I think for experts on postfix this issue is peace of cake, but after spend days trying aking my own server for private user, I'am out of ideas.
I can inside of my network:
Send e-mails from LAN -> DMZ -> WAN Receive e-mails from WAN -> DMZ -> LAN
Example:
On LAN I can connect on mailserver inside of DMZ, send mail to Gmail, Yahoo, Hotmail, etc...
I can send email to other domains I have, like domain2, domain3, etc...
I can receive all emails.
I can reply all emails.
I cannot send email from external source, example:
4G -> WAN -> DMZ (From this point I can read emails) But, when I try send, got lot of errors about access denied, relay forbiden, etc...
Outside of my internal network, using a 4G smartphone to connect on this second scenario I get:
I can receive all emails.
I cannot reply emails.
I cannot send emails.
From my current setup the error accessing outside of LAN / DMZ (example connecting and authenticating on 4G from smartphone) is:
Oct 17 06:06:04 mail postfix/submission/smtpd[20879]: connect from unknown[138.0.151.15]:52395
Oct 17 06:06:04 mail postfix/submission/smtpd[20879]: NOQUEUE: reject: RCPT from unknown[138.0.151.15]:52395: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[100.64.250.167]>
Oct 17 06:06:24 mail postfix/submission/smtpd[20879]: lost connection after DATA from unknown[138.0.151.15]:52395
Oct 17 06:06:24 mail postfix/submission/smtpd[20879]: disconnect from unknown[138.0.151.15]:52395 ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 commands=4/6
My current master.cf is:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
-o receive_override_options=no_address_mappings
# -o smtpd_client_connect_count_limit=100
# -o smtpd_sasl_auth_enable=yes
-o smtp_tls_security_level=may
# SSL 465
smtps inet n - n - - smtpd
# -o smtpd_client_connect_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_client_restrictions=permit_sasl_authenticated,permit_auth_destinations,reject
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
# TLS 587
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o receive_override_options=no_address_mappings
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot-lda -f ${sender} -a ${recipient} -d ${user}@{nexthop}
amavisd-new unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200s
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
My current main.cf is:
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.$mydomain
mydomain = mywebsite.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, 10.0.0.0/24, 192.168.0.0/24
alias_maps = hash:/etc/aliases
recipient_delimiter = +
mail_spool_directory = /usr/local/vhosts
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 3
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
inet_protocols = all
# Authentication
smtpd_sasl_auth_enable = yes
#smtp_sasl_mechanism_filter = plain, login
# Forbids anonymous and plaintext authentication mechanisms over an
# unencrypted transport layer
smtp_sasl_security_options = noanonymous, noplaintext, noactive, nodictionary
# Allows plaintext mechanisms when talking to the server with TLS
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sender_login_maps = proxy:mysql:/usr/local/etc/postfix/mysql-sender-logins-maps.cf
