Query, I don't receive email "Client host rejected: Access denied"

Discussion in 'Installation/Configuration' started by Milly, Dec 8, 2019.

  1. Milly

    Milly Member

    First, I appreciate the very complete and useful tutorial: The Perfect Server - Debian 10 (Nginx, BIND, Dovecot, ISPConfig 3.1)
    I am not an expert, I have several doubts and that is why I would like to ask these questions.

    1 - In Chapter 8 after installing I opened the file /etc/postfix/master.cf I see that the following line does not exist:
    What I did was add this line, but when I did it I didn't receive emails and from gmail it showed the following:
    Then I deleted it to leave it as before and it works well, I can receive emails, but my question is if this missing line affects security?

    2 - I don't know much about the subject, but the MX, A, TXT and other data should be added in the control panel where the Domain is registered or in the VPS service or in the ISPConfig panel or in the 3?

    3 - These are the services that are running. The question is whether the services marked [-] are completely turned off, or only run when they are needed in order to save resources, or whether I should activate them?

    # service --status-all
    [ + ] amavis
    [ - ] amavisd-snmp-subagent
    [ - ] amavis-mc
    [ + ] apparmor
    [ + ] bind9
    [ + ] clamav-daemon
    [ + ] clamav-freshclam
    [ + ] cloud-config
    [ + ] cloud-final
    [ + ] cloud-init
    [ + ] cloud-init-local
    [ + ] cron
    [ + ] dbus
    [ + ] dovecot
    [ + ] fail2ban
    [ - ] fcgiwrap
    [ + ] haveged
    [ - ] hwclock.sh
    [ + ] kmod
    [ + ] memcached
    [ + ] mysql
    [ + ] networking
    [ + ] nginx
    [ + ] ntp
    [ + ] openbsd-inetd
    [ + ] php7.3-fpm
    [ + ] postfix
    [ + ] postgrey
    [ + ] procps
    [ + ] pure-ftpd-mysql
    [ - ] quota
    [ - ] quotarpc
    [ - ] rsync
    [ + ] rsyslog
    [ - ] screen-cleanup
    [ - ] spamassassin
    [ + ] ssh
    [ - ] sudo
    [ + ] udev
    [ + ] ufw
    [ + ] unscd

    4. For example, is spamassassin working? Does it activate automatically when needed? Or should I activate it so that it is always active? :

    #systemctl status spamassassin
    ● spamassassin.service - Perl-based spam filter using text analysis
    Loaded: loaded (/lib/systemd/system/spamassassin.service; disabled; vendor preset: enabled)
    Active: inactive (dead)

    Dec 08 20:44:00 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:01 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:07 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:07 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:07 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:16 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:16 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 20:44:16 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 21:14:10 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    Dec 08 21:15:07 mail systemd[1]: /lib/systemd/system/spamassassin.service:6: PIDFile= references path below legacy directory /var/run/, updating /var
    lines 1-14 / 14 (END)

    5. The VPS that I am configuring is only for personal mail, which ports are recommended to be left open with ufw?

    6. How can I measure the security of this server and how can I know when all programs should be updated?

    Thank you very much for the help and excuse my bad English.
     
  2. Steini86

    Steini86 Active Member

    It depends 'where' (which line) you have added that. You have to show master.cf file to judge that.
    These records are DNS entries and should be made where the DNS of your domain is managed. In your case I guess, that it is managed in the control panel of your domain. (although it could be managed by ISPconfig, but I would not recommend that for a new user).
    The [-] services are not running as a daemon (in the background). Only activate the services you need to run in the background. For example, if this is only a mail server, you would not need pure-ftpd-mysql.
    Spamassassin is being called by Amavis for mail scanning. No need to have it run as a daemon.
    Depends on the services you want to use:
    Receive mail unencrypted/TLS/SSL: 25 / 587 / 465
    POP3 unencrypted / SSL: 110 / 995
    IMAP unencrypted/TLS / SSL: 143 / 995
    If you are unsure, open all of them. Ports below 1024 can only be used by root user and if an attacker has root, then the firewall will not help you.
    "apt update" shows you if there are outdated packages (among the packages managed via the package manager, which should be all of them, depending on your setup).
    For testing your mailserver:
    Note that these will not test or measure your security, only show obvious problems.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Post the whole master.cf file.
     
  4. Milly

    Milly Member

    Hello, thanks for answering. I reinstalled it and now it works fine; it was an error of mine during installation, but I have other doubts.

    How can I add a new domain? (domini2.net)

    I tried adding the new domain in ISPConfig from Mail / Add domain /:

    Server: mail.domain1.com
    Domain: domain2.net

    The new email from domain2.net works fine; even receiving and sending is almost immediate.

    But maybe it is so fast because something is not going well. I would like to know if I should add domain2.net in some server configuration from the console. I think that something does not work well; I do not know if I have to do something different or if I have to configure the DNS records differently, because mecsa.jrc.ec.europa.eu/ shows this big difference

    In Phishing and identity theft:
    mail@domain1.com 5 stars
    mail@domain2.net 0 stars

    Thank you very much for the help
     
  5. Steini86

    Steini86 Active Member

    MX/SPF/DMARC/_mta-sts entries have to be made for each domain sending/receiving mails individually. Note that newly made DNS entries can take some time to propagate through the servers, especially if the TTL is at the standard value.
     
  6. Milly

    Milly Member

    I followed this guide for installation
    The Perfect Server - Debian 10 (Nginx, BIND, Dovecot, ISPConfig 3.1)

    Is it necessary to add the new .net domain from the terminal, or add some security from the Linux terminal? Or is it only necessary to add it from ISPConfig?

    Is there a guide or section on howtoforge.com to learn how to configure MX / SPF / DMARC / _mta-sts correctly?

    Thank you
     
  7. Steini86

    Steini86 Active Member

    There is no need to use the command line (for this).
    Is your DNS managed by ISPconfig or by your provider / something else?

    If your DNS is not managed by ISPconfig (for beginners, I would suggest using the provider's tool and not ISPConfig), you have to put the values into the corresponding form yourself.
    MX: your mail domain (should match the domain in your certificate)
    SPF: https://www.dmarcanalyzer.com/spf/ ("v=spf1 a mx ~all" should do it in the beginning)
    DMARC: If configured in ISPconfig, the necessary DNS entry is shown.
     
  8. Milly

    Milly Member

    - The DNS is managed by godaddy
    - Two days ago I set it
    - I receive and send emails; in fact it is very fast, almost immediate, and I don't know if that's normal.
    - Glockapps spam testing shows the following.
    - I also show the GoDaddy configuration in case I have to correct it.

     
  9. Steini86

    Steini86 Active Member

    You have a different MX host in your configs. Postfix (as set up with ISPConfig) does not support SNI -> only one certificate is used by Postfix. If you do not have a certificate which is valid for both domains, then this is your error.

    What happens with receiving mails:
    When you send a mail to [email protected], the sending mail server looks for the MX entry of domain.com. If it finds something like mail.domain.com, it connects to it (otherwise it uses domain.com).
    The sender then tries to establish a connection to mail.domain.com and tries to encrypt that connection. The receiver (Postfix) greets the connection with a domain name (mailname) which should match the domain the sender asked for (MX entry). Additionally, the certificate used by Postfix has to match that mailname (otherwise it is obviously not a trusted connection).

    What happens with sending mails:
    - Postfix connects to a server, greets with its mailname and says it wants to send a mail from [email protected]
    - The other server tests if there is an SPF record for domain.com. Currently it says "mx".
    - The other server looks up the "mx" record and compares it to the IP of the server which is connecting.
    - The other server tests if the PTR record matches the domain of the sender. Otherwise it is probably spam.

    Therefore:
    - Use a single domain for your mail server and stick to it (mail.domain.com)
    - Set PTR record of your server IP to that domain
    - Use this as your mailname (verify in /etc/postfix/main.cf is: myorigin = $myhostname and myhostname = mail.domain.com)
    - Verify your certificate (in smtpd_tls_key_file and smtpd_tls_cert_file) matches that domain name
    - For all your domains, set MX to mail.domain.com
     
    Last edited: Dec 12, 2019
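    The receiving/sending checks and the "Therefore" list above, turned into an offline checker. This is an added example, not code from the thread, ISPConfig or howtoforge; the resolver is injected, so it runs here against a constructed zone for the two domains discussed (domain1.com done right, domain2.net with its own MX host and no DMARC), and the caller is assumed to plug in a real DNS library to run it against live records.

    ```python
    """Check that a domain's MX, PTR, SPF and DMARC agree with one mail host (added example)."""
    from typing import Callable, Dict, List, Tuple

    # Assumed resolver signature: resolve(name, rtype) -> list of record strings.
    Resolver = Callable[[str, str], List[str]]

    def check_mail_domain(domain: str, mail_host: str, resolve: Resolver) -> List[Tuple[str, bool, str]]:
        """Return (check, passed, detail) for: MX -> mail_host, A of mail_host,
        PTR of that IP -> mail_host, one SPF record authorising a/mx, DMARC present."""
        results = []
        mx = [r.split()[-1].rstrip('.').lower() for r in resolve(domain, 'MX')]
        results.append(('mx', mail_host in mx, f"MX for {domain}: {mx or 'none (falls back to A record)'}"))
        ips = resolve(mail_host, 'A')
        results.append(('a', bool(ips), f"A for {mail_host}: {ips}"))
        for ip in ips:
            rev = '.'.join(reversed(ip.split('.'))) + '.in-addr.arpa'   # IPv4 reverse name
            ptr = [p.rstrip('.').lower() for p in resolve(rev, 'PTR')]
            results.append(('ptr', mail_host in ptr, f"PTR for {ip}: {ptr}"))
        spf = [t for t in resolve(domain, 'TXT') if t.startswith('v=spf1')]
        spf_ok = len(spf) == 1 and any(m in spf[0].split() for m in ('a', 'mx', f'a:{mail_host}'))
        results.append(('spf', spf_ok, f"SPF for {domain}: {spf}"))
        dmarc = [t for t in resolve(f'_dmarc.{domain}', 'TXT') if t.startswith('v=DMARC1')]
        results.append(('dmarc', bool(dmarc), f"DMARC for {domain}: {dmarc}"))
        return results

    # Constructed zone data (not real records) mirroring the thread's two-domain setup.
    ZONE: Dict[Tuple[str, str], List[str]] = {
        ('domain1.com', 'MX'): ['10 mail.domain1.com.'],
        ('domain2.net', 'MX'): ['10 mail.domain2.net.'],      # second domain points at its own MX host
        ('mail.domain1.com', 'A'): ['192.0.2.25'],
        ('mail.domain2.net', 'A'): ['192.0.2.25'],
        ('25.2.0.192.in-addr.arpa', 'PTR'): ['mail.domain1.com.'],
        ('domain1.com', 'TXT'): ['v=spf1 a mx ~all'],
        ('domain2.net', 'TXT'): ['v=spf1 mx ~all'],
        ('_dmarc.domain1.com', 'TXT'): ['v=DMARC1; p=quarantine'],
    }

    def fake_resolve(name: str, rtype: str) -> List[str]:
        """Offline stand-in for a DNS lookup; replace with a real resolver to check live records."""
        return ZONE.get((name.lower(), rtype), [])

    def failed_checks(domain: str, mail_host: str, resolve: Resolver = fake_resolve) -> List[str]:
        return [name for name, ok, _ in check_mail_domain(domain, mail_host, resolve) if not ok]

    if __name__ == '__main__':
        for d in ('domain1.com', 'domain2.net'):
            for name, ok, detail in check_mail_domain(d, 'mail.domain1.com', fake_resolve):
                print(f"{d:12} {name:6} {'OK ' if ok else 'BAD'} {detail}")
    ```

    With the constructed zone, domain1.com passes every check and domain2.net fails "mx" (its MX names a second host, the case the post describes) and "dmarc".
    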
