Solved: cannot receive mail: SSL_accept error from

Discussion in 'Installation/Configuration' started by leonardo.saracini, Oct 3, 2016.

  1. leonardo.saracini

    leonardo.saracini New Member

    Hello, I have installed ISPConfig 3.1 on an Ubuntu 15.10 64-bit server (VPS).
    If I try to send mail to myself from a Google account, Google sends me this error:
    "Technical details of temporary failure: The recipient server did not accept our requests to connect"
    "unable to read banner"
    I can check for mail on the server.
    So I think my DNS settings and almost all of my ISPConfig mail settings are right.

    Can anybody help please?
    my netstat -tulpn:
    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
    tcp  0  0 0.0.0.0:993  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:995  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 127.0.0.1:10024  0.0.0.0:*  LISTEN  28914/amavisd-new (
    tcp  0  0 127.0.0.1:10025  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 127.0.0.1:10026  0.0.0.0:*  LISTEN  28914/amavisd-new (
    tcp  0  0 127.0.0.1:10027  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 0.0.0.0:587  0.0.0.0:*  LISTEN  22082/master 
    tcp  0  0 127.0.0.1:11211  0.0.0.0:*  LISTEN  18514/memcached
    tcp  0  0 0.0.0.0:110  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:143  0.0.0.0:*  LISTEN  15454/dovecot 
    tcp  0  0 0.0.0.0:21  0.0.0.0:*  LISTEN  29909/pure-ftpd (SE
    tcp  0  0 80.241.208.16:53  0.0.0.0:*  LISTEN  15578/named 
    tcp  0  0 127.0.0.1:53  0.0.0.0:*  LISTEN  15578/named 
    tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  652/sshd 
    tcp  0  0 0.0.0.0:25  0.0.0.0:*  LISTEN  3790/smtpd 
    tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  15578/named 
    tcp6  0  0 :::443  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::993  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::995  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::3306  :::*  LISTEN  12836/mysqld 
    tcp6  0  0 :::587  :::*  LISTEN  22082/master 
    tcp6  0  0 :::110  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::143  :::*  LISTEN  15454/dovecot 
    tcp6  0  0 :::8080  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::80  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::8081  :::*  LISTEN  3278/apache2 
    tcp6  0  0 :::21  :::*  LISTEN  29909/pure-ftpd (SE
    tcp6  0  0 :::53  :::*  LISTEN  15578/named 
    tcp6  0  0 :::22  :::*  LISTEN  652/sshd 
    tcp6  0  0 :::25  :::*  LISTEN  3790/smtpd 
    tcp6  0  0 ::1:953  :::*  LISTEN  15578/named 
    udp  0  0 127.0.0.1:11211  0.0.0.0:*  18514/memcached
    udp  0  0 80.241.208.16:53  0.0.0.0:*  15578/named 
    udp  0  0 127.0.0.1:53  0.0.0.0:*  15578/named 
    udp  0  0 80.241.208.16:123  0.0.0.0:*  24415/ntpd 
    udp  0  0 127.0.0.1:123  0.0.0.0:*  24415/ntpd 
    udp  0  0 0.0.0.0:123  0.0.0.0:*  24415/ntpd 
    udp6  0  0 :::53  :::*  15578/named 
    udp6  0  0 fe80::250:56ff:fe3c:123 :::*  24415/ntpd 
    udp6  0  0 2a02:c205:2008:5519:123 :::*  24415/ntpd 
    udp6  0  0 ::1:123  :::*  24415/ntpd 
    udp6  0  0 :::123  :::*  24415/ntpd 
    
    My iptables:
    Code:
    iptables -L -n
    Chain INPUT (policy ACCEPT)
    target  prot opt source  destination 
    f2b-dovecot-pop3imap  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 110,995,143,993
    f2b-pureftpd  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 21
    f2b-postfix-sasl  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 25
    f2b-sshd  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target  prot opt source  destination 
    
    Chain OUTPUT (policy ACCEPT)
    target  prot opt source  destination 
    
    Chain f2b-dovecot-pop3imap (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-postfix-sasl (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-pureftpd (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0 
    
    Chain f2b-sshd (1 references)
    target  prot opt source  destination 
    RETURN  all  --  0.0.0.0/0  0.0.0.0/0   
    best regards,
    Leonardo
     
    Last edited: Oct 5, 2016
  2. leonardo.saracini

    leonardo.saracini New Member

    If I try to connect with
    telnet mydomain.com 25
    I can log in.
    If I try HELO google.com
    it gives me:
    Connection closed by foreign host.
    Does anyone have any idea?

    regards
     
  3. leonardo.saracini

    leonardo.saracini New Member

    Still no mail is received :confused:
    I tried to connect manually to see if there was some error.
    This is my screen:
    Code:
    [email protected]:$ openssl s_client -connect host.domain:465
    CONNECTED(00000003)
    depth=0 C = IT, ST = FIRENZE, L = CERBAIA, O = SOCIETA, OU = DEVELOP, CN = host1.domain, emailAddress = [email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = IT, ST = FIRENZE, L = CERBAIA, O = SOCIETA, OU = DEVELOP, CN = host1.domain, emailAddress = [email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
       i:/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGEzCCA/ugAwIBAgIJALnWrpKbYlaEMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
    VQQGEwJJVDEQMA4GA1UECAwHRklSRU5aRTEQMA4GA1UEBwwHQ0VSQkFJQTEUMBIG
    A1UECgwLQUxHT1JJVE1JQ0ExEDAOBgNVBAsMB0RFVkVMT1AxHzAdBgNVBAMMFnNl
    cnZlci5hbGdvcml0bWljYS5uZXQxIzAhBgkqhkiG9w0BCQEWFGluZm9AYWxnb3Jp
    dG1pY2EubmV0MB4XDTE2MDkyMTE0MDMzOFoXDTI2MDkxOTE0MDMzOFowgZ8xCzAJ
    BgNVBAYTAklUMRAwDgYDVQQIDAdGSVJFTlpFMRAwDgYDVQQHDAdDRVJCQUlBMRQw
    EgYDVQQKDAtBTEdPUklUTUlDQTEQMA4GA1UECwwHREVWRUxPUDEfMB0GA1UEAwwW
    c2VydmVyLmFsZ29yaXRtaWNhLm5ldDEjMCEGCSqGSIb3DQEJARYUaW5mb0BhbGdv
    cml0bWljYS5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQHAZ7
    05i2n0fHdUdJMn4WLdOE3wi+oTvZXkC6DfUR7JQ7GkouhAI5X2Xs5asKa0lEBVlY
    l1ET5o0CyB1iZ1GDsU8AUAFqtRBATc9l7mHcDJSYe02V+2qljcF6UZCqdccGSMFg
    y70C3DJRTHAXwCE5Vv7nJRg386MPIx/cwBUakV/I1i0WRe3//o3VTTpkv3+kfqVI
    rlR5GOpqZfaaalu1lNFOwzMGd80gToIlgjKSDS8+be2mfxS4apCeVO1SqagINtvc
    nMYnM06ly51K1cqP9120PlUieO4vfaoilsN0SNUoEr7ty1yn6oZ3vRfFBxTlGi/h
    FnchfNsYx+S6ulmQTQyWLNP0PFGDn57Ei8PCCuBnXIdJfm3T5tvDmzLlRlICMUV2
    oiabbCYsjrcv96Wi85raIVthq6yyGOwq9SiTa8ClcEYL/lLaoQFX5qv+FLsrpCmJ
    Z1yLUMHnn1Hr2zIVrIomx0ZoezyQufu56MEvREH77h3IVXHEgrgfYLhZmk7hhwFw
    1KO7rfaSZ0e0ebO1yUIx1df66FohX3fYuih6O+MLXso20wd1ylyqnA4esU8TYvHV
    oS8iclsGVXorAZN9fgOuJks/C5GHn9sC0lzjImuDHZG3My5VEMxMeBiTn8Mhw7PQ
    omSrG3QdJVvrBddZRXt4pz0/7u5qEC7dMLmr2QIDAQABo1AwTjAdBgNVHQ4EFgQU
    UHEZfizWsn6oKoMvqTuEGeIBqccwHwYDVR0jBBgwFoAUUHEZfizWsn6oKoMvqTuE
    GeIBqccwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAYndVeZrKYpxh
    3FPsbpwfOS3gJaNKdc0xeuBpzqguDa8kip6Y6N2nsI+Zq6Tpu9N+Akl80g657oCX
    94KErJnmFSLVUqT23O0+LghMQbfK+2U0K1dvBU9h1o3yrS1jyLpKIzh2IYF1AvFc
    5LNEBL+h9nqBuKfNe4H0KXiSOx6QMa5aj2voC89j4u+7vBFQjgu/RKuzIdjOqhSb
    DXyjWjLr0LhFo41tSXsj2WTSTBNhm7ylxARzn7dEv/Eh4IpEmVSOdvxJWV1WEPo+
    Da2x/yYGiNkLLKzUL101MB5Te3mRF7R5aIOQNivX4TzDKX9wQi12PBtPrAv9xR3A
    mNjUdtbZpiouKrwwMBFp/FRh+cEVq+g35djFwga26vsbueO+Yj++4e8RePy49Kkk
    UbaFjCExCreYait72F9Jmhkqj+g7q+NLTDdVufmYqK00Y+nK/2oFesDOAGRzuAcs
    qtyW+tR//d/rwK5/3vy0UefsVdd5eqB2bvu27jeHH6ohmE3ueKwTd1iOh7va1eYT
    uOFtT9A2EY3sG/WBYibJ6T6TV3Wc8wpuUkVYa0XNMTUq1tRdrzhw/mJ393FNj94h
    17vu1v6xe2MP9G5UCEXtGn1peuVlA27URyV5KkS3XLKbBcURHUQgdhejdjRFiXoM
    OZCyK8rC8dp8LowS59xdeTeKj/mY0uA=
    -----END CERTIFICATE-----
    subject=/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    issuer=/C=IT/ST=FIRENZE/L=CERBAIA/O=SOCIETA/OU=DEVELOP/CN=host1.domain/emailAddress=[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2474 bytes and written 421 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: FA68D11E229FAB57601FF2F23E379543C77EB05901831E242CBE438162A28266
        Session-ID-ctx:
        Master-Key: 3C84FB705AA3A950F826C76FEF61FDE1707A02CE78924566EEE5EE9EC45EA49CC05F671C858869A87F2D8C218E7F038C
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 9e e4 9d db 54 42 76 a7-ef ba 78 01 87 48 1e a3   ....TBv...x..H..
        0010 - 73 18 e2 ba aa 67 e7 08-38 33 18 0d 7d 08 a7 97   s....g..83..}...
        0020 - 0e 14 7a 1b bd 0a 77 75-8d a9 e2 ae 3d 59 16 3a   ..z...wu....=Y.:
        0030 - 03 8d 47 35 73 b3 f9 42-7c 24 8c 9f 41 8b 09 22   ..G5s..B|$..A.."
        0040 - 94 34 8f de eb 74 74 b7-22 e0 66 5e 28 a2 bb d7   .4...tt.".f^(...
        0050 - c9 2d eb 30 1d a9 9b aa-a2 d2 a0 50 d8 19 69 4e   .-.0.......P..iN
        0060 - b8 64 eb 3c d5 10 95 0c-2e 39 fe 6c 8d fc ce d3   .d.<.....9.l....
        0070 - b0 25 18 80 4d 86 8b 94-6b 0d 8e 70 c9 39 74 16   .%..M...k..p.9t.
        0080 - 3f f3 ba 02 85 ea de 6c-a4 bb f6 ff b0 67 e4 cb   ?......l.....g..
        0090 - 45 b2 58 e4 a3 00 a4 49-a0 b1 80 c8 52 73 68 4b   E.X....I....RshK

        Start Time: 1475571527
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 host3.domain ESMTP Postfix (Ubuntu)
    EHLO localhost
    250-host3.domain
    250-PIPELINING
    250-SIZE
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    closed
    
    I still get
    SSL_accept error from mail-wm0-f54.google.com[74.125.82.54]: lost connection
    lost connection after CONNECT from mail-wm0-f45.google.com[74.125.82.45]

    in the mail log.

    Help, help
    please
     
    Last edited: Oct 5, 2016
  4. leonardo.saracini

    leonardo.saracini New Member

    Some more data:
    I tried the same command as above on port 25 with the same result, but if I try on 587 I get:
    Code:
    [email protected]:$ openssl s_client -connect host.domain:587
    CONNECTED(00000003)
    139853529339552:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    This response is more significant.
     
    Last edited: Oct 5, 2016
  5. Jesse Norell

    Jesse Norell Well-Known Member

    To use s_client on port 587 you need to add `-starttls smtp` to your options. Can you post the output in a code block so it preserves formatting? (i.e. in this editor, it's the Insert button > Code) Or just post the actual server/domain name you are testing so it can be queried remotely.
     
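The distinction Jesse's reply turns on is which side speaks first. On a STARTTLS port (25 or 587) the server greets in plaintext with a "220" banner, so a client that opens with a TLS ClientHello, as `openssl s_client` does without `-starttls smtp`, reads the greeting as a TLS record and fails with SSL23_GET_SERVER_HELLO:unknown protocol. On a TLS wrapper-mode port (465) the server sends nothing until it receives a ClientHello, so a plaintext MTA that waits for a greeting gives up, which is what "unable to read banner" on the sending side and "SSL_accept error ...: lost connection" in the Postfix log describe when they appear on port 25. The following probe is an added example written for this page, not code from the thread, Postfix or ISPConfig: `classify_greeting` and `diagnose` work on the first bytes a server sends, the sample greetings are constructed from the banner shown in post 3, and `read_greeting` and `tls_wrapper_handshake_ok` are the assumed way to point it at a real host (they need network access).

```python
"""Does a mail port greet in plaintext (STARTTLS style) or wait for a TLS ClientHello (wrapper mode)?

Added example for this page; not code from the thread, Postfix or ISPConfig.
"""
import socket
import ssl

# Constructed samples. The banner is the one shown in post 3 of the thread; a
# wrapper-mode port sends nothing at all until the client starts a TLS handshake.
SAMPLE_STARTTLS_GREETING = b"220 host3.domain ESMTP Postfix (Ubuntu)\r\n"
SAMPLE_WRAPPER_GREETING = b""
# First bytes of a TLS handshake record (content type 0x16, version major 0x03);
# a server only ever sends this in reply to a ClientHello.
SAMPLE_TLS_RECORD = bytes([0x16, 0x03, 0x03, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00])


def classify_greeting(data: bytes) -> str:
    """Classify what the server sent first, before the client said anything."""
    if not data:
        return "silent"        # waiting for a ClientHello (wrapper mode), or a delayed greeting
    if data.startswith((b"220 ", b"220-")):
        return "smtp-banner"   # plaintext SMTP: the client must EHLO and then STARTTLS
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"    # would only appear if the client had already sent a ClientHello
    return "unknown"


def diagnose(port: int, greeting: bytes) -> str:
    """Map the first bytes to the symptom the thread reports for that port."""
    kind = classify_greeting(greeting)
    if port in (25, 587):
        if kind == "smtp-banner":
            return f"ok: STARTTLS-style SMTP; test TLS with: openssl s_client -starttls smtp -connect host:{port}"
        if kind == "silent":
            return ("misconfigured: no greeting on an SMTP port; the usual cause is smtpd_tls_wrappermode=yes "
                    "applied to this listener, after which remote MTAs report 'unable to read banner' and "
                    "Postfix logs 'SSL_accept error ... lost connection'")
    if port == 465:
        if kind == "silent":
            return "ok: TLS wrapper mode (smtps); test with: openssl s_client -connect host:465"
        if kind == "smtp-banner":
            return ("misconfigured: port 465 greets in plaintext, so wrapper mode is not in effect; "
                    "openssl s_client without -starttls fails with SSL23_GET_SERVER_HELLO:unknown protocol")
    return f"unexpected: {kind} on port {port}"


def read_greeting(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and return whatever the server sends first; b'' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(512)
        except socket.timeout:
            return b""


def tls_wrapper_handshake_ok(host: str, port: int, timeout: float = 5.0) -> bool:
    """Confirm wrapper mode by handshaking immediately after connect.
    Verification is off on purpose: this checks which protocol the port speaks, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(diagnose(port, read_greeting(host, port)))
    if port in (25, 465):
        print("TLS-on-connect handshake:", "ok" if tls_wrapper_handshake_ok(host, port) else "failed")
```

Run it as `python3 probe.py host.domain 25` and again with 465. A server that deliberately delays its greeting also reads as "silent", so re-run with a longer timeout before concluding wrapper mode; a port 25 that stays silent and then completes `tls_wrapper_handshake_ok` is the combination every other MTA on the Internet will fail against.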
  6. leonardo.saracini

    leonardo.saracini New Member

    I often use Markdown and so I hadn't seen the button. Sorry.
    My problem is that my Postfix cannot receive mail.
    After two days I understood that there is a problem with my self-signed certificate.
    So I tried some solutions from the web until I found https://help.ubuntu.com/community/Postfix
    which helped me a lot.
    ... but not enough :eek:
    If I look at my fetchmail log:
    Code:
    OpenSSL reported: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Oct  4 18:42:00 server fetchmail[6590]: SSL connection failed.
    Oct  4 18:42:00 server fetchmail[6590]: Socket error while fetching from [email protected]
    Oct  4 18:42:00 server fetchmail[6590]: Query status = 2 (SOCKET)
    Oct  4 18:42:00 server fetchmail[6590]: OpenSSL reported: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Oct  4 18:42:00 server fetchmail[6590]: SSL connection failed.
    Oct  4 18:42:00 server fetchmail[6590]: Socket error while fetching from [email protected]
    Oct  4 18:42:00 server fetchmail[6590]: Query status = 2 (SOCKET)
    Oct  4 18:42:02 server fetchmail[6590]: Server certificate verification error: unable to get local issuer certificate
    Oct  4 18:42:02 server fetchmail[6590]: Broken certification chain at: /C=IT/O=Colt Engine/CN=Certificate Authority
    Oct  4 18:42:02 server fetchmail[6590]: This could mean that the server did not provide the intermediate CA certificate(s); there is nothing fetchmail can do about that. See the README.SSL-SERVER document that ships with fetchmail for details.
    Oct  4 18:42:02 server fetchmail[6590]: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. See the documentation of --sslcertpath and --sslcertfile in the manual page for details.
    
    I'll stop testing for today... my brain is smoking :D

    regards
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

  8. leonardo.saracini

    leonardo.saracini New Member

    This is my /etc/postfix/master.cf:
    Code:
    [email protected]:~# cat /etc/postfix/master.cf
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #submission inet n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
    
     
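An added example, written for this page and not part of the thread, Postfix or ISPConfig: a small Python parser that applies the master(5) line rules to the master.cf above. Postfix ignores comment lines and treats any line that begins with whitespace as a continuation of the previous logical line, so the four indented `-o` lines that visually sit under the commented-out postscreen/tlsproxy entries are in fact appended to the uncommented `smtp inet ... smtpd` entry, the port 25 listener. The parser shows the options each service really receives and flags the three that stop other MTAs from delivering: `smtpd_tls_wrappermode=yes` (the server waits for a TLS ClientHello while the remote MTA waits for a 220 banner), `smtpd_client_restrictions=permit_sasl_authenticated,reject` (an MTA never authenticates, so it is refused), and `syslog_name=postfix/smtps` (which is why port 25 connections would be logged under postfix/smtps). `POSTED_MASTER_CF` is a constructed excerpt of the inet entries from the posted file; `FIXED_MASTER_CF` is one corrected layout, assumed here, that leaves port 25 on the Postfix defaults and gives the overrides to the `submission` and `smtps` entries that the Ubuntu template already ships commented out.

```python
"""Which master.cf service does each '-o' override really belong to?

Added example for this page; not code from the thread, Postfix or ISPConfig.
Rules applied are those of master(5): blank lines and lines whose first
non-blank character is '#' are ignored; a line that starts with whitespace
continues the previous logical line.
"""
from dataclasses import dataclass, field

# Constructed excerpt of the inet entries from the master.cf posted in the thread.
POSTED_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Assumed corrected layout: port 25 keeps the main.cf defaults (STARTTLS offered,
# relaying decided by smtpd_relay_restrictions); TLS-on-connect and mandatory
# SASL live on 465 and 587 only.
FIXED_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


@dataclass
class Service:
    name: str
    type: str                                    # inet, unix, fifo or pass
    command: str                                 # eighth field: the daemon to run
    options: dict = field(default_factory=dict)  # name -> value from each '-o name=value'


def logical_lines(text: str) -> list:
    """Join continuation lines as master(5) does, dropping comments and blanks."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # a comment line does NOT end a logical line
        if raw[0] in " \t" and out:
            out[-1] += " " + stripped     # continuation of the previous entry
        else:
            out.append(stripped)
    return out


def parse_master_cf(text: str) -> list:
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        svc = Service(name=fields[0], type=fields[1], command=fields[7])
        args = fields[8:]                 # daemon arguments, e.g. -v -v or -o name=value
        for i, arg in enumerate(args):
            if arg == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                svc.options[key] = value  # a repeated name keeps the last value listed
        services.append(svc)
    return services


def inbound_mx_findings(services: list) -> list:
    """Settings on the port-25 ('smtp' inet) listener that stop other MTAs delivering to us."""
    findings = []
    for svc in services:
        if (svc.name, svc.type) != ("smtp", "inet"):
            continue
        o = svc.options
        if o.get("smtpd_tls_wrappermode") == "yes":
            findings.append("smtpd_tls_wrappermode=yes on port 25: the server waits for a TLS "
                            "ClientHello while remote MTAs wait for a 220 banner")
        restr = [r.strip() for r in o.get("smtpd_client_restrictions", "").split(",") if r.strip()]
        if restr and restr[-1] == "reject" and all(r.startswith("permit_sasl") for r in restr[:-1]):
            findings.append("smtpd_client_restrictions lets only SASL-authenticated clients through: "
                            "MTAs never authenticate, so all inbound mail is refused")
        if o.get("syslog_name") == "postfix/smtps":
            findings.append("syslog_name=postfix/smtps on port 25: inbound connections are logged "
                            "under postfix/smtps rather than postfix/smtpd")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(f"== {label} ==")
        services = parse_master_cf(text)
        for svc in services:
            print(f"{svc.name:11} {svc.type:5} {svc.command:6} {svc.options}")
        for finding in inbound_mx_findings(services):
            print("  !!", finding)
```

The same check can be run against a live server with `postconf -M` (one logical line per service, overrides included), which avoids parsing the file at all; the point of parsing it here is to make visible where the stray lines end up.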
  9. leonardo.saracini

    leonardo.saracini New Member

    and this is my main.cf
    Code:
    [email protected]:~# cat /etc/postfix/main.cf
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    smtp_tls_loglevel = 3
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = gemini.algoritmica.net
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = gemini.algoritmica.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    Do you see any misconfiguration?
     
  10. Jesse Norell

    Jesse Norell Well-Known Member

    You do not have "submission" enabled in master.cf, which is why port 587 does not work.
     
  11. leonardo.saracini

    leonardo.saracini New Member

    Thank you Jesse, I too had noticed the "submission" part. Now I have enabled it, but I'm thinking the problem is still the certificate.
    I tried to build a CA and a self-signed certificate but I'm not sure that it is working.
    If Google sends a mail to me, this is now the mail log:
    Code:
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: SSL_accept error from mail-wm0-f53.google.com[74.125.82.53]: lost connection
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostname: mail-wm0-f53.google.com ~? 127.0.0.0/8
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostaddr: 74.125.82.53 ~? 127.0.0.0/8
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostname: mail-wm0-f53.google.com ~? [::1]/128
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_hostaddr: 74.125.82.53 ~? [::1]/128
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_list_match: mail-wm0-f53.google.com: no match
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: match_list_match: 74.125.82.53: no match
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: auto_clnt_open: connected to private/anvil
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: send attr request = disconnect
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: send attr ident = smtp:74.125.82.53
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: private/anvil: wanted attribute: status
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute name: status
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute value: 0
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: private/anvil: wanted attribute: (list terminator)
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: input attribute name: (end)
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: lost connection after CONNECT from mail-wm0-f53.google.com[74.125.82.53]
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: disconnect from mail-wm0-f53.google.com[74.125.82.53]
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: master_notify: status 1
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: connection closed
    Oct  6 14:33:08 gemini postfix/smtps/smtpd[31921]: watchdog_stop: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[27953]: idle timeout -- exiting
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_start: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: proxymap stream disconnect
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: auto_clnt_close: disconnect private/tlsmgr stream
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_stop: 0x55b2d09bd190
    Oct  6 14:34:11 gemini postfix/smtps/smtpd[31921]: watchdog_start: 0x55b2d09bd190
    My master.cf is in the next message.
     
  12. leonardo.saracini

    leonardo.saracini New Member

    My current master.cf is:
    Code:
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd -v -v
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    submission inet n       -       -       -       -       smtpd -v -v
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd -v -v
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
                -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You removed # between the tlsproxy and submission lines which should not be removed. Add the # in front of the lines that start with -o between tlsproxy and submission.
     
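    As an added illustration of why those lines matter (example code, not from this thread or from ISPConfig): a small checker that joins master.cf logical lines the way Postfix does, so the stray `-o` lines sitting under the commented-out `#tlsproxy` entry turn up on the port-25 `smtp` service, which is how that listener ends up in TLS wrapper mode and cannot present a plaintext banner. It assumes Postfix's rules that a whitespace-led line continues the previous logical line and that blank and `#` lines are skipped rather than ending it; the sample file is a constructed excerpt, not the poster's full master.cf.

```python
import re

# Constructed excerpt modelled on the poster's master.cf (not the real file).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd -v -v
#tlsproxy  unix  -       -       -       -       0       tlsproxy
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       -       -       -       smtpd -v -v
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd -v -v
  -o smtpd_tls_wrappermode=yes
"""
OPT_RE = re.compile(r"-o\s+([^=\s]+)=(.*)")

def parse_master_cf(text):
    """Join logical lines the way Postfix does: a whitespace-led line continues
    the previous entry; blank and '#' lines are skipped and do not end it."""
    services, current = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation line
            m = OPT_RE.match(stripped)
            if m and current is not None:
                current["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = stripped.split()                 # name type private unpriv chroot wakeup maxproc cmd
        current = {"name": fields[0], "type": fields[1], "options": {}}
        services.append(current)
    return services

def misattached_options(text):
    """Flag continuation lines that visually follow a '#' line: Postfix attaches
    them to the last uncommented service, not to the commented-out one above."""
    findings, current, after_comment = [], None, False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            after_comment = True
        elif raw[0] in " \t":
            if after_comment and current:
                findings.append((lineno, current))
        else:
            current, after_comment = stripped.split()[0], False
    return findings
```

    Run against the excerpt, `parse_master_cf` reports `smtpd_tls_wrappermode=yes` and `syslog_name=postfix/smtps` on the `smtp` entry, which matches the `postfix/smtps/smtpd` lines seen in the log above, and `misattached_options` points at the three `-o` lines that need the leading `#`.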
  14. leonardo.saracini

    leonardo.saracini New Member

    Thanks to Till and Jesse the problem is out: solved. So in the end it wasn't a certification problem.
    Thank you very much,
    regards
     