ISPConfig 3 + Squeeze - SSL/TLS 465 SMTP Fail

Discussion in 'Installation/Configuration' started by Wych, Aug 30, 2011.

  1. Wych

    Wych New Member

    Hi there.

    New install of ISPConfig 3 on Debian Squeeze [previously on Lenny]

    Created using:

    Previous server used:

    Port: 465
    Connection security: SSL/TLS
    Authentication method: normal password

    If I try to use these setting on this fresh install [complete format with previous back up files stored on a seperate drive] I get the following error:

    Sending of message failed.
    The message could not be sent because connecting to SMTP server (changed from real name - error has correct name) failed. The server may be unavailable or is refusing SMTP connections. Please verify that your SMTP server settings are correct and try again, or contact the server administrator.

    I can send using:

    Port: 25
    Connection security: STARTTLS
    Authentication method: normal password

    No errors appear in mail.log or mail.err

    I've compared the pre/post [original/current]

    Differing section appears to be:

    Current has a couple of minor differences

    *This line is missing in the current

    *These lines do not appear in the original

    No firewall rules are set to block ports.

    hopefully I've provided enough detail.
    Last edited: Aug 30, 2011
  2. CSsab

    CSsab New Member

    The output of postconf -a should be:

    Here is a working (uncommented only) from a fairly new sqeeze setup for you to compare with:

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    append_dot_mydomain = no
    readme_directory = /usr/share/doc/postfix
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    myhostname = mail.example.tld
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.example.tld, localhost, localhost.localdomain
    relayhost =
    mynetworks = [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/, mysql:/etc/postfix/
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0

    You can compare and check that /etc/mailname contains your proper mail name.
    Also check that ports are open in your router.
  3. Wych

    Wych New Member


    Only difference is the last 3 lines on my

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =

    *These 3 lines also appeared in my previous

    /etc/mailname confirmed

    Same external setup [router, cable etc] as per previous server which worked.
  4. CSsab

    CSsab New Member

    Comment them out (you can always uncomment them later if you want to):

    #smtp_sasl_auth_enable = yes
    #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    #smtp_sasl_security_options =

    Then reload and restart postfix.
    /etc/init.d/postfix reload
    /etc/init.d/postfix restart
    /etc/init.d/dovecot restart

    Also check out your smtp dialogue at

    After that the next thing you can look at it your dovecot configuration in /etc/dovecot/dovecot.conf
    Last edited: Aug 30, 2011
  5. Wych

    Wych New Member

    Commented out the 3 lines - done

    /etc/init.d/postfix reload - done
    /etc/init.d/postfix restart - done
    /etc/init.d/dovecot restart - done

    Change SMTP settings to SSL/TLS 465 - done
    Test email to external adr - fail [as per previous error]

    Change SMTP settings back to STARTTLS 25 - done
    Test email to external adr - bounce back fail from relay [required to use this due to blacklisting issues]

    Uncomment lines, reload/restart - done.

    Returned to usable state.

    MXtoolbox results:

    220 *correct server name* ESMTP Postfix (Debian/GNU)

    • OK - correct IP resolves to correct IP at ISP
    • Warning - Reverse DNS does not match SMTP Banner
    • 0 seconds - Good on Connection time
    • Not an open relay.
    • 1.513 seconds - Good on Transaction time

    6 open ports:
    25 smtp Success 218 ms
    80 http Success 218 ms
    110 pop3 Success 218 ms
    143 imap Success 218 ms
    443 https Success 218 ms
    8080 webcache Success 218 ms

    These ports were closed:
    21 ftp Timeout 0 ms
    22 ssh Timeout 0 ms
    23 telnet Timeout 0 ms
    53 dns Timeout 0 ms
    139 netbios Timeout 0 ms
    389 ldap Timeout 0 ms
    587 msa-outlook Timeout 0 ms
    1352 lotus notes Timeout 0 ms
    1433 sql server Timeout 0 ms
    3306 my sql Timeout 0 ms
    3389 remote desktop Thread was being aborted. 0 ms

    I notice that it doesn't check 465 or any other mail ports like 993.
  6. CSsab

    CSsab New Member

    For mail you only need:

    Mail Server (POP3) 110
    Mail Server (SMTP) 25

  7. Wych

    Wych New Member

  8. Wych

    Wych New Member


    I'm beginning to think I can live with STARTTLS 25 & relaying through mailhop.
  9. CSsab

    CSsab New Member

    1. In a normal setup you don't have a /etc/postfix/cert.pem

    2. Those dyndns lines are "optional" and perhaps you should look at your DNS setup first.

    Do you have a dynamic IP?
  10. Wych

    Wych New Member

    Yes my IP is dynamic - which is why I've used DynDNS for as long as I can remember to in conjunction with mail & web services.

    DNS is fine - website works, webmail works.

    The only reason I'm using the DynDNS lines is they were in my previous operating Lenny setup.

    Is there is a reason why the cert wasn't included in this version of ISPConfig?

    I was running with out the extra lines but still using the relay with out problem - I had hoped adding them would fix the 465 access issue.

    The differences in the above aren't the problem?
  11. CSsab

    CSsab New Member

    No I don't think that the lack of a postfix cert is the problem here.

    You should have a smtpd.cert in /etc/postfix
    and that is why you have the following lines in

    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key

    Your mail record should not be a CNAME record.

    It should be an MX record.

    Have a read here:

    The easiest way to get things working are to follow the howto and then set up your DNS using the wizard.

    This will generate a mail record which will have the same value as that in /etc/mailname.

    You will need to wait for changes you make in the DNS to propogate (they say 12 hours)

    Also have a look here:
    Last edited: Aug 30, 2011
  12. Wych

    Wych New Member

    MX Record is already set:

    Preference Mail Exchangers
    10 [changed]
    It appears that your MX records are setup correctly.

    Just uncommented the entries & did a reload/restart.....

    I have SSL/TLS 465 SMTP access.

    BUT: There's a new problem - now mail wont deliver:

    Aug 30 20:12:14 **** postfix/error[22643]: 302922C436C: to=, relay=none, delay=351, delays=350/0.14/0/0.33, dsn=4.3.0, status=deferred (mail transport unavailable)
    Aug 30 20:12:14 **** postfix/error[22644]: AF9182C436E: to=, relay=none, delay=322, delays=322/0.26/0/0.26, dsn=4.3.0, status=deferred (mail transport unavailable)

    Tried a postfix flush with no result.

    Reverted to the commented, reload/restart - back to receiving mail but sending via 25
    Last edited: Aug 31, 2011
  13. Wych

    Wych New Member

    uncommenting the below in the gave me the result I required

    smtps inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes

    I have also re-done the MX record on DYNDNS as per the above.

    users can now send mail via port 465 with SSL/TLS enabled
    user can now receive mail via port 993 with SSL/TLS enabled

Share This Page