
Postfix to relay SMTP from port 587


I have a Debian server with Postfix, fail2ban, Roundcube, Webmin and Dovecot installed on it. I have been able to send mails from port 25, but regardless of what I try I can't get it to work from 465 and/or 587 regardless of the method I try. This happens in Roundcube and a mail client, although I suspect that both errors may differ. I have tried various things these last few days and also read up on some possible solutions, but none of them worked for me, so here's what I've got:

Roundcube config/config.inc.php:

<?php

$config['debug_level'] = 4;
$config['smtp_debug'] = true;

$config = [];

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://user:pass@localhost/db';

// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'mail.domain.tld';

// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
// To specify different SMTP servers for different IMAP hosts provide an array
// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']
$config['smtp_server'] = 'tls://mail.domain.tld';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Webmail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-random_key_here';

// List of active plugins (in plugins/ directory)
$config['plugins'] = [
    'archive',
    'zipdownload',
];

// skin name: folder from skins/
$config['skin'] = 'elastic';


$config['imap_conn_options'] = array(
    'ssl' => array('verify_peer' => true, 'verfify_peer_name' => false),
    'tls' => array('verify_peer' => true, 'verfify_peer_name' => false),
);


$config['default_host'] = 'ssl://mail.domain.tld';
$config['default_port'] = '993';
$config['smtp_server'] = 'tls://mail.domain.tld';
$config['smtp_port'] = '587';
$config['smtp_debug'] = true;

Currently, I'm able to receive emails in roundcube at port 143 and 993, but I can only send from port 25. Here's the error I get when I try to send an email from 587:

SMTP Error (554): Failed to add recipient "[email protected]" (5.7.1 <[email protected]>: Recipient address rejected: Access denied).

Here is what the roundcube logs/smtp.log shows:

[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Connecting to tls://mail.hlebarkite.bg:587...
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 220 mail.domain.ltd ESMTP Postfix
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: EHLO webmail.domain.ltd
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-mail.domain.ltd
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-PIPELINING
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-SIZE 10240000
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-VRFY
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-ETRN
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-STARTTLS
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-ENHANCEDSTATUSCODES
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-8BITMIME
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-DSN
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-SMTPUTF8
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 CHUNKING
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: MAIL FROM:<[email protected]>
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 2.1.0 Ok
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: RCPT TO:<[email protected]>
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: RSET
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 2.0.0 Ok
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: QUIT
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 221 2.0.0 Bye

Here is what the logs/error.log shows:

[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> SMTP Error: Failed to add recipient '[email protected]'. 5.7.1 <[email protected]>: Recipient address rejected: Access denied (Code: 554) in /home/webmail/program/lib/Roundcube/rcube.php on line 1774 (POST /?_task=mail&_unlock=loading1646863684782&_framed=1&_action=send)

If I try to send an email like so:

echo "test message body" | mail -s "test" [email protected]

I get the following in /var/log/mail.log

Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: connect from unknown[xx.xx.xx.xx - this is the server IP]
Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: warning: SASL: Connect to private/auth failed: No such file or directory
Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: fatal: no SASL authentication mechanisms
Mar 10 00:12:12 lamp postfix/master[1300]: warning: process /usr/lib/postfix/sbin/smtpd pid 1126 exit status 1
Mar 10 00:12:12 lamp postfix/master[1300]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Mar 10 00:12:12 lamp postfix/smtp[1125]: C520F1300420: to=<[email protected]>, relay=mail.domain.ltd[xx.xxx.xx.xx server ip]:587, delay=1.1, delays=0.09/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with mail.domain.ltd[xx.xx.xx.xx server IP] while performing the EHLO handshake)

If I try to send an email from a mail client then I see this error:

The reported error was “HELO command failed: Error receiving data: Connection reset by peer”.

Here is what postconf -n looks like:

postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_protocols = all
mailbox_size_limit = 0
mydestination = localhost.$mydomain, localhost, $myhostname
mydomain = mail.domain.ltd
myhostname = mail.domain.ltd
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
mynetworks_style = subnet
readme_directory = no
recipient_delimiter = +
relayhost = [mail.domain.ltd]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:username:pass
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit_inet_interfaces
smtpd_sasl_path = private/auth
smtpd_sasl_security_options =
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /var/lib/dehydrated/certs/mail.domain.ltd/fullchain.pem
smtpd_tls_cert_file = /var/lib/dehydrated/certs/mail.domain.ltd/cert.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mail.domain.ltd/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

Here is what /etc/postfix/main.cf looks like:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_cert_file = /var/lib/dehydrated/certs/mail.domain.ltd/cert.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mail.domain.ltd/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_inet_interfaces
myhostname = mail.domain.ltd
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = $myhostname, mail.domain.ltd, localdomain, localhost, localhost.localdomain, localhost
#  test
mydestination = localhost.$mydomain, localhost, $myhostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
smtp_use_tls = yes
smtpd_tls_CAfile = /var/lib/dehydrated/certs/mail.domain.ltd/fullchain.pem
#smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit_inet_interfaces
smtpd_tls_security_level = may
mynetworks_style = subnet
#mydomain = localdomain
# test
mydomain = mail.domain.ltd
smtpd_sasl_security_options = 
# test
relayhost = [mail.domain.ltd]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:username:pass
smtp_sasl_security_options = noanonymous 
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

Here is what /etc/postfix/master.cf looks like:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Any help would be greatly appreciated.

codlord
Your config says you want auth via Dovecot (`smtpd_sasl_type = dovecot`). Is Dovecot installed, set up and running? Your log says `Connect to private/auth failed: No such file or directory` (`smtpd_sasl_path = private/auth`), which seems to indicate not. Or that something is wrong with your setup there. See here: https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
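
One way to run the check the comment above points at (an added example, not part of the original thread): Postfix resolves a relative `smtpd_sasl_path` against its queue directory, so `private/auth` must exist there as a UNIX socket created by Dovecot. The function name `check_sasl_socket` and the `--live` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: verify the Dovecot SASL socket that Postfix smtpd expects.
# With smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth, smtpd
# looks for <queue_directory>/private/auth. If Dovecot does not create that
# socket, smtpd logs "SASL: Connect to private/auth failed" and exits with
# "fatal: no SASL authentication mechanisms", as in the mail.log above.
#
# Dovecot side (from the Dovecot/Postfix SASL howto linked in the comment):
#   service auth {
#     unix_listener /var/spool/postfix/private/auth {
#       mode = 0660
#       user = postfix
#       group = postfix
#     }
#   }

# check_sasl_socket QUEUE_DIR SASL_PATH
# Returns 0 if the socket exists, 1 if the path is missing,
# 2 if the path exists but is not a UNIX socket.
check_sasl_socket() {
    queue_dir=$1
    sasl_path=$2
    case $sasl_path in
        /*) full=$sasl_path ;;               # absolute path used as-is
        *)  full=$queue_dir/$sasl_path ;;    # relative to the queue directory
    esac
    if [ ! -e "$full" ]; then
        echo "MISSING: $full (is Dovecot running with a matching unix_listener?)"
        return 1
    fi
    if [ ! -S "$full" ]; then
        echo "NOT A SOCKET: $full (stale file; Dovecot must create it)"
        return 2
    fi
    echo "OK: $full"
    ls -l "$full"    # owner and mode should let the postfix user connect
    return 0
}

# Live check, only when asked for: reads the real values from postconf.
if [ "${1:-}" = "--live" ]; then
    check_sasl_socket "$(postconf -h queue_directory)" \
                      "$(postconf -h smtpd_sasl_path)"
fi
```

Run it as root with `--live` on the mail server; after fixing the Dovecot listener, restart Dovecot and run the check again before retesting port 587.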