Postfix email server not receiving email from external email

I'm trying to set up a mail server on Ubuntu 16.04.5 LTS with Postfix and Dovecot.



I can send out email without any problem and mail sent from localhost also finds its way into the inbox. However, email sent from outside (say, Gmail) is not showing up.



There are a lot of similar questions on serverfault and other sites, however I'm still unable to make it work.



My main.cf:



smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/MYDOMAIN.FI/fullchain.pem
smtpd_tls_key_file =/etc/letsencrypt/live/MYDOMAIN.FI/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.MYDOMAIN.FI
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.MYDOMAIN.FI, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "$EXTENSION"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom


As you can see I use an SSL certificate from letsencrypt.



I have replaced my actual domain with MYDOMAIN.FI in case there are some horrible holes I've left in my config by mistake.



Output of sudo lsof -iTCP -sTCP:LISTEN -P:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 29u IPv4 2041021 0t0 TCP *:143 (LISTEN)
systemd 1 root 44u IPv6 2041022 0t0 TCP *:143 (LISTEN)
systemd 1 root 56u IPv4 2041023 0t0 TCP *:993 (LISTEN)
systemd 1 root 59u IPv6 2041024 0t0 TCP *:993 (LISTEN)
sshd 1589 root 3u IPv4 14438 0t0 TCP *:22 (LISTEN)
sshd 1589 root 4u IPv6 14448 0t0 TCP *:22 (LISTEN)
mysqld 1870 mysql 22u IPv4 16248 0t0 TCP mail.MYDOMAIN.FI:330 6 (LISTEN)
apache2 1876 root 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 1876 root 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
miniserv. 2050 root 5u IPv4 16967 0t0 TCP *:10000 (LISTEN)
apache2 3762 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3762 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3763 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3763 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3766 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3766 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3767 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3767 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3771 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3771 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3842 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3842 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3843 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3843 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 4465 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 4465 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
master 20916 root 13u IPv4 2039338 0t0 TCP *:25 (LISTEN)
master 20916 root 14u IPv6 2039339 0t0 TCP *:25 (LISTEN)
master 20916 root 28u IPv4 2044183 0t0 TCP *:465 (LISTEN)
master 20916 root 111u IPv6 2044184 0t0 TCP *:465 (LISTEN)
master 20916 root 114u IPv4 2044888 0t0 TCP *:587 (LISTEN)
master 20916 root 115u IPv6 2044889 0t0 TCP *:587 (LISTEN)
dovecot 21229 root 3u IPv4 2041021 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 4u IPv6 2041022 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 5u IPv4 2041023 0t0 TCP *:993 (LISTEN)
dovecot 21229 root 6u IPv6 2041024 0t0 TCP *:993 (LISTEN)


It does list the port 25's command as "master" rather than "postfix". Not sure if that's relevant.



I've also just now noticed that there's the mysqld command listening on mail.MYDOMAIN.FI:330. Is this normal?



Output of netstat -tulpn:



Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1870/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1/init
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2050/perl
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1589/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1/init
tcp6 0 0 :::587 :::* LISTEN 20916/master
tcp6 0 0 :::143 :::* LISTEN 1/init
tcp6 0 0 :::80 :::* LISTEN 1876/apache2
tcp6 0 0 :::465 :::* LISTEN 20916/master
tcp6 0 0 :::22 :::* LISTEN 1589/sshd
tcp6 0 0 :::25 :::* LISTEN 20916/master
tcp6 0 0 :::443 :::* LISTEN 1876/apache2
tcp6 0 0 :::993 :::* LISTEN 1/init
udp 0 0 0.0.0.0:10000 0.0.0.0:* 2050/perl
udp 0 0 0.0.0.0:68 0.0.0.0:* 1195/dhclient


Domain should be properly set up. I can use online services like https://www.adminkit.net/telnet.aspx and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap to check the ports and all connect OK.



/etc/dovecot.conf



disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

ssl=required
ssl_cert = </etc/letsencrypt/live/MYDOMAIN.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYDOMAIN.fi/privkey.pem

log_path = /var/log/dovecot/dovecot.log
# Debug
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes


master.cfg:



# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
submission inet n - - - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtp inet n - y - - smtpd -v
smtps inet n - y - - smtpd -v
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache

maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient

uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  $nexthop $user


Some log output with verbose enabled:



Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 250 DSN
Oct 30 11:21:08 mail postfix/smtpd[15895]: < mail-qt1-f180.google.com[209.85.160.180]: STARTTLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 220 2.0.0 Ready to start TLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr size = 32
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 3dBahrjW0vbosyTKvktYBqwgAeKFMcaSFZXzLuCQJE8=
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = tktkey
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr keyname = [data 0 bytes]
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: dyOgaB79c3WwkEvn7j2vy4l+BbNCdTfeefaIo1tc0RCukA/4SsmzUQMfefep4DH4T15cOEPT6EcbQ8Bvs9otmDdVPIJ0zxeiQUZqefefeSiabN9hbAAAAAA==
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_create: SASL service=smtp, realm=mail.MYDOMAIN.fi
Oct 30 11:21:08 mail postfix/smtpd[15895]: name_mask: noanonymous
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_connect: Connecting
Oct 30 11:21:08 mail postfix/smtpd[15895]: warning: SASL: Connect to private/dovecot-auth failed: Connection refused
Oct 30 11:21:08 mail postfix/smtpd[15895]: fatal: no SASL authentication mechanisms




























  • The most interesting part would be the relevant entries from your mail log files.
    – Gerald Schneider
    3 hours ago










  • I have added logs from /var/log/mail.log to the original post
    – Mauri
    3 hours ago










  • I see your /etc/hosts file contents. Why? I assume you’ve set up your DNS correctly (MX and relevant A records)?
    – Tom
    3 hours ago






  • There are 40 questions about the SASL authentication mechanism error message on SF. I suggest you look at them, most probably this can be closed as a duplicate to one of them.
    – Gerald Schneider
    3 hours ago
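
An added example, not part of the original question or comments: a check that resolves each smtpd service's effective smtpd_sasl_path (main.cf value, overridden by master.cf -o options) against the Postfix queue directory and compares it with the unix_listener sockets Dovecot declares. The config excerpts are constructed from the settings quoted in the question (Dovecot braces restored); the default queue_directory /var/spool/postfix and base_dir /var/run/dovecot are assumptions, and the function names are hypothetical.

```python
import posixpath
import re

QUEUE_DIRECTORY = "/var/spool/postfix"  # assumption: Postfix default queue_directory
DOVECOT_BASE_DIR = "/var/run/dovecot"   # assumption: Dovecot default base_dir

# Constructed excerpts that mirror the settings quoted in the question.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
"""
MASTER_CF = """\
submission inet n - - - - smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtp inet n - y - - smtpd -v
smtps inet n - y - - smtpd -v
pickup unix n - y 60 1 pickup
"""
DOVECOT_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""


def logical_lines(text):
    """Drop comments and join Postfix continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_main_cf(text):
    """Return main.cf parameters as a dict of name -> raw value."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {-o overrides}} for every inet service running smtpd."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        args, overrides = fields[8:], {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                name, _, value = args[i + 1].partition("=")
                overrides[name] = value
        services[fields[0]] = overrides
    return services


def dovecot_unix_listeners(text):
    """Return absolute paths of all unix_listener sockets in a Dovecot config."""
    found = re.findall(r"^\s*unix_listener\s+(\S+)\s*\{", text, re.M)
    return {posixpath.normpath(posixpath.join(DOVECOT_BASE_DIR, p)) for p in found}


def check_sasl_sockets(main_cf, master_cf, dovecot_conf):
    """For each smtpd service using Dovecot SASL, report whether its socket exists in Dovecot's config."""
    defaults = parse_main_cf(main_cf)
    listeners = dovecot_unix_listeners(dovecot_conf)
    findings = []
    for service, overrides in parse_master_cf(master_cf).items():
        effective = {**defaults, **overrides}
        if effective.get("smtpd_sasl_auth_enable") != "yes":
            continue
        if effective.get("smtpd_sasl_type") != "dovecot":
            continue
        rel = effective.get("smtpd_sasl_path", "smtpd")
        # smtpd_sasl_path is resolved relative to the Postfix queue directory.
        sock = posixpath.normpath(posixpath.join(QUEUE_DIRECTORY, rel))
        findings.append({"service": service, "smtpd_sasl_path": rel,
                         "socket": sock, "dovecot_listens": sock in listeners})
    return findings


if __name__ == "__main__":
    for f in check_sasl_sockets(MAIN_CF, MASTER_CF, DOVECOT_CONF):
        status = "ok" if f["dovecot_listens"] else "NO DOVECOT LISTENER"
        print(f"{f['service']:<12} {f['socket']:<45} {status}")
```

On the constructed input, the submission service resolves to the socket Dovecot declares, while smtp and smtps resolve to private/dovecot-auth, the path named in the "Connect to private/dovecot-auth failed" warning in the posted log.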














up vote
1
down vote

favorite












I'm trying to set up a mail server on Ubuntu 16.04.5 LTS with Postfix and Dovecot.



I can send out email without any problem and mail sent from localhost also finds its way into the inbox. However, email sent from outside (say, Gmail) is not showing up.



There are a lot of similar questions on serverfault and other sites, however I'm still unable to make it work.



My main.cf:



smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/MYDOMAIN.FI/fullchain.pem
smtpd_tls_key_file =/etc/letsencrypt/live/MYDOMAIN.FI/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.MYDOMAIN.FI
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.MYDOMAIN.FI, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "$EXTENSION"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom


As you can see I use an SSL certificate from letsencrypt.



I have replaced my actual domain with MYDOMAIN.FI in case there are some horrible holes I've left in my config by mistake.



Ouput of sudo lsof -iTCP -sTCP:LISTEN -P:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 29u IPv4 2041021 0t0 TCP *:143 (LISTEN)
systemd 1 root 44u IPv6 2041022 0t0 TCP *:143 (LISTEN)
systemd 1 root 56u IPv4 2041023 0t0 TCP *:993 (LISTEN)
systemd 1 root 59u IPv6 2041024 0t0 TCP *:993 (LISTEN)
sshd 1589 root 3u IPv4 14438 0t0 TCP *:22 (LISTEN)
sshd 1589 root 4u IPv6 14448 0t0 TCP *:22 (LISTEN)
mysqld 1870 mysql 22u IPv4 16248 0t0 TCP mail.MYDOMAIN.FI:330 6 (LISTEN)
apache2 1876 root 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 1876 root 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
miniserv. 2050 root 5u IPv4 16967 0t0 TCP *:10000 (LISTEN)
apache2 3762 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3762 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3763 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3763 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3766 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3766 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3767 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3767 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3771 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3771 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3842 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3842 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3843 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3843 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 4465 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 4465 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
master 20916 root 13u IPv4 2039338 0t0 TCP *:25 (LISTEN)
master 20916 root 14u IPv6 2039339 0t0 TCP *:25 (LISTEN)
master 20916 root 28u IPv4 2044183 0t0 TCP *:465 (LISTEN)
master 20916 root 111u IPv6 2044184 0t0 TCP *:465 (LISTEN)
master 20916 root 114u IPv4 2044888 0t0 TCP *:587 (LISTEN)
master 20916 root 115u IPv6 2044889 0t0 TCP *:587 (LISTEN)
dovecot 21229 root 3u IPv4 2041021 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 4u IPv6 2041022 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 5u IPv4 2041023 0t0 TCP *:993 (LISTEN)
dovecot 21229 root 6u IPv6 2041024 0t0 TCP *:993 (LISTEN)


It does list the port 25's command as "master" rather than "postfix". Not sure if that's relevant.



I've also just now noticed that there's the mysqld command listening on mail.MYDOMAIN.FI:330. Is this normal?



Output of netstat -tulpn:



Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1870/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1/init
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2050/perl
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1589/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1/init
tcp6 0 0 :::587 :::* LISTEN 20916/master
tcp6 0 0 :::143 :::* LISTEN 1/init
tcp6 0 0 :::80 :::* LISTEN 1876/apache2
tcp6 0 0 :::465 :::* LISTEN 20916/master
tcp6 0 0 :::22 :::* LISTEN 1589/sshd
tcp6 0 0 :::25 :::* LISTEN 20916/master
tcp6 0 0 :::443 :::* LISTEN 1876/apache2
tcp6 0 0 :::993 :::* LISTEN 1/init
udp 0 0 0.0.0.0:10000 0.0.0.0:* 2050/perl
udp 0 0 0.0.0.0:68 0.0.0.0:* 1195/dhclient


Domain should be properly set up. I can use online services like https://www.adminkit.net/telnet.aspx and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap to check the ports and all connect OK.



/etc/dovecot.conf



disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb
driver = passwd

passdb
args = %s
driver = pam

protocols = " imap"

service auth
unix_listener /var/spool/postfix/private/auth
group = postfix
mode = 0660
user = postfix



ssl=required
ssl_cert = </etc/letsencrypt/live/MYDOMAIN.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYDOMAIN.fi/privkey.pem

log_path = /var/log/dovecot/dovecot.log
# Debug
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes


master.cfg:



# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
submission inet n - - - - smtpd -v
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
smtp inet n - y - - smtpd -v
smtps inet n - y - - smtpd -v
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient

uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
$nexthop $user


Some log output with verbose enabled:



Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 250 DSN
Oct 30 11:21:08 mail postfix/smtpd[15895]: < mail-qt1-f180.google.com[209.85.160.180]: STARTTLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 220 2.0.0 Ready to start TLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr size = 32
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 3dBahrjW0vbosyTKvktYBqwgAeKFMcaSFZXzLuCQJE8=
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = tktkey
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr keyname = [data 0 bytes]
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: dyOgaB79c3WwkEvn7j2vy4l+BbNCdTfeefaIo1tc0RCukA/4SsmzUQMfefep4DH4T15cOEPT6EcbQ8Bvs9otmDdVPIJ0zxeiQUZqefefeSiabN9hbAAAAAA==
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_create: SASL service=smtp, realm=mail.MYDOMAIN.fi
Oct 30 11:21:08 mail postfix/smtpd[15895]: name_mask: noanonymous
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_connect: Connecting
Oct 30 11:21:08 mail postfix/smtpd[15895]: warning: SASL: Connect to private/dovecot-auth failed: Connection refused
Oct 30 11:21:08 mail postfix/smtpd[15895]: fatal: no SASL authentication mechanisms









share|improve this question









New contributor




Mauri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • The most interesting part would be the relevant entries from your mail log files.
    – Gerald Schneider
    3 hours ago










  • I have added logs from /var/log/mail.log to the original post
    – Mauri
    3 hours ago










  • I see your /etc/hosts file contents. Why? I assume you’ve serup your DNS correctly (MX and relevant A records)?
    – Tom
    3 hours ago






  • 1




    There are 40 questions about the SASL authentication mechanism error message on SF. I suggest you look at them, most probably this can be closed as a duplicate to one of them.
    – Gerald Schneider
    3 hours ago












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I'm trying to set up a mail server on Ubuntu 16.04.5 LTS with Postfix and Dovecot.



I can send out email without any problem and mail sent from localhost also finds its way into the inbox. However, email sent from outside (say, Gmail) is not showing up.



There are a lot of similar questions on serverfault and other sites, however I'm still unable to make it work.



My main.cf:



smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/MYDOMAIN.FI/fullchain.pem
smtpd_tls_key_file =/etc/letsencrypt/live/MYDOMAIN.FI/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.MYDOMAIN.FI
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.MYDOMAIN.FI, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "$EXTENSION"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom


As you can see I use an SSL certificate from letsencrypt.



I have replaced my actual domain with MYDOMAIN.FI in case there are some horrible holes I've left in my config by mistake.



Ouput of sudo lsof -iTCP -sTCP:LISTEN -P:



COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 29u IPv4 2041021 0t0 TCP *:143 (LISTEN)
systemd 1 root 44u IPv6 2041022 0t0 TCP *:143 (LISTEN)
systemd 1 root 56u IPv4 2041023 0t0 TCP *:993 (LISTEN)
systemd 1 root 59u IPv6 2041024 0t0 TCP *:993 (LISTEN)
sshd 1589 root 3u IPv4 14438 0t0 TCP *:22 (LISTEN)
sshd 1589 root 4u IPv6 14448 0t0 TCP *:22 (LISTEN)
mysqld 1870 mysql 22u IPv4 16248 0t0 TCP mail.MYDOMAIN.FI:330 6 (LISTEN)
apache2 1876 root 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 1876 root 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
miniserv. 2050 root 5u IPv4 16967 0t0 TCP *:10000 (LISTEN)
apache2 3762 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3762 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3763 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3763 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3766 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3766 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3767 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3767 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3771 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3771 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3842 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3842 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 3843 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 3843 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
apache2 4465 www-data 4u IPv6 16115 0t0 TCP *:80 (LISTEN)
apache2 4465 www-data 6u IPv6 16119 0t0 TCP *:443 (LISTEN)
master 20916 root 13u IPv4 2039338 0t0 TCP *:25 (LISTEN)
master 20916 root 14u IPv6 2039339 0t0 TCP *:25 (LISTEN)
master 20916 root 28u IPv4 2044183 0t0 TCP *:465 (LISTEN)
master 20916 root 111u IPv6 2044184 0t0 TCP *:465 (LISTEN)
master 20916 root 114u IPv4 2044888 0t0 TCP *:587 (LISTEN)
master 20916 root 115u IPv6 2044889 0t0 TCP *:587 (LISTEN)
dovecot 21229 root 3u IPv4 2041021 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 4u IPv6 2041022 0t0 TCP *:143 (LISTEN)
dovecot 21229 root 5u IPv4 2041023 0t0 TCP *:993 (LISTEN)
dovecot 21229 root 6u IPv6 2041024 0t0 TCP *:993 (LISTEN)


It does list the port 25's command as "master" rather than "postfix". Not sure if that's relevant.



I've also just now noticed that there's the mysqld command listening on mail.MYDOMAIN.FI:330. Is this normal?



Output of netstat -tulpn:



Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1870/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1/init
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2050/perl
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1589/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 20916/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1/init
tcp6 0 0 :::587 :::* LISTEN 20916/master
tcp6 0 0 :::143 :::* LISTEN 1/init
tcp6 0 0 :::80 :::* LISTEN 1876/apache2
tcp6 0 0 :::465 :::* LISTEN 20916/master
tcp6 0 0 :::22 :::* LISTEN 1589/sshd
tcp6 0 0 :::25 :::* LISTEN 20916/master
tcp6 0 0 :::443 :::* LISTEN 1876/apache2
tcp6 0 0 :::993 :::* LISTEN 1/init
udp 0 0 0.0.0.0:10000 0.0.0.0:* 2050/perl
udp 0 0 0.0.0.0:68 0.0.0.0:* 1195/dhclient


Domain should be properly set up. I can use online services like https://www.adminkit.net/telnet.aspx and https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap to check the ports and all connect OK.



/etc/dovecot.conf



disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb
driver = passwd

passdb
args = %s
driver = pam

protocols = " imap"

service auth
unix_listener /var/spool/postfix/private/auth
group = postfix
mode = 0660
user = postfix



ssl=required
ssl_cert = </etc/letsencrypt/live/MYDOMAIN.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/MYDOMAIN.fi/privkey.pem

log_path = /var/log/dovecot/dovecot.log
# Debug
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes


master.cfg:



# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
submission inet n - - - - smtpd -v
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
smtp inet n - y - - smtpd -v
smtps inet n - y - - smtpd -v
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache

maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient

uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  $nexthop $user


Some log output with verbose enabled:



Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 250 DSN
Oct 30 11:21:08 mail postfix/smtpd[15895]: < mail-qt1-f180.google.com[209.85.160.180]: STARTTLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: > mail-qt1-f180.google.com[209.85.160.180]: 220 2.0.0 Ready to start TLS
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr size = 32
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: seed
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 3dBahrjW0vbosyTKvktYBqwgAeKFMcaSFZXzLuCQJE8=
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr request = tktkey
Oct 30 11:21:08 mail postfix/smtpd[15895]: send attr keyname = [data 0 bytes]
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: status
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: 0
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: keybuf
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute value: dyOgaB79c3WwkEvn7j2vy4l+BbNCdTfeefaIo1tc0RCukA/4SsmzUQMfefep4DH4T15cOEPT6EcbQ8Bvs9otmDdVPIJ0zxeiQUZqefefeSiabN9hbAAAAAA==
Oct 30 11:21:08 mail postfix/smtpd[15895]: private/tlsmgr: wanted attribute: (list terminator)
Oct 30 11:21:08 mail postfix/smtpd[15895]: input attribute name: (end)
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_create: SASL service=smtp, realm=mail.MYDOMAIN.fi
Oct 30 11:21:08 mail postfix/smtpd[15895]: name_mask: noanonymous
Oct 30 11:21:08 mail postfix/smtpd[15895]: xsasl_dovecot_server_connect: Connecting
Oct 30 11:21:08 mail postfix/smtpd[15895]: warning: SASL: Connect to private/dovecot-auth failed: Connection refused
Oct 30 11:21:08 mail postfix/smtpd[15895]: fatal: no SASL authentication mechanisms















ubuntu postfix email-server dovecot ubuntu-16.04














edited 12 mins ago






























asked 3 hours ago









Mauri












  • The most interesting part would be the relevant entries from your mail log files.
    – Gerald Schneider
    3 hours ago










  • I have added logs from /var/log/mail.log to the original post
    – Mauri
    3 hours ago










  • I see your /etc/hosts file contents. Why? I assume you’ve set up your DNS correctly (MX and relevant A records)?
    – Tom
    3 hours ago






  • There are 40 questions about the SASL authentication mechanism error message on SF. I suggest you look at them, most probably this can be closed as a duplicate to one of them.
    – Gerald Schneider
    3 hours ago


























2 Answers

















up vote
3
down vote













You have:



smtpd_sender_restrictions = reject_unknown_sender_domain

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination


As these are missing the final permit in the end, only mynetworks and SASL authenticated are allowed to use the server. This limitation affects all mail including the messages having this server as the final destination. This gives the fatal: no SASL authentication mechanisms error.



If you wish to have different settings for SASL authenticated users, enable submission. That's another instance of SMTPd listening on TCP/587 for the outbound mail of your own users. Following the examples in Postfix and Dovecot SASL HowTo you'll configure your Postfix exactly that way (see the example in Using SASL with Postfix submission port).


























  • Thank you for the answer. I tried the example given in your link and even tried setting smtpd_recipient_restrictions = permit but to no avail.
    – Mauri
    54 mins ago






  • You should add the permit in the end of both lists (smtpd_sender_restrictions & smtpd_recipient_restrictions). Alone it would permit too much.
    – Esa Jokinen
    52 mins ago










  • My settings are now smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit and smtpd_sender_restrictions = reject_unknown_sender_domain, permit
    – Mauri
    32 mins ago


















up vote
0
down vote













1) The Mysqld listening port 3306, so you must have a database installed? Should not interfere with the mail service.



2) The /master process listening on port 25 is the Postfix Mail Transport Agent. Looks normal



3) Try testing your mail server externally using https://mxtoolbox.com/NetworkTools.aspx



Do the MX check, https://mxtoolbox.com/MXLookup.aspx (to see that Your DNS is correctly configured) and the SMTP tests https://mxtoolbox.com/diagnostic.aspx



4) The message warning: SASL: Connect to private/dovecot-auth failed: Connection refused points to a misconfigured dovecot ( /etc/dovecot/dovecot.conf ). You need to add the SSL cert here as well + a number of other settings worth checking. One hint is to add DEBUG switches.



Change the default settings to something useful in dovecot.conf




#log_path = /var/log/dovecot/dovecot.log
# Debug
#mail_debug = yes
# auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes


In /etc/postfix/master.cf, add debug/verbose logging as follows



smtp inet n - n - - smtpd -v


See also http://www.postfix.org/DEBUG_README.html



























  • For point 3: first test gives error No DMARC Record found. Second test gives me warning Reverse DNS does not match SMTP Banner. Everything else is in the green. For point 4) I have included my dovecot.conf in the original post
    – Mauri
    42 mins ago











  • So the external tests using mxtoolbox looks OK. You can disregard the DMARC and REVERSE DNS for the moment. The next step is to add smtpd -v for verbose logging in the master.cf file on the SMTP protocol, and then try to receive an email from an external provider. Logging goes to /var/log/maillog
    – Ingvar J
    21 mins ago











  • I have added the log output to the original post. I also included my master.cfg, which I noticed has a smtpd_sasl_path=private/auth in the submission part, whereas the main.cfg has smtpd_sasl_path = private/dovecot-auth. Is this relevant?
    – Mauri
    10 mins ago
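
The cross-check that the last comment above asks about, as an added example that is not part of the original thread: it resolves the effective smtpd_sasl_path of every smtpd listener in master.cf (the main.cf value plus any -o overrides) and compares it with the sockets that Dovecot's unix_listener blocks create. The config excerpts are copied from the question with Dovecot's braces restored; QUEUE_DIR, the function names and the filled-in Postfix defaults are assumptions of this example.

```python
import os
import re

QUEUE_DIR = "/var/spool/postfix"  # assumption: Postfix's usual queue_directory

# Excerpts from the question's three files (Dovecot braces restored).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
"""

MASTER_CF = """\
submission inet n - - - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtp inet n - y - - smtpd -v
smtps inet n - y - - smtpd -v
pickup unix n - y 60 1 pickup
smtp unix - - y - - smtp
"""

DOVECOT_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
"""


def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_main_cf(text):
    """Return main.cf as {parameter: value}; a later setting replaces an earlier one."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Yield (service, type, command, overrides) for each master.cf entry."""
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue
        args, overrides = fields[8:], {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and "=" in arg:
                name, _, value = arg.partition("=")
                overrides[name] = value
        yield fields[0], fields[1], fields[7], overrides


def dovecot_listeners(text):
    """Absolute unix_listener socket paths declared in dovecot.conf."""
    return {p for p in re.findall(r"unix_listener\s+(\S+)\s*\{", text)
            if p.startswith("/")}


def check_sasl_paths(main_cf, master_cf, dovecot_conf, queue_dir=QUEUE_DIR):
    """For every smtpd listener using Dovecot SASL, report whether the socket
    it will connect to is one that Dovecot is configured to create."""
    base = parse_main_cf(main_cf)
    sockets = dovecot_listeners(dovecot_conf)
    results = []
    for service, stype, command, overrides in parse_master_cf(master_cf):
        if stype != "inet" or command != "smtpd":
            continue
        eff = {**base, **overrides}  # -o overrides main.cf for this service only
        if eff.get("smtpd_sasl_auth_enable", "no") != "yes":
            continue
        if eff.get("smtpd_sasl_type", "cyrus") != "dovecot":
            continue
        path = eff.get("smtpd_sasl_path", "smtpd")
        # Relative paths are resolved against the Postfix queue directory.
        full = os.path.normpath(os.path.join(queue_dir, path))
        results.append((service, full, full in sockets))
    return results


if __name__ == "__main__":
    for service, sock, ok in check_sasl_paths(MAIN_CF, MASTER_CF, DOVECOT_CONF):
        print(f"{service:<12} {sock:<45} {'ok' if ok else 'NO LISTENER'}")
```

On the question's files, only the submission listener resolves to the socket Dovecot declares; the smtp and smtps listeners inherit private/dovecot-auth from main.cf, the path named in the log's Connection refused warning.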


















































answered 2 hours ago









Esa Jokinen


























up vote
0
down vote













1) The Mysqld listening port 3306, so you must have a database installed? should not interfere with the mail service.



2) The /master process listening on port 25 is the Postfix Mail Transport Agent. Looks normal



3)Try testing your mail server externally using https://mxtoolbox.com/NetworkTools.aspx



Do the MX check, https://mxtoolbox.com/MXLookup.aspx (to see that Your DNS is correctly configured) and the SMTP tests https://mxtoolbox.com/diagnostic.aspx



4) The message warning: SASL: Connect to private/dovecot-auth failed: Connection refused points to a misconfigured docecot ( /etc/dovecot/dovecot.conf ). You need to add the SSL cert here as well + a number of other settings worth checking. One hint is to add DEBUG switches.



Change the default settings to something usefull in dovecot.conf




#log_path = /var/log/dovecot/dovecot.log
# Debug
#mail_debug = yes
# auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes


In /etc/postfix/master.cf, add debug/verbose logging as follows



smtp inet n - n - - smtpd -v


Se also http://www.postfix.org/DEBUG_README.html







share|improve this answer




















  • For point 3: first test gives error No DMARC Record found. Second test gives me warning Reverse DNS does not match SMTP Banner Everything else is in the green. For point 4) I have included my dovecot.conf in the original post
    – Mauri
    42 mins ago











  • So the external tests using mxtoolbox looks OK. You can disregard the DMARC and REVERSE DNS for the moment. The next step is to add smtpd -v for verbose logging in the master.cf file on the SMTP protocol, and then try to receive an email from an external provider. Logging goes to /var/log/maillog
    – Ingvar J
    21 mins ago











  • I have added the log output to the original post. I also included my master.cfg, which I noticed has a smtpd_sasl_path=private/auth in the submission part, where as the main.cfg has smtpd_sasl_path = private/dovecot-auth. Is this relevant?
    – Mauri
    10 mins ago












up vote
0
down vote










up vote
0
down vote









1) The Mysqld listening port 3306, so you must have a database installed? should not interfere with the mail service.



2) The /master process listening on port 25 is the Postfix Mail Transport Agent. Looks normal



3)Try testing your mail server externally using https://mxtoolbox.com/NetworkTools.aspx



Do the MX check, https://mxtoolbox.com/MXLookup.aspx (to see that Your DNS is correctly configured) and the SMTP tests https://mxtoolbox.com/diagnostic.aspx



4) The message warning: SASL: Connect to private/dovecot-auth failed: Connection refused points to a misconfigured docecot ( /etc/dovecot/dovecot.conf ). You need to add the SSL cert here as well + a number of other settings worth checking. One hint is to add DEBUG switches.



Change the default settings to something usefull in dovecot.conf




#log_path = /var/log/dovecot/dovecot.log
# Debug
#mail_debug = yes
# auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes


In /etc/postfix/master.cf, add debug/verbose logging as follows



smtp inet n - n - - smtpd -v


Se also http://www.postfix.org/DEBUG_README.html







share|improve this answer












1) The Mysqld listening port 3306, so you must have a database installed? Should not interfere with the mail service.

2) The /master process listening on port 25 is the Postfix Mail Transport Agent. Looks normal.

3) Try testing your mail server externally using https://mxtoolbox.com/NetworkTools.aspx

Do the MX check, https://mxtoolbox.com/MXLookup.aspx (to see that your DNS is correctly configured) and the SMTP tests https://mxtoolbox.com/diagnostic.aspx

4) The message warning: SASL: Connect to private/dovecot-auth failed: Connection refused points to a misconfigured dovecot (/etc/dovecot/dovecot.conf). You need to add the SSL cert here as well + a number of other settings worth checking. One hint is to add DEBUG switches.

Change the default settings to something useful in dovecot.conf

#log_path = /var/log/dovecot/dovecot.log
# Debug
#mail_debug = yes
# auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes

In /etc/postfix/master.cf, add debug/verbose logging as follows

smtp inet n - n - - smtpd -v

See also http://www.postfix.org/DEBUG_README.html


















answered 1 hour ago









Ingvar J












  • For point 3: first test gives error No DMARC Record found. Second test gives me warning Reverse DNS does not match SMTP Banner. Everything else is in the green. For point 4) I have included my dovecot.conf in the original post.
    – Mauri
    42 mins ago











  • So the external tests using mxtoolbox look OK. You can disregard the DMARC and REVERSE DNS for the moment. The next step is to add smtpd -v for verbose logging in the master.cf file on the SMTP protocol, and then try to receive an email from an external provider. Logging goes to /var/log/maillog
    – Ingvar J
    21 mins ago











  • I have added the log output to the original post. I also included my master.cf, which I noticed has a smtpd_sasl_path=private/auth in the submission part, whereas the main.cf has smtpd_sasl_path = private/dovecot-auth. Is this relevant?
    – Mauri
    10 mins ago
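
The mismatch raised in the last comment can be checked mechanically. This is an added example, not code from the thread: it resolves the effective smtpd_sasl_path of each smtpd service and compares it with the sockets Dovecot declares. The config strings are constructed; the Dovecot unix_listener block and the queue directory /var/spool/postfix are assumptions, and only the two path values come from the thread.

```python
import re

QUEUE_DIR = "/var/spool/postfix"  # assumption: default Postfix queue_directory

# Constructed samples; only the two smtpd_sasl_path values come from the thread.
MAIN_CF = "smtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/dovecot-auth\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd -v
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
"""
DOVECOT_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
  }
}
"""

def service_sasl_paths(main_cf, master_cf):
    """Effective smtpd_sasl_path per smtpd service: main.cf value unless -o overrides it."""
    m = re.search(r"^smtpd_sasl_path\s*=\s*(\S+)", main_cf, re.M)
    default = m.group(1) if m else "smtpd"  # "smtpd" is Postfix's built-in default
    paths, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # new service entry; the 8th field is the command
            fields = line.split()
            current = fields[0] if len(fields) > 7 and fields[7] == "smtpd" else None
            if current:
                paths[current] = default
        override = re.search(r"-o\s+smtpd_sasl_path\s*=\s*(\S+)", line)
        if override and current:
            paths[current] = override.group(1)
    return paths

def check_sasl_sockets(main_cf, master_cf, dovecot_conf, queue_dir=QUEUE_DIR):
    """Return {service: (configured path, True if Dovecot declares that socket)}."""
    listeners = set(re.findall(r"unix_listener\s+(\S+)\s*\{", dovecot_conf))
    report = {}
    for service, path in service_sasl_paths(main_cf, master_cf).items():
        # Relative paths are resolved against the Postfix queue directory.
        full = path if path.startswith("/") else f"{queue_dir}/{path}"
        report[service] = (path, full in listeners)
    return report

if __name__ == "__main__":
    for svc, (path, ok) in check_sasl_sockets(MAIN_CF, MASTER_CF, DOVECOT_CONF).items():
        print(f"{svc}: {path} -> {'ok' if ok else 'no matching Dovecot unix_listener'}")
```

With these constructed inputs the port 25 service is flagged, because it inherits private/dovecot-auth from main.cf while the sample Dovecot config only creates private/auth.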















