I have a debian server with postfix, fail2ban, roundcube, webmin and dovecot installed on it. I have been able to send mails from port 25, but regardless of what I try I can't get it to work from 465 and/or 587 regardless of the method I try. This happens in roundcube and a mail client, although I suspect that both errors may differ. I have tried various things these last few days and also read for some possible solutions, but neither of them worked for me so after all here's what I've got:
Roundcube config/config.inc.php:
<?php
$config['debug_level'] = 4;
$config['smtp_debug'] = true;
$config = [];
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://user:pass@localhost/db';
// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'mail.domain.tld';
// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
// To specify different SMTP servers for different IMAP hosts provide an array
// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']
$config['smtp_server'] = 'tls://mail.domain.tld';
// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';
// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Webmail';
// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-random_key_here';
// List of active plugins (in plugins/ directory)
$config['plugins'] = [
'archive',
'zipdownload',
];
// skin name: folder from skins/
$config['skin'] = 'elastic';
$config['imap_conn_options'] = array(
'ssl' => array('verify_peer' => true, 'verfify_peer_name' => false),
'tls' => array('verify_peer' => true, 'verfify_peer_name' => false),
);
$config['default_host'] = 'ssl://mail.domain.tld';
$config['default_port'] = '993';
$config['smtp_server'] = 'tls://mail.domain.tld';
$config['smtp_port'] = '587';
$config['smtp_debug'] = true;
Currently, I'm able to receive emails in roundcube at port 143 and 993, but I can only send from port 25. Here's the error I get when I try to send an email from 587:
SMTP Error (554): Failed to add recipient "[email protected]" (5.7.1 <[email protected]>: Recipient address rejected: Access denied).
Here is what the roundcube logs/smtp.log shows:
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Connecting to tls://mail.hlebarkite.bg:587...
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 220 mail.domain.ltd ESMTP Postfix
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: EHLO webmail.domain.ltd
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-mail.domain.ltd
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-PIPELINING
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-SIZE 10240000
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-VRFY
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-ETRN
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-STARTTLS
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-ENHANCEDSTATUSCODES
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-8BITMIME
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-DSN
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250-SMTPUTF8
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 CHUNKING
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: MAIL FROM:<[email protected]>
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 2.1.0 Ok
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: RCPT TO:<[email protected]>
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: RSET
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 250 2.0.0 Ok
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Send: QUIT
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> Recv: 221 2.0.0 Bye
Here is what the logs/error.log shows:
[10-Mar-2022 00:08:05 +0200]: <gqnft6kr> SMTP Error: Failed to add recipient '[email protected]'. 5.7.1 <[email protected]>: Recipient address rejected: Access denied (Code: 554) in /home/webmail/program/lib/Roundcube/rcube.php on line 1774 (POST /?_task=mail&_unlock=loading1646863684782&_framed=1&_action=send)
If i try to send an email like so:
echo "test message body" | mail -s "test" [email protected]
I get the following in /var/log/mail.log
Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: connect from unknown[xx.xx.xx.xx - this is the server IP]
Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: warning: SASL: Connect to private/auth failed: No such file or directory
Mar 10 00:12:11 lamp postfix/submission/smtpd[1126]: fatal: no SASL authentication mechanisms
Mar 10 00:12:12 lamp postfix/master[1300]: warning: process /usr/lib/postfix/sbin/smtpd pid 1126 exit status 1
Mar 10 00:12:12 lamp postfix/master[1300]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Mar 10 00:12:12 lamp postfix/smtp[1125]: C520F1300420: to=<[email protected]>, relay=mail.domain.ltd[xx.xxx.xx.xx server ip]:587, delay=1.1, delays=0.09/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with mail.domain.ltd[xx.xx.xx.xx server IP] while performing the EHLO handshake)
If I try to send an email from a mail client then I see this error:
The reported error was “HELO command failed: Error receiving data: Connection reset by peer”.
Here is what postconf -n looks like:
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_protocols = all
mailbox_size_limit = 0
mydestination = localhost.$mydomain, localhost, $myhostname
mydomain = mail.domain.ltd
myhostname = mail.domain.ltd
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
mynetworks_style = subnet
readme_directory = no
recipient_delimiter = +
relayhost = [mail.domain.ltd]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:username:pass
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit_inet_interfaces
smtpd_sasl_path = private/auth
smtpd_sasl_security_options =
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /var/lib/dehydrated/certs/mail.domain.ltd/fullchain.pem
smtpd_tls_cert_file = /var/lib/dehydrated/certs/mail.domain.ltd/cert.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mail.domain.ltd/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
Here is how /etc/postfix/main.cf looks like:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /var/lib/dehydrated/certs/mail.domain.ltd/cert.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/mail.domain.ltd/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_inet_interfaces
myhostname = mail.domain.ltd
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = $myhostname, mail.domain.ltd, localdomain, localhost, localhost.localdomain, localhost
# test
mydestination = localhost.$mydomain, localhost, $myhostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
smtp_use_tls = yes
smtpd_tls_CAfile = /var/lib/dehydrated/certs/mail.domain.ltd/fullchain.pem
#smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit_inet_interfaces
smtpd_tls_security_level = may
mynetworks_style = subnet
#mydomain = localdomain
# test
mydomain = mail.domain.ltd
smtpd_sasl_security_options =
# test
relayhost = [mail.domain.ltd]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:username:pass
smtp_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
Here is how /etc/postfix/master.cf looks like:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
Any help would be greatly appreciated.