I have two machines, one running Ubuntu and one runing Debian, both running Postfix. The intent is that machine#2 becomes a SMTP relay/smarthost for machine#1. I have created a CA and issued certificates for both of the machines: a server certificate for #2 and a client certificate for #1.
When sending e-mail from #1 (by having the MUA talk to Postfix on localhost:25 with the intent that it relays e-mail to #2), the basic things work fine: the machines can talk to each other and an attempt to relay is actually made. The idea is to allow relaying on #2 if a valid client-side SSL/TLS certificate is presented from #1.
The relevant configuration for #2 is:
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
The configuration on #1 is:
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_cert_file = /etc/ssl/private/cert1.pem
smtp_tls_key_file = /etc/ssl/private/key1-d.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = verify
smtp_tls_loglevel = 2
Machine#1 connects to #2, enables STARTTLS, the log files show that it successfuly verifies the certificate from #2, and attempts to relay the message. However, it appears not to send the client certificate to #2, and #2 refuses to relay the message.
Log entries from #1:
Apr 17 01:18:14 mail1 postfix/smtp[30250]: Verified TLS connection established to mail2[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:14 mail1 postfix/smtp[30244]: 8A2328BDB4: to=<addr#gmail.com>, relay=mail2[x.x.x.x]:25, delay=3488, delays=3486/0.41/0.85/0.19, dsn=4.7.1, status=deferred (host mail2[x.x.x.x] said: 454 4.7.1 <addr#gmail.com>: Relay access denied (in reply to RCPT TO command))
Log entries from #2:
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: Anonymous TLS connection established from unknown[y.y.y.y]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[y.y.y.y]: 454 4.7.1 <addr#gmail.com>: Relay access denied; from=<addr#mail1> to=<addr#gmail.com> proto=ESMTP helo=<mail1>
Any ideas? I'm basing my assumption that #1 didn't send its client cert on the "Anonymous TLS connection established" part in the logs from mail2.
A TLS server must request a certificate from the client, the client will not send it by its own. Try to add
smtpd_tls_ask_ccert=yes
on the server side
add your server adress ( server1.domaine.com ) in the postfix conf file main.cf
mynetworks = 127.0.0.1/8
Related
Has anyone successfully set up msmtp with a Mailgun account? I keep getting "Relaying denied", and msmtp reports that the envelope from is invalid. I have tried every variation of the from address that I can think of, scoured Mailgun's documentation for details on their SMTP parameters, and searched the web for examples, and I've not found anything that differs from my setup (aside from server and account names, of course).
Here is my /etc/msmtprc file,
account default
# The SMTP smarthost
host smtp.mailgun.org
# Use TLS on port 465
port 465
tls on
tls_starttls off
user manul#mail.mydomain.net
password [snip]
from mailgun#mydomain.net
# Syslog logging with facility LOG_MAIL instead of the default LOG_USER
syslog LOG_MAIL
And the msmtp session:
$ echo 'Subject: Grfg' | msmtp -v 'aidalgol#example.net'
loaded system configuration file /etc/msmtprc
ignoring user configuration file /home/me/.msmtprc: No such file or directory
falling back to default account
using account default from /etc/msmtprc
host = smtp.mailgun.org
port = 465
source ip = (not set)
proxy host = (not set)
proxy port = 0
timeout = off
protocol = smtp
domain = localhost
auth = none
user = manul#mail.mydomain.net
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = off
tls_trust_file = system
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = mailgun#aidalgolland.net
add_missing_from_header = on
add_missing_date_header = on
remove_bcc_headers = on
dsn_notify = (not set)
dsn_return = (not set)
logfile = (not set)
logfile_time_format = (not set)
syslog = LOG_MAIL
aliases = (not set)
reading recipients from the command line
TLS session parameters:
(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
TLS certificate information:
Owner:
Common Name: *.mailgun.org
Organization: MAILGUN TECHNOLOGIES\, INC
Organizational unit: MAILGUN TECHNOLOGIES\, INC
Locality: San Francisco
State or Province: California
Country: US
Issuer:
Common Name: Thawte TLS RSA CA G1
Organization: DigiCert Inc
Organizational unit: www.digicert.com
Country: US
Validity:
Activation time: Wed 19 Feb 2020 13:00:00 NZDT
Expiration time: Wed 20 Apr 2022 00:00:00 NZST
Fingerprints:
SHA256: 9E:5F:9B:27:BB:26:14:6F:3E:2F:50:75:FE:BF:64:1C:4B:8D:E0:A6:B7:EA:4F:27:13:05:FD:81:3F:57:52:26
SHA1 (deprecated): 54:36:F6:D1:44:0A:B4:62:F0:94:1B:21:7A:1B:82:5C:DF:FD:FF:57
<-- 220 Mailgun Influx ready
--> EHLO localhost
<-- 250-smtp-out-n17.prod.us-east-1.postgun.com
<-- 250-AUTH PLAIN LOGIN
<-- 250-SIZE 52428800
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SMTPUTF8
<-- 250 PIPELINING
--> MAIL FROM:<mailgun#myexample.net>
--> RCPT TO:<aidalgol#example.net>
--> DATA
<-- 550 5.7.1 Relaying denied
msmtp: envelope from address mailgun#mydomain.net not accepted by the server
msmtp: server message: 550 5.7.1 Relaying denied
msmtp: could not send mail (account default from /etc/msmtprc)
It turned out to be that I needed to set auth on in the msmtp configuration. The error envelope from address mailgun#mydomain.net not accepted by the server from msmtp was completely wrong.
