[SOLVED] Tech support: Postfix + Dovecot mail server, can't receive mail or log in via Thunderbird
[SOLVED] Tech support: Postfix + Dovecot mail server, can't receive mail or log in via Thunderbird
Hi there, was thinking around of the best place to post this. Initially I thought maybe the Dovecot mailing list but I'm not sure if this is a Dovecot issue or if the issue lies with Postfix, so I figured maybe a more general Linux community. If people have suggestions about where I could post this that may have more people see it who are able/willing to help, I would also appreciate that.
I apologise, this post will probably be quite long, so I really do appreciate if anyone takes the time to read it and give advice.
Anyway, I was following this tutorial to set up a mail server with Postfix and Dovecot. The tutorial is for Ubuntu but I am using an Alpine Linux server, however the tutorial mostly concerns configuring Postfix and Dovecot which is distro-independent.
Deviations from the tutorial
I followed the tutorial with the exceptions of the following (deviations listed in order of the part of the tutorial they deviated from, so hopefully this is easy to follow linearly):
My server's hostname is domain.com not mail.domain.com (mail.domain.com is what my MX record points to), but this shouldn't really matter as I configured postfix with:
myhostname=mail.domain.com
mydomain=domain.com
I installed packages with apk not apt obviously, and installed Postfix with doas apk add postfix.
I didn't get the ncurses Postfix configuration popup when I installed or started Postfix.
Alpine doesn't auto-start the Postfix service, so I did
doas rc-update add postfix default
doas rc-service postfix start
I used doas apk add mailutils --update-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing/ to install and test the mail program.
I didn't increase attachment size limit.
Alpine doesn't seem to have a dovecot-imapd package, so I just installed dovecot and dovecot-lmtpd.
When configuring /etc/dovecot/conf.d/15-mailboxes.conf, I also set Drafts, Junk, and Sent Messages to auto-create as well as Trash.
I started the dovecot service the same way I did postfix above.
What works
I can send mail with sendmail and GNU mailutils mail. The following works:
echo "test email" | sendmail [email protected]
And
mail -a FROM:[email protected] [email protected]
(where domain.com is my Postfix mail server, and [email protected] is my existing email address with an external provider)
The above results in me receiving the email in my spam folder at [email protected] from [email protected], email all appears normal to me.
The issue
I've noticed two problems which may be related.
Can't log into Thunderbird
Firstly, I can't log into Thunderbird. I get the following error:
(Transcription: Unable to log in at server. Probably wrong configuration, username or password.)
To log in, I am entering my email address at [email protected], where user is my UNIX user (which is part of the mail group), and domain.com is my domain. I entered my password as my user account's password.
Thunderbird seems to recognise my mail server as it auto configured to the following:
INCOMING: IMAP, hostname mail.domain.com, port 993, SSL/TLS, normal password, username user (i.e. without the @domain.com)
OUTGOING: hostname mail.domain.com, port 465, SSL/TLS, normal password, username user
I have also tried the same configuration with STARTTLS and ports 143 and 587, to the same error.
Can't receive mail
I've also tried to send myself emails from my other email addresses. I've tried two of my external email addresses so far. My email clients say they've sent the emails and they appear in my Sent folder, however my Protonmail has sent me some emails today from their mailer daemon complaining that Your email could not be delivered for more than 12 hour(s).:
<[email protected]>: host domain.com[MY IP] said: 454 4.7.1
<[email protected]>: Relay access denied (in reply to RCPT TO command)
I've checked /var/log/messages (which is the Alpine Linux syslog) and found the following, which I don't know how to interpret:
Nov 2 17:57:03 domain mail.info postfix/smtpd[28188]: connect from mail-41103.protonmail.ch[185.70.41.103]
Nov 2 17:57:03 domain mail.info postfix/smtpd[28188]: Anonymous TLS connection established from mail-41103.protonmail.ch[185.70.41.103]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1)
Nov 2 17:57:04 domain mail.info postfix/smtpd[28188]: NOQUEUE: reject: RCPT from mail-41103.protonmail.ch[185.70.41.103]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-41103.protonmail.ch>
Nov 2 17:57:04 domain mail.info postfix/smtpd[28188]: disconnect from mail-41103.protonmail.ch[185.70.41.103] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
I have dovecot configured to use the maildir format (or at least I think I do; I followed the tutorial to set it up to use maildir) but I don't see anything in my ~/Maildir directory.
