Solved: Having problems with SMTP

openssl s_client -connect <mydomain>:587 -starttls smtp</mydomain>

Mail protocols use CR/LF for line breaks (Windows format) so you will need to add -crlf to the above command.

And it's -starttls smtp not -starttls smtp</mydomain>

You'll be asking openssl to connect without encryption and then use a separate SMTP command to enable encryption.

Telnet on :25 result:

Depending on where you're testing from, this might be "normal".

Port 25 is commonly blocked by home Internet providers as a "security" measure.

You may also want to do ss -tlnp on the server. You should see postfix listening on ports 25, 587 and maybe 465 (which is SSL "from the start", without separate STARTTLS).

Finally, it's always good to check the firewall on the server: ufw status if you're running Debian or Ubuntu.

Thanks for such a quick reply.

Sorry about the </mydomain>, it was added automatically after <mydomain> because written without backticks. Did not know that markdown is supported here. Fixed it.

All the ports 25, 465 and 587 are allowed in firewall and Postfix is istening.

I tried the -crlf option, but nothing changed. Is the concern here, that I submit command by entering a newline on Linux with \n, but it expects \r\n, so it doesn't know I actually submitted anything?

I just read some more detailed info on SMTP, SSL/TLS and STARTTLS. If I understand correctly, both 465 and 587 provide connection over SSL/TLS, but on 587 I need to initiate it with STARTTLS (which is what the -starttls option does I suppose)? So when I connect to 465, it should be secured from the start? And will all that be set up by simply following the mentioned guide?

If I understand correctly, both 465 and 587 provide connection over SSL/TLS, but on 587 I need to initiate it with STARTTLS (which is what the -starttls option does I suppose)?

Yes

So when I connect to 465, it should be secured from the start?

Provided that it's set up correctly in postfix config. Port 465 is for mail clients really.

If you can use 465 then you don't really need 587 (you'll use one or the other).

This enables port 465 in my postfix master.cf:

smtps     inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

Now port 25 is "submission" - it's how "other" mail servers will submit mail into "your" postfix.

You need that independently of 465 or 587 if you want to be able to accept mail from the outside.

In master.cf:

smtp      inet  n       -       y       -       -       smtpd

It's prudent to enable STARTTLS support on the 25, but strictly it's not required.

In main.cf:

smtpd_tls_security_level = may

And will all that be set up by simply following the mentioned guide?

Haven't seen the guide sorry.

I tried the -crlf option, but nothing changed.

Ok, at this point I'd try openssl from the same machine (to "localhost") or even just "telnet localhost 25" or "telnet localhost 587".

25 works ok:

root@localhost:~# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
EHLO smokemachine
250-czechsmoke.cz
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
STARTTLS
220 2.0.0 Ready to start TLS

465 and 587 are the same:

root@localhost:~# telnet localhost 465 // or 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
EHLO smokemachine
           // no reaction

No command is accepted.

OpenSSL is the same on all the ports.

I checked my master and main configs and it's all set up the same.

telnet localhost 465

This is wrong - for port 465 with SSL "from the start" you should be using openssl s_client

// or 587

For this telnet is fine.

You're not even getting the banner (greeting) from postfix - which is supposed to print even before you send any commands. I mean this part is missing:

220 czechsmoke.cz ESMTP Postfix (Ubuntu)

I would still check ss -tlnp to see who (what process) is listening on these "bad" ports. Relevant output from my system (Debian testing):

ss -tlnp
State         Recv-Q        Send-Q                Local Address:Port                 Peer Address:Port                                                                            
LISTEN        0             100                         0.0.0.0:465                       0.0.0.0:*            users:(("master",pid=10413,fd=18))                                 
LISTEN        0             100                         0.0.0.0:25                        0.0.0.0:*            users:(("smtpd",pid=11777,fd=6),("master",pid=10413,fd=13))        
LISTEN        0             100                            [::]:465                          [::]:*            users:(("master",pid=10413,fd=19))                                 
LISTEN        0             100                            [::]:25                           [::]:*            users:(("smtpd",pid=11777,fd=7),("master",pid=10413,fd=14))        

Second I would check mail logs:

1 - tail -f /var/log/mail.err and mail.info - tail -f will watch output from what you're doing right now… and it's possible that the errors you're running into could take time to show.

2 - less /var/log/mail.err and mail.info (and press G to scroll to the end) - this is to see what's already there.

Third this could be an low entropy problem specific to recent (4.14.+ IIRC) Linux kernel versions. I'd try to install haveged - should be in the distro's repositories. Even if that's not it - it won't hurt.

Fourth, since you're using MySQL integration - I would check MySQL logs too.

Finally just a wild guess. I'd try removing this line from master.cf (occurs twice) and restarting postfix.

  -o smtpd_sasl_auth_enable=yes

If it helps you'll know the issue is caused by authentication configuration.

Oh and this from the outside:

Telnet on :25 result:
Trying 172.104.224.178...
And nothing else, it just freezes like that.

vs. this from same machine

root@localhost:~# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
EHLO smokemachine

Tells me that either

• postfix port 25 is not set to listen on "any"

You can tell from ss -tlnp which I already suggested above.

• or you don't have a firewall rule to allow port 25 from the outside

If you use ufw (typical for Debian / Ubuntu) - ufw status.

Thank your for helping me with this.

/var/log/mail.err turned out to be helpfull. I had a syntax error in master.cf at:

submission inet n - y - - smtpd
  -o syslog_name = postfix/submission
  ...

The spaces around = are not allowed here.

After I fixed this:

Result of openssl on 465:

CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And mail.err logs:

Apr  5 11:24:40 localhost postfix/submission/smtpd[26808]: fatal: unexpected command-line argument: reject

Result of openssl on 587 (with -starttls smtp):

CONNECTED(00000005)
Didn't find STARTTLS in server response, trying anyway...
... // Then it's the same as with 465

After that, mail.err logs:

Apr  5 11:25:24 localhost postfix/smtps/smtpd[26820]: fatal: unexpected command-line argument: reject

(With IMAP and POP3, all works OK, it shows the certificate, and the handshake succeeds.)

And as for the firewall and ports:

master is listening on 25, 465 and 587 and they're allowed for any in the firewall.

Apr 5 11:24:40 localhost postfix/submission/smtpd[26808]: fatal: unexpected command-line argument: reject

That's your "next" error to solve at this point.

cd /etc/postfix
grep -r reject

My guess is that you've got a space or something in

smtpd_client_restrictions=permit_sasl_authenticated,reject

Also about this

Didn't find STARTTLS in server response, trying anyway...

If you're going to keep port 587 enabled (that's service submission) you'll want it to advertise STARTTLS which it's not doing right now.

For this add these -o parameters under submission in master.cf

smtpd_tls_security_level=may
smtpd_tls_auth_only=yes

http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

http://www.postfix.org/TLS_README.html

Regarding STARTTLS on port 587: I see you already have

smtpd_tls_security_level=encrypt

Let's see if that issue goes away (and the "commands don't get a response" does too) after you've fixed the "reject" config error.

And about port 25.

If you're testing from home - it's very likely that port 25 is blocked by your Internet Service Provider.

I just tried from a Linode (where it's not blocked) and it worked:

$ telnet 172.104.224.178 25
Trying 172.104.224.178...
Connected to 172.104.224.178.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
QUIT
Connection closed by foreign host.

You are absolutely right… It was the dumb syntax problem again. But at least I know now how to check those problems in the Postfix setup. Now everything works fine. Thanks again!