Develop Reference

Setting up postfix and dovecot and having authenticity failed issues

I have setup postfix, dovecot and rainloop on Ubuntu Server 20.04 and having some issues with authentication on the SMTP connection, I can successfully login using rainloop and I can also access via ios externally and view emails but I am unable to send, the only way that I can send using Rainloop is to uncheck the use authentication checkbox in the domains.
In rainloop domain setup for the server if I choose SSL/TLS on SMTP and Test the connection I get
stream_socket_client(): unable to connect to ssl://127.0.0.1:465 (Connection refused)
here are my configs for postfix and dovecot
main.cf
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.arpradio.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.arpradio.com/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.arpradio.com
mydomain = arpradio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, arpradio.com, mail.arpradio.com, localhost.arpradio.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
# mailbox_command = /usr/bin/procmail
# RBL
strict_rfc821_envelopes = yes
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unverified_recipient_reject_code = 554
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, permit
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
I found this in /var/log/auth.log
auth: pam_unix(dovecot:auth): Couldn't open /etc/securetty: No such file or directory
auth: pam_unix(dovecot:auth): check pass; user unknown
auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user#domain.com rhost=<IP>

Your problem is that you have not enabled smtps listener in postfix master.cf. You need to uncomment that listener.

Postfix Username and Password not accepted (BadCredentials)

and thank you for reading. I know this question has been asked many times - I've read a ton of different answers, and have tried most of them. None of them have worked so far. I'm pretty new to using postfix and appreciate any assistance you can provide.
I'm using Proxmox 6.1, on Debian buster. I'm attempting to use the email function for failed backups. My domain is using Gsuite mail. I have setup the SMTP relay with both my ipv4 and ipv6 public addresses, and I have verified the credentials are correct and generated new .db each time I made a change.
My sasl_passwd
smtp-relay.gmail.com:587 root#mydomain.com:password
My main.cf (domain & ip have been edited)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#myhostname=pve.myisp (auto generated)
myhostname = mydomain.com
#G-Suite relay test
relayhost = smtp-relay.gmail.com:587
# Use tls
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
# Use sasl when authenticating to foreign SMTP servers
smtp_sasl_auth_enable = yes
# Path to password map file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# List of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Eliminates default security options which are imcompatible with gmail
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
compatibility_level = 2
Error logs:
Apr 30 16:45:52 pve postfix/qmgr[34586]: 4B3AD320C9A: from=<root#mydomain.com>, size=396, nrcpt=1 (queue active)
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: SASL authentication failed; server smtp-relay.gmail.com[74.125.30.28] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials m33sm110720uad.2 - gsmtp
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: to=<mypersonalemail#gmail.com>, relay=smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c]:587, delay=2.6, delays=0.05/0.06/2.4/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials v7sm169048ooo.20 - gsmtp)

I managed to solve my issue.
Ignore any & all gsuite documentation, and use [smtp.gmail.com]:587 instead of smtp-relay.gmail.com:587

Configure MX and postfix

I have two domains, dom1.com and dom2.com; dom1.com has IP1; the email for dom1.com are handled by google.
I need to create an email, xxx#dom2.com and redirect all emails to an email account of dom1.com ( example: yyy#dom1.com )
I 'd like to use postfix, installed on dom1.com server.
I set the MX record for dom2.com in this way:
MX mail.dom2.com
mail A IP1
so mail.dom2.com should point to IP1.
To configure postfix on dom1.com server, I did as follow:
myhostname = dom1.com
mydestination = dom1.com, dom2.com
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
in virtual_domains:
dom1.com #domain
dom2.com #domain
in virtual:
xxx#dom2.com yyy#dom1.com
than I did postmap for both files and I reload postfix ... but sending email to xxx#dom2.com , I don't reveice emails on yyy#dom1.com
Where is the error?
Thanks in advance

Option what you want to use is: Catch-all
This Tutorial will help you to setup catch-all email address with postfix.
Step 1. Configure Catch-All Account
Edit /etc/postfix/virtual and configure your catch-all address like below.
# nano /etc/postfix/virtual
#example.com myuser
If you want to add exception’s in catch-all and do not want to catch-all specific accounts, Add them also in /etc/postfix/virtual file. Below configuration will send all emails to user “myuser” except emails of info#example.com and support#example.com.
#example.com myuser
info#example.com info
support#example.com support
Save /etc/postfix/virtual file and execute following command.
# postmap /etc/postfix/virtual
2. Update Postfix Configuration File
Edit Postfix configuration file /etc/postfix/main.cf and add following line at end of file.
# nano /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
3. Reload Postfix Server
After changing we need to reload server to activate newly settings addedUse following command to reload postfix configuration .
# service postfix reload