For other people who got here you'll probably need to go to
https://app.mailgun.com/app/sending/domains/**YOUR-DOMAIN-NAME-HERE/credentials
to get your per-domain credentials as suggested here:
https://documentation.mailgun.com/en/latest/quickstart-sending.html#send-via-api
I diagrammed what to put where in the configuration file along with how to navigate to the setting. This should help make things super clear hopefully.
Note: The grey info-box in the bottom right with the password copy thing I got to by clicking on the green outlined "Reset password" button
I am trying to understand why opening a socket to Gmail's server via SSL provides different responses for different servers. This is stopping me from connecting to Gmail for sending out emails.
Below is a very simple script:
<?php
$smtp_connect = fsockopen('ssl://smtp.googlemail.com', 465,
$errno,
$errstr,
300);
var_dump(fgets($smtp_connect, 512));
?>
On server 1 [no ssl cert installed], the output of the above code is: string(57) "220 smtp.googlemail.com ESMTP s89sm726209qkl.44 - gsmtp
"
On server 2 [ssl cert installed], the output of the above code is: string(71) "220-mycompany.pro.com ESMTP Exim 4.87 #1 Wed, 26 Oct 2016 07:42:49 -0400
"
Can anyone explain why this happens, and how can I make server 2 have the same behavior as server 1?
Update: I have also tried smtp.gmail.com, the output is same as using smtp.googlemail.com.
The line you get the the SMTP welcome message. It is perfectly normal that different servers give a different welcome message. It is even normal that the response to commands you send is different. This means that when communicating with an SMTP server you should not assume fixed strings as response but implement proper parsing of SMTP. See the SMTP standard (RFC 2821) for details about this protocol.
I've had a Ubuntu 14.04 server configured and running fine for some time now. There are web, ftp and mail server installed and functioning properly on it. A week ago the SSL certificate that I had been using to connect to the management console and for mail expired and I went ahead and acquired a new one from StartSSL.
The new certificate is for mail.mydomain.com. The Postfix (main.cf) configuration contains the following:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/mail.crt
smtpd_tls_key_file = /etc/postfix/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.mysite.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.mysite.eu, localhost, localhost.localdomain
Dovecot.conf
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmaster#saturn13.eu
ssl_cert = </etc/postfix/mail.crt
ssl_key = </etc/postfix/mail.key
ssl_protocols = !SSLv2 !SSLv3
Dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/postix/mail.crt
ssl_key = </etc/postfix/mail.key
I read that StartSSL requires an intermediate and root CA to be installed, so I tried concatenating them into a mail.pem file which I then proceeded to set in both Postfix and Dovecot. Try as I might, every time I ran openSSL test, the results were like this:
root#server:/etc/dovecot# openssl s_client -connect mail.mysite.com:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
What's even more puzzling for me is the fact that when I try to connect to the account with Thunderbird, a popup window appears asking to confirm a security exception for www.mysite.com:443.
So, could you help me figure out what's wrong in this configuration? When I open the mail.crt file in Windows, everything appears normal. So why can't I connect to the server and why is Thunderbird trying to connect to www and on port 443?
Thank you!
with startssl certs you need to wait for one day or ocsp validating will fail.
firefox and thunderbird have ocsp enabled. maybe this was the cause for TB...
for the openssl error, maybe you are using the wrong ciphers? Check here: https://weakdh.org/sysadmin.html
your mail.crt looks like:
-----BEGIN CERTIFICATE-----
..xxx..
-----END CERTIFICATE-----
and your mail.key like
-----BEGIN RSA PRIVATE KEY-----
...xxx...
