So I decided to give Google Cloud a try and set up a Perfect Server Debian 9. Have done it plenty of times before on my own servers and VMs... the only problem is that Google blocks port 25 outgoing. They allow 587 and 465 though... but I can't seem to get it to work with emails leaving the server. Incoming email is fine. Postfix master.cf has submission uncommented. Roundcube: I've edited config.inc.php so it looks at port 587 with tls://%n and user credentials. Roundcube shows the email going without error. I check mail.log and I see the email passing into amavis, BUT then I see it trying to leave Google on port 25 again... could it be that amavis is reinjecting the email into Postfix on port 25? If so, how do I change that? If not... what am I missing? Thanks.
Mail servers communicate with each other on port 25. Google blocks port 25 outgoing, which means you can't use Google Compute Engine to host a mail server, or at least you need a second mail server which is not hosted at Google to act as a relay. It's the same with Amazon. Better use a different hosting company when you want to run a mail server.
Thank you, Till, this was my understanding as well, but then I read this: https://cloud.google.com/compute/docs/tutorials/sending-mail/ which makes it sound like they prefer us to use a third party, but still allow it on different ports... so then I got really confused.
The article explains what I mentioned as an option in my post: if you want to use Google Cloud, then you need a second mail server outside of Compute Engine as email relay, as they do not allow you to send emails on port 25, which is required for a mail server. You can configure such a relay server in ISPConfig under System > Server Config > Mail. But this renders the whole thing quite useless in my opinion; there are many good cloud hosters available that allow you to run a mail server, so why use one which does not allow it?
Just as a clarification, the alternate ports they mention can only be used to connect to an external relay server. They are not a replacement for port 25, so your server will not be able to send out emails on its own when it's in Compute Engine.
Sorry to continue on this one. So I followed the recommendation of Google and set it up via Mailgun from this: https://cloud.google.com/compute/docs/tutorials/sending-mail/using-mailgun Instead of their direct settings, I used ISPC for relayhost: [smtp.mailgun.org]:2525 Of course, this made the same changes they recommend, with one exception that I manually changed in main.cf:
smtp_tls_security_level = encrypt
I'm trying to send via Roundcube and made the following changes per various threads here:
default_host=tls://%n
smtp_server=tls://%n
smtp_port=587
smtp_auth_type=PLAIN
smtp_user=%u
smtp_pass=%p
When I send I get the following:
Jul 25 00:55:15 ns1 postfix/smtp[20593]: c80c360bef: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.08, delays=0.06/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Seems like it's upset that amavis isn't accepting/giving TLS... but I don't understand exactly why I needed to force TLS from Roundcube anyway. Whatever it is... it's not sending and that's the error. Any ideas?
Please undo the smtp_tls_security_level change you made, as this switches the internal connections to amavis to TLS, which does not work. You may do this for a special transport in master.cf by using a -o parameter line, but not globally.
Thank you, Till. I changed it to "= may" and now the Roundcube login says "Connection to storage server failed".
Update: I was able to log in to Roundcube by changing the config:
default_host = localhost
smtp_server = tls://%n
Now when I email, it's an instant bounceback:
host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=01263-09 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10027): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)
Seems as if you still have your system configured to require TLS for internal connections. Please undo these changes to get the working setup back. Connections on localhost between Postfix and amavis shall not be over TLS, and the system will fail if you force TLS on localhost, as you can see.
The only changes I have now:
ISPC: relayhost set to Mailgun, port 2525
smtp_tls_security_level = may (even though Google's doc wanted encrypt)
Roundcube I reverted to default:
default_host=localhost
smtp_server=localhost
smtp_port=25
#smtp_auth_type=PLAIN
smtp_user=''
smtp_pass=''
Now it gives an error on send: 5.7.0 Must issue a STARTTLS command first.
master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n     n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_bind_address=
#  -o smtp_tls_security_level=none
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
#  -o smtp_tls_security_level=none
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_dns_lookups=yes
#  -o smtp_tls_security_level=none
The error means that you are still enforcing TLS, either in master.cf or in main.cf, or you did not restart Postfix after you made the config changes. I've attached the Postfix config files of a working setup so that you can compare yours with known good ones to fix your setup. I had to rename the files to .txt for the upload.
And you might have to revert the Roundcube config as well if it's not working after you have reverted the Postfix config.
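The two errors in this thread come from the two loopback hops of the amavis content filter: the smtp(8) client that hands mail to amavis fails with "TLS is required, but was not offered" when smtp_tls_security_level is mandatory, and the 127.0.0.1:10025/10027 smtpd(8) re-injection listeners answer "530 5.7.0 Must issue a STARTTLS command first" when smtpd_tls_security_level is mandatory, because neither of them has a per-service -o override and so inherits the main.cf value. The following lint is an added example, not code from the thread, ISPConfig or Postfix: it applies Postfix's parameter precedence (master.cf -o override, then main.cf, then the built-in default) to each service and flags exactly those two mistakes, plus the missing per-destination policy toward the relay. The main.cf and master.cf strings are constructed to mirror the configuration described above; the Mailgun next-hop and the /etc/postfix/tls_policy path are assumptions.

```python
"""Added example, not from the thread or ISPConfig: lint main.cf/master.cf for a TLS
level that is mandatory on the loopback hops between Postfix and amavis."""
from typing import Dict, List

MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # TLS required
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# Constructed main.cf as the poster described it: both levels forced globally.
BROKEN_MAIN_CF = """\
relayhost = [smtp.mailgun.org]:2525
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
content_filter = amavis:[127.0.0.1]:10024
"""
# Constructed fix: opportunistic TLS by default, mandatory TLS only toward the relay
# via a per-destination policy (assumed file holding "[smtp.mailgun.org]:2525 encrypt").
FIXED_MAIN_CF = """\
relayhost = [smtp.mailgun.org]:2525
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
content_filter = amavis:[127.0.0.1]:10024
"""
# Constructed master.cf excerpt: MUA submission, the amavis hand-off, re-injection.
MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """'name = value' per line; an indented line continues the previous value."""
    params: Dict[str, str] = {}
    last = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last:
            params[last] += " " + line.strip()
        else:
            last, _, value = (s.strip() for s in line.partition("="))
            params[last] = value
    return params


def parse_master_cf(text: str) -> List[dict]:
    """One dict per service line (8+ columns); indented '-o k=v' lines are overrides."""
    services: List[dict] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if line[0] in " \t" and services:  # argument line of the previous service
            for opt, arg in zip(fields, fields[1:]):
                if opt == "-o" and "=" in arg:
                    k, _, v = arg.partition("=")
                    services[-1]["overrides"][k] = v
        elif len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "command": fields[7], "overrides": {}})
    return services


def effective(svc: dict, main: Dict[str, str], param: str, default: str) -> str:
    # Postfix resolution order: -o override, then main.cf, then built-in default.
    return svc["overrides"].get(param, main.get(param, default))


def lint(main_cf: str, master_cf: str) -> List[str]:
    main, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings: List[str] = []
    # Transport names used by content_filter= in main.cf or by any per-service -o.
    filters = [main.get("content_filter", "")] + [
        s["overrides"].get("content_filter", "") for s in services]
    filter_transports = {f.split(":", 1)[0] for f in filters if f}
    for svc in services:
        # 1. smtp(8) client feeding amavis: amavisd offers no STARTTLS, so 'encrypt'
        #    here yields "TLS is required, but was not offered by host 127.0.0.1".
        if svc["command"] == "smtp" and svc["name"] in filter_transports:
            lvl = effective(svc, main, "smtp_tls_security_level", "may")
            if lvl in MANDATORY:
                findings.append(f"transport {svc['name']}: smtp_tls_security_level={lvl}")
        # 2. Loopback smtpd(8) re-injection listener: amavisd never sends STARTTLS, so
        #    'encrypt' here yields "530 5.7.0 Must issue a STARTTLS command first".
        if (svc["command"] == "smtpd" and svc["type"] == "inet"
                and svc["name"].rsplit(":", 1)[0] in LOOPBACK):
            lvl = effective(svc, main, "smtpd_tls_security_level", "none")
            if lvl in MANDATORY:
                findings.append(f"listener {svc['name']}: smtpd_tls_security_level={lvl}")
    # 3. Mandatory TLS toward the relayhost belongs in smtp_tls_policy_maps, where it
    #    cannot leak onto the loopback hops the way a global 'encrypt' does.
    if (main.get("relayhost") and not main.get("smtp_tls_policy_maps")
            and main.get("smtp_tls_security_level", "may") not in MANDATORY):
        findings.append(f"relayhost {main['relayhost']}: add it to smtp_tls_policy_maps")
    return findings


if __name__ == "__main__":
    print(lint(BROKEN_MAIN_CF, MASTER_CF), lint(FIXED_MAIN_CF, MASTER_CF))
```

Against the constructed broken pair the lint reports the amavis transport and both loopback listeners; against the fixed pair it reports nothing, because the per-destination entry in smtp_tls_policy_maps still forces TLS toward the relay while the global levels stay at "may", and the submission service keeps its own -o smtpd_tls_security_level=encrypt for MUA clients. If you prefer Till's master.cf route instead, the equivalent is a -o smtp_tls_security_level=none line on the amavis transport and a -o smtpd_tls_security_level=none line on each 127.0.0.1 listener; the lint accepts either.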
Thank you, Till. Got it. The difference was: smtpd_tls_security_level = may. Mine was set to encrypt. I had smtp_tls_security_level set properly, but not that. I'm sure in all my changes I forgot that one. Thank you for everything.