Postfix/Dovecot blocking outgoing local email
I've followed this guide to set up our own e-mail server:
Everything is working well, I can both send and receive emails to my Linode.
The problem is since this was set up, the root user cannot send logs etc. anymore, they are blocked:
```
Aug 4 04:54:35 liXXX-ZZ postfix/smtp[20601]: connect to my.domain.tld[xxx.yy.156.151]:25: Connection refused
Aug 4 04:54:35 liXXX-ZZ postfix/error[20593]: 286A7B26598: to=<root@my.domain.tld>, orig_to=<root>, relay=none, delay=13182, delays=13182/0.01/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to my.domain.tld[xxx.yy.156.151]:25: Connection refused)
```
How can I allow the root user to still send these emails?
Thanks!
12 Replies
In /etc/postfix/main.cf I changed:
```
mydestination = localhost
```
To:
```
mydestination = localhost, my.domain.tld
```
And all the queued emails are sent! But does this make it more vulnerable, i.e. will anyone using my address as smtp be able to send emails without logging onto the server, or does it only allow emails created by root/the system?
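An added check, not part of this thread: a small Python parser (function names `parse_main_cf` and `check_local_delivery_and_relay` are my own) run over a constructed main.cf fragment. It confirms the domain is listed in `mydestination`, which is what makes mail for root@my.domain.tld deliverable locally, and separately that the relay policy still contains `reject_unauth_destination`, which is what keeps the box from being an open relay; the two settings are independent.

```python
import re

# Constructed main.cf fragment (not from the thread), showing the change
# described above: the server's own domain added to mydestination.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample)
myhostname = mail.my.domain.tld
mydestination = localhost,
    my.domain.tld
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [v for v in re.split(r"[\s,]+", value) if v]


def check_local_delivery_and_relay(text, domain):
    """Return (delivers_locally, relay_restricted) for the given domain.

    Only explicit main.cf settings are inspected; a parameter that is absent
    takes Postfix's compiled-in default, which `postconf <name>` will show.
    """
    p = parse_main_cf(text)
    delivers_locally = domain in split_list(p.get("mydestination", ""))
    # Postfix 2.10+ enforces relay policy in smtpd_relay_restrictions; older
    # releases rely on smtpd_recipient_restrictions for the same purpose.
    relay = split_list(p.get("smtpd_relay_restrictions", "")
                       or p.get("smtpd_recipient_restrictions", ""))
    relay_restricted = ("reject_unauth_destination" in relay
                        or "defer_unauth_destination" in relay)
    return delivers_locally, relay_restricted
```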
Spoofing, which is what I believe you are inquiring about, can be prevented by adding either SPF or DKIM records that will allow other mail servers to verify whether or not the e-mail is coming from your server or someone trying to pretend to be you.
DKIM:
SPF:
Thanks,
Dave.
I already set up SPF as well as DKIM for all outgoing emails. It seems to work fine. Also tried to connect to my smtp @ linode from another box without username/password and get the desired error messages in return, i.e. "Relay not allowed" or similar. When I connect using an existing email account it's working fine, just like I want to.
Thanks,
Dave.
I also followed this tutorial to set up some rate limiting:
How do I achieve this? I've read some guides but am a bit nervous that other services will be affected. Thanks!
You'll most likely want to change it to 'mydomain.tld' because your e-mails are actually being sent from @mydomain.tld. Unless you actually are sending e-mails as @mail.mydomain.tld. However, adjusting the hostname only isn't going to help your reputation. You'll also want to set up an A record, and then rDNS. See more about that here:
Thanks,
Dave.
The domain name mails are sent from is mail.domain.tld. I've got an A record as well as MX pointed to the box using that domain, so I guess I'll set up reverse DNS for the sub domain?
Also, should the FQDN be "mail.domain.tld"? In that case, what should the hostname be, it has to be "something" related to the FQDN, or can it be whatever?
Thanks!
Thanks for that information. The rDNS should likely be your actual domain, unless this is JUST a mail server. So, for example, if your domain is 'yourdomain.com' that would be your rDNS. Even though you're sending mail from 'mail.yourdomain.com' you can still have your rDNS to yourdomain.com.
Now, if you are using this server strictly for e-mails (which can be the case), then yes, you should have both your hostname and rDNS as mail.yourdomain.com.
Regarding the hostname, you can set this to anything, yes, but I would recommend having it set to something related to yourdomain.com. So for example, 'server1.yourdomain.com'. You could then set up an A record that goes directly to your IP address for server1.yourdomain.com.
In conclusion, this is going to entirely depend on what you're using the server for, but in most cases you will not want to have your rDNS as 'mail.yourdomain.com' as you will be specifying this specifically for the mail server. In my experience, setting the rDNS the same as the hostname has worked for Exim (and Postfix, when I used it). You could also set the rDNS to just 'yourdomain.com'.
Thanks,
Dave.
Thanks!
The server is only used for two things:
1) As a "backup cluster" in our network, all backups made from our app servers as well as a MySQL server are saved on this box.
2) As the email server for all outgoing emails in the network, emails are sent from the app server, i.e. invoice notifications, newsletters etc. No personal emails.
I.e. it's not used for any applications, except for Nagios for monitoring the whole network (4 Linodes).
So you mean I should really use "mail.mydomain.tld" as both Hostname and FQDN? The domain is delegated somewhere else, and there are A, MX (mail.mydomain.tld) pointing to the box, and SPF and DKIM for the sub domain only. I set up rDNS yesterday towards mail.mydomain.tld and it's working fine. As of now the FQDN is "backup.mydomain.tld".
Thanks,
Dave.
Now these emails are sent to
So, I added
Thanks!