
I'm setting up a Postfix server that uses Dovecot SASL authentication on an EC2 virtual machine running Ubuntu 16.04 Xenial. I can send mails to my Gmail account but I cannot receive them. It is supposed to store mails in 'usr/Maildir'. I am also able to receive mails if I send them from a telnet session.

My settings are the following:

In /etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/mycrt.crt
smtpd_tls_key_file = /etc/postfix/ssl/mymail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydomain = domain.com
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
relay_domains = $mydestination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = mydomain.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/mycert.pem
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command =
smtp_use_tls = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_auth_only = no

In /etc/dovecot/10-master.conf

# Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

In /conf.d/10-auth.conf

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Error messages in /var/log/mail.err

Jul  3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jul  3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied

And /var/log/mail.log

Jul  3 22:41:38 ip-172-31-0-124 postfix/smtpd[18851]: connect from unknown[45.13.39.19]
Jul  3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: connect from mail-vs1-f46.google.com[209.85.217.46]
Jul  3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: lost connection after STARTTLS from mail-vs1-f46.google.com[209.85.217.46]
Jul  3 22:41:40 ip-172-31-0-124 postfix/cleanup[19071]: A305E4651D: message-id=<20190703224140.A305E4651D@mail.mydomain.com>
Jul  3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: from=<double-bounce@mail.mydomain.com>, size=920, nrcpt=1 (queue active)
Jul  3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: disconnect from mail-vs1-f46.google.com[209.85.217.46] ehlo=1 starttls=0/1 commands=1/2
Jul  3 22:41:40 ip-172-31-0-124 postfix/local[19073]: A305E4651D: to=<root@mydomain.com>, orig_to=<postmaster>, relay=local, delay=0.01, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jul  3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: removed
Jul  3 22:41:46 ip-172-31-0-124 postfix/smtpd[18851]: warning: unknown[45.13.39.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  3 22:41:47 ip-172-31-0-124 postfix/smtpd[18851]: disconnect from unknown[45.13.39.19] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

Output of `openssl s_client -connect mydomain:25 -starttls smtp`:

CONNECTED(00000003)
139707798795928:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 340 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1562190493
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I've already checked the MX record and everything is OK. I've spent a lot of time on this issue. I hope you can help.



The basic problem here is that you announce that you support STARTTLS:

smtp_use_tls = yes

Yet you do not have a valid certificate configured. This means that STARTTLS will actually fail: the `SSL23_GET_SERVER_HELLO:unknown protocol` error in your `openssl s_client` output and the `lost connection after STARTTLS` entry for Google's server in mail.log are both symptoms of the TLS handshake breaking right after STARTTLS, so remote senders cannot deliver to you.

You either have to disable TLS (set smtp_use_tls = no) or install proper certificates. Let's Encrypt certificates will work great for this.

#Install certbot
sudo apt install certbot
#Get certificate
sudo certbot certonly --domain example.org

Edit the following parameters in main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem

Comment out the smtpd_tls_CAfile line, as the CA certificate is already bundled with the server certificate in fullchain.pem.
