✓ Solved

postfix smtp not listening on port 25

netstat shows nothing for port 25 although postfix is running

22 Replies

✓ Best Answer

I did that and now have errors in mail.log like this:
Nov 28 20:32:34 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<amrkauprz+lhvunn></amrkauprz+lhvunn>

Linode Staff

All new Linode accounts created by default have SMTP restrictions in place to prevent fraud on our platform and it could be that your account/Linode has SMTP restrictions in place. You can reach out to support via a trouble ticket to have the restrictions lifted if you determined that you have SMTP restrictions in place. Bear in mind that not all requests are approved for SMTP removal.

To check the status of port 25, you can run this nmap command specifying port 25 where $IPAddress is the IP address of your Linode.

nmap -p 25 --reason $IPAddress

Based on the output you can determine if the port is closed, filtered or opened.

A closed port indicates that no application or service is not listening for connections on that port. A closed port can open up at any time if an application or service is started.

A filter port indicates that a firewall, filter, or other network issue is blocking the port. Some standard services that can create a filter port can be, but not limited to, a server or network firewall, router, or security device.

Additionally you can also check the status of the postfix service by running the command below.

sudo service postfix status

This thread has some good information on how to test if postfix is running or not. Should you need to restart Postfix, this guide has instructions on how to get that done. Hopefully this helps.

PORT STATE SERVICE REASON
25/tcp closed smtp reset ttl 64

Linode Staff

Hello there,

As stated earlier, a closed port indicates that no application or service is not listening for connections on that port. A closed port can open up at any time if an application or service is started.

I was able to pull up your account with your user ID and can confirm that SMTP restrictions have been removed from your Linode and account. With that being said, this is likely a misconfiguration with with your postfix server(Likely postfix is not running). You can checkout our guide on Troubleshooting Problems with Postfix, Dovecot, and MySQL which has some good information for troubleshooting such issues.

Our guide on Configuring an Email Server with Postfix, Dovecot, and MySQL on Debian and Ubuntu also has instructions on setting this up with a fresh start. I hope this helps. Reach out if you have any questions or need any further assistance.

Thanks I have the port open now but there's another error with dovecot:

Nov 28 10:28:07 mail dovecot: submission(notshown_user)<49746><hrsa+nrr4odhvunn>: Error: Failed to establish relay connection: Failed to connect to remote server
Nov 28 10:28:07 mail dovecot: submission(notshown_user)<49746><hrsa+nrr4odhvunn>: Disconnect from 71.190.227.103: Failed to establish relay connection in=0 out=22 (state=GREETING)
@ </hrsa+nrr4odhvunn></hrsa+nrr4odhvunn>

postfix and dovecot are separate entities. They are configured separately…and differently. One of them is not correctly-configured to talk to the other. Since dovecot is a local-delivery agent, you don't want it to talk to postfix over the internet. You want postfix/dovecot to communicate using a local-domain socket. That communication uses LMTP (local mail transfer protocol).

You only want dovecot to talk to mail user agents using pop3(s) and/or imap(s). This will require ports 143 (imap), 993 (imaps), 110 (pop3), 995 (pop3s) to be open as well…depending on your choice. My dovecot configuration only requires port 993.

-- sw

I think the new way is to use 143 starttls and 993 ssl/tls isn't necessary anymore The handshake will execute on 143 so no sense going back to my old config, the same as yours, 993 ssl/tls So which settings in which files should I look at?

The ones involving LMTP/LDA:

  • postfix
virtual_transport = lmtp:unix:private/dovecot-lmtp

This specifies the communication socket to be /var/spool/postfix/private/dovecot-lmtp.

  • dovecot
conf.d/15-lda.conf
conf.d/20-lmtp.conf

are the ones I can think of right off hand.

Make sure the permissions are correct on the socket…and the directory containing it.

-- sw

Should the permissions mask be 0660 ?

postfix doesn't start after setting virtual_transport=lmtp:unix:private/dovecot-lmtp

Should the permissions mask be 0660 ?

Mine are srw-rw-rw-…it's a local-domain socket file. No entity from outside the boundaries of your system can access it. dovecot will reject incorrectly-formatted messages so, unless you have a virus, it's probably a pretty safe bet that rogue programs aren't going to be using it. That being said, 0660 (srw-rw----) should work…

postfix doesn't start after setting
 
virtual_transport=lmtp:unix:private/dovecot-lmtp

Does the socket exist? Does it have correct ownership/permissions. I believe dovecot is the one that creates it…using this stanza in conf.d/10-master.conf:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

You'll want to modify the permissions/ownership appropriately.

