Fresh install of Virtualmin 3.82.gpl GPL - Everything works fine but can't relay outbound mail

I have a fresh install of 3.82.gpl GPL on Centos5. Backed up and restored a few machines from another server (which worked fine, same network, etc).

Everything works, POP3, IMAP, HTTP, etc., but no-one can send outgoing mail from any of the domains. The connections are refused. No ports are blocked, Virtualmin seems to be refusing the connection. Using Outlook Express, logging in to the server using standard auth, the same as inbound.

The server receives mail, no prob but won’t allow clients to connect for outbound.

Help!

Thanks

Howdy,

You may want to verify that saslauthd is running. You can do that by logging into the command line as root, and running this command:

/etc/init.d/saslauthd restart

You may also want to take a look in /var/log/maillog for clues as to what the problem is – it should show any saslauth errors, as well as all connection attempts.

-Eric

maillog has this error(s):

Jan 21 16:46:52 vps07 postfix/master[579]: warning: process /usr/libexec/postfix/smtpd pid 20300 exit status 1
Jan 21 16:46:52 vps07 postfix/master[579]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jan 21 16:47:52 vps07 postfix/smtpd[20306]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

Oh and I did the restart it seems to be ok:

[root@vps07 log]# /etc/init.d/saslauthd restart
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@vps07 log]#

Howdy,

It looks like the relevant error is this:

fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

It’s saying something is awry with your smtpd_recipient_restrictions line in /etc/postfix/main.cf. What does that line look like?

-Eric

It looks like:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated

but I don’t think that’s really the issue. It’s not even letting the client connect. What I don’t get is this was a fresh install from the Virtualmin site and there were no errors.

Shouldn’t it default to allowing mail to be sent by authenticated users on port 25?

The error you showed suggests that Postfix wasn’t able to launch properly. You’ll need to fix the error listed there before things will be working… it could certainly explain why you’re unable to send email.

My recommendation would be to edit /etc/postfix/main.cf, and change this line:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated

To read:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

After that, restart Postfix with “/etc/init.d/postfix restart”, and see if that resolves your issues.

-Eric
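
Added example, not part of the thread: a shell check for the condition the fatal error above describes, using the list of accepted restrictions from that log message. The function names and the sample main.cf are constructed for illustration; tokens are matched whole because names such as reject_unknown_sender_domain merely contain "reject".

```shell
#!/bin/sh
# Added example: does smtpd_recipient_restrictions satisfy Postfix's startup check?

# main_cf_value NAME [FILE]: print NAME's effective value from main.cf text
# (stdin if no FILE). Handles continuation lines; the last definition wins.
main_cf_value() {
    name=$1; shift
    awk -v name="$name" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[ \t]/ { if (cur == name) val = val " " $0; next }   # continuation
        {
            split($0, kv, "="); cur = kv[1]; gsub(/[ \t]/, "", cur)
            if (cur == name) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END { gsub(/[ \t]+/, " ", val); print val }
    ' "$@"
}

# has_relay_guard VALUE: succeed only if VALUE contains, as a whole token, one
# of the restrictions named in the fatal error quoted in this thread.
has_relay_guard() {
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | grep -Eqx \
        'check_relay_domains|reject_unauth_destination|reject|defer|defer_if_permit'
}

# Constructed sample: the value from the thread, split over two lines.
sample_main_cf() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated
EOF
}

val=$(sample_main_cf | main_cf_value smtpd_recipient_restrictions)
if has_relay_guard "$val"; then
    echo "ok: $val"
else
    echo "smtpd will refuse to start: $val"
fi
```

On a live server, `has_relay_guard "$(postconf -h smtpd_recipient_restrictions)"` checks the running configuration instead of a file.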

Hi Eric-

I did as you suggested. The error isn’t showing up in the log now but I still can’t connect. Funny thing is that the connect attempt does not show in maillog. I tried disabling iptables but it didn’t make any difference.

Howdy,

What port is it that your email client is trying to connect on?

Then, on your server, run “netstat -an | grep LISTEN | grep tcp” – is that port one of the ones listening on your server?

And then in the email logs – after restarting Postfix, you don’t see any other errors?

-Eric

Hi:

Result was:
[root@vps07 /]# netstat -an | grep LISTEN | grep tcp
tcp 0 0 74.51.38.170:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:11000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 :::21 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:953 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::993 :::* LISTEN
tcp 0 0 :::995 :::* LISTEN
tcp 0 0 :::110 :::* LISTEN
tcp 0 0 :::143 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN

So I’m guessing 25 isn’t listening? How do I fix that?

One other thought – you had mentioned seeing a connection attempt to port 587.

On CentOS, Postfix/Saslauthd doesn’t listen to port 587 by default, as that requires some additional setup.

If I remember correctly, I believe port 465 does indeed work by default. You may want to try configuring your client to connect on port 465.

Alternatively, if you disable SSL/TLS altogether for outgoing SMTP, it should be able to connect to port 25 without a problem. That should at least get things up and running.

-Eric

Howdy,

This line here is your port 25:

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

So port 25 is indeed listening.

It doesn’t look like port 587 or 465 are listening, however, so you’d need to either setup an SSL certificate in Postfix to get those working – or you could always temporarily set your desktop client to just use port 25 without SSL.

To setup an SSL cert, you’d need to add an SSL cert to one of your Virtual Servers… then go into Server Configuration -> Manage SSL Certs, and click the “Copy to Postfix” button.

-Eric

Sorry, yes I see 25 there. I don’t want SSL, just normal auth.

So why is it rejecting connection attempts?

The log is now giving me:
Jan 21 20:04:33 vps07 postfix/postfix-script: starting the Postfix mail system
Jan 21 20:04:33 vps07 postfix/master[31517]: daemon started -- version 2.3.3, configuration /etc/postfix
Jan 21 20:04:33 vps07 postfix/qmgr[31520]: 888EEF32898: from=rick@duvals.ca, size=1470, nrcpt=1 (queue active)
Jan 21 20:04:33 vps07 postfix/qmgr[31520]: warning: connect to transport smtp: Connection refused

Hrm, it seems like something odd is going on… did you perform this installation yourself? It wasn’t done by your ISP (or some other third party)? And you’re sure no configuration changes were made? :)

It’s just all a bit strange, I’ve never seen those issues arise in a fresh install.

What output do you receive when typing:

postconf -n

Also, what does your /etc/postfix/master.cf file look like?

-Eric

Hi Eric:

I did the install myself and made no changes at all. Just ran your script, backed up my virtual servers from an older virtualmin, restored and that was it.

However, I think I’m on the right track, I got it working for a small time then screwed it up (since I don’t REALLY know what I’m doing). So here goes…

I went to webmin->postfix->server processes looking to find out what ports were enabled in postfix or something to that effect. I found a process called smtp and one called smtps. I looked at the smtp and noticed that in the box “servername/port” it said smtp. I thought that since it said port I’d give it a try by changing it to 25. Restarted postfix with “service postfix restart” and it made no difference. I repeated the above and made the port 587 and bingo! I could send mail.

So, in a somewhat foolish attempt to understand what was going on I edited the process I had labeled 587 and changed it back but accidentally named it smtpS (S capitalized just for exaggeration purposes here) instead of smtp. Restarted and it was broken again, so reopened the processes to put it back to 587 BUT now I have 3 processes all called smtps and they’re all identical when I open them and I’m 99.9% sure that the one I was editing was much shorter in the “Process Command Line” field than these 3 smtps ones are.

So, I’m going to need someone to please tell me what is supposed to be in the “Process Command Line” of the smtp labeled process if I’m to look at this again but it still seems to me that for some reason Postfix wasn’t looking at port 25 or maybe “smtp” wasn’t defined as port 25 for some reason.

To answer your other questions:
[root@vps07 README_FILES]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, vps07.manitres.net
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
[root@vps07 README_FILES]#

And Master CF:

[root@vps07 postfix]# cat master.cf

# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
587 inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# The Cyrus deliver program has changed incompatibly, multiple times.
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
# See the Postfix UUCP_README file for configuration details.
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
# Other external delivery methods.
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

I’m comparing your configs to a clean CentOS install I have here… here’s a few changes I’d recommend making –

In your /etc/postfix/main.cf, I’d suggest commenting out this line:

smtpd_tls_security_level = may

And then add this line:

smtpd_sasl_security_options = noanonymous

Your master.cf file has a few oddities in it, including no “smtp” line. That would definitely cause some problems :)

This is a copy of a clean master.cf file for CentOS:

smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

I’d suggest making backups of your current configs before making any changes. And then once you make the changes, you’d need to restart Postfix.

-Eric
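
Added example, not part of the thread: a shell audit of a master.cf for the differences between the file posted earlier and the clean copy above (no `smtp inet` listener, no `smtp unix` client transport, a service defined twice). The function names are hypothetical and the sample is an abridged, constructed version of the posted file.

```shell
#!/bin/sh
# Added example: audit a Postfix master.cf for the faults seen in this thread.

# audit_master_cf [FILE]: print one finding per line (stdin if no FILE);
# prints nothing when none of the three faults is present.
audit_master_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                   # continuation of the previous entry
        {
            key = $1 " " $2                 # service name + type
            count[key]++
            cmd[key] = $8                   # eighth column: daemon program
        }
        END {
            if (cmd["smtp inet"] != "smtpd")
                print "MISSING smtp inet entry running smtpd (port 25 listener in the clean file)"
            if (cmd["smtp unix"] != "smtp")
                print "MISSING smtp unix entry running smtp (qmgr cannot connect to transport smtp)"
            for (k in count)
                if (count[k] > 1)
                    print "DUPLICATE " k " defined " count[k] " times"
        }
    ' "$@"
}

# Constructed sample: abridged from the master.cf posted in the thread.
sample_broken() {
    cat <<'EOF'
587 inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup fifo n - n 60 1 pickup
qmgr fifo n - n 300 1 qmgr
smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
relay unix - - n - - smtp
  -o fallback_relay=
EOF
}

sample_broken | audit_master_cf
```

Run it against the real file with `audit_master_cf /etc/postfix/master.cf` before restarting Postfix.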

Hi Eric:

I did as you suggested, no difference. Still can’t connect.

I can’t understand why a clean install would have so many problems? Well maybe it’s just one but it sure seems like a lot!

Eric:

I tried what I did before, changed the process that said smtp to 587 and it is working now. Is “smtp” in the process definitions some kind of definition in a table that tells it that smtp should be on port 25 or something like that? Maybe that’s what’s corrupt? The definition?

Howdy,

The issue appears to be that your client is attempting to connect to port 587, when port 587 doesn’t actually listen by default. On a fresh install of CentOS, you have to setup SSL certificates in order to get ports 465 and 587 online. Otherwise, all Outgoing SMTP connections need to be directed at port 25.

I wouldn’t recommend changing “smtp” to 587, as that would just cause a different kind of problem.

My recommendation would be to either have your desktop client not connect to port 587 – you can disable SSL/TLS in your desktop client, and have it instead connect to port 25. Or, you can always follow the instructions I mentioned above for setting up SSL certificates in Postfix. Once you’ve done that, then you can uncomment the “Submission” section of the master.cf, which would properly enable port 587 for your client.

However, if things are actually working for you now, great – perhaps you have a combination of settings there that ended up working for you :)

Have a good weekend!

-Eric