Confirm mail client setup?

I followed Linode's guide:

https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql

Server Information

Account Type: (POP3)

Incoming mail server: (mail.example.com)

Outgoing mail server (SMTP): (mail.example.com)

Logon Information

User Name: (someone@example.com)

Password:

Require logon using Secure Password Authentication (SPA) ?

Outgoing Server

My outgoing server (SMTP) requires authentication (Yes)

Server Port Numbers

Incoming server (POP3): (995)

This server requires an encrypted connection (SSL) Yes

Outgoing server (SMTP): (25)

Use the following type of encrypted connection: (TLS)

What am I missing?

25 Replies

> What am I missing?

It's hard to tell. What problem are you having?

I followed these Linode guides:

Running a Mail Server

https://www.linode.com/docs/email/running-a-mail-server/

Email with Postfix, Dovecot, and MySQL

https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql

How to Make a Self-Signed SSL Certificate

https://www.linode.com/docs/security/ssl/how-to-make-a-selfsigned-ssl-certificate/

and even did the double checks with no errors - Troubleshooting Problems with Postfix, Dovecot, and MySQL

https://www.linode.com/docs/email/postfix/troubleshooting-problems-with-postfix-dovecot-and-mysql/

and I cannot connect to the 'mail.example.com' in my mail client.

I can connect to mail.example.com just fine, maybe you made a typo.

sudo netstat -plantu

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:42575 0.0.0.0:* LISTEN 2785/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2754/rpcbind
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 23222/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6475/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 23222/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 23686/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 23686/dovecot
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3749/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 23222/master
tcp 0 288 106.185.45.57:22 75.196.59.40:57669 ESTABLISHED 23631/sshd: username
tcp6 0 0 :::111 :::* LISTEN 2754/rpcbind
tcp6 0 0 :::465 :::* LISTEN 23222/master
tcp6 0 0 :::22 :::* LISTEN 6475/sshd
tcp6 0 0 :::25 :::* LISTEN 23222/master
tcp6 0 0 :::443 :::* LISTEN 19833/apache2
tcp6 0 0 :::993 :::* LISTEN 23686/dovecot
tcp6 0 0 :::995 :::* LISTEN 23686/dovecot
tcp6 0 0 :::46569 :::* LISTEN 2785/rpc.statd
tcp6 0 0 :::587 :::* LISTEN 23222/master
udp 0 0 0.0.0.0:58421 0.0.0.0:* 2785/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2951/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 2754/rpcbind
udp 0 0 106.185.45.57:123 0.0.0.0:* 4735/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 4735/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4735/ntpd
udp 0 0 0.0.0.0:809 0.0.0.0:* 2754/rpcbind
udp 0 0 127.0.0.1:841 0.0.0.0:* 2785/rpc.statd
udp 0 0 0.0.0.0:54165 0.0.0.0:* 2951/dhclient
udp6 0 0 :::5596 :::* 2951/dhclient
udp6 0 0 :::111 :::* 2754/rpcbind
udp6 0 0 2400:8900::f03c:91f:123 :::* 4735/ntpd
udp6 0 0 fe80::f03c:91ff:fe5:123 :::* 4735/ntpd
udp6 0 0 ::1:123 :::* 4735/ntpd
udp6 0 0 :::123 :::* 4735/ntpd
udp6 0 0 :::809 :::* 2754/rpcbind
udp6 0 0 :::45948 :::* 2785/rpc.statd

@vonskippy:

> I can connect to mail.example.com just fine, maybe you made a typo.

hahaa

mail.harris.hk

Are you running a firewall such as iptables? I ask because your mail ports are not available. When I check mail.harris.hk for open mail ports (25,587,993,995) I get no response.

Your mail.harris.hk 'A' records resolve, but there doesn't seem to be a 'MX' record for your domain.

@Main Street James:

> Are you running a firewall such as iptables? I ask because your mail ports are not available. When I check mail.harris.hk for open mail ports (25,587,993,995) I get no response.

iptables -L -n

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 106.185.45.57 0.0.0.0/0 tcp dpt:22
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* Allow loopback connections */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* Allow Ping to work as expected */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

@vonskippy:

> Your mail.harris.hk 'A' records resolve, but there doesn't seem to be a 'MX' record for your domain.

How can I check the MX record? Where would I look locally in the server to verify?

Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.

You also have multiple rules for TCP22

MX records are setup in your DNS manager (so in the Linode DNS manager). You want to point your MX record to mail, then have a A record for mail.harris.hk (which you already have).

In the future, remember it's always a good test to TEMPORARILY disable your firewall rules, test your problem, if it works, then it's a firewall rule, if it still doesn't work, then it's not a firewall rule. Just remember to re-enable your firewall after you complete your tests.

@vonskippy:

> Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.
>
> You also have multiple rules for TCP22

How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?

@vonskippy:

> MX records are setup in your DNS manager (so in the Linode DNS manager). You want to point your MX record to mail, then have a A record for mail.harris.hk (which you already have).

Okay, I edited the subdomain to 'mail' on the MX records for 'mail.harris.hk'

@vonskippy:

> In the future, remember it's always a good test to TEMPORARILY disable your firewall rules, test your problem, if it works, then it's a firewall rule, if it still doesn't work, then it's not a firewall rule. Just remember to re-enable your firewall after you complete your tests.

I was following all the Linode tutorial guides and following them. oops To re-enable, I think that means restarting the service then testing, then re-edit?

@Fufu:

> @vonskippy:
>
> > Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.
> >
> > You also have multiple rules for TCP22
>
> How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?

Use Lish: https://www.linode.com/docs/networking/using-the-linode-shell-lish

You can completely disable network access and still access a Linode server with Lish.

Thanks @masonm:

> @Fufu:
>
> > @vonskippy:
> >
> > > Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.
> > >
> > > You also have multiple rules for TCP22
> >
> > How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?
>
> Use Lish: https://www.linode.com/docs/networking/using-the-linode-shell-lish
>
> You can completely disable network access and still access a Linode server with Lish.

Which iptables commands should I be using to DROP and ACCEPT?

I am new to self-managed webservers and feel if I really mess this up, I will not know how to fix it.

This is in a chain? Okay, so what command would I use first and last that would not kill my chain?

Sorry for all the questions.

I find it's easiest to edit the rules in their saved config file - that way you can put them in the EXACT order you need (versus typing in your rules one at a time via a terminal session).

In CentOS, that file is located /etc/sysconfig/iptables, I'm not sure where it's located in DEB based systems.

After you edit the config file, either restart IPTABLES or just reboot the server to load the new ruleset.

Reset securing my Server:

https://www.linode.com/docs/security/securing-your-server/

sudo iptables -L -n

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

s3r3na@kalos:~$ sudo nano /etc/network/if-pre-up.d/firewall
s3r3na@kalos:~$ sudo chmod +x /etc/network/if-pre-up.d/firewall
s3r3na@kalos:~$ sudo iptables -L -n

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Looked over Prerequisites:

https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql

Troubleshot - Telnet, which I cannot check:

https://www.linode.com/docs/email/postfix/troubleshooting-problems-with-postfix-dovecot-and-mysql/

sudo telnet 106.185.45.57

Trying 106.185.45.57…
telnet: Unable to connect to remote host: Connection refused

"Checking Port Availability

Sometimes email problems occur because the mail server and mail client aren’t talking to each other on the same ports. For mail to get from client to server, or vice versa, both have to be using the same ports, and those ports also have to be open along the internet route between the two. If you are following the accompanying Postfix, Dovecot, and MySQL installation guide, you should be using the following ports:

25, 465, or 587 with TLS encryption for outgoing mail (SMTP)

993 with SSL encryption for incoming IMAP

995 with SSL encryption for incoming POP3

First, check your mail client settings and make sure that you have the correct ports and security settings selected.

Next, use the Telnet tool to check that ports are open both on your Linode and on the route between your client and your Linode. The same test should be run on both your Linode and your home computer. First we’ll present how to run the test from both locations, and then we’ll discuss the implications."

Now I don't see any email ports opened in your IPTABLES rules (25, 465, 587, 993, 995)

Also, when you use telnet for testing services, you need to remember to ADD the port number after the IP number

so….

telnet 106.185.45.57 25

Assuming you've just setup your server (i.e. there isn't much of anything important or confidential on it), there's little to risk by turning off your firewall and testing your email setup. If it works, then you just need to figure out the firewall rules, if it doesn't, then you need to fix your email server config before worrying about your firewall config. Just remember to turn your firewall back on after your tests.

What distro are you using?
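The two firewall points made in this thread, that every rule sitting below an unconditional DROP is never evaluated and that the mail ports are not actually opened, can be checked mechanically instead of by eye. The following Python script is an added example, not code from the thread or from Linode: it parses `iptables -L -n` text (the `SAMPLE` listing is a constructed copy of the INPUT chain posted above), lists the rules shadowed by the first catch-all, and reports which of 25/465/587/993/995 the chain does not accept. It assumes numeric `-n` output, or `-L` service names that /etc/services can resolve.

```python
"""Analyse `iptables -L -n` output: flag rules shadowed by an earlier
catch-all DROP/REJECT and report which mail ports the chain really accepts."""
import re
import socket

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}
ANY = "0.0.0.0/0"
# Keywords in the trailing column that make a rule conditional rather than a catch-all.
MATCH_WORDS = ("state", "ctstate", "dpt", "spt", "multiport", "limit", "owner", "MAC")

def parse_chains(listing):
    """Return {chain: [rule dict, ...]}. Caveat: -L -n hides interface matches,
    so an 'ACCEPT all' with an empty extra column may really be '-i lo'."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif line and not line.startswith("target ") and current is not None:
            parts = line.split(None, 4)  # target prot opt source "dest [extra]"
            if len(parts) == 5:
                target, prot, _opt, src, rest = parts
                dst, _, extra = rest.partition(" ")
                chains[current].append({"target": target, "prot": prot, "src": src,
                                        "dst": dst, "extra": extra.strip()})
    return chains

def is_catch_all(rule):
    """Unconditional DROP/REJECT from anywhere to anywhere: chain evaluation
    stops here, so every rule below it is dead."""
    return (rule["target"] in ("DROP", "REJECT") and rule["prot"] == "all"
            and rule["src"] == ANY and rule["dst"] == ANY
            and not any(w in rule["extra"] for w in MATCH_WORDS))

def shadowed_rules(rules):
    """Rules that sit below the first catch-all and can never match."""
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return rules[i + 1:]
    return []

def ports_from_spec(spec):
    """Expand '80', '22,25,8999:9003' or service names ('smtp') to a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        try:
            lo_n = int(lo) if lo.isdigit() else socket.getservbyname(lo, "tcp")
            hi_n = int(hi) if hi.isdigit() else (socket.getservbyname(hi, "tcp") if hi else lo_n)
        except OSError:
            continue  # name not in /etc/services: skip the item
        ports.update(range(lo_n, hi_n + 1))
    return ports

def accepted_tcp_ports(rules):
    """TCP destination ports accepted by rules above the first catch-all."""
    ports = set()
    for rule in rules:
        if is_catch_all(rule):
            break
        if rule["target"] == "ACCEPT" and rule["prot"] in ("tcp", "all"):
            m = re.search(r"(?:dpt:|dports )(\S+)", rule["extra"])
            if m:
                ports |= ports_from_spec(m.group(1))
    return ports

def analyse(listing, chain="INPUT"):
    """Dead rules plus mail ports the firewall blocks (an open port still
    says nothing about whether Postfix or Dovecot is listening on it)."""
    rules = parse_chains(listing).get(chain, [])
    open_ports = accepted_tcp_ports(rules)
    return {"shadowed": shadowed_rules(rules),
            "missing_mail_ports": sorted(p for p in MAIL_PORTS if p not in open_ports)}

# Constructed sample modelled on the listing in the thread: the catch-all
# DROP sits above the multiport ACCEPT that was meant to open the mail ports.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Run it against a copy of your own listing and move any ACCEPT it reports as shadowed above the DROP; a port it reports as open still has to be confirmed with telnet or openssl from a machine outside the Linode, since local traffic never crosses the INPUT chain the same way.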

@vonskippy:

> Now I don't see any email ports opened in your IPTABLES rules (25, 465, 587, 993, 995)
>
> Also, when you use telnet for testing services, you need to remember to ADD the port number after the IP number
>
> so….
>
> telnet 106.185.45.57 25
>
> Assuming you've just setup your server (i.e. there isn't much of anything important or confidential on it), there's little to risk by turning off your firewall and testing your email setup. If it works, then you just need to figure out the firewall rules, if it doesn't, then you need to fix your email server config before worrying about your firewall config. Just remember to turn your firewall back on after your tests.
>
> What distro are you using?

Thank you. The telnet does work when I put a space in between the ports and the ip address.

The ports are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.

I am running Debian 7.6.

There is not a single line command to disable Debian's iptables, is there?

I see a lot of lengthy tutorials that cut access to my server right away and I am not sure if it is correct or not?

The MX records are correct? I have combed over-and-over these Linode tutorials and troubleshooting ones too and have verified for several days I have followed every step correctly. I have them almost memorized by now. lol

@Fufu:

> Thank you. The telnet does work when I put a space in between the ports and the ip address.
>
> The ports are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.

No, they are not. Some are (443, 80) but others aren't (25, 995).

You have to do the test off your linode from another machine. Local traffic from the linode to the same linode won't be caught by the firewall

Thanks sweh@sweh:

> @Fufu:
>
> > Thank you. The telnet does work when I put a space in between the ports and the ip address.
> >
> > The ports are open are 25, 443, 567, 465, 80, 993, and 995. Other ports are not open when I use telnet.
>
> No, they are not. Some are (443, 80) but others aren't (25, 995).
>
> You have to do the test off your linode from another machine. Local traffic from the linode to the same linode won't be caught by the firewall

I made the edits to sudo nano /etc/iptables.firewall.rules

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 567 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

telnet from another machine's results

# telnet 106.185.45.57 80
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 443
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 995
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 993
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 465
Trying 106.185.45.57...
Connected to 106.185.45.57.
Escape character is '^]'.
^]
telnet> close
Connection closed.
# telnet 106.185.45.57 567
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection refused
# telnet 106.185.45.57 25
Trying 106.185.45.57...
telnet: connect to address 106.185.45.57: Connection timed out

sudo iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:567
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

> # telnet 106.185.45.57 25
> Trying 106.185.45.57…
> telnet: connect to address 106.185.45.57: Connection timed out

I'm guessing you did this from a home machine; many ISPs block outgoing port 25 to prevent spam.

Port 567 you have no process listening.

I don't know why you're not getting a response on some of these ports; application misconfig.

For SSL enabled ports you need to use openssl

eg

% openssl s_client -connect 106.185.45.57:993
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
verify return:1
...
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
0 logout
closed

Something answers on TCP25, but it doesn't seem to be a SMTP service (I get a blank terminal session, which no matter what I type doesn't echo any commands or error messages, and eventually times out the telnet session).

I really appreciate the help a ALOT!!!

What other information/command result/screenshots/file conf do you need from me?
@sweh:

> > # telnet 106.185.45.57 25
> > Trying 106.185.45.57…
> > telnet: connect to address 106.185.45.57: Connection timed out
>
> I'm guessing you did this from a home machine; many ISPs block outgoing port 25 to prevent spam.
>
> Port 567 you have no process listening.
>
> I don't know why you're not getting a response on some of these ports; application misconfig.
>
> For SSL enabled ports you need to use openssl
>
> eg
>
> % openssl s_client -connect 106.185.45.57:993
> CONNECTED(00000003)
> depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 O = Dovecot mail server, OU = kalos.harris.hk, CN = kalos.harris.hk, emailAddress = root@harris.hk
> verify return:1
> ...
> ---
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
> 0 logout
> closed

Already I have found this missing, maybe this needs to be somewhere else?

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 567 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

Is my mail server setup correctly with MX in Linode?

MX Records

Mail Server: mail.harris.hk Preference: 10 Subdomain: mail TTL: Default

I have done all the troubleshoot checks with no errors.

Is there anything missing in the Linode documentation?

DNS is reversed.

Ok, you seem to be doing many changes - not all for the better.

Your DNS and MX settings seem to be ok:

http://mxtoolbox.com/SuperTool.aspx?action=mx%3amail.harris.hk&run=toolpage

http://network-tools.com/default.asp?prog=dnsrec&host=mail.harris.hk

Your PTR points to your domain name (i.e. harris.hk) which is ok, but I think most anti-spam wants it to point to the hostname (i.e. mail.harris.hk)

http://www.myiptest.com/staticpages/index.php/Reverse-DNS-Lookup

But your firewall is getting worse not better

http://mxtoolbox.com/SuperTool.aspx?action=scan%3amail.harris.hk&run=toolpage

https://pentest-tools.com/discovery-probing/tcp-port-scanner-online-nmap

Once again, you should pick a topic (either email service, or firewall) and fix that before moving on. Working on several problems at once just means you have too many variables to determine what's being changed for the better and what's being changed for the worse.

Turn off IPTABLES, and get your Email service working. Once it's working, turn on IPTABLES and once again, get Email working (knowing that any problems with email now are caused by the firewall).

permissions set for mail server:

ls -ld /var/mail

drwxrwsr-x 3 vmail vmail 4096 Oct 22 21:59 /var/mail

ls -ld /etc/dovecot

drwxr-x--- 4 vmail dovecot 4096 Oct 22 21:58 /etc/dovecot

/var/log/mail.log

Oct 20 17:42:48 kalos postfix/smtpd[28156]: fatal: bad boolean configuration: smtpd_sasl_auth_enable = yes  smtpd_recipient_restrictions =          permit_s$
Oct 20 17:42:49 kalos postfix/master[24019]: warning: process /usr/lib/postfix/smtpd pid 28156 exit status 1
Oct 20 17:42:49 kalos postfix/master[24019]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Oct 20 17:43:13 kalos postfix/master[24019]: terminating on signal 15
Oct 20 17:43:13 kalos postfix/master[28299]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 21 02:13:37 kalos postfix/master[4048]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 21 02:26:11 kalos postfix/pickup[4054]: 7450AE8B6: uid=0 from=<root>
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 7450AE8B6: message-id=<20141021092611.7450AE8B6@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: from=<root@harris.hk>, size=1777, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 7450AE8B6: to=<root@harris.hk>, orig_to=<root>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.14, delays=0.$
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 91B96E8B9: message-id=<20141021092611.91B96E8B9@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: from=<>, size=3710, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/bounce[4981]: 7450AE8B6: sender non-delivery notification: 91B96E8B9
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: removed
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 91B96E8B9: to=<root@harris.hk>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0, dsn=5.1.1$
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: removed
Oct 22 22:07:34 kalos postfix/master[4597]: daemon started -- version 2.9.6, configuration /etc/postfix

service postfix status

[ ok ] postfix is running.

service dovecot status

[ ok ] dovecot is running.

service postfix restart

[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.

service dovecot restart

[ ok ] Restarting IMAP/POP3 mail server: dovecot.

tail /var/log/mail.log

Oct 21 02:26:11 kalos postfix/lmtp[4974]: 7450AE8B6: to=<root@harris.hk>, orig_to=<root>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.14, delays=0.04/0.02/0.02/0.06, dsn=5.1.1, status=bounced (host kalos.harris.hk[private/dovecot-lmtp] said: 550 5.1.1 <root@harris.hk> User doesn't exist: root@harris.hk (in reply to RCPT TO command))
Oct 21 02:26:11 kalos postfix/cleanup[4966]: 91B96E8B9: message-id=<20141021092611.91B96E8B9@kalos.harris.hk>
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: from=<>, size=3710, nrcpt=1 (queue active)
Oct 21 02:26:11 kalos postfix/bounce[4981]: 7450AE8B6: sender non-delivery notification: 91B96E8B9
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 7450AE8B6: removed
Oct 21 02:26:11 kalos postfix/lmtp[4974]: 91B96E8B9: to=<root@harris.hk>, relay=kalos.harris.hk[private/dovecot-lmtp], delay=0.01, delays=0/0/0/0, dsn=5.1.1, status=bounced (host kalos.harris.hk[private/dovecot-lmtp] said: 550 5.1.1 <root@harris.hk> User doesn't exist: root@harris.hk (in reply to RCPT TO command))
Oct 21 02:26:11 kalos postfix/qmgr[4055]: 91B96E8B9: removed
Oct 22 22:07:34 kalos postfix/master[4597]: daemon started -- version 2.9.6, configuration /etc/postfix
Oct 22 22:46:23 kalos postfix/master[4597]: terminating on signal 15
Oct 22 22:46:23 kalos postfix/master[6166]: daemon started -- version 2.9.6, configuration /etc/postfix

tail /var/log/upstart/dovecot.log

tail: cannot open `/var/log/upstart/dovecot.log' for reading: No such file or directory

@vonskippy:

> Turn off IPTABLES, and get your Email service working. Once it's working, turn on IPTABLES and once again, get Email working (knowing that any problems with email now are caused by the firewall).

How can I turn off iptables in Debian?

As root:

'/etc/init.d/iptables stop'

output: (doesn't work)

'iptables -X'

output: iptables: Too many links.

The CentOS commands do not work either. I am using Debian.

Here's a good thread on the Debian forum explaining it (follow it to the Ubuntu forum for info on UFW) - and a good recommendation - install UFW to manage your IPTABLES. With UFW installed, then it's a simple 'sudo service ufw stop' and 'sudo service ufw start'

http://forums.debian.net/viewtopic.php?f=10&t=112759

After researching something as simple as turning IPTABLES on and off in Debian, I'm oh so glad I use CentOS (service iptables stop / service iptables start).

UFW doesn't function properly in Debian 7.6. It says it will "enables" and "stops" on a reboot, but always displays "inactive" and never actually does anything with Debian 7.6 kernel 3.15.

this is my '$/var/log/mail.log' excerpt of the error I am receiving.

Oct 24 22:03:06 kalos postfix/smtpd[3998]: connect from mta.email.jacquielawson.com[66.231.90.157]
Oct 24 22:03:06 kalos postfix/smtpd[3998]: NOQUEUE: reject: RCPT from mta.email.jacquielawson.com[66.231.90.157]: 554 5.7.1 <username@harris.hk>: Relay access denied; from=
Oct 24 22:03:06 kalos postfix/smtpd[3998]: disconnect from mta.email.jacquielawson.com[66.231.90.157]

I believe I have my firewall sorted out:

$iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