-----END RSA PRIVATE KEY-----
you don't need to install startssl root cert as it is installed in all browsers...
just the intermediate:
for postfix i'm using
smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
for dovecot
ssl_ca = </etc/ssl/private/sub.class1.server.ca.pem
and apache
SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
I recently installed Postfix, Dovecot to setup a mail server on my own VPS ( using this tutorial: Email with Postfix, Dovecot, Mysql)
Imaps server uses port 993 for Authentication, and Postfix uses port 25 to send mails.
In this tutorial, users stored in a Database ( so imaps use mysql to authenticate users).
i'm sure every thing works fine with imaps and postfix , because few days ago i installed Kmail client (on my linux) and receive mails from my server. sending mails also works fine, i sent a mail to Gmail and google received it without a problem (in my "Gmail inbox" not spam folder)
So to get to my Emails from a web mail client, i installed Roundcube on /var/www/mail directory.
I configured Roundcube many times. but each time it gives me this Error:
IMAP Error: Login failed for [me#mydomain] from X.x.X.x . Empty
startup greeting (localhost:993) in
/var/www/mm/program/lib/Roundcube/rcube_imap.php on line 184 (POST
/mm/?_task=login?_task=login&_action=login)
When i do log in from roundcube, imap server says ( in /var/log/mail.log ):
May 20 07:05:16 my-server dovecot: imap-login: Disconnected (no auth
attempts): rip=::1, lip=::1, TLS handshaking: Disconnected
Here is my roundcube config file :
$config['db_dsnw'] = 'mysql://roundcubeuser:myPassword#localhost/roundcubemail';
// ----------------------------------
// IMAP
// ----------------------------------
$config['debug_level'] = 13;
$config['default_host'] = 'ssl://127.0.0.1';
$config['default_port'] = 993;
// ----------------------------------
// SMTP
// ----------------------------------
$config['smtp_server'] = 'ssl://localhost';
What's the problem? i really have no idea what is happening !
Thank you.
I'm using postfix + dovecot + roundcube a few months now and it's working for me. In my configuration, postfix rejects plaintext sessions, so roundcube has to connect with ssl - and it's working.
This is from my main.inc.php. I don't remember editing anything here, it's just the initial config created during the installation.
Now that I'm looking at it, default_port doesn't make any sense, I think it's just ignored.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %s - domain name after the '#' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %d = domain.tld
// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
$rcmail_config['default_host'] = array("ssl://localhost:993");
// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
In case the other answer does not work, this is what worked for me. My config.inc.php now contains:
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
NOTE: using tls://localhost did not work for me. I had to specify ssl:// as the URI scheme.
Via PhpMyAdmin, I also ran this SQL command (all my user accounts are on the same machine that runs RoundCube):
UPDATE `rc_users` SET `mail_host`='ssl://localhost'
I got the port number 993 from running sudo netstat -tulnp in order to determine the port on which Dovecot was listening.
I am getting SMTP Authentication Failure on the server and the mail is getting send via the server SMTP only...
It appears to be a server configuration or related problem, but I am not sure.
This is the debug details:
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Failed to authenticate password. Error: 535 Incorrect authentication data
from: 250 OK
to: 250 Accepted
data: 354 Enter message, ending with "." on a line by itself
250 OK id=1U8Pjp-0002As-FB
quit: 221 ************** closing connection
Your message has been successfully sent using the following protocol: smtp
While testing from my local system, this works and the email is being sent via sendgrid.me
Again, This may not be a SendGrid Problem, but if you have faced similar issue, Can you please tell me what is the problem here?
I am using CentOs and I have cPanel in the server. I believe we are using EXIM for mail server.
For anyone that comes across this in future and are using cpanel/whm, you need to 'disable' this option under 'SMTP Restrictions' in WHM.
I was able to resolve this.
The issue was my server was not allowing the use of external SMTP and using its own SMTP server. I changed the settings and now it works fine.
I am using centos 7 Finally it works!
I was getting this issue(tail -f /var/log/mailog):
to=<usmanali#example.com>, relay=smtp.sendgrid.net[169.45.113.201]:587, delay=0.3, delays=0.05/0.07/0.16/0.02, dsn=5.0.0, status=bounced (host smtp.sendgrid.net[169.45.113.201] said: 550 Unauthenticated senders not allowed (in reply to MAIL FROM command))
Then i changed file /etc/postfix/main.cf in this way that added following lines into end of file
mtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
mailbox_size_limit = 256000000
# Sendgrid Settings
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:apikey:SG.YOUR_SENDGRID_KEY
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000
relayhost = [smtp.sendgrid.net]:587
Then Installing postfix missing module dependency using:
sudo yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
Then restarting postfix
sudo systemctl restart postfix.service