nagios does not send emalis

I'm trying to setup email notifications on a nagios server. The nagios machine has been running okay for a little while now. Except for the fact that it hasn't been sending emails. I've been using a chrome plugin in it's place until I get this resolved.
Anyhow, this is how I have my contacts file setup:
define contact{
contact_name nagiosadmin ; Short name of user
use generic-contact ; Inherit default values from generic-contact template (defined above)
alias Nagios Admin ; Full name of user
email admin#example.com; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r,f
host_notification_options d,u,r,f
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
}
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members nagiosadmin
}
And I have my host and service definitions setup like this:
define host{
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name web1
alias web1
address 10.10.10.6
contact_groups admins
}
define service{
use local-service ; Name of service template to use
host_name web1
service_description HTTP
contact_groups admins
check_command check_http
notifications_enabled 1
}
I've tested if this works by shutting down http on a web server it's monitoring. Waited a while and no message received on the mail server.
I've also telnetted to the mail server on the nagios machine. And I'm able to send an email to the account I want via telnet.
I'd appreciate some help here!

Look inside your service notification command configuration and execute it in a terminal for debugging.
Example :
define command {
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n $NOTIFICATIONCOMMENT$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}

Why is the netsh http add sslcert throwing error from Powershell ps1 file?

I am trying to add an sslcert using netsh http from within a powershell ps1 file, but it keeps throwing errors:
$guid = [guid]::NewGuid()
netsh http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 appid={$guid}
'JABnAHUAaQBkAA' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
Usage: add sslcert [ipport=]<IP Address:port>
[certhash=]<string>
[appid=]<GUID>
[[certstorename=]<string>
[verifyclientcertrevocation=]enable|disable
[verifyrevocationwithcachedclientcertonly=]enable|disable
[usagecheck=]enable|disable
[revocationfreshnesstime=]<u-int>
[urlretrievaltimeout=]<u-int>
[sslctlidentifier=]<string>
[sslctlstorename=]<string>
[dsmapperusage=]enable|disable
[clientcertnegotiation=]enable|disable]
Parameters:
Tag Value
ipport - IP address and port for the binding.
certhash - The SHA hash of the certificate. This hash
is 20 bytes long and specified as a hex
string.
appid - GUID to identify the owning application.
certstorename - Store name for the certificate. Defaults
to MY. Certificate must be stored in the
local machine context.
verifyclientcertrevocation - Turns on/off verification of revocation
of client certificates.
verifyrevocationwithcachedclientcertonly - Turns on/off usage of
only cached client
certificate for revocation checking.
usagecheck - Turns on/off usage check. Default is enabled.
revocationfreshnesstime - Time interval to check for an updated
certificate revocation list (CRL). If this
value is 0, then the new CRL is updated
only if the previous one expires. (in
seconds)
urlretrievaltimeout - Timeout on attempt to retrieve certificate
revocation list for the remote URL.
(in milliseconds)
sslctlidentifier - List the certificate issuers that can
be trusted. This list can be a subset of
the certificate issuers that are trusted
by the machine.
sslctlstorename - Store name under LOCAL_MACHINE where
SslCtlIdentifier is stored.
dsmapperusage - Turns on/off DS mappers. Default is
disabled.
clientcertnegotiation - Turns on/off negotiation of certificate.
Default is disabled.
Remarks: adds a new SSL server certificate binding and corresponding client
certificate policies for an IP address and port.
Examples:
add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899
-AABBCCDDEEFF}
I might be wrong, but I believe it has something to do how I go about specifying the appid GUID in my powershell script file. Could someone please help me solve the error?

It's a problem with the way Powershell parses cmd commands.
This will execute the command successfully:
$guid = [guid]::NewGuid()
$Command = "http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 appid={$guid}"
$Command | netsh

The reason for the error is that the curly braces have to be escaped each with a backtick (`).
The following command will work from the PowerShell commandline:
This will work from the PowerShell commadline:
$AppId = [Guid]::NewGuid().Guid
$Hash = "209966E2BEDA57E3DB74FD4B1E7266F43EB7B56D"
netsh http add sslcert ipport=0.0.0.0:8000 certhash=$Hash appid=`{$Guid`}
The important details are to escape each { } with a backtick (`).
If netsh raises an error 87 try appending certstorename my
There is no need to use variables. Its just for sake of convenience.

Below code will work, & here is used for invoke program with parameters, and "appid={$guid}" make it pass string value.
& netsh http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 "appid={$guid}"