SSL for Postfix / Dovecot

Hi,
I set up a new server some time ago and was now moving some virtual servers to it. Certs are being made via letsencrypt, which is working very well now, and I also pointed Dovecot and Postfix to the certs from letsencrypt.

Now it looks like I can connect to Dovecot via SSL, but not to Postfix (for SMTP). Postfix will only allow connections on port 25. I am pretty sure that I am overlooking something important, but I cannot get it. My Postfix main.cf is as follows:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

readme_directory = no

# TLS parameters

smtpd_tls_cert_file = /etc/letsencrypt/live/server.example.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.example.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatroy_ciphers = high

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server.example.com, localhost.example.com, , localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
allow_percent_hack = no
smtp_use_tls = yes

Any help truly appreciated. It also looks like the emails can be sent to another server of mine but not to other mail servers. Very strange.

Best
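
An added example, not part of any post in this thread: a small Python lint for the TLS lines of the main.cf posted above. It flags TLS parameter names that are missing from a partial, hand-written list of real Postfix names (an assumption of this example; `postconf` is the authority on a live system) and legacy protocol names listed without `!` in `smtpd_tls_mandatory_protocols`. The function names `parse_main_cf` and `lint_tls` are hypothetical.

```python
import difflib

# Partial list of real Postfix TLS parameter names (assumption: enough for this
# thread's main.cf); on a live host `postconf` is the authority.
KNOWN_TLS = {
    "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_use_tls",
    "smtpd_tls_security_level", "smtpd_tls_session_cache_database",
    "smtpd_tls_mandatory_protocols", "smtpd_tls_mandatory_ciphers",
    "smtp_use_tls", "smtp_tls_security_level", "smtp_tls_session_cache_database",
}
LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}

# TLS-related lines copied from the main.cf posted in this thread.
SAMPLE = """\
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/server.example.com/cert.pem
smtpd_use_tls = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatroy_ciphers = high
"""

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            params[last] = value
    return params

def lint_tls(params):
    findings = []
    for name, value in params.items():
        if "tls" in name and name not in KNOWN_TLS:
            guess = difflib.get_close_matches(name, KNOWN_TLS, n=1, cutoff=0.9)
            hint = f", did you mean {guess[0]}?" if guess else ""
            findings.append((name, "not a known TLS parameter" + hint))
        elif name.endswith("_tls_mandatory_protocols"):
            old = [p for p in value.replace(",", " ").split() if p.lower() in LEGACY]
            if old:
                findings.append((name, "legacy protocols listed without '!': " + ", ".join(old)))
    return findings

if __name__ == "__main__":
    for name, message in lint_tls(parse_main_cf(SAMPLE)):
        print(f"{name}: {message}")
```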

Howdy,

Do you receive an error when trying to connect to port 465 or 587?

Also, what is the output of these commands:

netstat -an | grep :465
netstat -an | grep 587
root@server ~ # netstat -an | grep 587
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp6 0 0 :::587 :::* LISTEN
root@server ~ # netstat -an | grep 465
unix 2 [ ] DGRAM 15465

And here a part from the logfile:

Aug 11 11:53:36 server postfix/smtpd[13296]: connect from x4db438c7.example.com[196.196.196.199]
Aug 11 11:53:43 server postfix/smtpd[13296]: 4151E581B75: client=x4db438c7.example.com[196.196.196…199], sasl_method=PLAIN, sasl_username=info.example
Aug 11 11:53:43 server postfix/cleanup[13299]: 4151E581B75: message-id=57AC4C37.8000501@example.com
Aug 11 11:53:43 serve2 postfix/smtpd[13296]: disconnect from x4db438c7.example.com [196.196.196.199]

This user seems to be able to send emails to a different server; another can't, which I will investigate further, but I am wondering, since it says sasl_method PLAIN.

Hmmm.
Thanks