Solved: cannot receive mail: SSL_accept error from

Discussion in 'Installation/Configuration' started by leonardo.saracini, Oct 3, 2016.

  1. leonardo.saracini

    leonardo.saracini New Member

    Hello, I have installed ISPConfig 3.1 on an Ubuntu 15.10 64bit server (VPS).
    If I try to send mail to myself from a Google account, Google sends me this error:
    "Technical details of temporary failure: The recipient server did not accept our requests to connect"
    "unable to read banner"
    I can check for mail on the server.
    So I think my DNS settings and almost all of my ISPConfig mail settings are right.

    Can anybody help please?
    my netstat -tulpn:
    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
    tcp  0  0 0.0.0.0:993  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:995  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 127.0.0.1:10024  0.0.0.0:*  LISTEN  28914/amavisd-new (
    tcp  0  0 127.0.0.1:10025  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 127.0.0.1:10026  0.0.0.0:*  LISTEN  28914/amavisd-new (
    tcp  0  0 127.0.0.1:10027  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 0.0.0.0:587  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 127.0.0.1:11211  0.0.0.0:*  LISTEN  18514/memcached
    tcp  0  0 0.0.0.0:110  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:143  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:21  0.0.0.0:*  LISTEN  29909/pure-ftpd (SE
    tcp  0  0 80.241.208.16:53  0.0.0.0:*  LISTEN  15578/named 
    tcp  0  0 127.0.0.1:53  0.0.0.0:*  LISTEN  15578/named 
    tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  652/sshd 
    tcp  0  0 0.0.0.0:25  0.0.0.0:*  LISTEN  3790/smtpd 
    tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  15578/named 
    tcp6  0  0 :::443  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::993  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::995  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::3306  :::*  LISTEN  12836/mysqld 
    tcp6  0  0 :::587  :::*  LISTEN  22082/master 
    tcp6  0  0 :::110  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::143  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::8080  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::80  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::8081  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::21  :::*  LISTEN  29909/pure-ftpd (SE
    tcp6  0  0 :::53  :::*  LISTEN  15578/named 
    tcp6  0  0 :::22  :::*  LISTEN  652/sshd 
    tcp6  0  0 :::25  :::*  LISTEN  3790/smtpd 
    tcp6  0  0 ::1:953  :::*  LISTEN  15578/named 
    udp  0  0 127.0.0.1:11211  0.0.0.0:*  18514/memcached
    udp  0  0 80.241.208.16:53  0.0.0.0:*  15578/named 
    udp  0  0 127.0.0.1:53  0.0.0.0:*  15578/named 
    udp  0  0 80.241.208.16:123  0.0.0.0:*  24415/ntpd 
    udp  0  0 127.0.0.1:123  0.0.0.0:*  24415/ntpd 
    udp  0  0 0.0.0.0:123  0.0.0.0:*  24415/ntpd 
    udp6  0  0 :::53  :::*  15578/named 
    udp6  0  0 fe80::250:56ff:fe3c:123 :::*  24415/ntpd 
    udp6  0  0 2a02:c205:2008:5519:123 :::*  24415/ntpd 
    udp6  0  0 ::1:123  :::*  24415/ntpd 
    udp6  0  0 :::123  :::*  24415/ntpd 
    
    My iptables:
    Code:
    iptables -L -n
    Chain INPUT (policy ACCEPT)
    target  prot opt source  destination 
    f2b-dovecot-pop3imap  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 110,995,143,993
    f2b-pureftpd  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 21
    f2b-postfix-sasl  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 25
    f2b-sshd  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target  prot opt source  destination 
    
    Chain OUTPUT (policy ACCEPT)
    target  prot opt source  destination 
    
    Chain f2b-dovecot-pop3imap (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-postfix-sasl (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-pureftpd (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-sshd (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0   
    best regards,
    Leonardo
     
    Last edited: Oct 5, 2016
  2. leonardo.saracini

    leonardo.saracini New Member

    If I try to connect with
    telnet mydomain.com 25
    I can log in.
    If I try HELO google.com
    it gives me:
    Connection closed by foreign host.
    Does anyone have any idea?

    regards
     
  3. leonardo.saracini

    leonardo.saracini New Member

    still no mail is received :confused:
    I tried to connect manually to see if there was some error.
    This is my screen:
    Code:
    [email protected]:$ openssl s_client -connect host.domain:465
    CONNECTED(00000003)
    depth=0 C = IT, ST = FIRENZE, L = CERBAIA, O = SOCIETA, OU = DEVELOP, CN = host1.domain, emailAddress = [email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = IT, ST = FIRENZE, L = CERBAIA, O = SOCIETA, OU = DEVELOP, CN = host1.domain, emailAddress = [email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
       i:/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGEzCCA/ugAwIBAgIJALnWrpKbYlaEMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
    VQQGEwJJVDEQMA4GA1UECAwHRklSRU5aRTEQMA4GA1UEBwwHQ0VSQkFJQTEUMBIG
    A1UECgwLQUxHT1JJVE1JQ0ExEDAOBgNVBAsMB0RFVkVMT1AxHzAdBgNVBAMMFnNl
    cnZlci5hbGdvcml0bWljYS5uZXQxIzAhBgkqhkiG9w0BCQEWFGluZm9AYWxnb3Jp
    dG1pY2EubmV0MB4XDTE2MDkyMTE0MDMzOFoXDTI2MDkxOTE0MDMzOFowgZ8xCzAJ
    BgNVBAYTAklUMRAwDgYDVQQIDAdGSVJFTlpFMRAwDgYDVQQHDAdDRVJCQUlBMRQw
    EgYDVQQKDAtBTEdPUklUTUlDQTEQMA4GA1UECwwHREVWRUxPUDEfMB0GA1UEAwwW
    c2VydmVyLmFsZ29yaXRtaWNhLm5ldDEjMCEGCSqGSIb3DQEJARYUaW5mb0BhbGdv
    cml0bWljYS5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQHAZ7
    05i2n0fHdUdJMn4WLdOE3wi+oTvZXkC6DfUR7JQ7GkouhAI5X2Xs5asKa0lEBVlY
    l1ET5o0CyB1iZ1GDsU8AUAFqtRBATc9l7mHcDJSYe02V+2qljcF6UZCqdccGSMFg
    y70C3DJRTHAXwCE5Vv7nJRg386MPIx/cwBUakV/I1i0WRe3//o3VTTpkv3+kfqVI
    rlR5GOpqZfaaalu1lNFOwzMGd80gToIlgjKSDS8+be2mfxS4apCeVO1SqagINtvc
    nMYnM06ly51K1cqP9120PlUieO4vfaoilsN0SNUoEr7ty1yn6oZ3vRfFBxTlGi/h
    FnchfNsYx+S6ulmQTQyWLNP0PFGDn57Ei8PCCuBnXIdJfm3T5tvDmzLlRlICMUV2
    oiabbCYsjrcv96Wi85raIVthq6yyGOwq9SiTa8ClcEYL/lLaoQFX5qv+FLsrpCmJ
    Z1yLUMHnn1Hr2zIVrIomx0ZoezyQufu56MEvREH77h3IVXHEgrgfYLhZmk7hhwFw
    1KO7rfaSZ0e0ebO1yUIx1df66FohX3fYuih6O+MLXso20wd1ylyqnA4esU8TYvHV
    oS8iclsGVXorAZN9fgOuJks/C5GHn9sC0lzjImuDHZG3My5VEMxMeBiTn8Mhw7PQ
    omSrG3QdJVvrBddZRXt4pz0/7u5qEC7dMLmr2QIDAQABo1AwTjAdBgNVHQ4EFgQU
    UHEZfizWsn6oKoMvqTuEGeIBqccwHwYDVR0jBBgwFoAUUHEZfizWsn6oKoMvqTuE
    GeIBqccwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAYndVeZrKYpxh
    3FPsbpwfOS3gJaNKdc0xeuBpzqguDa8kip6Y6N2nsI+Zq6Tpu9N+Akl80g657oCX
    94KErJnmFSLVUqT23O0+LghMQbfK+2U0K1dvBU9h1o3yrS1jyLpKIzh2IYF1AvFc
    5LNEBL+h9nqBuKfNe4H0KXiSOx6QMa5aj2voC89j4u+7vBFQjgu/RKuzIdjOqhSb
    DXyjWjLr0LhFo41tSXsj2WTSTBNhm7ylxARzn7dEv/Eh4IpEmVSOdvxJWV1WEPo+
    Da2x/yYGiNkLLKzUL101MB5Te3mRF7R5aIOQNivX4TzDKX9wQi12PBtPrAv9xR3A
    mNjUdtbZpiouKrwwMBFp/FRh+cEVq+g35djFwga26vsbueO+Yj++4e8RePy49Kkk
    UbaFjCExCreYait72F9Jmhkqj+g7q+NLTDdVufmYqK00Y+nK/2oFesDOAGRzuAcs
    qtyW+tR//d/rwK5/3vy0UefsVdd5eqB2bvu27jeHH6ohmE3ueKwTd1iOh7va1eYT
    uOFtT9A2EY3sG/WBYibJ6T6TV3Wc8wpuUkVYa0XNMTUq1tRdrzhw/mJ393FNj94h
    17vu1v6xe2MP9G5UCEXtGn1peuVlA27URyV5KkS3XLKbBcURHUQgdhejdjRFiXoM
    OZCyK8rC8dp8LowS59xdeTeKj/mY0uA=
    -----END CERTIFICATE-----
    subject=/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    issuer=/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2474 bytes and written 421 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: FA68D11E229FAB57601FF2F23E379543C77EB05901831E242CBE438162A28266
        Session-ID-ctx: 
        Master-Key: 3C84FB705AA3A950F826C76FEF61FDE1707A02CE78924566EEE5EE9EC45EA49CC05F671C858869A87F2D8C218E7F038C
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 9e e4 9d db 54 42 76 a7-ef ba 78 01 87 48 1e a3   ....TBv...x..H..
        0010 - 73 18 e2 ba aa 67 e7 08-38 33 18 0d 7d 08 a7 97   s....g..83..}...
        0020 - 0e 14 7a 1b bd 0a 77 75-8d a9 e2 ae 3d 59 16 3a   ..z...wu....=Y.:
        0030 - 03 8d 47 35 73 b3 f9 42-7c 24 8c 9f 41 8b 09 22   ..G5s..B|$..A.."
        0040 - 94 34 8f de eb 74 74 b7-22 e0 66 5e 28 a2 bb d7   .4...tt.".f^(...
        0050 - c9 2d eb 30 1d a9 9b aa-a2 d2 a0 50 d8 19 69 4e   .-.0.......P..iN
        0060 - b8 64 eb 3c d5 10 95 0c-2e 39 fe 6c 8d fc ce d3   .d.<.....9.l....
        0070 - b0 25 18 80 4d 86 8b 94-6b 0d 8e 70 c9 39 74 16   .%..M...k..p.9t.
        0080 - 3f f3 ba 02 85 ea de 6c-a4 bb f6 ff b0 67 e4 cb   ?......l.....g..
        0090 - 45 b2 58 e4 a3 00 a4 49-a0 b1 80 c8 52 73 68 4b   E.X....I....RshK

        Start Time: 1475571527
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 host3.domain ESMTP Postfix (Ubuntu)
    EHLO localhost
    250-host3.domain
    250-PIPELINING
    250-SIZE
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    closed
    
    I still get
    SSL_accept error from mail-wm0-f54.google.com[74.125.82.54]: lost connection
    lost connection after CONNECT from mail-wm0-f45.google.com[74.125.82.45]

    in the mail log.

    Help, help,
    please
     
    Last edited: Oct 5, 2016
  4. leonardo.saracini

    leonardo.saracini New Member

    some more data:
    I tried the same command above on port 25 with the same result, but if I try on 587 I get:
    Code:
    [email protected]:$ openssl s_client -connect host.domain:587
    CONNECTED(00000003)
    139853529339552:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    This response is more significant.
     
    Last edited: Oct 5, 2016
  5. Jesse Norell

    Jesse Norell Active Member

    To use s_client on port 587 you need to add `-starttls smtp` to your options. Can you post the output in a code block so it preserves formatting? (i.e. in this editor, it's the Insert button > Code) Or just post the actual server/domain name you are testing so it can be queried remotely.
     
  6. leonardo.saracini

    leonardo.saracini New Member

    I often use markdown and so I hadn't seen the button. Sorry.
    My problem is that my Postfix cannot receive mail.
    After two days I understood that there is a problem with my self-signed certificate,
    so I tried some solutions from the web until I found https://help.ubuntu.com/community/Postfix
    which helped me a lot.
    ... but not enough :eek:
    If I look at my fetchmail log:
    Code:
    Segnalato OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Oct  4 18:42:00 server fetchmail[6590]: Connessione SSL fallita.
    Oct  4 18:42:00 server fetchmail[6590]: Errore socket durante il recupero da [email protected]
    Oct  4 18:42:00 server fetchmail[6590]: Stato dell'interrogazione = 2 (SOCKET)
    Oct  4 18:42:00 server fetchmail[6590]: Segnalato OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Oct  4 18:42:00 server fetchmail[6590]: Connessione SSL fallita.
    Oct  4 18:42:00 server fetchmail[6590]: Errore socket durante il recupero da [email protected]
    Oct  4 18:42:00 server fetchmail[6590]: Stato dell'interrogazione = 2 (SOCKET)
    Oct  4 18:42:02 server fetchmail[6590]: Errore di verifica del certificato del server: unable to get local issuer certificate
    Oct  4 18:42:02 server fetchmail[6590]: Catena di certificazione interrotta in: /C=IT/O=Colt Engine/CN=Certificate Authority
    Oct  4 18:42:02 server fetchmail[6590]: Questo potrebbe significare che il server non ha fornito il certificato(i) CA intermedio, non c'è niente che fetchmail possa fare al riguardo. Per ulteriori dettagli consultare il documento README.SSL-SERVER fornito con fetchmail.
    Oct  4 18:42:02 server fetchmail[6590]: Questo potrebbe significare che il certificato firmato della CA principale non è nel percorso dei certificati attendibili CA, o che è necessario eseguire un c_rehash nella directory dei certificati. Per ulteriori dettagli consultare la pagina di --sslcertpath e --sslcertfile nel manuale.
    
    I'll stop testing for today... my brain is smoking :D

    regards
     
  7. Jesse Norell

    Jesse Norell Active Member

  8. leonardo.saracini

    leonardo.saracini New Member

    This is my /etc/postfix/master.cf:
    Code:
    [email protected]:~# cat /etc/postfix/master.cf
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #submission inet n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
                -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
    
     
  9. leonardo.saracini

    leonardo.saracini New Member

    and this is my main.cf
    Code:
    [email protected]:~# cat /etc/postfix/main.cf
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    smtp_tls_loglevel = 3
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = gemini.algoritmica.net
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = gemini.algoritmica.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    Do you see any misconfiguration?
     
  10. Jesse Norell

    Jesse Norell Active Member

    You do not have "submission" enabled in master.cf, which is why port 587 does not work.
     
  11. leonardo.saracini

    leonardo.saracini New Member

    Thank you Jesse, I too had noticed the "submission" part. Now I have enabled it, but I think the problem is still the certificate.
    I tried to build a CA and a self-signed certificate, but I'm not sure that it is working.
    If Google sends a mail to me, this is now the mail log:
    Code:
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: SSL_accept error from mail-wm0-f53.google.com[74.125.82.53]: lost connection
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostname: mail-wm0-f53.google.com ~? 127.0.0.0/8
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostaddr: 74.125.82.53 ~? 127.0.0.0/8
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostname: mail-wm0-f53.google.com ~? [::1]/128
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostaddr: 74.125.82.53 ~? [::1]/128
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_list_match: mail-wm0-f53.google.com: no match
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_list_match: 74.125.82.53: no match
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: auto_clnt_open: connected to private/anvil
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: send attr request = disconnect
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: send attr ident = smtp:74.125.82.53
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: private/anvil: wanted attribute: status
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute name: status
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute value: 0
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: private/anvil: wanted attribute: (list terminator)
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute name: (end)
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: lost connection after CONNECT from mail-wm0-f53.google.com[74.125.82.53]
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: disconnect from mail-wm0-f53.google.com[74.125.82.53]
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: master_notify: status 1
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: connection closed
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: watchdog_stop: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[27953]: idle timeout -- exiting
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_start: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: proxymap stream disconnect
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: auto_clnt_close: disconnect private/tlsmgr stream
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_stop: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_start: 0x55b2d09bd190
    -
    my master.cf in next message
     
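The log excerpts in posts 3 and 11 carry two signals worth counting before touching any certificate: which syslog label (`postfix/smtps`, `postfix/submission`, or plain `postfix`) the failing `smtpd` process was started with, and whether a given peer ever gets past `SSL_accept`. A `postfix/smtps` label on a connection from Google's sending hosts is itself informative, because MTA-to-MTA delivery arrives on port 25, not on the port-465 wrapper-mode service that label is meant for. The script below is an added example, not part of the thread, that tallies `connect from` and `SSL_accept error` events per label and lists the peers whose handshake failed. The log lines are constructed to resemble the excerpts above (the Google hostnames and addresses are the ones in the thread; 192.0.2.10 is a documentation address), and the helper names are invented for this example.

```python
"""Tally Postfix smtpd TLS handshake failures per syslog label and per peer.

Added example for this thread, not ISPConfig's or Postfix's own code.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, shaped like the mail.log excerpts in the thread.
SAMPLE_LOG = """\
Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: connect from mail-wm0-f53.google.com[74.125.82.53]
Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: SSL_accept error from mail-wm0-f53.google.com[74.125.82.53]: lost connection
Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: lost connection after CONNECT from mail-wm0-f53.google.com[74.125.82.53]
Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: disconnect from mail-wm0-f53.google.com[74.125.82.53]
Oct  6 14:35:40 gemini postfix/smtps/smtpd[31950]: connect from mail-wm0-f45.google.com[74.125.82.45]
Oct  6 14:35:40 gemini postfix/smtps/smtpd[31950]: SSL_accept error from mail-wm0-f45.google.com[74.125.82.45]: lost connection
Oct  6 14:35:40 gemini postfix/smtps/smtpd[31950]: lost connection after CONNECT from mail-wm0-f45.google.com[74.125.82.45]
Oct  6 14:40:02 gemini postfix/submission/smtpd[31988]: connect from unknown[192.0.2.10]
Oct  6 14:40:05 gemini postfix/submission/smtpd[31988]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  6 14:40:06 gemini postfix/submission/smtpd[31988]: disconnect from unknown[192.0.2.10]
"""

# syslog prefix: "<timestamp> <host> <label>/smtpd[<pid>]: <message>"
# where <label> is "postfix" or "postfix/<syslog_name suffix>" (e.g. postfix/smtps).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<label>postfix(?:/[\w-]+)?)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix writes peers as "name[ip]".
CLIENT_RE = re.compile(r"from (?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")


def failure_rate_by_service(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Map syslog label -> (connections seen, connections that died in SSL_accept)."""
    connects: Counter = Counter()
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # debug chatter (-v) or other daemons: not an smtpd event
        label, msg = m.group("label"), m.group("msg")
        if msg.startswith("connect from "):
            connects[label] += 1
        elif msg.startswith("SSL_accept error from "):
            failures[label] += 1
    return {label: (connects[label], failures[label]) for label in connects | failures}


def failing_clients(log_text: str) -> Dict[str, List[str]]:
    """Map syslog label -> sorted 'name[ip]' peers whose TLS handshake failed."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("SSL_accept error from "):
            continue
        c = CLIENT_RE.search(m.group("msg"))
        if c:
            peers[m.group("label")].add(f"{c.group('name')}[{c.group('ip')}]")
    return {label: sorted(v) for label, v in peers.items()}


def fully_failing_services(log_text: str) -> List[str]:
    """Labels where every logged connection died in the handshake: a listener
    whose TLS expectations do not match what its clients send."""
    return sorted(label for label, (conn, fail) in failure_rate_by_service(log_text).items()
                  if conn and fail >= conn)


if __name__ == "__main__":
    for label, (conn, fail) in sorted(failure_rate_by_service(SAMPLE_LOG).items()):
        print(f"{label:20} connections={conn:3} handshake_failures={fail:3}")
    for label, peers in failing_clients(SAMPLE_LOG).items():
        print(f"{label}: failing peers -> {', '.join(peers)}")
    print("fully failing:", fully_failing_services(SAMPLE_LOG))
```

On a live system, feed it `/var/log/mail.log` (the `-v -v` debug lines in post 11 are simply skipped). A label that fails for every peer while another label on the same host completes handshakes points at that listener's configuration rather than at the certificate, which both listeners share.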
  12. leonardo.saracini

    leonardo.saracini New Member

    my current master.cf is:
    Code:
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd -v -v
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    submission inet n       -       -       -       -       smtpd -v -v
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd -v -v
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
                -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You removed # between the tlsproxy and submission lines which should not be removed. Add the # in front of the lines that start with -o between tlsproxy and submission.
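    Why those four lines matter: master(5) treats a line that starts with whitespace as a continuation of the current logical line, and it ignores blank and # lines entirely, so a commented-out service does not end the previous entry. The uncommented -o lines after #tlsproxy therefore belong to the smtp/inet service on port 25, which then runs with smtpd_tls_wrappermode=yes and answers remote MTAs with a TLS handshake instead of the plaintext 220 banner (the "unable to read banner" and SSL_accept errors seen above). The following script is an added example, not code from the thread or from ISPConfig or Postfix; it applies that joining rule to two constructed excerpts modelled on the posted master.cf (before and after adding the # signs) and reports which service each override lands on.

```python
"""Show which master.cf service a stray '-o' line attaches to.

Joining rule from master(5): a logical line starts with non-whitespace
text, a physical line starting with whitespace continues the current
logical line, and blank lines or lines whose first non-blank character
is '#' are skipped. Consequently a '#' line never closes an entry.
"""

from typing import Dict, List, Tuple

# Constructed excerpt modelled on the master.cf posted in this thread:
# the four '-o' lines after '#tlsproxy' are not commented out.
BROKEN_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd -v -v
#smtp      inet  n       -       -       -       1       postscreen
#tlsproxy  unix  -       -       -       -       0       tlsproxy
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       -       -       -       smtpd -v -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd -v -v
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
"""

# Same excerpt with the fix applied: the stray lines are comments again.
FIXED_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd -v -v
#smtp      inet  n       -       -       -       1       postscreen
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       -       -       -       smtpd -v -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd -v -v
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
"""


def logical_lines(text: str) -> List[str]:
    """Join physical lines into logical lines the way master(5) describes."""
    result: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are skipped, they end nothing
        if raw[0] in " \t":
            if not result:
                raise ValueError("continuation line before any service entry")
            result[-1] += " " + stripped  # continues the previous logical line
        else:
            result.append(stripped)
    return result


def parse_master_cf(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map 'service/type' to (command line, list of '-o name=value' overrides)."""
    services: Dict[str, Tuple[str, List[str]]] = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        name, stype, rest = fields[0], fields[1], fields[7:]
        command: List[str] = []
        overrides: List[str] = []
        i = 0
        while i < len(rest):
            if rest[i] == "-o" and i + 1 < len(rest):
                overrides.append(rest[i + 1])
                i += 2
            else:
                command.append(rest[i])
                i += 1
        services[f"{name}/{stype}"] = (" ".join(command), overrides)
    return services


def port25_in_tls_wrapper_mode(text: str) -> bool:
    """True when the public smtp/inet listener would start with TLS, not a banner."""
    entry = parse_master_cf(text).get("smtp/inet")
    return entry is not None and "smtpd_tls_wrappermode=yes" in entry[1]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(f"== {label}: port 25 in wrapper mode: {port25_in_tls_wrapper_mode(cfg)}")
        for svc, (cmd, opts) in parse_master_cf(cfg).items():
            print(f"  {svc:16} {cmd:14} {opts}")
```

    On a live box the same view is available from Postfix itself (2.11 or later): postconf -Mf smtp/inet prints the smtp/inet entry with every -o override that Postfix has attached to it, so a wrappermode override showing up there is the thing to look for before touching the TLS certificate.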
     
  14. leonardo.saracini

    leonardo.saracini New Member

    Thanks to Till and Jesse the problem is solved. So in the end it wasn't a certification problem.
    Thank you very much,
    regards
     