lmtp_tls_fingerprint_digest = sha1
local_header_rewrite_clients = permit_mynetworks permit_sasl_authenticated
# Virtual mailboxes
local_transport = virtual
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_base = /usr/local/vhosts
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_gid_maps = static:5000
virtual_uid_maps = static:5000
mailbox_size_limit = 0
virtual_mailbox_limit = 0
# The maximal size in bytes of a message, including envelope
# information.
message_size_limit = 104857600
# The maximal number of recipients per message for the smtp message
# delivery transport.
smtp_destination_recipient_limit = 10
# How many simultaneous connections any remote SMTP client is
# allowed to have
smtpd_client_connection_count_limit = 10
# The maximal number of message delivery requests that any client is
# allowed to make to this server per time unit.
smtpd_client_message_rate_limit = 25
# Limit the number of times RSET can be used
smtpd_junk_command_limit = 1
# Limit number of destination address per message
smtpd_recipient_limit = 50
# Decrease the client limit for sending the HOor EHLO command
smtp_helo_timeout = 60s
always_add_missing_headers = yes
biff = no
enable_long_queue_ids = yes
###### Restrictions 2
# Require HELO or EHLO before commencing a MAIL transaction - RFC 821
smtpd_helo_required = yes
# Disable the SMTPD VRFY command
# Reduces chance of spammer look for valid address
postscreen_disable_vrfy_command = yes
disable_vrfy_command = yes
# Disable rewrite from user%domain to user@domain
allow_percent_hack = no
# Disable rewrite from site!user to user@site
swap_bangpath = no
###### Slowdown Bad Clients
# The maximal number of errors code 500 a remote client is allowed to
# make without delivering mail.
smtpd_hard_error_limit = 3
# The maximal number or errors code 400, server will delay all responses
# using the value from smtpd_error_sleep_time
smtpd_soft_error_limit = 1
# Server response delay in seconds after errors
smtpd_error_sleep_time = 20
# Mime Header Checks
mime_header_checks = pcre:${config_directory}/mime_header_checks
# Amavis
content_filter = amavisd-new:[127.0.0.1]:10024
###### Restrictions
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
defer_unauth_destination
permit
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
# check_recipient_access pcre:${config_directory}/recipient_checks.pcre,
reject_unauth_destination,
reject_unauth_pipelining,
# Old versions of Microsoft Outlook only send local hostname.
reject_non_fqdn_hostname,
reject_invalid_hostname,
check_helo_access pcre:${config_directory}/helo_checks.pcre,
check_sender_mx_access cidr:${config_directory}/bogus_mx,
# reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
# Blocking Google Mails.
# reject_rbl_client dnsbl.sorbs.net,
#DNS StUFF site
# reject_unverified_sender,
permit
smtpd_data_restrictions = reject_multi_recipient_bounce
# reject_unauth_pipelining
# permit
masquerade_domains = $mydomain
masquerade_exceptions = root mailer-daemon
notify_classes = data protocol resource software
show_user_unknown_table_name = no
smtp_dns_support_level = enabled
# TLS Settings
smtp_enforce_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
# Mandatory (high-grade) TLS encryption
#smtp_tls_security_level = encrypt
# Allow servers from Internet without encryption devliver mail
# Configurado no master.cf
smtpd_tls_security_level = may
smtp_tls_mandatory_protocols = TLSv1.2 TLSv1.1
smtpd_tls_protocols = TLSv1.2
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
smtp_tls_exclude_ciphers = CAMELLIA SEED IDEA RC2 RC4 kSRP kGOST kECDHr kECDHe kDHr kDHd aDSS aPSK aNULL aECDH eNULL EDH-DSS-DES-CBC3-EDH-RSA-DES-CBC3-SHA KRB5-DES CBC3-SHA SHA MEDIUM LOW EXPORT DES MD5 PSK
smtp_tls_mandatory_exclude_ciphers = CAMELLIA SEED IDEA RC2 RC4 kSRP kGOST kECDHr kECDHe kDHr kDHd aDSS aPSK aNULL aECDH eNULL EDH-DSS-DES-CBC3-EDH-RSA-DES-CBC3-SHA KRB5-DES CBC3-SHA SHA MEDIUM LOW EXPORT DES MD5 PSK
smtpd_tls_exclude_ciphers = CAMELLIA SEED IDEA RC2 RC4 kSRP kGOST kECDHr kECDHe kDHr kDHd aDSS aPSK aNULL aECDH eNULL EDH-DSS-DES-CBC3-EDH-RSA-DES-CBC3-SHA KRB5-DES CBC3-SHA SHA MEDIUM LOW EXPORT DES MD5 PSK
smtpd_tls_mandatory_exclude_ciphers = CAMELLIA SEED IDEA RC2 RC4 kSRP kGOST kECDHr kECDHe kDHr kDHd aDSS aPSK aNULL aECDH eNULL EDH-DSS-DES-CBC3-EDH-RSA-DES-CBC3-SHA KRB5-DES CBC3-SHA SHA MEDIUM LOW EXPORT DES MD5 PSK
smtpd_tls_dh1024_param_file = ${config_directory}/dh_2048_params.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 6h
smtp_tls_fingerprint_digest = sha1
smtpd_tls_fingerprint_digest = sha1
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_tls_secure_cert_match = nexthop
smtp_tls_loglevel = 0
smtpd_tls_loglevel = 0
smtpd_client_port_logging = yes
smtp_tls_CAfile = /etc/ssl/cert.pem
smtpd_tls_CAfile = /etc/ssl/cert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/mail.mywebsite.com.crt
smtpd_tls_key_file = /usr/local/etc/postfix/mywebsite.com.privatekey
smtpd_tls_received_header = yes
openssl_path = /usr/local/bin/openssl
tls_daemon_random_bytes = 64
tls_high_cipherlist = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA
tls_medium_cipherlist = EECDH+ECDSA+CHACHA20 EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+AESGCM EECDH+ECDSA+AES256 EECDH+AES256 EECDH+ECDSA+AES128 EECDH+AES128 EECDH+ECDSA+3DES EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_random_source = dev:/dev/random
tls_ssl_options = NO_COMPRESSION
I am on FreeBSD 10.3 and have no knowledge on setup mail servers, Have bought an old book: No Starch Press - The Book of Postfix, but its so outdade... then after many tutorials, get almost done my email server.
My second problem is about internal delivery miss in case of similar mails, example:
[email protected] [email protected]
Only one domain receive the message...
I have dovecot setup also, almost, hehehe
I would be grateful if someone can help me point me on right direction, already tried the solutions from stackExchange with no luck.
If I set my domains using SQL on relay_domains, my server fails on online tests saying is now an open relay...
For example, changing the main.cf:
relay_domains = proxy:mysql:/usr/local/etc/postfix/ntsql-virtual-domains.cf
Then I can send mails from my 4G smartphone, the logs just warn about dont use same domain names twice, in relay_domains
and virtual_mailbox_domains
.
Try commenting out
reject_non_fqdn_hostname
undersmtpd_recipient_restrictions
.In your
main.cf
,smtpd_recipient_restrictions
containsreject_non_fqdn_hostname
(which refers to the client's name specified by the client duringHELO
) andsmtpd_helo_required = yes
.HELO
line from the client in the logged case:helo=<[100.64.250.167]>
, which is not a FQDN, thus should be rejected according to your config.It looks like you have at least attempted to get SASL working but it doesn't look like the client that produced the error attempted to authenticate. I'd recommend making sure smtp auth works, confirming the client is configured to authenticate, then go from there.
You can test smtp auth manually by connecting to the smtp submission port using the openssl client and sending the
auth login
command.We had a similar issue where postfix was working fine when connecting from within LAN. But once you switch your device to external net, mails simply won't go. Turned out that it was IPv6 vs IPv4 issue. Once we change the postfix setting to use IPv4 only, things started to work without problem.
on a linux server [centos] you can set that as below
in the /etc/postfix/main.cf file. Ubuntu should also have some similar file to be updated.