-- sw

Tried that and restarted dovecot still can't send mail
srw-rw-rw- 1 postfix postfix 0 Nov 28 19:15 dovecot-lmtp

I think this is your problem:

In 10-master.conf lmtp doesn't include the path to the socket but service auth does
 

service lmtp {
unix_listener lmtp {
#mode = 0666
}

I have the following:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap { ... }

service pop3 { ... }

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = maildrop
  }

  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = maildrop
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
  user = dovecot
}

auth_mechanisms = login plain

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = postfix
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict { ... }
}

The . . . notation indicates all the content is commented out so is irrelevant. Permissions/ownership will vary.

-- sw

When I try to send mail I get this error now

Nov 28 20:41:01 mail dovecot: submission-login: Login: user=<notshown>, method=PLAIN, rip=71.190.227.103, lip=45.79.79.188, mpid=55967, TLS, session=<voj8ioprpprhvunn>
Nov 28 20:41:01 mail dovecot: submission(notshown)<55967><voj8ioprpprhvunn>: Error: smtp-client: conn 127.0.0.1:25 [1]: connect(127.0.0.1:25) failed: Connection refused
Nov 28 20:41:01 mail dovecot: submission(notshown)<55967><voj8ioprpprhvunn>: Error: Failed to establish relay connection: Failed to connect to remote server
Nov 28 20:41:01 mail dovecot: submission(notshown)<55967><voj8ioprpprhvunn>: Disconnect from 71.190.227.103: Failed to establish relay connection in=0 out=22 (state=GREETING)</voj8ioprpprhvunn></voj8ioprpprhvunn></voj8ioprpprhvunn></voj8ioprpprhvunn></notshown>

I did that and now have errors in mail.log like this:

Nov 28 20:32:34 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<amrkauprz+lhvunn></amrkauprz+lhvunn>

This is indicative that imaps is not working correctly between dovecot and the mail user agent. Did you set up TLS & a certificate for this? Hint: if your mail domain is the same as the domain for your web server, you can use the same cert your web server uses.

-- sw

Same domain but different machines My mail server is a linode node and my web server is here at home That's because my isp blocks port 25 My certificate was setup using certbot so I use for CA cert /etc/letsencrypt/live/mail.servicemouse.com/fullchain.pem and the same path to privkey.pem If I were to use a self signed certificate then other mail servers would reject mail from mine

You need to set up authentication and a certificate/TLS in dovecot. You do that in conf.d/10-ssl.conf for the cert/TLS and conf.d/10-auth.conf for authentication.

You can use your LetsEncrypt cert as long as the postfix setting:

myhostname = mail.mydomain.com

matches your cert.

In conf.d/10-auth.conf, just uncomment the appropriate line for the kind of authentication you want to use:

#include auth-xxxxxxxxxx.conf.ext

at the bottom and comment out all the rest. You'll have to modify conf.d/auth-xxxxxxxxxx.conf.ext appropriately.

One thing you'll want to do is remove the ability for postfix to act as an open relay:

# this host does not relay mail
#
relayhost =
relay_domains =

Being an open relay is the kiss of death for an email server that doesn't have a small army of people to manage it's reputation.

After you get all that working, you can worry about smtps…and your general security policy wrt postfix. It's never ending…

-- sw

Which auth should I choose It's presesntly set to:
!include auth-system.conf.ext

Which auth should I choose It's presesntly set to:
!include auth-system.conf.ext

It depends on which auth you want. You have to decide…

Look at each of them. They're liberally commented. auth-system.conf.ext is the one for passwd file authentication using PAM (you'll have to configure PAM to accept auth requests from dovecot…the comments allude to how you do this).

I use auth-sql.conf.ext…all the mail accounts on my server are virtual (i.e., there is no login or passwd file entry for stevewi corresponding to stevewi@mydomain.com).

-- sw

Now I'm getting the error mail postfix/master[2495]: fatal: bind 0.0.0.0 port 587: Address already in use
mail postfix/master[2494]: fatal: daemon initialization failure
mail postfix/postfix-script[2496]: fatal: mail system startup failed

I'll try to get more info by raising log levels In the meanwhile I notice users have both /home/<username>/mail/Maildir and /home/<username>/Maildir directories How did this end up happening</username></username>

Now I'm getting the error mail postfix/master[2495]: fatal: bind 0.0.0.0 port 587: Address already in use
mail postfix/master[2494]: fatal: daemon initialization failure
mail postfix/postfix-script[2496]: fatal: mail system startup failed

I solved that error by removing the ipv6 :: from listen in dovecot.conf because it caused dovecot to listen on 587 in conflict with postfix Now I'm back to the same error "failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46"

Dec 2 10:25:33 mail dovecot: auth: Debug: auth client connected (pid=22978)
Dec 2 10:25:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=71.190.227.103, lip=45.79.79.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<utnozivswr5hvunn></utnozivswr5hvunn>

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct