Can't receive email with citadel

Hi,

i have installed citadel using the Linode guide in a subdomain (posta.mydomain.com), and set the MX records as follows:

posta.mydomain.com    10      Default
smtp.secureserver.net    20      Default
mailstore1.secureserver.net    30      Default
mydomain.com    0   posta   Default

so i have add posta.mydomain.com and mydomain.com with the subdomain posta.mydomain.com, instead smtp.secureserver.net and mailstore1.secureserver.net was already there as default (i have the domain with GoDaddy).

In the citadel settings I have insert this:

Fully qualified domain name: mydomain.com
Local host aliases and Directory domains:  mydomain.com and posta.mydomain.com

I have created a new user on Citadel, [email protected] and I can send email, but i can't receive it, and the error that Google give me when i'm trying to send an email from my personal google account in response to [email protected]:

Delivery to the following recipient failed permanently:

    [email protected]

Technical details of permanent failure: 
Google tried to deliver your message, but it was rejected by the server for the recipient domain mydomain.com by smtp.secureserver.net. [68.178.213.37].

The error that the other server returned was:
550 5.1.1 <[email protected]>Recipient not found.</[email protected]> 

what can i do to fix the problem, i have maybe misconfigured citadel or mx record?

16 Replies

What's your real domain we can't check the MX records without it.

sorry it's whaletrue.com

% telnet posta.whaletrue.com 25

Trying 109.74.198.44…

And it hangs there.

So it looks like you haven't opened any firewall rule to allow incoming port 25. Eventually the sending server will time out and move onto the next server, which is the secureserver.net machine, which is rejecting mail.

So you need to allow incoming port 25 mail. You should probably also remove the secureserver stuff if they're not accepting mail for you.

OK your MX records for whaletrue.com look like this

whaletrue.com.        600 IN  MX  20 smtp.secureserver.net.
whaletrue.com.        600 IN  MX  30 mailstore1.secureserver.net.
whaletrue.com.        600 IN  MX  10 posta.whaletrue.com.

Now from what you said your server is posta.whaletrue.com so you don't need the first two.

posta.whaletrue.com points to 109.74.198.44 which is a Linode IP however I can't connect to port 25 on that IP so either it's firewalled off, the smtp server isn't running or it's the wrong IP.

If 109.74.198.44 is the correct IP ensure that a smtp server is running and check your firewall.

You can check what's listening using sudo netstat -lpnt and you can check the firewall using sudo iptables -L -n -v

@sweh:

% telnet posta.whaletrue.com 25

Trying 109.74.198.44…

And it hangs there.

So it looks like you haven't opened any firewall rule to allow incoming port 25. Eventually the sending server will time out and move onto the next server, which is the secureserver.net machine, which is rejecting mail.

So you need to allow incoming port 25 mail. You should probably also remove the secureserver stuff if they're not accepting mail for you.

Thanks for your answer, to open the port 25 i have do this:

sudo nano /etc/iptables.firewall.rules

i have add this rule:

# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT 

# Allows pop and pops connections 
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Allows imap and imaps connections 
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

i have apply the new rules using the following command:

sudo iptables-restore < /etc/iptables.firewall.rules

then this command sudo iptables -L give me this:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps

then i have do this:

iptables-save > /etc/iptables.firewall.rules

so i can't understand why is not reachable, i don't know if it's useful but i have checked this file:

sudo tail /var/log/mail.err

and this is the log:

Mar 30 19:00:54 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(32 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(137 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: IMAPCC[32] client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: POP3 client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(47 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: client_read_blob() failed: Connection reset by peer
Mar 30 19:01:16 whaletrue citserver[8883]: XMPP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: managesieve: client disconnected: ending session.
Mar 30 19:01:55 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:02:56 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:03:57 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:04:58 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(32 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(137 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: IMAPCC[39] client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: POP3 client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: managesieve: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(47 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: client_read_blob() failed: Connection reset by peer
Mar 30 19:05:18 whaletrue citserver[8883]: XMPP: client disconnected: ending session.
Mar 30 19:05:59 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:07:00 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:08:01 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:09:02 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:10:43 whaletrue citserver[2008]: Failed to adjust ownership of: /etc/citadel/netconfigs/7 [No such file or directory]
Mar 30 19:10:43 whaletrue citserver[2008]: Failed to adjust ownership of: /etc/citadel/netconfigs/7 [No such file or directory]
Mar 30 19:10:44 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:11:45 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:12:46 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:13:47 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:14:48 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:15:49 whaletrue citserver[2008]: No external notifiers configured on system/user

@Whale:

then this command sudo iptables -L give me this:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps


That is not the complete output of the command. Other stuff is missing. I still can not access that SMTP port on 109.74.198.44 (nor any of the other ports). Your firewall config is not correct. But because you're not showing the complete output we can not diagnose the problem.

thanks for all your answers, before i hadn't mention that i have two server with one domain, the first server has my website in which i have whaletrue.com domain and reverse DNS, inside the second server (109.74.198.44) i have installed citadel connected with posta.whaletrue.com, so in my DNS Manager i have created an A record that point posta.whaletrue.com to 109.74.198.44, i don't think that this is the problem but I still wanted to write it for clarity.

