Solved: Having problems with SMTP
I followed the "Email with Postfix, Dovecot, and MySQL" guide and I am now trying to connect to SMTP and IMAP. IMAP works fine, but I'm having problems with SMTP. If I understand correctly, I should be able to establish a connection with SMTP on port 587. So I tried to test that with openssl:
openssl s_client -connect [mydomain]:587 -starttls smtp
The result is:
CONNECTED(00000003)
and nothing else. No certificate, no reaction to any following commands.
Telnet on :25 result:
Trying 172.104.224.178...
And nothing else, it just freezes like that.
Telnet on :587 result:
Trying 172.104.224.178...
Connected to czechsmoke.cz.
Escape character is '^]'.
And then no reaction to any commands.
12 Replies
openssl s_client -connect <mydomain>:587 -starttls smtp</mydomain>
Mail protocols use CR/LF for line breaks (Windows format) so you will need to add -crlf to the above command.
And it's -starttls smtp
not -starttls smtp</mydomain>
You'll be asking openssl to connect without encryption and then use a separate SMTP command to enable encryption.
Telnet on :25 result:
Depending on where you're testing from, this might be "normal".
Port 25 is commonly blocked by home Internet providers as a "security" measure.
You may also want to do ss -tlnp on the server. You should see postfix listening on ports 25, 587 and maybe 465 (which is SSL "from the start", without separate STARTTLS).
Finally, it's always good to check the firewall on the server: ufw status if you're running Debian or Ubuntu.
Thanks for such a quick reply.
Sorry about the </mydomain>, it was added automatically after <mydomain> because it was written without backticks. Did not know that markdown is supported here. Fixed it.
All the ports 25, 465 and 587 are allowed in the firewall and Postfix is listening.
I tried the -crlf option, but nothing changed. Is the concern here, that I submit command by entering a newline on Linux with \n, but it expects \r\n, so it doesn't know I actually submitted anything?
I just read some more detailed info on SMTP, SSL/TLS and STARTTLS. If I understand correctly, both 465 and 587 provide connection over SSL/TLS, but on 587 I need to initiate it with STARTTLS (which is what the -starttls option does I suppose)? So when I connect to 465, it should be secured from the start? And will all that be set up by simply following the mentioned guide?
If I understand correctly, both 465 and 587 provide connection over SSL/TLS, but on 587 I need to initiate it with STARTTLS (which is what the -starttls option does I suppose)?
Yes
So when I connect to 465, it should be secured from the start?
Provided that it's set up correctly in postfix config. Port 465 is for mail clients really.
If you can use 465 then you don't really need 587 (you'll use one or the other).
This enables port 465 in my postfix master.cf:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Now port 25 is "submission" - it's how "other" mail servers will submit mail into "your" postfix.
You need that independently of 465 or 587 if you want to be able to accept mail from the outside.
In master.cf:
smtp inet n - y - - smtpd
It's prudent to enable STARTTLS support on the 25, but strictly it's not required.
In main.cf:
smtpd_tls_security_level = may
And will all that be set up by simply following the mentioned guide?
Haven't seen the guide sorry.
I tried the -crlf option, but nothing changed.
Ok, at this point I'd try openssl from the same machine (to "localhost") or even just "telnet localhost 25" or "telnet localhost 587".
25 works ok:
root@localhost:~# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
EHLO smokemachine
250-czechsmoke.cz
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
STARTTLS
220 2.0.0 Ready to start TLS
465 and 587 are the same:
root@localhost:~# telnet localhost 465 // or 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
EHLO smokemachine
// no reaction
No command is accepted.
OpenSSL is the same on all the ports.
I checked my master and main configs and it's all set up the same.
telnet localhost 465
This is wrong - for port 465 with SSL "from the start" you should be using openssl s_client
// or 587
For this telnet is fine.
You're not even getting the banner (greeting) from postfix - which is supposed to print even before you send any commands. I mean this part is missing:
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
I would still check ss -tlnp to see who (what process) is listening on these "bad" ports. Relevant output from my system (Debian testing):
ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=10413,fd=18))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("smtpd",pid=11777,fd=6),("master",pid=10413,fd=13))
LISTEN 0 100 [::]:465 [::]:* users:(("master",pid=10413,fd=19))
LISTEN 0 100 [::]:25 [::]:* users:(("smtpd",pid=11777,fd=7),("master",pid=10413,fd=14))
Second I would check mail logs:
1 - tail -f /var/log/mail.err and mail.info - tail -f will watch output from what you're doing right now… and it's possible that the errors you're running into could take time to show.
2 - less /var/log/mail.err and mail.info (and press G to scroll to the end) - this is to see what's already there.
Third this could be a low entropy problem specific to recent (4.14.+ IIRC) Linux kernel versions. I'd try to install haveged - should be in the distro's repositories. Even if that's not it - it won't hurt.
Fourth, since you're using MySQL integration - I would check MySQL logs too.
Finally just a wild guess. I'd try removing this line from master.cf (occurs twice) and restarting postfix.
-o smtpd_sasl_auth_enable=yes
If it helps you'll know the issue is caused by authentication configuration.
Oh and this from the outside:
Telnet on :25 result:
Trying 172.104.224.178...
And nothing else, it just freezes like that.
vs. this from same machine
root@localhost:~# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
EHLO smokemachine
Tells me that either
- postfix port 25 is not set to listen on "any"
You can tell from ss -tlnp which I already suggested above.
- or you don't have a firewall rule to allow port 25 from the outside
If you use ufw (typical for Debian / Ubuntu) - ufw status.
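The checks discussed above (the greeting that should arrive before any command, CRLF line endings, and whether EHLO advertises STARTTLS on 587 versus implicit TLS on 465) as an added probe script; this is example code, not something from the thread or from Postfix. The host name and port are passed in by the caller; `probe.example` is an assumed EHLO name.

```python
"""SMTP submission probe: read the 220 greeting with a timeout, send EHLO with
CRLF line endings and report whether STARTTLS is advertised (port 587) or
negotiate implicit TLS first (port 465)."""
import io
import socket
import ssl

def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply from a binary file object.
    Returns (code, [text lines]); (None, []) if the peer sent nothing at all."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            break                                   # EOF: peer closed or never spoke
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit() or (len(line) > 3 and line[3] not in " -"):
            raise ValueError("malformed SMTP reply line: %r" % line)
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":        # "250 FOO" is the last line
            break
    return code, lines

def parse_reply(data):
    """Same parser over captured bytes (handy for offline checks)."""
    return read_reply(io.BytesIO(data))

def advertises_starttls(ehlo_lines):
    """True if the EHLO capability list contains the STARTTLS keyword."""
    return any(l.split()[0].upper() == "STARTTLS" for l in ehlo_lines if l.strip())

def probe(host, port, implicit_tls=False, timeout=10.0, helo_name="probe.example"):
    """Connect, wait for the banner, send EHLO; return a dict describing what was seen."""
    result = {"banner": None, "starttls": False, "problem": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if implicit_tls:                            # port 465: TLS before any SMTP talk
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock, sock.makefile("rb") as rfile:
            code, lines = read_reply(rfile)         # socket.timeout here = no greeting
            if code is None:
                result["problem"] = "connection closed before any 220 greeting"
                return result
            result["banner"] = lines[0] if lines else ""
            sock.sendall(("EHLO %s\r\n" % helo_name).encode())   # CRLF, not bare LF
            code, lines = read_reply(rfile)
            result["starttls"] = code == 250 and advertises_starttls(lines)
            if not implicit_tls and not result["starttls"]:
                result["problem"] = "EHLO reply does not advertise STARTTLS"
            sock.sendall(b"QUIT\r\n")
    except socket.timeout:
        result["problem"] = "timed out waiting for the server (no greeting or no reply to EHLO)"
    except (OSError, ssl.SSLError) as exc:
        result["problem"] = "%s: %s" % (type(exc).__name__, exc)
    return result
```

Run `probe("mail.example.test", 587)` for the STARTTLS case and `probe("mail.example.test", 465, implicit_tls=True)` for the wrapper-mode case; a "connected but silent" server shows up as the timeout problem rather than as a hung terminal.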
Thank you for helping me with this.
/var/log/mail.err turned out to be helpful. I had a syntax error in master.cf at:
submission inet n - y - - smtpd
-o syslog_name = postfix/submission
...
The spaces around = are not allowed here.
After I fixed this:
Result of openssl on 465:
CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
And mail.err logs:
Apr 5 11:24:40 localhost postfix/submission/smtpd[26808]: fatal: unexpected command-line argument: reject
Result of openssl on 587 (with -starttls smtp):
CONNECTED(00000005)
Didn't find STARTTLS in server response, trying anyway...
... // Then it's the same as with 465
After that, mail.err logs:
Apr 5 11:25:24 localhost postfix/smtps/smtpd[26820]: fatal: unexpected command-line argument: reject
(With IMAP and POP3, all works OK, it shows the certificate, and the handshake succeeds.)
And as for the firewall and ports:
master is listening on 25, 465 and 587 and they're allowed for any in the firewall.
Apr 5 11:24:40 localhost postfix/submission/smtpd[26808]: fatal: unexpected command-line argument: reject
That's your "next" error to solve at this point.
cd /etc/postfix
grep -r reject
My guess is that you've got a space or something in
smtpd_client_restrictions=permit_sasl_authenticated,reject
Also about this
Didn't find STARTTLS in server response, trying anyway...
If you're going to keep port 587 enabled (that's service submission) you'll want it to advertise STARTTLS which it's not doing right now.
For this add these -o parameters under submission in master.cf
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=yes
http://www.postfix.org/postconf.5.html#smtpd_tls_security_level
Regarding STARTTLS on port 587: I see you already have
smtpd_tls_security_level=encrypt
Let's see if that issue goes away (and the "commands don't get a response" does too) after you've fixed the "reject" config error.
And about port 25.
If you're testing from home - it's very likely that port 25 is blocked by your Internet Service Provider.
I just tried from a Linode (where it's not blocked) and it worked:
$ telnet 172.104.224.178 25
Trying 172.104.224.178...
Connected to 172.104.224.178.
Escape character is '^]'.
220 czechsmoke.cz ESMTP Postfix (Ubuntu)
QUIT
Connection closed by foreign host.
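The master.cf mistake found above (spaces around `=` in an `-o` override, or a space after a comma in a restriction list, which smtpd reports as `fatal: unexpected command-line argument`) can be caught before restarting Postfix. The linter below is an added example, not part of the thread or of Postfix; the sample file content is constructed to reproduce the thread's error.

```python
"""Lint the per-service "-o name=value" overrides in a Postfix master.cf.
master(8) hands each override to the daemon as argv elements after "-o", so
whitespace inside an override (around "=" or after a comma) splits it into
extra arguments that smtpd rejects with "fatal: unexpected command-line argument"."""
import re

SERVICE_RE = re.compile(r"^\S+\s+(inet|unix|fifo|pass)\s")

def lint_master_cf(text):
    """Return a list of (line_no, message) findings for master.cf content."""
    findings, service = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # new service definition (8 fields)
            fields = line.split()
            if SERVICE_RE.match(line) and len(fields) >= 8:
                service = fields[0]
            else:
                findings.append((no, "not an 8-field service line and not indented as a continuation"))
            continue
        args, i = line.split(), 0                   # continuation: daemon arguments
        while i < len(args):
            tok = args[i]
            if tok == "-o":
                if i + 1 == len(args):
                    findings.append((no, "%s: -o has no name=value" % service))
                    break
                name, eq, _value = args[i + 1].partition("=")
                if not eq or not name:
                    findings.append((no, "%s: override %r is not name=value (space around '='?)" % (service, args[i + 1])))
                i += 2
            elif tok.startswith("-"):               # other daemon flags such as -v
                i += 1
            else:
                findings.append((no, "%s: stray argument %r (smtpd: unexpected command-line argument)" % (service, tok)))
                i += 1
    return findings

# Constructed sample reproducing the thread's two mistakes on lines 2 and 3.
SAMPLE_MASTER_CF = (
    "submission inet n - y - - smtpd\n"
    "  -o syslog_name = postfix/submission\n"
    "  -o smtpd_client_restrictions=permit_sasl_authenticated, reject\n"
)

if __name__ == "__main__":
    for no, msg in lint_master_cf(SAMPLE_MASTER_CF):
        print("line %d: %s" % (no, msg))
```

Pipe your own file in with `lint_master_cf(open("/etc/postfix/master.cf").read())`; an empty list means no override would be split into extra arguments.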