Postfix/Dovecot: Can't send mail via Thunderbird
I've just recently bought a Linode and am teaching myself web server admin by trial and error. I'm working through learning how to install and configure the basics to run the small site I want (to begin with: LAMP, WordPress, email, log admin, backups). I'm currently up to email, and I've hit a small problem that has me stumped.
At the moment, I've got Postfix running with Dovecot using SASL authentication, as per this tutorial I found at debianadmin.com:
It's almost working. I can send mail to my accounts and read them via Thunderbird, but I can't send mail via Thunderbird. If I try (using SSL and default port 465), I instantly get an error message "The server may be unavailable or is refusing SMTP connections". If I try different ports like 25, the sending hangs when it connects to my server.
If instead I ssh into my linode and send mail via the command line mail, it works without problem. So I'm assuming there's a connection problem between my server and my computer.
My gut feeling is that this is really simple, and I've forgotten to do something like turn on a setting in the command line settings in Postfix, Dovecot or SASL. Or it's something even more obvious and I've just misconfigured Thunderbird. I've tried modifying some of the settings in Postfix's main.cf config file, but nothing seems to work.
Strangely I also can't seem to find reference to my failed attempts to send emails in the log files in /var/log. Learning the logging system was after email on my checklist so I'm pretty in the dark for what to look for here.
While a solution is needed, I'd mainly like to know where I should be looking. I'm spending this week with my Linode learning the ropes, so learning how to do basic admin is just as important as getting it working. Once I figure out how to do all the basics I'm probably going to nuke everything and build it up again a bit better anyway (plus a good test of the backups!), so I don't mind making a bit of a mess.
Thanks!
Edit: Forgot to mention: I'm using Debian as my OS.
8 Replies
It may be that your ISP is blocking some ports.
Here's the last lines from my mail.log file. I've mangled up the email addresses a bit to fox any spambots (all sent mail is from my site trazoi.com), but it should be pretty clear:
Apr 27 10:37:11 postfix/master[10547]: reload configuration /etc/postfix
Apr 27 10:37:51 postfix/master[10547]: terminating on signal 15
Apr 27 10:37:51 postfix/master[10708]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:42:19 postfix/master[10708]: terminating on signal 15
Apr 27 10:42:20 postfix/master[10859]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:53:36 postfix/pickup[10865]: 0DBA9C120: uid=1000 from=<test>
Apr 27 10:53:36 postfix/cleanup[10900]: 0DBA9C120: message-id=<20090427105336.0DBA9C120-at-example.com>
Apr 27 10:53:36 postfix/qmgr[10864]: 0DBA9C120: from=<test-at-example.com>, size=353, nrcpt=1 (queue active)
Apr 27 10:53:36 postfix/smtp[10903]: 0DBA9C120: to=<david-at-gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.221.82]:25, delay=0.51, delays=0.01/0.01/0.12/0.37, dsn=2.0.0, status=sent (250 2.0.0 OK 1240829616 14si5293947qyk.37)
Apr 27 10:53:36 postfix/qmgr[10864]: 0DBA9C120: removed
Apr 27 10:56:44 postfix/master[10859]: terminating on signal 15
Apr 27 10:56:44 postfix/master[10989]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:57:29 postfix/master[10989]: terminating on signal 15
Apr 27 10:57:29 postfix/master[11071]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 11:00:38 postfix/master[11071]: terminating on signal 15
Apr 27 11:00:39 postfix/master[11155]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 11:09:02 postfix/master[11155]: terminating on signal 15
Apr 27 11:09:02 postfix/master[11294]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 13:59:01 postfix/master[11294]: terminating on signal 15
Apr 27 13:59:02 postfix/master[11576]: daemon started -- version 2.5.5, configuration /etc/postfix
I think the one email sent was via (the command line) mail in an ssh session. All the daemon restarting lines were from me making changes and resetting the email system. There would have been a lot of Thunderbird message attempts in that time, but I don't see them in the logs.
My Postfix main.cf currently looks like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = trazoi.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost, localhost.localdomain, localhost
relayhost =
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# SASL SUPPORT FOR CLIENTS
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# some settings to make life easier
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, reject_unknown_sender_domain
#getting rid of slow hosts
transport_maps = hash:/etc/postfix/transport
deadbeats_destination_concurrency_limit = 50
The stuff at the end are various commands I've seen on guides that I've meshed together.
I haven't touched the defaults in master.cf save for adding a "deadbeats" line from one set of tips I found.
The dovecot config file is large, and I'm not sure if that's the issue. The main change was the one that's in the tutorial I linked to, which I've typed in verbatim:
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Are there any other files that might help?
Edit: Oh, and if there any other glaring problems with those config files, I'd be grateful if you pointed them out. Understanding how to configure the email system nicely is turning out to be a lot harder than Apache.
If you want to use SSL on port 465 instead, you need to add an entry to master.cf for the smtps service type. On my system (Gentoo) it is already there but commented out.
@Stever:
It looks to me like you have not set up postfix to listen on anything other than port 25.
You can check what TCP ports that daemons are listening on with the command netstat -nvlpt. You'll see something similar to the following:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2351/master
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2488/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      2153/sshd
If you don't see something ending in :465 under "Local Address," you don't have anything listening on that port. (Also, perhaps Thunderbird is trying to use port 587 for mail submission?)
It turns out I was looking at the wrong port, but I didn't have another port activated. With a bit of reconfiguring I've got it working with the same connection as GMail (port 587, TLS).
The steps were something like this:
* Add in the lines smtpd_tls_security_level=may and smtpd_tls_auth_only=yes into the Postfix main.cf file, to help with encryption.
* REMOVE the line I had earlier: "reject_rbl_client relays.ordb.org". Unfortunately my source for that was several years out of date. ordb.org has died and that line will block everything.
* In master.cf, uncomment the line for submission. This will activate port 587. I also uncommented the lines for the flags that looked like they were useful. I haven't yet uncommented the flag for smtpd_tls_security_level=encrypt but I'm unsure - sources suggest that's bad for receiving email as it blocks anyone with an incompatible client, but I'm not sure about receiving email.
* Optional: make a new SSL certificate for your mail subdomain. I don't think this is necessary, but apparently if your certificate is for example.com but your mail is at mail.example.com then email clients will complain at every opportunity, even if they've accepted the certificate.
Well, now it works. I still don't know for sure how secure the system is, and I've also got to figure out how to archive the mail nicely, but it works.
To check that nothing funny is happening with the mail, I should regularly check mail.log and the other similarly named log files, right?
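As an added example (not part of the thread), here is one way to do that regular check: a small scan of mail.log for failed SASL logins, refused relay attempts, and successful authenticated logins. The sample lines, addresses, the `scan` helper, and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the syslog format Postfix smtpd writes to mail.log.
# All addresses are documentation ranges; none come from the thread.
SAMPLE_LOG = """\
Apr 27 14:02:11 mail postfix/smtpd[12001]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 27 14:02:13 mail postfix/smtpd[12001]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 27 14:02:15 mail postfix/smtpd[12001]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Apr 27 14:03:30 mail postfix/smtpd[12004]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 27 14:05:40 mail postfix/smtpd[12010]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<a@example.org> to=<someone@example.net> proto=ESMTP helo=<example.org>
Apr 27 14:07:02 mail postfix/smtpd[12015]: 3F2A1C130: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=test
"""

# (?:\S+/)? also matches a per-service syslog_name such as postfix/submission/smtpd.
SMTPD = r"postfix/(?:\S+/)?smtpd\[\d+\]: "
AUTH_FAIL = re.compile(SMTPD + r"warning: \S*\[([^\]]+)\]: SASL \S+ authentication failed")
RELAY_DENIED = re.compile(SMTPD + r"NOQUEUE: reject: RCPT from \S*\[([^\]]+)\]: .*Relay access denied")
AUTH_OK = re.compile(SMTPD + r"\w+: client=\S*\[([^\]]+)\], sasl_method=\S+, sasl_username=(\S+)")

def scan(log_text, fail_threshold=3):
    """Summarise authentication and relay events found in mail.log text."""
    fails, relays, logins = Counter(), Counter(), {}
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            fails[m.group(1)] += 1
        elif m := RELAY_DENIED.search(line):
            relays[m.group(1)] += 1
        elif m := AUTH_OK.search(line):
            # Record which addresses each account has logged in from.
            logins.setdefault(m.group(2), set()).add(m.group(1))
    return {
        # Clients with repeated failed logins (password guessing).
        "brute_force": {ip: n for ip, n in fails.items() if n >= fail_threshold},
        # Clients that tried to relay through the server without authenticating.
        "relay_probes": dict(relays),
        "logins": logins,
    }

if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(key, value)
```

On a live system, pass the contents of /var/log/mail.log to `scan` instead of the sample text.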
@trazoi:
In master.cf, uncomment the line for submission. This will activate port 587. I also uncommented the lines for the flags that looked like they were useful. I haven't yet uncommented the flag for smtpd_tls_security_level=encrypt but I'm unsure - sources suggest that's bad for receiving email as it blocks anyone with an incompatible client, but I'm not sure about receiving email.
The "-o smtpd_tls_security_level=encrypt" line sets it to only allow encrypted sessions on the submission port (587). This only applies to email you are originating - it has no effect on your receiving of email which should always be on port 25.
As far as leaving it commented out, sending passwords in-the-clear is just a bad idea. IMHO, anyone with an incompatible client shouldn't be allowed to send email in this day and age.
@Stever:
@trazoi:
In master.cf, uncomment the line for submission. This will activate port 587. I also uncommented the lines for the flags that looked like they were useful. I haven't yet uncommented the flag for smtpd_tls_security_level=encrypt but I'm unsure - sources suggest that's bad for receiving email as it blocks anyone with an incompatible client, but I'm not sure about receiving email.
The "-o smtpd_tls_security_level=encrypt" line sets it to only allow encrypted sessions on the submission port (587). This only applies to email you are originating - it has no effect on your receiving of email which should always be on port 25.
As far as leaving it commented out, sending passwords in-the-clear is just a bad idea. IMHO, anyone with an incompatible client shouldn't be allowed to send email in this day and age.
Thanks for the clarification. I thought it was just on the submission port, but given the warnings I read in the manual about setting that flag to encrypt in main.cf I was hesitant to set it in master.cf.
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Use port 465 for SSL with Outlook or Thunderbird.
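As an added example (not part of the thread or of Postfix itself), the script below reads master.cf, lists the enabled smtpd listeners, and flags a submission or smtps entry that does not itself enforce TLS or reject unauthenticated clients. The sample file and the `logical_lines`, `smtpd_listeners`, and `audit` helpers are constructed; settings made globally in main.cf (such as smtpd_tls_auth_only=yes) are not read.

```python
# Constructed sample: submission is enabled but its TLS override is still commented out.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       -       60      1       pickup
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def smtpd_listeners(text):
    """Return {service: {override: value}} for inet services that run smtpd."""
    out = {}
    for line in logical_lines(text):
        f = line.split()
        if len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd":
            args = f[8:]
            out[f[0]] = dict(v.split("=", 1) for k, v in zip(args, args[1:])
                             if k == "-o" and "=" in v)
    return out

def audit(text):
    findings = []
    for name, o in smtpd_listeners(text).items():
        if name == "smtp":
            continue  # port 25 must stay open to other mail servers
        if o.get("smtpd_tls_wrappermode") != "yes" and o.get("smtpd_tls_security_level") != "encrypt":
            findings.append((name, "TLS not enforced by this entry"))
        if "permit_sasl_authenticated,reject" not in o.get("smtpd_client_restrictions", ""):
            findings.append((name, "unauthenticated clients not rejected"))
    return findings
```

A service missing from the `smtpd_listeners` result has no listener at all, which is the situation the netstat output earlier in the thread showed for ports 465 and 587.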