MX records, Thunderbird, Postfix, Dovecot

Hi everyone!

I am trying to get my mail server set up … but I cannot send or receive e-mails. Also, please note that I haven’t yet got an SSL certificate for the subdomain mail.mydomain.tlp.

Here is what I have done thus far …


  • a) opened ports 25, 143, 587 and 993
  • a) created an MX record on my registrar pointing to mydomain.tlp
  • a) created a Mail user

  • a1) logged into Thunderbird - bypassed the warning

  • a2) VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes
  • a2) logged into Thunderbird - bypassed the warning - deleted the “mail” subdomain so IMAP points to “mydomain.tlp”

  • a3) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
  • a3) VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes
  • a3) logged into Thunderbird - bypassed the warning - deleted the “mail” subdomain so IMAP points to “mydomain.tlp”

  • a4) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
  • a4) log into Thunderbird

Path a1 defaults to port 143 for IMAP and no idea what port it uses for SMTP, but it issues a warning.

Path a2 defaults to port 993 for IMAP and 587 for SMTP, but it issues a warning that there is no encryption.

Path a4 is what gives me the best feeling thus far, but mail is not being sent or received …


Troubleshooting

host -t mx mydomain.tlp

points to mail.mydomain.tlp


host mail.mydomain.tlp

EDIT: points to my IP address


whois mydomain.tlp

shows my name servers (glue records?) are my registrar’s

Any ideas on how to proceed? I am quite lost.

Thanks in advance :peace_symbol:

mail.mydomain.tlp must point to the IP address of the box on which you have installed virtualmin, for incoming email to land on your server.

How are you testing for delivery of outgoing email? This is trickier to configure than incoming email because there are anti-spam systems which will block your email even if your server sends it out successfully. Don’t test for outgoing email by sending test messages to gmail, for example.

Also you could leave Thunderbird out and simplify testing by using the built-in webmail client, Usermin. That’s virtualmin.hostname:20000

You could do this later: set up a virtual server virtualmin.hostname, in enabled features be sure to leave out Email for domain, and then use the buttons under Let’s Encrypt tab to copy SSL certificates to Postfix and Dovecot of this virtual server.

But first, let’s get incoming email to land on your server. Point mail.mydomain.tlp at the IP address of the Virtualmin box.

I don’t know what gives but this morning I woke up and mail.mydomain.tlp is pointing to my IP address … but mail isn’t yet working.

DNS propagation works in mysterious ways and patience is a virtue.


I don’t fully understand what you mean or what the purpose of doing this would be.


I just tried copying the SSL Certificates to Postfix and Dovecot, and so the warning for Thunderbird did not pop up if VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > No … but it persisted when VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes

I have also tried adding the SPF and DKIM TXT records for my domain at my registrar … but my email still isn’t working.

I am also unable to edit the original post anymore so here is an update:



I am trying to get my mail server set up … but I cannot send or receive e-mails. Also, please note that I haven’t yet got an SSL certificate for the subdomain mail.mydomain.tlp.

Thus far … I have tried 6 different unsuccessful configurations:


a) opened ports 25, 143, 587 and 993
a) created an MX record on my registrar pointing to mydomain.tlp
a) created a Mail user

a1) logged into Thunderbird - bypassed the warning

a2) VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes
a2) logged into Thunderbird - bypassed the warning - deleted the “mail” subdomain so IMAP points to “mydomain.tlp”

a3) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
a3) VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes
a3) logged into Thunderbird - bypassed the warning - deleted the “mail” subdomain so IMAP points to “mydomain.tlp”

a4) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
a4) log into Thunderbird

a5) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
a5) VMin > Email Settings > Mail Cli. Config > Cli. Autoconf. > Yes
a5) copied SPF and DKIM TXT records for my domain at my registrar and waited for 24 hours
a5) logged into Thunderbird - bypassed the warning - deleted the “mail” subdomain so IMAP points to “mydomain.tlp”

a6) copy LE SSL certificates for mydomain.tlp and www.mydomain.tlp to Postfix and Dovecot
a6) copied SPF and DKIM TXT records for my domain at my registrar and waited for 24 hours
a6) log into Thunderbird

Path a1 defaults to port 143 for IMAP and no idea what port it uses for SMTP, but it issues a warning.

Path a2 defaults to port 993 for IMAP and 587 for SMTP, but it issues a warning that there is no encryption.

Path a4 is what gives me the best feeling thus far, but mail is not being sent or received …

Troubleshooting

host -t mx mydomain.tlp

points to mail.mydomain.tlp

host mail.mydomain.tlp

points to my IP address

whois mydomain.tlp

shows my name servers (glue records?) are my registrar’s

Any ideas on how to proceed? I am so lost.

The reason he states this is that you are trying to do too much at once, thus you won’t be able to find where your problem lies. You need to determine if your email server is even working properly before you try to set up Thunderbird. You need to login to usermin and send and receive email from there. If you can’t do it from usermin, then you’ll never get it to work with TB. Once you get it working on your server then you start to troubleshoot TB. Any changes in your DNS records can take time to propagate, so this adds another layer of “is it not working or have I not waited long enough?”

I have given DNS a minimum of 24 hours every time I have made a change to it ever since I realized my mistake. Things are not working …

But I have bought a new computer and I am going to try to set up things with my own authoritative servers instead of my DNS from next week on … I figured things might be much easier that way. We’ll see :laughing:

centaro,
Can I advise the following… I have spent hundreds of hours learning my way through this over the years and it’s the best way I have found.

To start with you will have yourdomain.com and server1.yourdomain.com where (you can substitute the names to suit your actual domain and hostname…however to begin with, best to keep “yourdomain.com” the same for both)

  1. Do not use your server1.yourdomain.com as a nameserver for DNS. You should use your domain registrar’s free DNS (if they offer it; if they do not, move your domain to one who does). The reason for this is twofold:
  • a. simplify the testing process and avoid any confusion because you are also trying to get your VPS working and it’s hard to know where the problem lies when you complicate things
  • b. your registrar’s DNS will be far more powerful and resistant to issues because they have a very large network of servers controlling DNS… you have just 1!
  2. All that is needed at your domain registrar for your server DNS resolution is the following record

    server1.yourdomain.com A record 12.34.56.78 (server public IP address)

  3. For your primary domain on the above server, at your registrar, use the following DNS records

    yourdomain.com A record 12.34.56.78
    _dmarc.yourdomain.com TXT record v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; fo=1
    yourdomain.com TXT record v=spf1 a mx a:yourdomain.com ip4:12.34.56.78 a:server1.yourdomain.com ~all
    yourdomain.com MX record server1.yourdomain.com

  4. Once the above are all resolving correctly, in Virtualmin > Virtual Server “yourdomain.com”, go to Server Configuration > SSL and obtain a Let’s Encrypt SSL certificate for yourdomain.com. Copy that certificate to Webmin, Postfix, Dovecot, FTP etc.

To ensure your _dmarc and spf records are written correctly use an online generator for those (google “mxtoolbox spf generator” or “mxtoolbox dmarc generator” for examples)

Anyway, once you have the above DNS records at your registrar… use mxtoolbox to check for DNS resolution and also for checking the SMTP server, MX records, SPF records, reverse PTR, and DMARC.

Personally, I don’t think you should be trying to use “mail.yourdomain.com”. This only works properly if you name your VPS hostname = mail.yourdomain.com. If you have called your VPS hostname server1.yourdomain.com, then attempting to use a different subdomain is not only ridiculous, it creates additional lookups for DNS to figure out what the actual name of the system is. This also means you need to add an additional DNS record resolving mail.yourdomain.com to server1.yourdomain.com that is essentially redundant (and actually not even needed). The only reason we use mail.domain.com is because automated scripts for email client apps on mobile phones and desktop PCs go looking for it. You can easily manually configure these apps to use your server name instead and it works perfectly fine.

btw, you do have a reverse PTR, don’t you? (this normally needs to be done via your VPS service provider)

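An added example, not code from the thread: an offline lint for the SPF and DMARC TXT records discussed above, so a typo can be caught before waiting 24 hours for DNS. It flags the problems this thread trips over (a `v=DMARC` tag without the `1`, commas used as DMARC separators, an SPF record with no terminating `all` mechanism). The records and the placeholders yourdomain.com / 12.34.56.78 are the thread's own, reproduced here as constructed sample input.

```python
import re

def lint_dmarc(txt):
    """Return a list of problems with a DMARC TXT record ([] means it looks ok)."""
    problems = []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with 'v=DMARC1'")
    tags = {}
    for p in parts:
        if "," in p.split("=", 1)[0] or re.search(r",\s*\w+=", p):
            problems.append(f"',' is not a DMARC tag separator, use ';': {p!r}")
        if "=" not in p:
            problems.append(f"malformed tag {p!r}")
            continue
        k, v = p.split("=", 1)
        tags[k.strip()] = v.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for t in ("rua", "ruf"):  # report URIs are comma-separated mailto: addresses
        if t in tags and not all(u.strip().startswith("mailto:") for u in tags[t].split(",")):
            problems.append(f"{t}= URIs must be mailto: addresses")
    return problems

def _mech_name(term):
    """'-all' -> 'all', 'ip4:1.2.3.4' -> 'ip4', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), 1)[0]

KNOWN = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr", "redirect", "exp"}
LOOKUP = {"a", "mx", "include", "exists", "ptr", "redirect"}  # terms that cost a DNS query

def lint_spf(txt):
    """Return a list of problems with an SPF TXT record ([] means it looks ok)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    problems = []
    names = [_mech_name(t) for t in terms[1:]]
    for t, n in zip(terms[1:], names):
        if n not in KNOWN:
            problems.append(f"unknown term {t!r}")
        if n == "ptr":
            problems.append("'ptr' is deprecated (RFC 7208); use a/mx/ip4 instead")
    if "all" not in names and "redirect" not in names:
        problems.append("no terminating 'all' mechanism: unmatched senders get a neutral result")
    elif "all" in names and names.index("all") != len(names) - 1:
        problems.append("terms after 'all' are never evaluated")
    if sum(n in LOOKUP for n in names) > 10:
        problems.append("more than 10 DNS-querying terms (RFC 7208 limit)")
    return problems

# Constructed sample records, as posted in the thread and as they should read.
SAMPLES = {
    "dmarc as posted": ("dmarc", "v=DMARC; p=none, rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; fo=1"),
    "dmarc corrected": ("dmarc", "v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; fo=1"),
    "spf as posted":   ("spf", "v=spf1 a mx a:yourdomain.com ip4:12.34.56.78 a:server1.yourdomain.com"),
    "spf corrected":   ("spf", "v=spf1 a mx a:yourdomain.com ip4:12.34.56.78 a:server1.yourdomain.com ~all"),
}

if __name__ == "__main__":
    for label, (kind, rec) in SAMPLES.items():
        found = lint_dmarc(rec) if kind == "dmarc" else lint_spf(rec)
        print(f"{label}: {found or 'ok'}")
```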

as people already suggested, there are lots of online tools to test mail setup. (intodns.com, mxtoolbox, ssl-tools, etc)
never had an issue, even with virtualmin defaults, without messing around much.

after setting up virtualmin correctly, login to usermin and test mail delivery to/from.
then copy your ssl certificate from virtualmin to postfix/dovecot, and re-test from usermin.

if all that is working ok, then test thunderbird…

Have you copied an old Postfix config from another machine? What’s your OS and version, and what versions of Postfix and Dovecot?

  1. can you telnet on port 25 to your server and see an ESMTP Postfix welcome banner?

  2. Post the output of postconf -n (with sensitive info redacted if you feel necessary)

  3. post output of Webmin > Networking > FirewallD (or Linux Firewall) and iptables -nvL INPUT --line & iptables -nvL OUTPUT --line

  4. Turn up Postfix and Dovecot logging:

Dovecot
In /etc/dovecot/conf.d/10-logging.conf

log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
debug_log_path = /var/log/dovecot-debug.log
mail_debug = yes
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
verbose_ssl = yes

In /etc/postfix/main.cf

smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2

Optionally make the smtp daemon verbose, in master.cf change the first smtp line to have smtpd -v plus any other existing arguments. This causes a lot of log noise though.

Watch /var/log/maillog and /var/log/dovecot-info.log as you connect, send and receive emails…

tail -fn 50 /var/log/maillog /var/log/dovecot-info.log

What do you see?
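An added example, not code from the post above: a small probe that does what the telnet-to-port-25 check does, reads the greeting, sends EHLO and reports whether the listener is ESMTP and advertises STARTTLS and AUTH. Run it once from the LAN and once from a host on the Internet; an ISP filtering inbound 25 shows up as a connection error rather than a banner. A constructed stand-in for a Postfix smtpd (hostname mail.example.test is made up) is included so the probe can be exercised offline.

```python
import socket
import threading

def _read_reply(f):
    """Read one possibly multi-line SMTP reply; return (code, [text of each line])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed before reply completed")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
            return int(line[:3]), lines

def probe_smtp(host, port=25, helo_name="probe.example.test", timeout=10):
    """Connect, read the banner, send EHLO and report what the server offers."""
    result = {"banner": None, "esmtp": False, "starttls": False, "auth": []}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, lines = _read_reply(f)
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}: {lines}")
        result["banner"] = lines[0]
        result["esmtp"] = "ESMTP" in lines[0]
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        code, lines = _read_reply(f)
        if code == 250:
            for cap in lines[1:]:            # first line is the server's own name
                words = cap.split()
                if words and words[0].upper() == "STARTTLS":
                    result["starttls"] = True
                elif words and words[0].upper() == "AUTH":
                    result["auth"] = words[1:]
        s.sendall(b"QUIT\r\n")
    return result

def start_fake_server(starttls=True):
    """Constructed stand-in for a Postfix smtpd on an ephemeral port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP Postfix\r\n")
        f = conn.makefile("rb")
        while True:
            cmd = f.readline()
            if not cmd or cmd.upper().startswith(b"QUIT"):
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            caps = [b"250-mail.example.test", b"250-SIZE 10240000"]
            if starttls:
                caps.append(b"250-STARTTLS")
            caps.append(b"250 AUTH PLAIN LOGIN")
            conn.sendall(b"\r\n".join(caps) + b"\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Against a real server: probe_smtp("server1.yourdomain.com", 25)
    print(probe_smtp("127.0.0.1", start_fake_server()))
```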

Hi @adamjedgar

I am now testing your set-up, and I have some questions.

I am hosting at home and using VM’s, but I assume we are talking about the name you give the machine when running

mysql_secure_installation

and it doesn’t matter that I am hosting at home, is that correct?

Also,

I am hosting at home, so I am going to have to look at that.

This I would have to do as a subdomain record at my registrar … I am trying to look for an alternative, but I don’t see any options hinting to “server dns resolution”.

This is how I have set it up:


but MXToolBox suggests putting the ip4 at the end.

I will give the set-up 24 hours and test it.

No idea. I am hosting at home.

And hello @chriswoods

No, I am now working on fresh installations of CentOS 7 that are up to date with Postfix v2.10.1 and Dovecot v2.2

Yes, I can

I will edit this message later with more info this evening.

When testing telnet to your IP:25, are you testing on the LAN or from another device on the internet? If your provider is filtering inbound port 25 you’ll have problems.

Unless you have a static IP and you have an ISP who is able to set up a PTR record, I would advise against hosting on a home connection. Many mail providers now 100% block dynamic PTRs, broadband connections or non-static IPs from relaying directly to their servers.

Even then, you will have deliverability problems due to having ‘bad’ neighbours in your IP range. I would be tempted to buy a small VPS with a good host and use that for outbound relaying; set up your home server’s Postfix to route via that other server as a smarthost. Added advantage is that you can apply iptables rules to firewall off the Postfix server in addition to configuring it to not be an open relay.

If you do that, don’t be tempted by DigitalOcean or OVH or anyone cheap like that, their networks are known for being very spammy systems.

I was testing from LAN … I just tested online and the connection is denied. So, I should contact my ISP or is it my registrar I should contact?

Why are they blocking this service? :thinking:

Anyway, is port 25 required or can we just set the mail server up so that it runs on port 587 and SMTPS by default?

It sounds tricky though, because I know for instance that HTTPS (443) won’t work if you disable HTTP (80) … so … my hopes aren’t too high right now.

Anyway, here is the output of postconf -n … and I think I have redacted all sensitive information, please tell me if I have not.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, server1.XXXXX.tlp
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

this is what I see at FirewallD

These are the outputs of iptables -nvL INPUT --line and OUTPUT

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5687 1709K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 187 12937 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 127 19942 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 119 19462 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 119 19462 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 113 19118 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 9565 packets, 821K bytes)
num pkts bytes target prot opt in out source destination
1 3625 746K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 9565 821K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

maybe it is not that ISPs block port 25, but something else? And what do you mean by turn up? :turnip emoji not available:

I will have a look at the rest of your message during the weekend, I am too tired. But thanks for the help guys. I am learning a lot and some people might find this useful in the future :peace_symbol:

Looks like your server should be able to send/receive fine – so unfortunately, your port 25 may be being filtered.

TCP 25 is one of the most abused across the Internet. And it’s also required to send and receive emails. Using SMTPS only will not help (see this to understand why - it’s just a TLS upgrade to an initial unencrypted connection).

If it is port 25 being filtered by your ISP, and it’s not a local firewall / port forward / vSwitch misconfiguration, there’s not much you can do.

Frankly, if you don’t have a static IP and your ISP won’t set a custom PTR record for you (to match your DNS record), there’s little point hosting a mailserver on your home connection. A common check nowadays is for receiving mailservers to compare the PTR record and the server’s declared FQDN, and quarantine/score as spam/outright reject the email if they do not match. Other RBL checks will flag any connection which is from a dynamic or ISP IP range.

That’s why you may wish to sign up to something like Dynu’s store-and-forward (aka hold-and-forward) service. Disclaimer: I’ve never used Dynu and I’m not personally recommending, but that sort of thing is what you’ll need to do in order to run your mailserver over an ISP connection which filters SMTP. I have some personal accounts on Dreamhost, who use MailChannels for all of their customers’ hosted email accounts, and it’s good - but expensive.

Alternative solutions like Dynu, Postini, Mailroute, MailChannels, G Suite, Mimecast, SpamTitan, will help you but they all have a further cost.

Helpfully, if you do use a third party mail filtering service, there is easy integrated configuration for a few providers within Virtualmin > yourserver.tld > Server Configuration > Email Settings > Cloud mail filtering provider settings.


Alternatively, you could run a ‘first-hop’ Postfix server on the public internet somewhere, just to relay all incoming and outgoing emails through (Postfix smarthost style). Virtualmin can support this: https://www.virtualmin.com/documentation/email/hold-and-forward but the first server will need Virtualmin Pro (or you DIY configure your own server). That page is quite a good read as it discusses changes required to secure the Postfix server.

That increases hackers’ attack surface to your systems and requires you to supervise your public Postfix server and make sure it’s secure, is not inadvertently working as an open relay, etc. You may figure that the extra cost isn’t worth it when you can pay someone else to route your email.

If you can get your ISP to unblock TCP 25 (inbound and outbound) AND can set a custom PTR record for your static IP, there’s still hope, but don’t forget the deliverability issues you will also have. :slight_smile:

It can be an infuriating struggle to self-host email these days. I’ve been fighting with some large providers for years to stop them auto-blocking some servers’ IPs simply because their IP ‘reputation’ is classed as undetermined - mostly because they don’t send large volumes of email. The irony!

My suggestion is that you go to vultr and get a VPS from them… they are free to set up an account with and only charge by the hour for VPSs. They are as cheap as. You can run a 2GB RAM VPS for a whole day for hardly anything.
If you are just testing, it would cost like $2 or $3 for like a whole day for a pretty decent system from them. If you went the cheapest option, you can run a server for a week for the above amount.

Whilst you can absolutely run Virtualmin on the $5/month VPS, my suggestion would be that if running a control panel, don’t choose the $5/month server… go for the next one up. It runs Virtualmin GPL brilliantly (see one in image below that I have highlighted in red box).

vultr only charge as you go… the cost of a cheap cup of coffee will run this server for a week!

the vultr interface is really easy to use and inputting a reverse PTR is unbelievably simple and happens immediately.

about port 25, enforce tls in main.cf and be over with it… it will only use 587 and/or 465.
another “hack” is to change port number 25->587 in /etc/services (for debian based distros).

and an off-topic thing (sorry for that), but vultr is on my top 10 spammers list, and usually blocked from any machine I manage…
sent some abuse reports last year, never got any replies … meaning they can’t handle all that spam/malicious activity, and just allow it…

:broken_heart: I am giving it up for now. There is no way on Earth my landlords are giving me access to their ISP’s account … I will try again when I move to a new apartment in the distant future. Thanks for the support guys. It has been interesting =)

Agreed on Vultr. All the low-end VPS providers are generally blocked or regarded with high suspicion by mailserver operators. OVH, Vultr, Bluehost, Digital Ocean, etc. All are bad choices for hosting an email server.

Concerning port 25, sending servers expect that to be open. If he can’t accept on 25, his mailserver’s going to be pretty idle…

I would personally consider a Postini/Mailroute/Dynu/G Suite setup - have your local server ultimately hold your email, but route everything through an external service. Advantage is that those options already offer antispam and virus scanning included plus RBL checking, so it’s less work for your server to do. As long as you can get mail traffic flowing between your local server and the third party service on a port other than 25, you’re sorted.

For the cost of a few dollars it gives you a great deal of flexibility regarding where you host your email too, and protects against any power or network outages at your place.

Or, you can always subscribe to a VPN service which offers a dedicated static IP (I use Torguard and NordVPN and both offer this; loads of other providers offer this like PIA, Windscribe, the list is long). Make sure your server is always connected to the VPN from boot and you’re sorted.

However you still won’t be able to set a PTR record - really important these days for correct email delivery - and you will possibly have deliverability problems from your IP being in a ‘dirty’ range.

The only practical solutions nowadays for mail delivery are to either

  • Run a VDS/VPS on a reputable provider, pay for the privilege of not being on the same network as spammers, and try to deal with the occasional deliverability problems to major operators
  • Use third-party email hosting services as the ‘frontend’ for your mail server operation, and connect your local Postfix server to that for the actual sending/receiving.

Regrettably self-hosting email is increasingly difficult, largely due to spammers becoming more sophisticated and the sheer volume of traffic mail systems have to deal with from senders with ‘poor’ reputation.

Unfortunately that biases deliverability towards the huge operators, net result being that they trust small operators less and less - because the volume of email from small providers is low (obviously!), IP reputation is unknown, etc.

It is still possible, I look after self-hosted email for a few small businesses, and loads of people self host their own email. Doing it without any additional costs is what’s becoming almost impossible.

I hate that the port 25 block has made you give up on Virtualmin. If you want a free smarthost (for testing or low volume use) I would be happy to offer you one. We could set up our Virtualmin boxes such that yours could relay email via mine. Let me know @Centaro or anyone else who wants this.