Postfix Dovecot thousands of emails seem to come from local server to local mailbox - postfix-mta

I have been using this setup for many years Workaround
I just updated my server to the latest guide (Buster) and it was working good for a month.
I have DMARC setup
v=DMARC1; p=quarantine; sp=none; rua=mailto:postmaster@example.org; ruf=mailto:postmaster@example.org; rf=afrf; pct=100; ri=86400
I have SPF setup. I understand that this is a soft fail.
v=spf1 mx a ip4:XX.XX.XX.XX/27 ~all
And I have DKIM setup as well
v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQE...public key
I have tested these with mxtoolbox.com and they seem to be fine.
My master.cf is
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
And my main.cf is
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.example.org, mail3.example.org, localhost.example.org, localhost
relayhost =
I have received hundreds of thousands of emails to a specific account from that account like this:
Return-Path: <nobody@mail.example.org>
Delivered-To: support_desk@example.org
Received: from mail.example.org
by mail.example.org with LMTP
id wD98AeFp/F8WUgAASGYJ/Q
(envelope-from <nobody@mail.example.org>)
for <support_desk@example.org>; Mon, 11 Jan 2021 10:08:17 -0500
Received: by mail.example.org (Postfix, from userid 65534)
id 06C412449DA; Mon, 11 Jan 2021 08:11:36 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
s=2020122201; t=1610370697; h=from:from:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:content-type:
content-transfer-encoding:in-reply-to:references;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=kDMb7uDRl/dzTXWGMi75Cx0OgKvqDTgzuMgBD8bsFzDCAYFgd3csm78WFY2XoLjq30BqTD
c3k4lwsvACLKhWK8L3j+l9AsX6lnJBzs7N7OBXWf6VN2U5Wdb3OSLjvyI20DOlwW/6sd94
lRC446wHCsex4iP7XOJXRaJo4+bH7NY=
To: support_desk@example.org
Subject: Support [TICKET 1877258] [TICKET 1877259]
From: Archie Support <support@example.org>
Message-Id: <20210111131137.06C412449DA@mail.example.org>
Date: Mon, 11 Jan 2021 08:11:36 -0500 (EST)
Can anyone please help and let me know if there is an issue with my config? It seems that now my server is also listed on a couple of blacklists.
Any ideas are appreciated.

Turned out to be a loop. Someone connected and guessed an account that was an alias, that would then reply to the sender and forward the email to some other account.
All-in-all a good excuse to enjoy a 12-pack while reading mail logs...
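One way to spot such a loop in the mail log, as an added example that is not part of the original answer: it groups Postfix log lines by queue ID and counts locally submitted messages (pickup lines carrying a uid) per sender and recipient. The log lines are constructed in the usual Postfix syslog format, and the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the usual Postfix syslog format (not the poster's logs).
SAMPLE_LOG = """\
Jan 11 08:11:36 mail postfix/pickup[811]: A1B2C3D4E01: uid=65534 from=<nobody>
Jan 11 08:11:36 mail postfix/qmgr[640]: A1B2C3D4E01: from=<nobody@mail.example.org>, size=912, nrcpt=1 (queue active)
Jan 11 08:11:37 mail postfix/lmtp[902]: A1B2C3D4E01: to=<support_desk@example.org>, relay=mail.example.org[private/dovecot-lmtp], delay=0.4, status=sent (250 2.0.0 Saved)
Jan 11 08:11:38 mail postfix/pickup[811]: A1B2C3D4E02: uid=65534 from=<nobody>
Jan 11 08:11:38 mail postfix/lmtp[902]: A1B2C3D4E02: to=<support_desk@example.org>, relay=mail.example.org[private/dovecot-lmtp], delay=0.3, status=sent (250 2.0.0 Saved)
Jan 11 08:11:39 mail postfix/pickup[811]: A1B2C3D4E03: uid=65534 from=<nobody>
Jan 11 08:11:39 mail postfix/lmtp[902]: A1B2C3D4E03: to=<support_desk@example.org>, relay=mail.example.org[private/dovecot-lmtp], delay=0.3, status=sent (250 2.0.0 Saved)
Jan 11 08:12:02 mail postfix/smtpd[700]: B7F1A2C3D40: client=host.example.net[192.0.2.10]
Jan 11 08:12:03 mail postfix/lmtp[902]: B7F1A2C3D40: to=<support_desk@example.org>, relay=mail.example.org[private/dovecot-lmtp], delay=0.5, status=sent (250 2.0.0 Saved)
"""

# Short (hexadecimal) queue IDs only; long queue IDs would need a wider pattern.
PICKUP = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)
DELIVERED = re.compile(
    r"postfix/(?:lmtp|local|virtual|pipe)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>.*\bstatus=sent\b"
)


def find_local_loops(log_text, threshold=3):
    """Return {(uid, sender, recipient): count} for locally submitted mail
    that was delivered to the same local recipient at least `threshold` times."""
    local = {}          # queue ID -> (uid, sender) for messages submitted on this host
    counts = Counter()
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            local[m["qid"]] = (int(m["uid"]), m["sender"])
            continue
        m = DELIVERED.search(line)
        if m and m["qid"] in local:     # ignore mail that arrived over SMTP
            uid, sender = local[m["qid"]]
            counts[(uid, sender, m["rcpt"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (uid, sender, rcpt), n in find_local_loops(SAMPLE_LOG).items():
        print(f"{n} local submissions by uid {uid} ({sender}) delivered to {rcpt}")
```
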

Related

Postfix Username and Password not accepted (BadCredentials)

and thank you for reading. I know this question has been asked many times - I've read a ton of different answers, and have tried most of them. None of them have worked so far. I'm pretty new to using postfix and appreciate any assistance you can provide.
I'm using Proxmox 6.1, on Debian buster. I'm attempting to use the email function for failed backups. My domain is using Gsuite mail. I have setup the SMTP relay with both my ipv4 and ipv6 public addresses, and I have verified the credentials are correct and generated new .db each time I made a change.
My sasl_passwd
smtp-relay.gmail.com:587 root@mydomain.com:password
My main.cf (domain & ip have been edited)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#myhostname=pve.myisp (auto generated)
myhostname = mydomain.com
#G-Suite relay test
relayhost = smtp-relay.gmail.com:587
# Use tls
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
# Use sasl when authenticating to foreign SMTP servers
smtp_sasl_auth_enable = yes
# Path to password map file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# List of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Eliminates default security options which are incompatible with gmail
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
compatibility_level = 2
Error logs:
Apr 30 16:45:52 pve postfix/qmgr[34586]: 4B3AD320C9A: from=<root@mydomain.com>, size=396, nrcpt=1 (queue active)
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: SASL authentication failed; server smtp-relay.gmail.com[74.125.30.28] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials m33sm110720uad.2 - gsmtp
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: to=<mypersonalemail@gmail.com>, relay=smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c]:587, delay=2.6, delays=0.05/0.06/2.4/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials v7sm169048ooo.20 - gsmtp)
I managed to solve my issue.
Ignore any & all gsuite documentation, and use [smtp.gmail.com]:587 instead of smtp-relay.gmail.com:587

Postfix rbl checks

I have RBL checks in postfix but it doesn't work and blacklisted IPs get through.
This is the smtpd_recipient_restrictions of my postfix's main.cf file:
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client b.barracudacentral.org,
check_policy_service unix:private/policyd-spf,
check_client_access pcre:/etc/postfix/rbl_override
My IP has access to query b.barracudacentral.org and
dig +short @b.barracudacentral.org 4.3.2.1.b.barracudacentral.org.
returns 127.0.0.2 but postfix says Host not found.
postfix log:
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: dns_query: 4.3.2.1.b.barracudacentral.org (A): Host not found
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: ctable_locate: install entry key 4.3.2.1.b.barracudacentral.org
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: generic_checks: name=reject_rbl_client status=0
Please check if the smtpd process is running chrooted. For this, check the "chroot" column in master.cf.
Also note that any host in $mynetworks (permit_mynetworks) won't be blacklisted as well as any SASL authenticated client (permit_sasl_authenticated).
Note:
check_client_access pcre:/etc/postfix/rbl_override
can never act as an override to "reject_rbl_client b.barracudacentral.org" since the latter will always trigger first.
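The ordering points in this answer can be checked mechanically. The following is an added example, not part of the original answer and not Postfix code: a small linter that parses the restriction list from the question and reports permit rules that are evaluated before the DNSBL lookup and access tables that are placed too late to override it. The function names and finding labels are assumptions, and only the argument-taking restrictions that appear in the question are recognised.

```python
import re

# The restriction list from the question above.
QUESTION_VALUE = """
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client b.barracudacentral.org,
check_policy_service unix:private/policyd-spf,
check_client_access pcre:/etc/postfix/rbl_override
"""

# Restrictions from the question that are followed by an argument.
TAKES_ARGUMENT = {"reject_rbl_client", "check_policy_service", "check_client_access"}


def parse_restrictions(value):
    """Split a restriction list on commas/whitespace into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARGUMENT and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        items.append((name, arg))
        i += 1
    return items


def lint_order(value):
    """Restrictions are applied in order and the first decisive result wins, so:
    BYPASS        - a permit_* rule accepts its clients before the DNSBL is consulted
    LATE_OVERRIDE - an access table after the DNSBL is never reached for listed clients"""
    findings, permits, first_dnsbl = [], [], None
    for name, arg in parse_restrictions(value):
        if name.startswith("permit_"):
            permits.append(name)
        elif name == "reject_rbl_client":
            first_dnsbl = first_dnsbl or arg
            findings.extend(("BYPASS", p, arg) for p in permits)
        elif name == "check_client_access" and first_dnsbl:
            findings.append(("LATE_OVERRIDE", arg, first_dnsbl))
    return findings


if __name__ == "__main__":
    for finding in lint_order(QUESTION_VALUE):
        print(*finding)
```

A `BYPASS` finding is often intended (trusted networks and authenticated users are usually exempt from DNSBL checks); it is listed so that a client that "gets through" can be matched against the rule that accepted it.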

Postfix as SMTP Relay appears unsecure to GMail [closed]

I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.
The basic configuration is running and working fine; mails get sent and received. We do alter some headers to secure our internal networks, but that's about it.
Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '^]'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS
Similarly, I am able to ask the GMail-Server for STARTTLS, so I presume that firewalls are not an issue:
Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS
I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.
Not secure according to google
Here is my master.cf
smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
And here is my main.cf
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
I am all out of ideas, especially since all solutions in the internet are smtp_tls_security_level = may.
Any help would be appreciated.
e: As per the comments, here is my connection log with Google.
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>
Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS)? Even more confusing since telnetting onto the google host also offers me STARTTLS.
I finally found the solution.
For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"
Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.
Solution:
In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:
smtp_pix_workarounds = delay_dotcrlf
Hard for me to believe that I haven't found anything about this.
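To find other deliveries affected by the same workaround, the log line quoted in the question can be searched for directly. This is an added example, not part of the original post: it flags outbound sessions where `disable_esmtp` was enabled and, when verbose client logging is available, confirms that the client sent HELO. The first three sample lines are the ones shown in the question; the last one is constructed, and the function name is an assumption.

```python
import re

SAMPLE_LOG = """\
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:09:10 atdc1-proxy01 postfix/smtp[26901]: 2A9F01038199: enabling PIX workarounds: delay_dotcrlf for mx.example.net[192.0.2.25]:25
"""

PIX = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): enabling PIX workarounds: "
    r"(?P<names>.+) for (?P<host>\S+)\[(?P<ip>[^\]]+)\]:\d+\s*$"
)
# Only present when the smtp client logs the protocol dialogue (verbose logging).
HELO = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: > \S+\[(?P<ip>[^\]]+)\]:\d+: HELO ")


def sessions_without_esmtp(log_text):
    """Return (queue_id, host, ip, helo_seen) for each outbound session in which
    the disable_esmtp workaround was enabled, so STARTTLS was never offered."""
    flagged = {}    # (pid, ip) -> [queue_id, host, helo_seen]
    for line in log_text.splitlines():
        m = PIX.search(line)
        if m:
            names = set(re.split(r"[,\s]+", m["names"].strip()))
            if "disable_esmtp" in names:
                flagged[(m["pid"], m["ip"])] = [m["qid"], m["host"], False]
            continue
        m = HELO.search(line)
        if m and (m["pid"], m["ip"]) in flagged:
            flagged[(m["pid"], m["ip"])][2] = True
    return [(qid, host, ip, helo) for (_, ip), (qid, host, helo) in flagged.items()]


if __name__ == "__main__":
    for qid, host, ip, helo in sessions_without_esmtp(SAMPLE_LOG):
        print(f"{qid}: ESMTP disabled towards {host}[{ip}], HELO confirmed: {helo}")
```

With `smtp_tls_security_level = may`, as in the question's main.cf, every session this reports was delivered without TLS.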

Postfix issue Relay access denied through telnet

Getting error relay access denied on a CentOS server with postfix and dovecot installed, trying to set up a catchall email on a CentOS 7 server. Fresh installation, installed Nano text editor and nothing else, pretty much a clean server in case it matters.
Error I'm getting:
[root@accountcreator ssl]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.tmkiller.site ESMTP Postfix
EHLO howdy.com
250-mail.tmkiller.site
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: testAccount
250 2.1.0 Ok
rcpt to: myEmail@gmail.com
454 4.7.1 <myEmail@gmail.com>: Relay access denied
My main.cf file:
myhostname = mail.mydomain.site
mydomain = mydomain.site
myorigin = $mydomain
home_mailbox = mail/
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Yes, I have replaced mydomain.site with my actual domain.
/etc/hosts file:
127.0.0.1 AccountCreator AccountCreator
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
# The following lines are desirable for IPv6 capable hosts
::1 AccountCreator AccountCreator
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdom$
::1 localhost localhost.localdomain localhost6 localhost6.localdom$
serverIP mail.mydomain.site
I've tried reinstalling the OS and starting all over through this guide:
https://hostpresto.com/community/tutorials/how-to-setup-an-email-server-on-centos7/
I've tried googling around, tried suggestions on several Stack Overflow threads, didn't manage to find a fix that resolved this issue.
I would like to get anything@mydomain.com to forward to catchall@mydomain.com.
You need to set up smtpd_relay_restrictions to allow your domain to send mail through, as it stands it appears your configuration is to only receive emails to your domain.
While you're at it, you should also configure smtpd_client_restrictions and smtpd_sender_restrictions too.
Another thing, if this is centos 7, install roundcube instead of squirrelmail for web mail. It's simpler to maintain and looks cooler.
In your case, under mynetworks you should add the IP address of your server.
Reload the postfix configuration.
There are other "best practices" how to accomplish this with hash: files for example, so you don't hardcode anything into your configuration, but have separate files that you can administer.
You can read more about it at the postfix official documentation here
Also, this looks like a typo in permit_mynetworks:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$
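Whether a client is covered by `mynetworks` can be tested before changing the configuration. This is an added example, not part of the original answers: it parses a literal `mynetworks` value (including Postfix's bracketed IPv6 form) and applies a simplified relay decision, assuming no SASL login and the rule order permit_mynetworks followed by defer_unauth_destination. The function names are assumptions, and the domain list is the question's `mydestination` with its variables expanded by hand.

```python
import ipaddress


def parse_mynetworks(value):
    """Parse a literal mynetworks value. Table lookups, file names and
    '!' exclusions are not handled in this sketch."""
    networks = []
    for token in value.replace(",", " ").split():
        # Postfix writes IPv6 patterns as [address]/length; drop the brackets.
        cidr = token.replace("[", "").replace("]", "")
        networks.append(ipaddress.ip_network(cidr, strict=False))
    return networks


def client_is_trusted(client_ip, mynetworks):
    """True if the client address falls inside one of the listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net
               for net in parse_mynetworks(mynetworks))


def relay_decision(client_ip, recipient, mynetworks, local_domains):
    """Simplified model of an unauthenticated session (assumption: the only
    rules are permit_mynetworks, then defer_unauth_destination)."""
    if client_is_trusted(client_ip, mynetworks):
        return "permit"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in local_domains}:
        return "ok"     # mail for a local domain is not a relay attempt
    return "454 4.7.1 Relay access denied"


# Values from the question: telnet connected to ::1, mynetworks is IPv4-only.
QUESTION_MYNETWORKS = "127.0.0.0/8"
QUESTION_LOCAL_DOMAINS = ["mail.mydomain.site", "localhost.mydomain.site",
                          "localhost", "mydomain.site"]

if __name__ == "__main__":
    for client in ("::1", "127.0.0.1"):
        print(client, relay_decision(client, "myEmail@gmail.com",
                                     QUESTION_MYNETWORKS, QUESTION_LOCAL_DOMAINS))
```

With the question's `mynetworks = 127.0.0.0/8`, a session that arrives over `::1` is not matched by `permit_mynetworks`; the first question on this page lists `[::1]/128` explicitly.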

uWSGI, Nginx, Flask app service keeps failing

Going to my app produces a 502 gateway error. Found out that it was because my how_lit.service is failing. But I am having trouble finding out why.
Tried editing the application and the ini document. Cannot figure out what's wrong.
The Nginx and uWSGI services are up and running fine.
Service Status:
lit@digitalocean:~/howlit$ sudo service how_lit status
[sudo] password for lit:
● how_lit.service - uWSGI instance to serve how lit rest api
Loaded: loaded (/etc/systemd/system/how_lit.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2016-08-04 00:30:44 EDT; 5 days ago
Process: 14294 ExecStart=/home/lit/howlit/env/bin/uwsgi --ini /home/lit/howlit/howlit.ini (code=exited, status=1/FAILURE)
Main PID: 14294 (code=exited, status=1/FAILURE)
Aug 04 00:30:44 digitalocean systemd[1]: Started uWSGI instance to serve how lit rest api.
Aug 04 00:30:44 digitalocean uwsgi[14294]: [uWSGI] getting INI configuration from /home/lit/howlit/howlit.ini
Aug 04 00:30:44 digitalocean systemd[1]: how_lit.service: Main process exited, code=exited, status=1/FAILURE
Aug 04 00:30:44 digitalocean systemd[1]: how_lit.service: Unit entered failed state.
Aug 04 00:30:44 digitalocean systemd[1]: how_lit.service: Failed with result 'exit-code'.
Directory and Permissions:
lit@digitalocean:~/howlit$ ls -l .
total 16
drwx---r-x 6 lit www-data 4096 Jul 29 11:47 env
-rwx---r-x 1 lit www-data 202 Aug 3 23:29 howlit.ini
-rwx---r-x 1 lit www-data 1203 Aug 3 23:01 how_lit_restapi.py
-rwxr-xr-x 1 lit www-data 72 Aug 3 23:27 wsgi.py
/etc/systemd/system/how_lit.service:
lit@digitalocean:~/howlit$ cat /etc/systemd/system/how_lit.service
[Unit]
Description=uWSGI instance to serve how lit rest api
After=network.target
[Service]
User=lit
Group=www-data
WorkingDirectory=/home/lit/howlit/
Environment="PATH=/home/lit/howlit/env/bin"
ExecStart=/home/lit/howlit/env/bin/uwsgi --ini /home/lit/howlit/howlit.ini
[Install]
WantedBy=multi-user.target
howlit.ini file:
lit@digitalocean:~/howlit$ cat howlit.ini
[uwsgi]
module = wsgi:app
uid = lit
gid = www-data
master = true
processes = 5
socket = how_lit_restapi.sock
chmod-sock = 666
vacum = true
die-on-term = true
gto = /var/log/uwsgi/%n.log
Tried running it by hand:
lit@digitalocean:~/howlit$ /home/lit/howlit/env/bin/uwsgi --ini /home/lit/howlit/howlit.ini
[uWSGI] getting INI configuration from /home/lit/howlit/howlit.ini
*** Starting uWSGI 2.0.13.1 (64bit) on [Tue Aug 9 18:28:25 2016] ***
compiled with version: 5.4.0 20160609 on 29 July 2016 11:48:08
os: Linux-4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016
nodename: digitalocean
machine: x86_64
clock source: unix
detected number of CPU cores: 1
current working directory: /home/lit/howlit
detected binary path: /home/lit/howlit/env/bin/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
your processes number limit is 1896
your memory page size is 4096 bytes
detected max file descriptor number: 1024
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
bind(): Permission denied [core/socket.c line 230]
permission error again?
SOLVED IT: By sending my socket into tmp, but still getting bad gateway error when I navigate to my site :(
Solved my own problem.
First I checked my services.
sudo service nginx status
sudo service uwsgi status
sudo service how_lit status
then I saw them all running and up but was still getting the bad gateway error. Well after checking the logs had no errors. I had to assume my configs.
Then I realized my mistake....I never restarted all of it, just certain parts at certain times. So I restarted every single one as such:
sudo service nginx restart
sudo service uwsgi restart
sudo service how_lit restart
now it works.
About the permission issue I tried it by putting the socket into the /tmp directory that way www-data group users can access it as well as root. I learned that you need to be able to create the socket and allow access to the system for it.
I moved it out of tmp btw later for production as I was told that was not best practice.
