Cannot configure mail client (neither Thunderbird nor iOS) with Cloudflare DNS

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.3 LTS
Virtualmin version 7.9.0

It all started because I couldn’t set up my email account on my iOS device.
I’ve come a long way and read a lot of topics, but now I really need your help!

I summarized my steps, hoping that someone could give me a hand!

- I installed Virtualmin on a clean install of Ubuntu;
- I configured a virtual server with Virtualmin;
- I set the nameservers at the registrar to point to Cloudflare;
- On Cloudflare, I entered all the DNS records correctly (I list them here just in case):

#xxx.xxx.xxx.xxx is the IP of my VPS:

A    admin    xxx.xxx.xxx.xxx
A    autoconfig    xxx.xxx.xxx.xxx
A    autodiscover    xxx.xxx.xxx.xxx
A    mail    xxx.xxx.xxx.xxx
A    trelune.tech    xxx.xxx.xxx.xxx
A    webmail    xxx.xxx.xxx.xxx
A    www    xxx.xxx.xxx.xxx
MX    domain.tld   5 mail.domain.tld
TXT    xxxxxx._domainkey    v=DKIM1; k=rsa; t=s; p=PUBLIC_KEY
TXT    _dmarc    v=DMARC1....
TXT    domain.tld    v=spf1 ip4:xxx.xxx.xxx.xxx

- I installed Roundcube via Virtualmin's install scripts, in the domain.tld/roundcube folder.
- I instead installed WordPress in the top-level domain (directly in the public_html folder).
- I have done several tests, and this does not affect the result in the slightest.
- I have successfully configured SSL certificates via Let's Encrypt.
- I configured fail2ban correctly, but the IP address of my device does not appear in the "jail". Even after stopping the "fail2ban" service, the problem does not change.

The outcome of the configuration is:

Current SSL certificate details:
...
Issuer organization
	Let's Encrypt
Other domain names
	admin.domain.tld, autoconfig.domain.tld, autodiscover.domain.tld, mail.domain.tld, domain.tld, webmail.domain.tld, www.domain.tld.
Used by services
	Webmin (domain.tld), Usermin (host domain.tld), Dovecot (host domain.tld), Postfix (host domain.tld)

My site domain.tld works perfectly (https ON).

- I created a new user via Virtualmin's "Edit User" screen.
The new user created is user@domain.tld.
For this user, the login permissions enabled are Email and FTP.
The "Create extra Unix user on Postfix systems when using user@domain format" flag in the advanced options of the Virtualmin Configuration in System Settings is also set to Yes
(I mention this because I saw that it was a solution recommended in other topics).

If I connect to the address domain.tld/roundcube, I can log in to the email account correctly.
I can send and receive messages. Services like mail-tester.com tell me that my configuration (DKIM, SPF, DMARC…) is OK and that I am not being labeled as spam.
Everything works perfectly.

Checking the email log in /var/log/, I see when roundcube checks for new emails (once a minute) and I see the new emails arriving in the inbox. This is an example of an incoming email from Gmail:

Dec 18 20:49:36 vmixxxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=77094, secured, session=<qmO8DM4MgIR/AAAB>
Dec 18 20:49:36 vmixxxxxxxx dovecot: imap(user@domain.tld)<77094><qmO8DM4MgIR/AAAB>: Disconnected: Logged out in=332 out=2305 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 18 20:49:38 vmixxxxxxxx postfix/smtpd[77095]: connect from mail-ot1-f66.google.com[209.85.210.66]
Dec 18 20:49:39 vmixxxxxxxx postfix/smtpd[77095]: AB16619A0B68: client=mail-ot1-f66.google.com[209.85.210.66]
Dec 18 20:49:39 vmixxxxxxxx postfix/cleanup[77100]: AB16619A0B68: message-id=<CAKExcJG_=6xxxxxxxxxxxxxxxxxxxxxxj_8-+g@mail.gmail.com>
Dec 18 20:49:39 vmixxxxxxxx opendkim[679]: AB16619A0B68: DKIM verification successful
Dec 18 20:49:39 vmixxxxxxxx opendkim[679]: AB16619A0B68: s=20230601 d=gmail.com a=rsa-sha256 SSL 
Dec 18 20:49:39 vmixxxxxxxx postfix/qmgr[74661]: AB16619A0B68: from=<normalgmailaccount@gmail.com>, size=2997, nrcpt=1 (queue active)
Dec 18 20:49:39 vmixxxxxxxx postfix/smtpd[77095]: disconnect from mail-ot1-f66.google.com[209.85.210.66] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Dec 18 20:49:40 vmixxxxxxxx spamd[924]: spamd: connection from 127.0.0.1 [127.0.0.1]:56162 to port 783, fd 5
Dec 18 20:49:40 vmixxxxxxxx spamd[924]: spamd: setuid to user@domain.tld succeeded
Dec 18 20:49:40 vmixxxxxxxx spamd[924]: spamd: processing message <CAKExcJG_=6xxxxxxxxxxxxxxxxxxxxxxj_8-+g@mail.gmail.com> for user@domain.tld:1007
Dec 18 20:49:40 vmixxxxxxxx spamd[924]: spamd: clean message (-0.2/5.0) for user@domain.tld:1007 in 0.5 seconds, 3329 bytes.
Dec 18 20:49:40 vmixxxxxxxx spamd[924]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE scantime=0.5,size=3329,user=user@domain.tld,uid=1007,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56162,mid=<CAKExcJG_=6xxxxxxxxxxxxxxxxxxxxxxj_8-+g@mail.gmail.com>,autolearn=ham autolearn_force=no
Dec 18 20:49:40 vmixxxxxxxx postfix/local[77101]: AB16619A0B68: to=<user-domain.tld@vmixxxxxxxx.contaboserver.net>, orig_to=<user@domain.tld>, relay=local, delay=1.2, delays=0.1/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Dec 18 20:49:40 vmixxxxxxxx postfix/qmgr[74661]: AB16619A0B68: removed
Dec 18 20:49:40 vmixxxxxxxx spamd[831]: prefork: child states: II
Dec 18 20:49:45 vmixxxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=77127, secured, session=<zvo7Dc4MkOB/AAAB>
Dec 18 20:49:45 vmixxxxxxxx dovecot: imap(user@domain.tld)<77127><zvo7Dc4MkOB/AAAB>: Disconnected: Logged out in=514 out=5988 deleted=0 expunged=0 trashed=0 hdr_count=8 hdr_bytes=2141 body_count=0 body_bytes=0

So, from the web interface, everything works correctly.
This log puzzles me because I see a redirect to user-domain.tld (Dec 18 20:49:40 vmixxxxxxxx postfix/local…).
Checking the Virtual Domains in Webmin → Servers → Postfix Mail Server, I see that

Name              Maps to
user@domain.tld   user-domain.tld

so probably it is ok.

For completeness, I also report the /etc/postfix/main.cf file.
(Removing check_policy_service inet:127.0.0.1:10023 from smtpd_recipient_restrictions resolved the issue where incoming emails were not delivered.)

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = vmixxxxxxx.contaboserver.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, vmixxxxxxx.contaboserver.net, localhost.contaboserver.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

The thing that seems strange to me here is:

myhostname = vmixxxxxxx.contaboserver.net

and that is of course not my virtual server, but it could be the basic configuration Virtualmin uses to run multiple virtual servers on the same VPS (?).

So, this is my situation.
The thing I can't do at all is configure a mail client, whether it's Thunderbird or iOS Mail (iOS is more important to me).

The autoconfig system works: by visiting
https://domain.tld/cgi-bin/autoconfig.cgi?emailaddress=user@domain.tld, the XML file is returned to me:

<clientConfig version="1.1">
  <emailProvider id="domain.tld">
    <domain>domain.tld</domain>
    <displayName/>
    <displayShortName/>
    <incomingServer type="imap">
      <hostname>mail.domain.tld</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>user@domain.tld</username>
    </incomingServer>
    <incomingServer type="pop3">
      <hostname>mail.domain.tld</hostname>
      <port/>
      <socketType>SSL</socketType>
      <authentication/>
      <username>user@domain.tld</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.domain.tld</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>user@domain.tld</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>

Thunderbird successfully detects the configuration from the server, but then, once the correct password is entered, after a few minutes Thunderbird says it is unable to authenticate: "Your configuration, username or password may be incorrect."
I remind you, however, that the same username and password allow login to the Roundcube webmail on domain.tld/roundcube.
The password is basic and long, for testing purposes, but without any special characters.

There is no way to add the account on iOS either.

Checking the logs, I don't even see Thunderbird's connection attempt failing.
I understand that the saslauthd process is involved, but

journalctl -fu saslauthd

doesn't return new log entries when I try to connect via Thunderbird (only the failed attempts by brute-force hosts that are then banned thanks to fail2ban).

I checked again by logging in via the domain.tld/roundcube, everything works, and the emails arrive both incoming and outgoing.

Please, I’ve been going crazy for days on this configuration and can’t find any solutions.

I know it’s a very long topic, but I tried to summarize all the steps, hoping to make life easier for anyone with the same problem!

Thanks for your help!

Your configuration should tell Postfix more about SASL, something like the following:

smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces permit_tls_all_clientcerts permit_sasl_authenticated
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_ask_ccert = yes
mynetworks_style = host

I set up myhostname as the primary TLD of my server, with a matching /etc/hosts setup.

eg. myhostname = example.com

If you’re not showing up in logs after all that and a reload, double check to make sure fail2ban hasn’t nabbed you.


I think you should be using an FQDN like server.mydomain.com.
My config doesn't have a myhostname. It pulls it from the server name, i.e. mail.mydomain.com (not my provider's name).

Maybe Ubuntu does it differently from Rocky.

Thank you so much for your precious answer!
So, it looks like my main.cf file lacked an important part of the client configuration.
I’d like to know what could have caused it.

The only part you mention that was already present in my main.cf file is:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

I was missing all the other parts, so I have added them.

Now my main.cf file looks like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = vmixxxxxxx.contaboserver.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, vmixxxxxxx.contaboserver.net, localhost.contaboserver.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/

smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces permit_tls_all_clientcerts permit_sasl_authenticated
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_ask_ccert = yes
mynetworks_style = host

smtp_dns_support_level = dnssec
smtp_host_lookup = dns
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

After saving the file, I reloaded postfix and restarted saslauthd, just in case…

postfix reload
systemctl restart saslauthd

and journalctl -fu saslauthd reports this:

Dec 19 09:14:04 vmixxxxxxx.contaboserver.net systemd[1]: Starting LSB: saslauthd startup script...
Dec 19 09:14:04 vmixxxxxxx.contaboserver.net saslauthd[125386]:  * Starting SASL Authentication Daemon saslauthd
Dec 19 09:14:04 vmixxxxxxx.contaboserver.net saslauthd[125408]:                 : master pid is: 125408
Dec 19 09:14:04 vmixxxxxxx.contaboserver.net saslauthd[125408]:                 : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
Dec 19 09:14:04 vmixxxxxxx.contaboserver.net saslauthd[125386]:    ...done.
Dec 19 09:14:04 vmixxxxxxx.contaboserver.net systemd[1]: Started LSB: saslauthd startup script.

so there is no trace of Thunderbird's connection attempt (if this is the right place to look), and I still get the error that no auth is possible… :sob:

The fail2ban log reports only SSH attempts, and none of the IPs found is my IP address.

2023-12-19 09:13:02,444 fail2ban.filter         [82669]: INFO    [sshd] Found 5.196.27.126 - 2023-12-19 09:13:01
2023-12-19 09:13:02,522 fail2ban.actions        [82669]: NOTICE  [sshd] Ban 45.90.12.6
2023-12-19 09:13:02,531 fail2ban.actions        [82669]: NOTICE  [sshd] Ban 5.196.27.126
2023-12-19 09:13:04,196 fail2ban.filter         [82669]: INFO    [sshd] Found 45.90.12.6 - 2023-12-19 09:13:03
2023-12-19 09:13:04,695 fail2ban.filter         [82669]: INFO    [sshd] Found 5.196.27.126 - 2023-12-19 09:13:04
2023-12-19 09:13:36,194 fail2ban.filter         [82669]: INFO    [sshd] Found 202.88.228.179 - 2023-12-19 09:13:35
2023-12-19 09:13:36,585 fail2ban.actions        [82669]: NOTICE  [sshd] Ban 202.88.228.179
2023-12-19 09:13:38,944 fail2ban.filter         [82669]: INFO    [sshd] Found 202.88.228.179 - 2023-12-19 09:13:38

To be extra safe, I cleaned the postfix-sasl jail (screenshot not reproduced), but nothing changed.

In main.cf I even changed the myhostname value to

myhostname = mail.domain.tld

but the only effect of this is that the Roundcube interface stops sending and receiving emails.

TY

edit:
My fault. It is probably the previous edit that broke the Roundcube interface. I'll try this fix separately.
TYx2

edit-2:
I tried my old main.cf config with:

myhostname = mail.domain.tld

and Thunderbird still can’t login, but the Roundcube interface works smoothly.
My guess here is that with this configuration, user@domain.tld works, but a second domain (domain2.tld) doesn’t.

You need to check the mail log file why thunderbird won’t login.


This is my /var/log/mail.log file:

#me logging in the domain.tld/roundcube webmail:
Dec 19 11:34:01 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136764, secured, session=<AVOnZ9oMWrp/AAAB>
Dec 19 11:34:01 vmixxxxxxx dovecot: imap(user@domain.tld)<136764><AVOnZ9oMWrp/AAAB>: Disconnected: Logged out in=82 out=774 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 19 11:34:02 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136766, secured, session=<VR6zZ9oMXrp/AAAB>
Dec 19 11:34:02 vmixxxxxxx dovecot: imap(user@domain.tld)<136766><VR6zZ9oMXrp/AAAB>: Disconnected: Logged out in=44 out=662 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 19 11:34:03 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136768, secured, session=<lHi9Z9oMYrp/AAAB>
Dec 19 11:34:03 vmixxxxxxx dovecot: imap(user@domain.tld)<136768><lHi9Z9oMYrp/AAAB>: Disconnected: Logged out in=294 out=6019 deleted=0 expunged=0 trashed=0 hdr_count=10 hdr_bytes=2717 body_count=0 body_bytes=0
Dec 19 11:34:03 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136770, secured, session=<F6m+Z9oMZrp/AAAB>
Dec 19 11:34:03 vmixxxxxxx dovecot: imap(user@domain.tld)<136770><F6m+Z9oMZrp/AAAB>: Disconnected: Logged out in=233 out=1097 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

# brute force attempt (it is not me):
Dec 19 11:34:43 vmixxxxxxx postfix/smtpd[136774]: connect from unknown[45.129.14.89]
Dec 19 11:34:45 vmixxxxxxx postfix/smtpd[136774]: warning: unknown[45.129.14.89]: SASL LOGIN authentication failed: authentication failure
Dec 19 11:34:45 vmixxxxxxx postfix/smtpd[136774]: disconnect from unknown[45.129.14.89] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
#about this fail2ban will say:
2023-12-19 11:34:45,954 fail2ban.filter         [135476]: INFO    [postfix-sasl] Found 45.129.14.89 - 2023-12-19 11:34:45

#me refreshing the webmail:
Dec 19 11:34:56 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136777, secured, session=<qbfwatoMfrp/AAAB>
Dec 19 11:34:56 vmixxxxxxx dovecot: imap(user@domain.tld)<136777><qbfwatoMfrp/AAAB>: Disconnected: Logged out in=363 out=2709 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 19 11:35:04 vmixxxxxxx dovecot: imap-login: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=136783, secured, session=<0j5Ua9oMDqV/AAAB>
Dec 19 11:35:04 vmixxxxxxx dovecot: imap(user@domain.tld)<136783><0j5Ua9oMDqV/AAAB>: Disconnected: Logged out in=333 out=2311 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

As you can see, there is no trace of Thunderbird trying to connect (OFC I waited a minute or so not to mix the logs).

edit:
Even the /var/log/mail.err file has no trace of the connection attempt from Thunderbird, but before the errors caused by the brute-force attacks, I see:

Dec 18 12:12:32 vmixxxxxxx milter-greylist: cannot read dumpfile "/var/lib/milter-greylist/greylist.db"
Dec 18 12:12:32 vmixxxxxxx milter-greylist: starting with an empty greylist
Dec 19 09:18:57 vmixxxxxxx postfix/smtp[125650]: error: open database /etc/postfix/sasl_passwd.db: No such file or directory
Dec 19 09:23:34 vmixxxxxxx postfix/smtpd[126555]: fatal: no SASL authentication mechanisms
Dec 19 09:24:36 vmixxxxxxx postfix/smtpd[126697]: fatal: no SASL authentication mechanisms
...

Could the lack of the file /etc/postfix/sasl_passwd.db be the cause of my problems?
If so, how do I make Virtualmin build it?

This is the tree of the /etc/postfix folder (screenshot not reproduced), and there is no passwd.db.

If it's not showing in the logs, maybe your previous failed attempts have caused a block by fail2ban.

Thanks but, as posted before, my IP is not in the fail2ban jail, and the situation doesn’t change even when I stop the fail2ban service.

If you're not seeing the Thunderbird logins, then either you're logging in on the wrong port or the port you're using is blocked. Try creating a POP account in Thunderbird using port 110; that's how I have it.

If you're running Cloudflare DNS in proxy mode this kind of behaviour is expected, because by default Cloudflare proxies traffic only for a limited set of ports. You could try connecting to your server via IP, or add to /etc/hosts on your client computer a record for the hostname that Thunderbird is using.


Thanks so much @Ilia for stopping by and changing the topic title! I really appreciate it!
Can I kindly ask you to explain the best steps as if you were talking to a real Virtualmin newbie to achieve the goal of making the system as user-friendly as possible?
The ultimate goal is to make the email system for iOS users as simple as possible to configure on their phones without giving up the protection of Cloudflare.
Can I, by any chance, pass all Virtualmin mail traffic through one of the ports managed by Cloudflare and set the auto-config system (which, among other things, seems to me not to be read by iOS at the moment) to point to those ports? Do you think this is a feasible solution?
Manually editing the individual /etc/hosts files inside each computer that uses the email client seems complex to me (even considering that almost no one uses Linux outside of us).
Thank you so much for your help!

Cloudflare’s proxy mode is designed to work with HTTP/HTTPS traffic to provide benefits like DDoS protection, web optimization, and SSL termination. When the orange cloud (proxy mode) is enabled in Cloudflare’s DNS settings, non-web traffic, such as email (SMTP, IMAP, POP3), will not be proxied through Cloudflare’s network (unless you’re on the paid Cloudflare plan).

Therefore, you must ensure that the DNS records used specifically for email (like the A record for the mail server and MX records) are set to DNS only (grey cloud) to bypass Cloudflare’s proxy. This allows direct communication with your mail server.

Using the /etc/hosts file to override DNS for specific hostnames can be a solution when you need to direct traffic to specific IP addresses within your local system or network, bypassing external DNS lookups. It can be done as follows:

  1. Edit /etc/hosts: Open the /etc/hosts file on the client machine that you want to connect to your mail server with administrative privileges. You can use a text editor like nano, vim, or gedit in Linux, or Notepad run as an administrator in Windows.

  2. Add Entries: Add entries for your mail server’s hostname with the corresponding IP address. For example:

    1.2.3.4 mail.example.com
    1.2.3.4 smtp.example.com
    1.2.3.4 imap.example.com
    

    * Replace 1.2.3.4 with your mail server’s actual IP address and example.com with your domain.

  3. Save and Test: Save the /etc/hosts file and test the connection to your mail server using the hostnames you added. You can do this by pinging the hostname (ping mail.example.com) or by configuring your mail client to use these hostnames.

I’d like to point out that editing the /etc/hosts file affects only the local resolution on the system where the file is changed and is typically used for troubleshooting, development, or when you have a specific need to control the destination of a hostname without altering DNS records on the DNS servers.

Your iOS users would have to use the IP address to connect to your server directly if Cloudflare DNS stays in proxy mode, although this would always produce an SSL certificate error.

I'd suggest reaching out to Cloudflare support for guidance on either setting up a proxy for mail-related ports or disabling proxying. This step is essential either way for enabling your server to communicate with other mail servers on port 25.

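The two checks this thread ends up needing, whether the hostnames advertised by the autoconfig XML earlier in the topic resolve to the mail server itself or to a Cloudflare anycast address (orange cloud), and whether the mail ports actually open, can be scripted. The following is an added diagnostic written for this page; it is not code from the thread, from Virtualmin or from Cloudflare. It assumes the autoconfig document shape shown above, a snapshot of Cloudflare's published IPv4 ranges that should be refreshed from https://www.cloudflare.com/ips-v4 before use, and the constructed server address 203.0.113.10 as a stand-in for the VPS IP.

```python
"""Check whether the endpoints advertised by an autoconfig XML document resolve
directly to the mail server or to a Cloudflare proxy (added example)."""
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh from that URL before relying on the result; the list changes occasionally.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample modelled on the thread's autoconfig output; the pop3 entry keeps
# its empty <port/> so the parser has to cope with it.
SAMPLE_AUTOCONFIG = """<clientConfig version="1.1">
<emailProvider id="domain.tld">
<domain>domain.tld</domain>
<incomingServer type="imap">
<hostname>mail.domain.tld</hostname><port>993</port>
<socketType>SSL</socketType><authentication>password-cleartext</authentication>
<username>user@domain.tld</username>
</incomingServer>
<incomingServer type="pop3">
<hostname>mail.domain.tld</hostname><port/>
<socketType>SSL</socketType><authentication/>
<username>user@domain.tld</username>
</incomingServer>
<outgoingServer type="smtp">
<hostname>mail.domain.tld</hostname><port>587</port>
<socketType>STARTTLS</socketType><authentication>password-cleartext</authentication>
<username>user@domain.tld</username>
</outgoingServer>
</emailProvider>
</clientConfig>"""


def is_cloudflare(ip: str) -> bool:
    """True if ip lies in one of the snapshot Cloudflare ranges (orange cloud)."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def endpoints_from_autoconfig(xml_text: str):
    """Return (type, hostname, port, socketType) for every server entry that has a port."""
    root = ET.fromstring(xml_text)
    out = []
    for tag in ("incomingServer", "outgoingServer"):
        for srv in root.iter(tag):
            host, port = srv.findtext("hostname"), srv.findtext("port")
            if host and port:  # skip entries such as <port/> that carry no number
                out.append((srv.get("type"), host, int(port), srv.findtext("socketType")))
    return out


def resolve_v4(hostname: str):
    """Default resolver: every IPv4 address the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_autoconfig(xml_text: str, server_ip: str, resolve=resolve_v4):
    """Classify each advertised endpoint: 'ok' when the hostname resolves only to the
    server's own IP, 'proxied' when any answer is a Cloudflare address (mail ports will
    never reach the box), 'mismatch' when it resolves somewhere else entirely."""
    results = []
    for kind, host, port, sock in endpoints_from_autoconfig(xml_text):
        addrs = resolve(host)
        if any(is_cloudflare(a) for a in addrs):
            verdict = "proxied"
        elif addrs and all(a == server_ip for a in addrs):
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append({"type": kind, "host": host, "port": port,
                        "socket": sock, "addrs": addrs, "verdict": verdict})
    return results


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Can the client actually open the TCP port? Mail ports behind an orange-cloud
    record time out here even though the hostname resolves fine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed resolver standing in for a proxied zone; pass resolve_v4 for a live check.
    proxied = lambda host: ["104.16.1.1", "104.16.2.1"]
    for r in check_autoconfig(SAMPLE_AUTOCONFIG, "203.0.113.10", resolve=proxied):
        print(f"{r['type']:5} {r['host']}:{r['port']} ({r['socket']}) -> {r['addrs']} {r['verdict']}")
```

Run against a live zone by calling check_autoconfig with the real autoconfig text, the VPS address and the default resolver, then tcp_reachable on each endpoint: a "proxied" verdict together with a failed connection on 993 or 587 is exactly the symptom described in this thread, and the fix is to set the mail A record to DNS only (grey cloud).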

This was the cause of the error!

Thank you @Ilia, the solution was really that simple! All I had to do was change the proxy status of the A record to "DNS only" mode on Cloudflare.

In addition, to confirm the operation’s success, I now see the login request in the mail.log file.

Sincerely.