Running GNU mail results in the output:
Cannot open mailbox /var/mail/user: No such file or directory
No mail for user
My configuration
Output of postconf -n:
command_directory = /usr/sbin
compatibility_level = 3.9
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydomain = domain.com
myhostname = mail.domain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = no
unknown_local_recipient_reject_code = 550
Output of doveconf -n:
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# OS: Linux 6.6.58-0-lts x86_64
# Hostname: domain.com
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %n
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = create
special_use = \Drafts
}
mailbox Junk {
auto = create
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
auto = create
special_use = \Sent
}
mailbox Trash {
auto = create
special_use = \Trash
}
prefix =
}
passdb {
args = scheme=CRYPT username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocols = imap lmtp lmtp
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
service lmtp {
unix_listener lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
args = username_format=%u /etc/dovecot/users
driver = passwd-file
}
Logs
This seems to be a dovecot log of an authentication attempt.
Nov 02 18:11:11 auth: Debug: client in: AUTH 3 PLAIN service=imap secured=tls session=JeHL+PEltufBIH/a lip=<my server IP> rip=<my home IP> lport=993 rport=59318 local_name=mail.domain.com resp=<hidden>
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): Performing passdb lookup
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): lookup: user=user file=/etc/dovecot/users
Nov 02 18:11:11 auth: Info: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): unknown user
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): Finished passdb lookup
Nov 02 18:11:11 auth: Debug: auth(user,<my home IP>,<JeHL+PEltufBIH/a>): Auth request finished
Nov 02 18:11:13 auth: Debug: client passdb out: FAIL 3 user=user [email protected]
Nov 02 18:11:13 imap-login: Debug: Ignoring unknown passdb extra field: original_user
Nov 02 18:11:13 imap-login: Info: Disconnected: Connection closed (auth failed, 3 attempts in 22 secs): user=<user>, method=PLAIN, rip=<my home IP>, lip=<my server IP>, TLS, session=<JeHL+PEltufBIH/a>
Thanks for reading this fairly long post. Do ask if I need to provide any more configs, logs, etc. Appreciate any help, thanks in advance
You're viewing a single thread.
Okay, there are two different issues here. First, the mail delivery.
You have
mydomain = domain.com
myhostname = mail.domain.comand getting
Relay access denied (in reply to RCPT TO command)
This means that received mail is addressed to a domain that is not configured for local delivery, and the mail server is not accepting it to be relayed to the actual target server. This is a good thing, you do not want to have a public relay under any circumstances because it would mean people could make your server launch spam anywhere.
As for why it's not configured to accept that domain for local delivery, you need to look at the mydestination setting:
mydestination (default: $myhostname, localhost.$mydomain, localhost)
The list of domains that are delivered via the $local_transport mail delivery transport. [...]
(from postconf(5).)
You left it at the default value, so it will accept mail addressed to mail.domain.com, localhost.domain.com, and localhost. You'll probably want to set that to additionally contain $mydomain (at least that is how mine is configured).
Also, something else:
My server’s hostname is domain.com not mail.domain.com (mail.domain.com is what my MX record points to), but this shouldn’t really matter as I configured postfix with:
You'll want those to match up, system hostname and postfix's myhostname, since you'll need to set the PTR record of your IP to match the hostname your SMTP server identifies itself as, and otherwise your server's IP resolves to mail.domain.com while the canonical hostname is domain.com. It will work for mail, it'll just not be nice when your server's IP resolves to mail.domain.com for stuff that isn't mail and that isn't the canonical hostname. I recommend giving it some other hostname (or just setting both to mail.domain.com if the system just handles mail).
