#1
30th August 2011, 05:59
Wych
ISPConfig 3 + Squeeze - SSL/TLS 465 SMTP Fail

Hi there.

New install of ISPConfig 3 on Debian Squeeze [previously on Lenny]

Created using: http://www.ispconfig.org/news/tutori...r-ispconfig-3/

Previous server used:

Port: 465
Connection security: SSL/TLS
Authentication method: normal password

If I try to use these settings on this fresh install [complete format with previous backup files stored on a separate drive] I get the following error:

Sending of message failed.
The message could not be sent because connecting to SMTP server mail.myserver.com (changed from real name - error has correct name) failed. The server may be unavailable or is refusing SMTP connections. Please verify that your SMTP server settings are correct and try again, or contact the server administrator.


I can send using:

Port: 25
Connection security: STARTTLS
Authentication method: normal password

No errors appear in mail.log or mail.err

I've compared the master.cf pre/post [original/current]

Differing section appears to be:

Original
Quote:
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Current
Quote:
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

main.cf has a couple of minor differences

Original
Quote:
smtpd_tls_CAfile = /etc/postfix/cert.pem
*This line is missing in the current main.cf

Current
Quote:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
*These lines do not appear in the original main.cf

No firewall rules are set to block ports.

Hopefully I've provided enough detail.

Last edited by Wych; 30th August 2011 at 06:01.
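
The master.cf comparison in the post above can be checked mechanically. The following is an added example, not part of the original post or of ISPConfig: it applies Postfix's master.cf line rules (comment lines ignored, lines starting with whitespace continue the previous entry) to list which inet listeners are enabled and in which TLS mode. The function names, the two sample files (constructed from the quoted excerpts) and the hard-coded port numbers are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the inet listeners a Postfix master.cf really enables.
# Sample files are constructed from the excerpts quoted in the post above.

original_master_cf() { cat <<'EOF'
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF
}

current_master_cf() { cat <<'EOF'
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
EOF
}

# Reads master.cf on stdin, prints "service port tls-mode" per enabled entry.
# Port numbers are the usual assignments, hard-coded here as an assumption.
list_inet_listeners() {
  awk '
    BEGIN { port["smtp"] = 25; port["submission"] = 587; port["smtps"] = 465 }
    function emit(   p, mode) {
      if (svc == "") return
      p = svc; sub(/^.*:/, "", p)            # strip an optional "host:" prefix
      if (p in port) p = port[p]
      mode = "main.cf-defaults"
      if (opts ~ /smtpd_tls_wrappermode=yes/) mode = "implicit-tls"
      else if (opts ~ /smtpd_tls_security_level=encrypt/) mode = "starttls-required"
      print svc, p, mode
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank: ignored
    /^[ \t]/ { opts = opts " " $0; next }    # leading blank: continuation line
    { emit(); svc = ($2 == "inet") ? $1 : ""; opts = "" }
    END { emit() }
  '
}

echo "original:"; original_master_cf | list_inet_listeners
echo "current:";  current_master_cf  | list_inet_listeners
```

Against a live system, run `list_inet_listeners < /etc/postfix/master.cf`; a mail client set to SSL/TLS on port 465 can only connect if the output contains an `smtps` entry marked `implicit-tls`.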

#2
30th August 2011, 06:28
CSsab

The output of postconf -a should be:
cyrus
dovecot

Here is a working main.cf (uncommented only) from a fairly new squeeze setup for you to compare with:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.example.tld, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0


You can compare and check that /etc/mailname contains your proper mail name.
Also check that ports are open in your router.

#3
30th August 2011, 07:23
Wych

Quote:
Originally Posted by CSsab
The output of postconf -a should be:
cyrus
dovecot

Confirmed

Quote:
Originally Posted by CSsab
Here is a working main.cf (uncommented only) from a fairly new squeeze setup for you to compare with:

Only difference is the last 3 lines on my main.cf

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =


*These 3 lines also appeared in my previous main.cf

Quote:
Originally Posted by CSsab
You can compare and check that /etc/mailname contains your proper mail name.
Also check that ports are open in your router.

/etc/mailname confirmed

Same external setup [router, cable etc] as per previous server which worked.

#4
30th August 2011, 07:50
CSsab

Comment them out (you can always uncomment them later if you want to):

#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_security_options =

Then reload and restart postfix.
/etc/init.d/postfix reload
/etc/init.d/postfix restart
/etc/init.d/dovecot restart

Also check out your smtp dialogue at mxtoolbox.com

After that the next thing you can look at is your dovecot configuration in /etc/dovecot/dovecot.conf

Last edited by CSsab; 30th August 2011 at 07:53.

#5
30th August 2011, 08:38
Wych

Commented out the 3 lines - done

/etc/init.d/postfix reload - done
/etc/init.d/postfix restart - done
/etc/init.d/dovecot restart - done

Change SMTP settings to SSL/TLS 465 - done
Test email to external adr - fail [as per previous error]

Change SMTP settings back to STARTTLS 25 - done
Test email to external adr - bounce back fail from relay outbound.mailhop.org [required to use this due to blacklisting issues]

Uncomment lines, reload/restart - done.

Returned to usable state.

MXtoolbox results:

220 *correct server name* ESMTP Postfix (Debian/GNU)
  • OK - correct IP resolves to correct IP at ISP
  • Warning - Reverse DNS does not match SMTP Banner
  • 0 seconds - Good on Connection time
  • Not an open relay.
  • 1.513 seconds - Good on Transaction time

6 open ports:
25 smtp Success 218 ms
80 http Success 218 ms
110 pop3 Success 218 ms
143 imap Success 218 ms
443 https Success 218 ms
8080 webcache Success 218 ms


These ports were closed:
21 ftp Timeout 0 ms
22 ssh Timeout 0 ms
23 telnet Timeout 0 ms
53 dns Timeout 0 ms
139 netbios Timeout 0 ms
389 ldap Timeout 0 ms
587 msa-outlook Timeout 0 ms
1352 lotus notes Timeout 0 ms
1433 sql server Timeout 0 ms
3306 my sql Timeout 0 ms
3389 remote desktop Thread was being aborted. 0 ms

I notice that it doesn't check 465 or any other mail ports like 993.

#6
30th August 2011, 09:31
CSsab

For mail you only need:

Mail Server (POP3) 110
Mail Server (SMTP) 25


#7
30th August 2011, 09:39
Wych

Confirmed those 3 lines are required to relay through DynDNS

https://www.dyndns.com/support/kb/ma...d.html#postfix

Plus this line which was in my original main.cf

smtp_tls_CAfile = /etc/postfix/cert.pem

testing now

#8
30th August 2011, 10:45
Wych

DENIED!

I'm beginning to think I can live with STARTTLS 25 & relaying through mailhop.

#9
30th August 2011, 11:34
CSsab

1. In a normal setup you don't have a /etc/postfix/cert.pem

2. Those dyndns lines are "optional" and perhaps you should look at your DNS setup first.

Do you have a dynamic IP?

#10
30th August 2011, 12:12
Wych

Yes my IP is dynamic - which is why I've used DynDNS for as long as I can remember in conjunction with mail & web services.

DNS is fine - website works, webmail works.

The only reason I'm using the DynDNS lines is they were in my previous operating Lenny setup.

Is there a reason why the cert wasn't included in this version of ISPConfig?

I was running without the extra lines but still using the relay without problem - I had hoped adding them would fix the 465 access issue.

The differences in the master.cf above aren't the problem?

All times are GMT +2.