Postfix - Connect, Pregreet, Hangup

Discussion in 'General' started by onastvar, Feb 16, 2016.

  1. onastvar

    onastvar Member

    Hello,
    One of the users got "Error 403 - Forbidden" when trying to reply/send email. This is what is in the mail log. Any idea why this might have happened?

    /var/log/mail.log
    Feb 15 07:24:18 sun postfix/postscreen[13641]: CONNECT from [196.20.68.185]:27349 to [177.178.22.22]:25
    Feb 15 07:24:18 sun postfix/postscreen[13641]: PREGREET 14 after 0.17 from [196.20.68.185]:27349: EHLO ylmf-pc\r\n
    Feb 15 07:24:18 sun postfix/postscreen[13641]: HANGUP after 0.41 from [196.20.68.185]:27349 in tests after SMTP handshake

    Thanks
     
  2. ztk.me

    ztk.me Active Member

  3. Jesse Norell

    Jesse Norell Active Member

    If the client were rejected for the helo hostname, or any other reason, you'd have a 'reject: ....' log message. Those are postscreen logs; from http://www.postfix.org/POSTSCREEN_README.html:

    Code:
    When an SMTP client sends a command before the postscreen_greet_wait time has elapsed, postscreen(8) logs this as:
    
        PREGREET count after time from [address]:port text...
    
    Translation: the client at [address]:port sent count bytes before its turn to speak. This happened time seconds after the postscreen_greet_wait timer was started. The text is what the client sent (truncated to 100 bytes, and with non-printable characters replaced with C-style escapes such as \r for carriage-return and \n for newline).
    
    The postscreen_greet_action parameter specifies the action that is taken next.

    And:

    Code:
    When an SMTP client hangs up unexpectedly, postscreen(8) logs this as:
    
        HANGUP after time from [address]:port in test name
    
    Translation: the SMTP client at [address]:port disconnected unexpectedly, time seconds after the start of the test named test name.

    So in your logs, 196.20.68.185 connected, sent the EHLO command before it was supposed to, then dropped the connection.

    Now "Error 403 - Forbidden" is a webserver error - so your user is replying to an email in webmail (roundcube or squirrelmail) provided by your ispconfig setup? Your webmail shouldn't be hitting postscreen on your mail server, you might simply need to tell it (webmail) to send authenticated on port 587. But a few other questions if that doesn't do it, what is 196.20.68.185, the ip address of your webmail server? Is your mail service on the same machine as webmail or a different machine? And what webmail program is it? If it's tripping up pregreet stuff in postscreen, it's not speaking smtp very intelligently; maybe there's a bugfix/way to improve that, too.
     
    ztk.me likes this.
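
Added example (not part of the original posts, and not Postfix or ISPConfig code): a small Python parser for the postscreen CONNECT, PREGREET and HANGUP formats quoted above, run over the three log lines from the first post. The second client (192.0.2.10) and the function names are constructed for illustration.

```python
import re

# Constructed sample: the three log lines from the first post, plus one
# made-up well-behaved client (192.0.2.10) for contrast.
SAMPLE_LOG = r"""Feb 15 07:24:18 sun postfix/postscreen[13641]: CONNECT from [196.20.68.185]:27349 to [177.178.22.22]:25
Feb 15 07:24:18 sun postfix/postscreen[13641]: PREGREET 14 after 0.17 from [196.20.68.185]:27349: EHLO ylmf-pc\r\n
Feb 15 07:24:18 sun postfix/postscreen[13641]: HANGUP after 0.41 from [196.20.68.185]:27349 in tests after SMTP handshake
Feb 15 07:25:02 sun postfix/postscreen[13641]: CONNECT from [192.0.2.10]:40112 to [177.178.22.22]:25
Feb 15 07:25:08 sun postfix/postscreen[13641]: PASS NEW [192.0.2.10]:40112
"""

CLIENT = r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
PATTERNS = {  # log formats as quoted from POSTSCREEN_README in the post above
    "CONNECT": re.compile(rf"postscreen\[\d+\]: CONNECT from {CLIENT} to "),
    "PREGREET": re.compile(rf"postscreen\[\d+\]: PREGREET (?P<count>\d+) "
                           rf"after (?P<time>[\d.]+) from {CLIENT}: (?P<text>.*)$"),
    "HANGUP": re.compile(rf"postscreen\[\d+\]: HANGUP after (?P<time>[\d.]+) "
                         rf"from {CLIENT} in (?P<test>.*)$"),
}

def parse_sessions(log_text):
    """Group postscreen events by client (ip, port)."""
    sessions = {}
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                fields = m.groupdict()
                key = (fields.pop("ip"), int(fields.pop("port")))
                sessions.setdefault(key, {})[event] = fields
                break
    return sessions

def early_talkers(sessions):
    """Report clients that spoke before the server greeting (PREGREET)."""
    report = []
    for (ip, port), events in sessions.items():
        pre = events.get("PREGREET")
        if pre is None:
            continue
        # Undo the C-style escapes postscreen applies to the logged text.
        sent = pre["text"].encode("ascii", "backslashreplace").decode("unicode_escape")
        report.append({"client": ip, "bytes": int(pre["count"]),
                       "after_s": float(pre["time"]), "sent": sent,
                       "hung_up_in": events.get("HANGUP", {}).get("test")})
    return report

if __name__ == "__main__":
    for row in early_talkers(parse_sessions(SAMPLE_LOG)):
        print(row)
```

Once the escapes are decoded, the logged text is exactly the 14 bytes reported in the PREGREET line, which is a quick way to confirm the entry was not truncated at the 100-byte limit.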
  4. onastvar

    onastvar Member

    Thank you very much, Jesse! The server IP is 177.178.22.22 (I changed the IP number in the log for privacy reasons). I have Roundcube installed as webmail. I use one server for the following services:
    Web-Server: Online
    FTP-Server: Online
    SMTP-Server: Online
    POP3-Server: Online
    IMAP-Server: Online
    DNS-Server: Online
    mySQL-Server: Online


    /etc/postfix/main.cf

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    postscreen_greet_action = enforce
    
    policy-spf_time_limit = 3600s
    
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
    
    strict_rfc821_envelopes = yes
    
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = sun.bluesignals.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = sun.bluesignals.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023
    
    smtpd_data_restrictions = reject_unauth_pipelining
    
    smtpd_delay_reject = yes
    
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
    
     
  5. Jesse Norell

    Jesse Norell Active Member

    What do you have for smtp settings in your roundcube config file (e.g. /opt/roundcube/config/config.inc.php if you followed the ispconfig howto to set it up, or /etc/roundcube/main.inc.php if using a debian package)? Try something like:

    Code:
    $config['smtp_server'] = 'localhost';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
    
    That assumes you have the submission port configured (check in /etc/postfix/master.cf, or run netstat -an | grep :587).
     
  6. onastvar

    onastvar Member

    Submission port 587 is configured
    Code:
    netstat -an | grep :587
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
    tcp6       0      0 :::587                  :::*                    LISTEN

    I don't have any of the SMTP lines you mentioned in my /var/www/webmail/config/config.inc.php

    Code:
    $config['smtp_server'] = 'localhost';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
     
    Last edited: Feb 17, 2016
  7. Jesse Norell

    Jesse Norell Active Member

    So submission port is open, just configure roundcube to use it, and you should be good.
     
  8. onastvar

    onastvar Member

    Thanks again!
     
