but it's not going to the mailbox. With rspamd on or off. Code: 2024-02-10T17:18:26.480151+00:00 s91370 postfix/smtpd[1233053]: improper command pipelining after CONNECT from unknown[]: \003\000\000/*\340\000\000\000\000\000Cookie: mstshash=Administr\r\n\001\000\b\000\003\000\000\000 2024-02-10T17:18:26.480387+00:00 s91370 postfix/smtpd[1233053]: warning: connect to Milter service inet:localhost:11332: Connection refused 2024-02-10T17:18:26.588175+00:00 s91370 postfix/smtpd[1233053]: lost connection after UNKNOWN from unknown[] 2024-02-10T17:18:26.588313+00:00 s91370 postfix/smtpd[1233053]: disconnect from unknown[] unknown=0/1 commands=0/1 .... 2024-02-10T17:20:02.220885+00:00 s91370 postfix/smtpd[1233053]: disconnect from localhost[::1] commands=0/0 2024-02-10T17:20:02.226841+00:00 s91370 dovecot: pop3-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<y4g+QQoRsLkAAAAAAAAAAAAAAAAAAAAB> 2024-02-10T17:20:02.227151+00:00 s91370 dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Yoo+QQoRgtEAAAAAAAAAAAAAAAAAAAAB> 2024-02-10T17:20:09.161378+00:00 s91370 dovecot: imap-login: Login: user=<**email removed**>, method=PLAIN, rip=::1, lip=::1, mpid=1233204, secured, session=<bTioQQoR5o4AAAAAAAAAAAAAAAAAAAAB> 2024-02-10T17:20:09.167438+00:00 s91370 dovecot: imap(**email removed**)<1233204><bTioQQoR5o4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=273 out=1516 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 [/quote] Here's a little more complaining about SSL Code: 2024-02-10T17:20:26.445889+00:00 s91370 dovecot: imap(**email removed**)<1233206><IdWvQgoRfo4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=90 out=995 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 2024-02-10T17:20:51.894755+00:00 s91370 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (no auth attempts in 0 secs): user=<>, rip=**ip removed**, lip=**ip removed**, TLS handshaking: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number, session=<IGg0RAoR6f5QQljT>
I noticed this message from postfix in the logs: Code: 2024-02-10T17:23:14.105527+00:00 s91370 postfix[1233352]: Postfix is using backwards-compatible default settings 2024-02-10T17:23:14.105650+00:00 s91370 postfix[1233352]: See http://www.postfix.org/COMPATIBILITY_README.html for details 2024-02-10T17:23:14.105710+00:00 s91370 postfix[1233352]: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload" So I have set that compatibility level. No impact. Based on the logs I believe there are two issues occurring right now. 1) An issue with the SSL certificate that postfix is using preventing it from making a secure connection to sending clients/servers. 2) and an issue with sending where it is not authenticating, or it is blocked in some way to the Milter service.
Just seeing if rspamd is working. When I go to: https://ip.add.ress:8081/rspamd/ I get 502 Bad Gateway Also: Is there a way to recreate the DKIM keys for an email domain if they are a source of the problem? This email was working yesterday morning before I updated ISPConfig to p2. The keys are in: /var/lib/amavis/dkim
The issues you posted above are not related to DKIM. The DKIM cert is not used by Postfix at all. The issue you posted is most likely not related to ISPConfig and not to the ISPConfig update, they are caused by the Debian update. It seems as if you connect with older clients that do not support modern TLS protocols, and due to the new Debian version, such older clients that only support old SSL3 protocol are denied. Do you get a SSL error when accessing ISPconfig GUI with a browser? If yes, use the ISPConfig updater to recreate the SSL cert. if no, then your SSL cert is fine. And regarding Rspamd, check if its really running, might be that it is down again. Might also be that your system runs ou of memory and this kills Rspamd.
