Using sendmail to send notifications (Fail2Ban) through Postfix relay

I'm still pretty much a complete neophyte when it comes to Ubuntu/Linux in general, but I'm familiar with how sending mail via SMTP works in general. So now I currently have two Ubuntu servers running on the same subnet (10.XXX.XXX.XXX/26):

SERVER1

Ubuntu 20.04.6 LTS
10.XXX.XXX.0

SERVER2

Ubuntu 22.04.2 LTS
10.XXX.XXX.1

The Postfix mail server (installed using iRedMail) is installed on SERVER1 and is publicly accessible via smtp.mydomain.dev. My mail client is set up to use this server for sending/receiving mail and works normally. I can also log in to webmail.mydomain.dev and view/send mail from there via Nginx running on the same server.

I've just started setting up SERVER2 and I was trying to configure Fail2Ban to send out notifications using the Postfix on SERVER1, but none of those notifications are getting to my inbox.

At one point in my various attempts to get this working I was able to successfully send email messages to my "work" account via the command line on SERVER2:

echo "Testing my sendmail relay" | mail -s 'Relay Test' myemail@anotherdomain.com

Unfortunately, I must've messed something up even worse now because even this has stopped working at this time.

I've gone through various iterations of configuration updates on both SERVER1 and SERVER2. Here's basically what I'm looking at now:

SERVER2

sendmail.mc


define(`SMART_HOST',`[smtp.mydomain.dev]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
# FEATURE(`authinfo', `hash -o /etc/mail/smtp-auth-creds.db')dnl
# define(`confAUTH_OPTIONS', `A p')dnl
# TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
# define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

And compiled/restarted

sudo make -C /etc/mail
sudo systemctl restart sendmail

I already have a "relay user" I set up in Postfix on SERVER1 (irelay@mydomain.dev), so I set up sendmail according to an article I found - How to configure Sendmail to use SMTP relay - to test with authentication credentials. This didn't seem to help either, which is why those last four lines are currently commented out.

/etc/mail/auth-creds


AuthInfo:smtp.mydomain.dev "U:irelay@mydomain.dev" "P:123456789nTx+5$wZa01IWMG@domDEV" "M:PLAIN"

And hash created

makemap hash smtp-auth-creds < smtp-auth-creds

As for the Fail2Ban configuration:

jail.conf


[DEFAULT]
ignoreip    = 127.0.0.1 127.0.0.0/8 24.XXX.XXX.XXX/27 10.XXX.XXX.XXX/26 192.168.155.0/24
findtime    = 3600
maxretry    = 3
bantime     = -1
mta         = sendmail
action      = %(action_mwl)s
destemail   = admin@mydomain.dev
sender      = fail2ban@mydomain.dev

These lines were taken and tweaked from another Ubuntu server that's relaying mail through my corporate Exchange server (Microsoft 365) and seems to be working without a problem.

SERVER1

postfix/main.cf


# hostname
myhostname = smtp.mydomain.dev
myorigin = smtp.mydomain.dev
mydomain = smtp.mydomain.dev

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 24.XXX.XXX.XXX/27 10.XXX.XXX.XXX/26 192.168.155.0/24 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

I made sure to add the 10.XXX.XXX.XXX/26 network here. Noting the comment above, I looked in the iredapd/settings.py, but couldn't find the MYNETWORKS section so I just added it to the end:

ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True
ALLOWED_LOGIN_MISMATCH_SENDERS = ['irelay@mydomain.dev']
MYNETWORKS = ['24.XXX.XXX.XXX/27', '10.XXX.XXX.XXX/26', '192.168.155.0/24']

I've been around and around on these configuration settings trying to find what I'm missing or messing up, but I'm totally lost at this point. The Fail2Ban notifications have never made it through, but when I was able to send mail from the command line, it was always appending the computer's hostname (server2.mydomain.local) instead of the domain name, no matter which variation of mail I tried:

mail -s 'Testing' -r 'SERVER2 <server2@mydomain.dev>' recipient@anotherdomain.com
mail -s 'Testing' -a "From: server2@mydomain.dev" recipient@anotherdomain.com
mail -aFrom:server2@mydomain.dev -s 'Testing' recipient@anotherdomain.com

So, I'm completely lost at this point and would appreciate being pointed in the right direction. How can I get SERVER2 to relay its notification mail messages through Postfix on SERVER1? I'm absolutely certain I'm going to want to be able to do this for other services as well, so I really need to track this one down. If there's more information needed to help diagnose the issue, I'll do my best to find it and share it.


UPDATE

So, I got it back to sending through the command line by switching my sendmail.mc configuration back to using port 25 (I had wanted to use port 587 for "security", but I'll worry about that bit later). I also added back in the relay authentication bits, so now my sendmail.mc configuration looks like this:

dnl # Default Mailer setup
define(`SMART_HOST',`[smtp.mydomain.dev]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 25')dnl
FEATURE(`authinfo', `hash -o /etc/mail/smtp-auth-creds.db')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

Followed up with a recompile and restart:

sudo make -C /etc/mail
sudo systemctl restart sendmail

I tested sending to my work mail (recipient@anotherdomain.com), my personal Gmail account (myaccount@gmail.com), and the admin@mydomain.dev address to which I want the Fail2Ban notifications to be delivered. All of them went through successfully, although Gmail flagged it as spam because the sender is still showing up as myuser@server2.mydomain.local. That makes sense coming from the command line, so I won't delve too deeply into that.

So, now it's on to trying to get the Fail2Ban notifications to go through. I manually entered a ban for an IP address that's banned on another server and watched the mail.log file with tail. I'm seeing the mail come in, but it's apparently being rejected, so I'm still missing something...

May  5 10:10:45 smtp postfix/postscreen[13274]: CONNECT from [10.XXX.XXX.253]:57996 to [10.XXX.XXX.0]:25
May  5 10:10:45 smtp postfix/postscreen[13274]: WHITELISTED [10.XXX.XXX.253]:57996
May  5 10:10:45 smtp postfix/smtpd[13275]: connect from _gateway[10.XXX.XXX.253]
May  5 10:10:45 smtp postfix/smtpd[13275]: Anonymous TLS connection established from _gateway[10.XXX.XXX.253]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May  5 10:10:45 smtp postfix/smtpd[13275]: NOQUEUE: reject: RCPT from _gateway[10.XXX.XXX.253]: 554 5.7.1 <admin@mydomain.dev>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<fail2ban@mydomain.dev> to=<admin@mydomain.dev> proto=ESMTP helo=<server2.mydomain.local>
May  5 10:10:45 smtp postfix/smtpd[13275]: NOQUEUE: reject: RCPT from _gateway[10.XXX.XXX.253]: 550 5.1.1 <fail2ban@mydomain.dev>: Recipient address rejected: User unknown; from=<> to=<fail2ban@mydomain.dev> proto=ESMTP helo=<server2.mydomain.local>
May  5 10:10:46 smtp postfix/smtpd[13275]: disconnect from _gateway[10.XXX.XXX.253] ehlo=2 starttls=1 mail=2 rcpt=0/2 data=0/2 rset=3 quit=1 commands=9/13

I don't like to assume, but it doesn't look like it's using the authentication credentials I set up in smtp-auth-creds.
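Added example, not part of the original post and not Postfix or iRedMail code: a small parser for the smtpd lines in the log excerpt above, which reads the per-command counters on the `disconnect` line to show whether the client sent AUTH at all and lists each rejected recipient. The function names `parse_sessions` and `diagnose` are hypothetical, and the sample log is the excerpt's own smtpd lines embedded inline.

```python
import re

# Constructed sample: smtpd lines copied from the mail.log excerpt above (addresses masked as posted).
SAMPLE_LOG = """\
May  5 10:10:45 smtp postfix/smtpd[13275]: NOQUEUE: reject: RCPT from _gateway[10.XXX.XXX.253]: 554 5.7.1 <admin@mydomain.dev>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<fail2ban@mydomain.dev> to=<admin@mydomain.dev> proto=ESMTP helo=<server2.mydomain.local>
May  5 10:10:45 smtp postfix/smtpd[13275]: NOQUEUE: reject: RCPT from _gateway[10.XXX.XXX.253]: 550 5.1.1 <fail2ban@mydomain.dev>: Recipient address rejected: User unknown; from=<> to=<fail2ban@mydomain.dev> proto=ESMTP helo=<server2.mydomain.local>
May  5 10:10:46 smtp postfix/smtpd[13275]: disconnect from _gateway[10.XXX.XXX.253] ehlo=2 starttls=1 mail=2 rcpt=0/2 data=0/2 rset=3 quit=1 commands=9/13
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S+?\[([^\]]+)\]: (\d{3} \d\.\d+\.\d+) "
                    r".*?; from=<([^>]*)> to=<([^>]*)>")
DISCONNECT = re.compile(r"disconnect from \S+?\[([^\]]+)\](.*)$")
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")  # "rcpt=0/2" is accepted/attempted


def parse_sessions(log_text):
    """Group smtpd lines by PID and close each session at its disconnect line."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = open_sessions.setdefault(pid, {"client": None, "rejects": [], "counters": {}})
        if (r := REJECT.match(msg)):
            s["client"] = r.group(1)
            s["rejects"].append({"status": r.group(2), "sender": r.group(3), "rcpt": r.group(4)})
        elif (d := DISCONNECT.match(msg)):
            s["client"] = d.group(1)
            for name, ok, total in COUNTER.findall(d.group(2)):
                s["counters"][name] = (int(ok), int(total or ok))
            finished.append(open_sessions.pop(pid))
    return finished


def diagnose(session):
    """Turn the per-command counters and rejects into plain findings."""
    findings = []
    auth = session["counters"].get("auth")  # Postfix omits commands the client never sent
    if auth is None:
        findings.append("no AUTH command was sent")
    elif auth[0] < auth[1]:
        findings.append("AUTH was sent but failed")
    for rej in session["rejects"]:
        kind = "bounce (null sender)" if rej["sender"] == "" else "message"
        findings.append(f"{kind} to {rej['rcpt']} rejected: {rej['status']}")
    return findings


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_LOG):
        print(sess["client"], diagnose(sess))
```

On the sample, the session from 10.XXX.XXX.253 shows no `auth=` counter, and the second reject is a null-sender bounce addressed to fail2ban@mydomain.dev.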