Thanks, I added
$mydomaintomydestination. It seems to be sending although I can't see my mail in~/Maildir, but this is in the syslog now:Nov 2 20:45:46 domain mail.info postfix/smtpd[29768]: Anonymous TLS connection es tablished from mail-43167.protonmail.ch[185.70.43.167]: TLSv1.3 with cipher TLS_AES_ 256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1 ) server-digest SHA256 Nov 2 20:45:46 domain mail.info postfix/smtpd[29768]: C2E9F125DF5: client=mail-43 167.protonmail.ch[185.70.43.167] Nov 2 20:45:46 domain mail.info postfix/cleanup[29773]: C2E9F125DF5: message-id=< [email protected]> Nov 2 20:45:46 domain mail.info postfix/qmgr[29128]: C2E9F125DF5: from=<my@ protonmail.com>, size=5933, nrcpt=1 (queue active) Nov 2 20:45:46 domain mail.info postfix/smtpd[29768]: disconnect from mail-43167. protonmail.ch[185.70.43.167] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands= 7 Nov 2 20:45:46 domain mail.info postfix/local[29775]: C2E9F125DF5: passing <user@ domain.com> to transport=lmtp Nov 2 20:45:46 domain mail.info postfix/lmtp[29776]: C2E9F125DF5: to=<[email protected] om>, relay=none, delay=0.05, delays=0.04/0.01/0.01/0, dsn=4.4.1, status=deferred (connect to mail.domain.com[private/dovecot-lmtp]: No such file or directory)I think the last message in the log indicates what's wrong but I don't know how to fix it.
You’ll want those to match up, system hostname and postfix’s myhostname, since you’ll need to set the PTR record of your IP to match the hostname your SMTP server identifies itself as, and otherwise your server’s IP resolves to mail.domain.com while the canonical hostname is domain.com. It will work for mail, it’ll just not be nice when your server’s IP resolves to mail.domain.com for stuff that isn’t mail and that isn’t the canonical hostname. I recommend giving it some other hostname (or just setting both to mail.domain.com if the system just handles mail).
So I have the mail server on a server that's hosting a bunch of things on this domain. All the things I'm hosting have the same IP address. On
domain.comis a static website (hosted on the same server & IP) for instance.What would you suggest I set the PTR record to? I don't really want to pay my VPS host for more IP addresses if it's not necessary, but I can if there will be significant problems caused by sharing this IP address. Currently I have multiple PTR records for all the subdomains I'm using, which hasn't caused problems yet...
Your postfix is set to deliver to lmtp:unix:private/dovecot-lmtp so you need to create the socket there:
service lmtp { - unix_listener lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } }(though for me the path is /var/lib/postfix/queue/private/dovecot-lmtp. YMMV)
What would you suggest I set the PTR record to?
Set system hostname, PTR, and myhostname to NAME.domain.com where NAME is a unique name that you made up (e.g. I have 'polaris.dblsaiko.net'). This also makes adding more hosts later less awkward (as opposed to having the hostname be domain.com).
Thank you! I can now receive mail and my Maildir is being populated :)
Set system hostname, PTR, and myhostname to NAME.domain.com where NAME is a unique name that you made up (e.g. I have ‘polaris.dblsaiko.net’). This also makes adding more hosts later less awkward (as opposed to having the hostname be domain.com).
Cheers, will do
Nice!
Currently I have multiple PTR records for all the subdomains I’m using, which hasn’t caused problems yet…
Wait, what? PTR is set on an IP address, not on a domain name. It should resolve to the canonical domain name of the host behind that IP.
I meant that for my one IP address, I set it to have a PTR to multiple domain names. My VPS host allows me to add multiple domains to my IP address's PTR records. But yeah I'll change it to the NAME.domain.com you suggested
Uh, don't do that if you expect your mail to be delivered.
Multiple PTRs, depending on how the DNS service is set up, may be returned in round-robin fashion, and if you return a PTR that doesn't match what your HELO claims you are, then congrats on your mail being likely tossed in the trash.
Pick the most accurate name (that is, match your HELO domain), and only set one PTR.
(Useless fact of the day: multiple A records behave the same way and you can use that as a poverty-spec version of a load balancer.)
Thanks, yeah I'm changing it now. I am new to server stuff in case that wasn't obvious, I just got a VPS and domain name as a bit of a personal project to learn more about server stuff :) Good to know all these things!
Yeah DNS is, in general, just goofy and weird and a lot of the interactions I wouldn't expect someone who's done it for years to necessarily know.
And besides, the round-robin thing is my favorite weird DNS fact so any excuse to share it is great.
I meant that for my one IP address, I set it to have a PTR to multiple domain names.
Don't do that, yeah. If set it should always point to one domain name, the canonical name for that host, and the domain name should resolve back to that IP.
See https://serverfault.com/questions/618700/why-multiple-ptr-records-in-dns-is-not-recommended