Now if i use the command sudo netstat -lpnt on 109.74.198.44 this is the complete result:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1797/sshd       
tcp        0      0 0.0.0.0:504             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2024/webcit     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      1890/amavisd-new (m
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1854/mysqld     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2582/citserver  
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      1906/spamd.pid  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2020/webcit     
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2582/citserver  
tcp6       0      0 :::22                   :::*                    LISTEN      1797/sshd       
tcp6       0      0 ::1:783                 :::*                    LISTEN      1906/spamd.pid  

and the command sudo iptables -L -n -v give me this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7142  756K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 6220  679K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 1495  108K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
 8745  972K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   97  5260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  127  7480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
  284 16316 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   188 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  777 52587 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
  839 56275 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
11146 2578K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (2 references)
 pkts bytes target     prot opt in     out     source               destination         
12412 1354K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

i hope this help to solve my problem, thanks.

This line

839 56275 DROP all – * * 0.0.0.0/0 0.0.0.0/0

It's there before the "allow SMTP, allow POP3" rules and so it's blocking all the traffic to those ports.

Order of rules is important in iptables. Make sure your "allow" rules are before this "drop" rule.

You save my day! Thank you soo much, i have a couple more question:

1) If my mail server where i have installed citadel i down, what happen at the messages?

2) Releated to the question above, if the messages are lost, there is a way to recover it, or to avoid this problem (i don't know maybe install citadel also on my first server)

With your original configuration of 2nd an 3rd MX, when people can't reach your first server then the sender will try the second. That would reject your message and so the person who sent the mail would get an error. So make sure your MX records are accurate and remove the bad ones.

If you only have 1 server and your server is down then the sender will normally queue the message and retry over a period of time. Eventually the sender will give up and send an error back to the person who sent the mail. What that timeout is depends on the sending server; it's typically over a day but really busy servers could bring that value down to hours.

Ok, thank you i will remove them soon, if i need a backup mail server (to avoid the problem of the timeout, if the server goes down for more than one day) there is a way to send this email to the backup mail server (that will be my first server with waletrue.com domain) and retrieve them when main mail server return on?

You have a second server with a really long queue time. So if the primary goes away it will all queue up on the second server. THen when the primary comes back the secondary will forward on the mail in its queue.

@sweh:

You have a second server with a really long queue time. So if the primary goes away it will all queue up on the second server. THen when the primary comes back the secondary will forward on the mail in its queue.

Thanks for the answer, i haven't installed any backup mail server yet on whaletrue.com, if i install it, how i can set a long queue time and the forward to the new server?

You know maybe a tutorial?

Thanks

I have no idea how you would do this with Citadel. I don't use it.

You probably want to analyze your email server needs. Most of the small shops I'm familiar with, only run a single server. First off, down time is usually rare and limited to a day (or less) when it happens (assuming you have a good install/config documentation, backups, and a recovery plan). Second, most email servers try for a day or three before bouncing the email, and most when they finally bounce will send a message back to the sender. Third, people are familiar with how email works, so a bounced mail just means they send it again, and a missing email is relatively common (lost in transmission, caught by some filter, etc) that if it's important they'll try another means of communicating. All that adds up such that a second backup email server is usually a waste of equipment/sysadmin time/money.

A good example is several of my associates turn their lab email servers OFF over the weekends. Some data (although I'm not yet convinced) seems to point to way less spam, because the spammers think it's a bad address (they don't resend ever).

So determine the value of the email your server (and users) deal with - then figure out if that's worth a second server (and remember that if you decide to run a second email server, it needs to be in a completely different data center then the first).

@vonskippy:

You probably want to analyze your email server needs. Most of the small shops I'm familiar with, only run a single server. First off, down time is usually rare and limited to a day (or less) when it happens (assuming you have a good install/config documentation, backups, and a recovery plan). Second, most email servers try for a day or three before bouncing the email, and most when they finally bounce will send a message back to the sender. Third, people are familiar with how email works, so a bounced mail just means they send it again, and a missing email is relatively common (lost in transmission, caught by some filter, etc) that if it's important they'll try another means of communicating. All that adds up such that a second backup email server is usually a waste of equipment/sysadmin time/money.

A good example is several of my associates turn their lab email servers OFF over the weekends. Some data (although I'm not yet convinced) seems to point to way less spam, because the spammers think it's a bad address (they don't resend ever).

So determine the value of the email your server (and users) deal with - then figure out if that's worth a second server (and remember that if you decide to run a second email server, it needs to be in a completely different data center then the first).

Thanks to all for all your answer

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct