SMTP Works internally only
Basically, I followed the guide in the Linode Library for setting up postfix and courier on Karmic 9.10. So far, so good. My users can log into their POP3 and IMAP with no problems. There are two issues however:
1) Email sent from the outside world never reaches their accounts
2) They cannot use the smtp server on my linode to send mail.
The first one is the most important, though it would be nice to fix the latter. I don't want to become an open relay of course, so point 2 could be a security issue.
I wondered what it could be. I noticed that an SMTP port was opened when I ran postfix, but that it was bound to localhost when using netstat -pal. This clearly won't do. I have unsuccessfully tried to change this to [::] (i.e., working on all the interfaces).
But do I really want to use port 25 to do this? Some say that 25 is blocked by their ISPs and that 587 is the new 25? Looking around, this is apparently related to the submission program. I would obviously rather use a secure link to my postfix app, so I uncommented the submission lines in master.cf. Here is the result from netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mysql *:* LISTEN -
tcp 0 0 localhost:submission *:* LISTEN -
tcp 0 0 *:ssh *:* LISTEN -
tcp 0 48 homer:ssh xx-xx-xx-xx.xx:64005 ESTABLISHED -
tcp6 0 0 [::]:imaps [::]:* LISTEN -
tcp6 0 0 [::]:pop3s [::]:* LISTEN -
tcp6 0 0 [::]:pop3 [::]:* LISTEN -
tcp6 0 0 [::]:imap2 [::]:* LISTEN -
tcp6 0 0 [::]:www [::]:* LISTEN -
tcp6 0 0 [::]:ssh [::]:* LISTEN -
udp 0 0 homer:ntp *:* -
udp 0 0 localhost:ntp *:* -
udp 0 0 *:ntp *:* -
udp6 0 0 fe80::fcfd:6dff:fe4:ntp [::]:* -
udp6 0 0 ip6-localhost:ntp [::]:* -
udp6 0 0 [::]:ntp [::]:* -
So again, it's binding to localhost. Here is my master.cf config:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#  -o mynetworks=127.0.0.1/8
#smtps inet n - - - - smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
And finally, the main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.wicked-game.co.uk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = mail.wicked-game.co.uk, localhost, localhost.localdomain
relayhost =
mynetworks = #127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
html_directory = /usr/share/doc/postfix/html
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
Some people have suggested using Google App Engine for this sort of thing. I'm not averse to doing that, but I feel I'm quite close to getting this fixed, so I'd like to try this first. I suspect that submission with a secure login is the best way to go (on port 587), but how to bind it to the right interface is eluding me. Many thanks for any help!
Ben
3 Replies
@main.cf:
inet_interfaces = loopback-only
Also, don't comment out the smtp line in your master.cf. Incoming mail will only arrive on port 25, even if you choose to use 587 for submission of outgoing messages.
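The two faults named in this reply can be checked mechanically. The script below is an added example, not something from the thread or from Postfix itself: it reads a main.cf/master.cf pair, flags inet_interfaces restricted to loopback and a commented-out "smtp inet" service, and reports whether the submission service is enabled. The sample config files it writes are constructed to mirror the configuration posted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Postfix main.cf/master.cf pair
# for the two faults diagnosed above (inet_interfaces = loopback-only, and
# the "smtp inet" service commented out in master.cf).

# Returns 0 when port 25 would be reachable from outside, 1 otherwise.
check_postfix_listen() {
  main_cf=$1; master_cf=$2; rc=0
  # The last uncommented inet_interfaces setting wins; Postfix defaults to "all".
  ifaces=$(awk -F= '/^[[:space:]]*inet_interfaces[[:space:]]*=/ {
             v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
           END { print (v == "" ? "all" : v) }' "$main_cf")
  case "$ifaces" in
    all) echo "ok: inet_interfaces = all" ;;
    loopback-only|localhost|127.0.0.1|::1)
      echo "PROBLEM: inet_interfaces = $ifaces -> only local clients can connect"
      rc=1 ;;
    *) echo "note: inet_interfaces = $ifaces; confirm it covers the public address" ;;
  esac
  # Inbound MX mail arrives only on the "smtp inet" service (port 25).
  if grep -Eq '^[[:space:]]*smtp[[:space:]]+inet[[:space:]]' "$master_cf"; then
    echo "ok: smtp inet service enabled (port 25)"
  else
    echo "PROBLEM: 'smtp inet' service is commented out; port 25 is closed"
    rc=1
  fi
  if grep -Eq '^[[:space:]]*submission[[:space:]]+inet[[:space:]]' "$master_cf"; then
    echo "ok: submission service enabled (port 587, authenticated clients only)"
  else
    echo "note: submission service not enabled"
  fi
  return $rc
}

# Constructed sample files modelled on the thread's broken config, written to $1.
write_broken_samples() {
  printf 'myhostname = mail.example.test\ninet_interfaces = loopback-only\n' > "$1/main.cf"
  printf '#smtp      inet  n       -       -       -       -       smtpd\n' > "$1/master.cf"
  printf 'submission inet  n       -       -       -       -       smtpd\n' >> "$1/master.cf"
  printf '  -o smtpd_sasl_auth_enable=yes\n' >> "$1/master.cf"
}
# Same pair after applying the fix suggested in the reply.
write_fixed_samples() {
  printf 'myhostname = mail.example.test\ninet_interfaces = all\n' > "$1/main.cf"
  printf 'smtp       inet  n       -       -       -       -       smtpd\n' > "$1/master.cf"
  printf 'submission inet  n       -       -       -       -       smtpd\n' >> "$1/master.cf"
}

d=$(mktemp -d); write_broken_samples "$d"
check_postfix_listen "$d/main.cf" "$d/master.cf" || echo "=> fix needed"
```

Run it against the real /etc/postfix/main.cf and /etc/postfix/master.cf by calling check_postfix_listen with those paths; a non-zero exit means inbound mail cannot arrive.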
Also, I'm sure one isn't supposed to be able to telnet straight in on port 587, are they?
Mar 29 18:13:41 localhost postfix/smtpd[10383]: warning: private/proxymap socket: service dict_proxy_open: Connection reset by peer
Mar 29 18:13:41 localhost postfix/trivial-rewrite[10123]: warning: private/proxymap socket: service dict_proxy_open: Success
Mar 29 18:13:41 localhost postfix/master[10068]: warning: process /usr/lib/postfix/proxymap pid 10391 exit status 1
Mar 29 18:13:41 localhost postfix/master[10068]: warning: /usr/lib/postfix/proxymap: bad command startup -- throttling
Mar 29 18:13:42 localhost postfix/proxymap[10392]: fatal: open /etc/postfix/mysql-virtual_transports.cf: No such file or directory
Mar 29 18:14:41 localhost postfix/proxymap[10396]: fatal: open /etc/postfix/mysql-virtual_transports.cf: No such file or directory
Mar 29 18:14:42 localhost postfix/trivial-rewrite[10123]: warning: private/proxymap socket: service dict_proxy_open: Success
Mar 29 18:14:42 localhost postfix/smtpd[10383]: warning: private/proxymap socket: service dict_proxy_open: Connection reset by peer
Mar 29 18:14:42 localhost postfix/master[10068]: warning: process /usr/lib/postfix/proxymap pid 10396 exit status 1
Mar 29 18:14:42 localhost postfix/master[10068]: warning: /usr/lib/postfix/proxymap: bad command startup -- throttling
I suspect something is missing in the virtual_transports.cf. Best check that.
UPDATE: OK, I commented out that line in main.cf and it now works!