You should consider contacting Thom from ISPConfig business support to have a look at this directly: https://www.ispconfig.org/get-support/?type=ispconfig
The email clients were working with the Debian 12 setup yesterday before updating to p2, I did redo the SSL certs at that time so I suspect that broke the client side. I am not using any clients other than Squirrelmail on the server. I am sending email from my gmail and exchange accounts. Ill check on the rspamd. I do wonder if so many of these issues are related to the Debian 11 to 12 update if it would be best to simply reinstall the server completely with a fresh Debian 12. My host would only install 11, but I have the option of installing 12 myself.
But the problem is that the p2 release does not contain any changes in the mail config. So whatever caused your issue, its not the p2 release in comparison to the p1 release. You can redo the update at any time with: ispconfig_update.sh --force and let it reconfigure services again and also the SSL cert. btw. if the SSL cert is working then you should not create a new one as it makes no sense and might just break things. If you do not have much on the server yet, then that#s an option of course. In this case, take an empty Debian 11 image from your hoster, upgrade to debian 12 first and then install ISPConfig using the auto installer: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
I suspect it did just break things when I forced the SSL update. So that's on me, lesson learned. The one thing that defijitely wasnt working before I likely broke SSL was the sending connection. I would like to know its root cause before I reinstall in case it crops up again.
I just removed the email domain from ISPConfig and recreated it and now I can receive email again to the domain address. So there must have been something that broke when I forced the update to SSL. I am back to just not being able to send mail from the server. I'll keep working on that with the suggestions you made.
Doing more digging and it just seems as though the rspamd service is at the root of it and not listening/accepting connections even though it is reported as active by systemctl and no errors come up in either the rspamd.log or syslog. Can I turn on a higher level of debugging in postfix for the system itself to see why rspamd isn't listening properly?
You can do that, its not ispconfig specific, just google debug postfix, but postfix will not report any issues when the problem is rspamd, so I doubt that this will help you much. better try to debug rspamd, and also check things like that your harddisk is not full and you have enough free ram.
OK. Some progress. After nothing of interest really came out of the debug logs I decided to go back to basics and just figure out why rspamd wasn't picking up the connection. so I tried to reinstall rspamd (apt install rspamd) Turns out it was missing a package? Code: apt install rspamd Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: libhyperscan5 The following NEW packages will be installed: libhyperscan5 rspamd 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 4,110 kB/6,599 kB of archives. After this operation, 31.4 MB of additional disk space will be used. Do you want to continue? [Y/n] Y Get:1 https://rspamd.com/apt-stable bookworm/main amd64 rspamd amd64 3.8.1-1~b8a2d79ee~bookworm [4,110 kB] Fetched 4,110 kB in 2s (2,304 kB/s) Preconfiguring packages ... Selecting previously unselected package libhyperscan5. (Reading database ... 74511 files and directories currently installed.) Preparing to unpack .../libhyperscan5_5.4.0-2_amd64.deb ... Unpacking libhyperscan5 (5.4.0-2) ... Selecting previously unselected package rspamd. Preparing to unpack .../rspamd_3.8.1-1~b8a2d79ee~bookworm_amd64.deb ... Unpacking rspamd (3.8.1-1~b8a2d79ee~bookworm) ... Setting up libhyperscan5 (5.4.0-2) ... Setting up rspamd (3.8.1-1~b8a2d79ee~bookworm) ... Processing triggers for man-db (2.11.2-2) ... Processing triggers for libc-bin (2.36-9+deb12u4) ... Not sure why it wasn't installed fully before. The possibilities are: 1) ISPConfig didn't install libhyperscan on Debian 11 (perhaps it wasn't needed?) and that carried over. 2) It got lost somewhere in the update to Debian 12 After that, rspamd actually started successfully and the connection refused has gone away. However, email is still not sending. So I'm on to the next step I guess. I'll keep working on it. It has nothing to do with hard drive space or RAM, this is a fresh install 1TB HD 32GB RAM with nothing installed. The problem is in the configuration.