email postfix dovecot mysql problems
I have followed the tutorial to set up email using postfix, dovecot, and mysql on my linode. I have all the DNS records set up, including SPF and PTR. I have a certificate using certbot, but I couldn't follow the tutorial exactly for that - because I'm not hosting a web site on the same server I needed to use "standalone." It seemed to work, and doing a 'dry run' of renew returns no errors. I have also verified that postmap can find my virtual users, and so on. But I can't send or receive email. I can't even send email from one virtual user to another, so I don't think it is a gmail issue.
I think the problem is with my firewall. Being unfamiliar with iptables, I installed and used UFW. The first thing I tried was just to allow all of the usual ports, 25, 110, 143, 465, 587, 993, and 995. This apparently only succeeded in opening ports 993 and 995, as verified by nmap, netstat, and telnet. So then I started adding rules for specific services - that didn't make any difference. Maybe there are incompatible rules in my iptables, because it was already running when I added UFW rules?
The result of
sudo iptables -L -nv --line-numbers
is very large. I'll post it if that would help. In the meantime:
sudo ufw status
Status: activeTo Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
25 ALLOW Anywhere
465 ALLOW Anywhere
587 ALLOW Anywhere
110 ALLOW Anywhere
995 ALLOW Anywhere
143 ALLOW Anywhere
993 ALLOW Anywhere
Nginx HTTPS ALLOW Anywhere
Dovecot Secure IMAP ALLOW Anywhere
Dovecot Secure POP3 ALLOW Anywhere
IMAPS ALLOW Anywhere
LDAPS ALLOW Anywhere
POP3S ALLOW Anywhere
Postfix SMTPS ALLOW Anywhere
25/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
465 (v6) ALLOW Anywhere (v6)
587 (v6) ALLOW Anywhere (v6)
110 (v6) ALLOW Anywhere (v6)
995 (v6) ALLOW Anywhere (v6)
143 (v6) ALLOW Anywhere (v6)
993 (v6) ALLOW Anywhere (v6)
Nginx HTTPS (v6) ALLOW Anywhere (v6)
Dovecot Secure IMAP (v6) ALLOW Anywhere (v6)
Dovecot Secure POP3 (v6) ALLOW Anywhere (v6)
IMAPS (v6) ALLOW Anywhere (v6)
LDAPS (v6) ALLOW Anywhere (v6)
POP3S (v6) ALLOW Anywhere (v6)
Postfix SMTPS (v6) ALLOW Anywhere (v6)
25/tcp (v6) ALLOW Anywhere (v6)
and from netstat:
sudo netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 31344/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 9558/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 9558/dovecot
tcp6 0 0 :::993 :::* LISTEN 9558/dovecot
tcp6 0 0 :::995 :::* LISTEN 9558/dovecot
Does anyone see my mistake?
1 Reply
I realized it would probably be necessary to see the output from iptables to have any real information about this. Here it is:
sudo iptables -L -nv --line-numbers
Chain INPUT (policy DROP 16416 packets, 839K bytes)
num pkts bytes target prot opt in out source destination
1 191K 17M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2 191K 17M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 53293 2666K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
4 50455 2537K ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
5 50455 2537K ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
6 50455 2537K ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0Chain OUTPUT (policy ACCEPT 103 packets, 6428 bytes)
num pkts bytes target prot opt in out source destination
1 123K 24M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2 123K 24M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
3 214 14628 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
4 214 14628 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
5 214 14628 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
6 214 14628 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-after-forward (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-after-input (1 references)
num pkts bytes target prot opt in out source destination
1 37 2886 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
2 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
3 64 2744 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
4 2737 124K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
5 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
6 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
7 0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCASTChain ufw-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "Chain ufw-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination
1 13155 668K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "Chain ufw-after-logging-output (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-after-output (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-before-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
7 0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 551 76642 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 123K 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 842 40153 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 842 40153 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
7 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
9 217 7724 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
10 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
11 67143 3427K ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
13 0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
14 67143 3427K ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-before-logging-input (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-before-logging-output (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-before-output (1 references)
num pkts bytes target prot opt in out source destination
1 551 76642 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 122K 24M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 214 14628 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-logging-allow (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "Chain ufw-logging-deny (2 references)
num pkts bytes target prot opt in out source destination
1 309 13192 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
2 10 400 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "Chain ufw-not-local (1 references)
num pkts bytes target prot opt in out source destination
1 67143 3427K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
3 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
4 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-reject-forward (1 references)
num pkts bytes target prot opt in out source destination
sudo netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 31344/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 854/sshd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 9558/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 9558/dovecot
tcp6 0 0 :::993 :::* LISTEN 9558/dovecot
tcp6 0 0 :::995 :::* LISTEN 9558/dovecot
Chain ufw-reject-input (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-reject-output (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-skip-to-policy-forward (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-skip-to-policy-input (7 references)
num pkts bytes target prot opt in out source destination
1 2838 129K DROP all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-skip-to-policy-output (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-track-forward (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-track-input (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-track-output (1 references)
num pkts bytes target prot opt in out source destination
1 1 91 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
2 97 6569 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEWChain ufw-user-forward (1 references)
num pkts bytes target prot opt in out source destinationChain ufw-user-input (1 references)
num pkts bytes target prot opt in out source destination
1 3925 188K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 328 14736 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
3 8632 507K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 733 38440 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
5 1 28 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25
6 18 796 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
7 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:465
8 32 1732 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
9 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:587
10 36 1836 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
11 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:110
12 31 1548 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
13 1 129 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:995
14 34 1656 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
15 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:143
16 76 4148 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
17 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:993
18 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* 'dapp_Nginx%20HTTPS' */
19 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* 'dapp_Dovecot%20Secure%20IMAP' */
20 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* 'dapp_Dovecot%20Secure%20POP3' */
21 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* 'dapp_IMAPS' */
22 3 140 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 /* 'dapp_LDAPS' */
23 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* 'dapp_POP3S' */
24 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* 'dapp_Postfix%20SMTPS' */
25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25Chain ufw-user-limit (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain ufw-user-limit-accept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0Chain ufw-user-logging-forward (0 references)
num pkts bytes target prot opt in out source destinationChain ufw-user-logging-input (0 references)
num pkts bytes target prot opt in out source destinationChain ufw-user-logging-output (0 references)
num pkts bytes target prot opt in out source destinationChain ufw-user-output (1 references)
num pkts bytes target prot opt in out source destination