This is the second part of a five part tutorial that will show you how to install a full featured email server on your Raspberry Pi. This tutorial covers Dovecot, which provides SASL authentication and IMAP capabilities.
The parts are:
The Introduction & Contents Page (read first)
Raspberry Pi Email Server Part 1: Postfix
Raspberry Pi Email Server Part 2: Dovecot
Raspberry Pi Email Server Part 3: Squirrelmail
Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin
Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve
Fixing the errors that appeared during dovecot installation
In part 1, when you installed Dovecot I mentioned that you might see some errors like this:
Creating config file /etc/dovecot/conf.d/20-imap.conf with new version [....] Restarting IMAP/POP3 mail server: dovecotError: socket() failed: Address family not supported by protocol Error: service(imap-login): listen(::, 143) failed: Address family not supported by protocol Error: socket() failed: Address family not supported by protocol Error: service(imap-login): listen(::, 993) failed: Address family not supported by protocol Fatal: Failed to start listeners failed! invoke-rc.d: initscript dovecot, action "restart" failed. dpkg: error processing dovecot-imapd (--configure): subprocess installed post-installation script returned error exit status 1 Setting up dovecot-ldap (1:2.1.7-7) ...
These errors are caused by the lack of IPv6 support, which I mentioned in the previous tutorial. To remove the errors, open the main dovecot configuration file (/etc/dovecot/dovecot.conf
) and find this line:
listen = *, ::
And change it to:
listen = *
The *
means “all IPv4 addresses”, the ::
means “all IPv6 addresses”. Now restart Dovecot, and you shouldn’t get any errors:
sudo service dovecot restart
Note: since I wrote this tutorial, there have been a few small changes to the default configuration file - you may find that the line is commented (with a # at the start of the line). If so, remember to uncomment it when you make your changes!
Tell Dovecot where your Mailbox is
Open /etc/dovecot/conf.d/10-mail.conf
and find this line:
mail_location = mbox:~/mail:INBOX=/var/mail/%u
Change it to this:
mail_location = maildir:~/Maildir
Instruct Postfix to use Dovecot SASL
Now we need to tell Postfix that we would like to use Dovecot for SASL authentication. Open /etc/postfix/main.cf
and add these lines:
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes
Now tell Dovecot to listen for SASL authentication requests from Postfix. Open /etc/dovecot/conf.d/10-master.conf
and comment out the current block that begins with service auth
(place a #
at the start of each line). Replace it with this:
service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }
Now you want to enable plain text logins. Do it by adding these two lines to /etc/dovecot/conf.d/10-auth.conf
. Make sure they are not already present in the file, or your settings may be overwritten with the default ones if the default is declared later in the file than the lines you add. If the parameters are already present, you can either modify the existing lines or comment them out and add these new ones:
disable_plaintext_auth = no auth_mechanisms = plain login
Note that although the logins are in plain text, we will be setting Postfix up later so that it only allows you to use plaintext logins from within SSL/TLS. This means that your login and password will sent in an encrypted session - you wouldn't see them in plain text if you used a packet sniffer, for example. For now, we’re allowing unencrypted plain text logins so that we can test logging in with Telnet. Since the connection is local (from the Pi to the Pi), your password isn’t being sent over any insecure networks so this is fine.
Testing SASL
Creating a new user for testing purposes is a good idea. Let’s call this temporary user testmail
and give it the password test1234
Use this command to add the user, and follow the prompts including setting a password.
sudo adduser testmail
Now restart Postfix and Dovecot:
sudo service postfix restart sudo service dovecot restart
We’re now going to try and send an email after authenticating with SASL. The server is expecting to see a base64 encoded version of your username and password, so we have to convert it first. There are three ways of doing this, so I've given examples below using the testmail
username and test1234
password:
#Method No.1 echo -ne '\000testmail\000test1234' | openssl base64 #Method No.2 perl -MMIME::Base64 -e 'print encode_base64("\0testmail\0test1234");' #Method No.3 printf '\0%s\0%s' 'testmail' 'test1234' | openssl base64
I have discovered that if your password starts with a number, methods 1 and 2 don’t work. Assuming the username and password are testmail
and test1234
, the commands produce this:
AHRlc3RtYWlsAHRlc3QxMjM0
WARNING: If you’re having problems with authentication and you paste examples to forums or mailing lists, be aware that it is really easy to convert this back into your username and password (hence the creation of a test user). If you're using your real username and password to test, redact it before posting! Now, still logged into the Pi via SSH, you can telnet port 25 to test whether or not SASL is working. There’s only one extra step, which is the AUTH PLAIN
command that comes after ehlo
but before mail from
. For testing, the permit_mynetworks
parameter should be commented out under your postfix smtpd_recipient_restrictions
block in /etc/postfix/main.cf
. If you’re following on from Raspberry Pi Email Server Part 1: Postfix then this should already be the case. If you have to change it, remember to reload postfix (sudo service postfix reload
) after you change the value. Here’s an example:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 samhobbs ESMTP Postfix (Debian/GNU) ehlo facebook.com 250-samhobbs 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN AUTH PLAIN AHRlc3RtYWlsAHRlc3QxMjM0 235 2.7.0 Authentication successful mail from:testmail 250 2.1.0 Ok rcpt to:me@externalemail.com 250 2.1.5 Ok data 354 End data with. Subject: This is my first email that has been authenticated with Dovecot SASL Woop woop . 250 2.0.0 Ok: queued as B87133F768 quit 221 2.0.0 Bye Connection closed by foreign host.
Now try again but enter the username/password incorrectly (base64 encode something random) – you should get an error message and the email won’t send. If everything went to plan, then SASL is working properly! You can now uncomment permit_mynetworks
again.
Separating Incoming email (unauthenticated) from Outgoing Email (SASL authenticated)
It’s probably a good idea to have a dedicated port for sending outgoing email…here’s why: Port 25 doesn’t require (but does offer) SSL/TLS encryption. If you mess up configuring your mail client you could end up letting it authenticate with SASL over insecure connections. Using a different port that only accepts SSL/TLS connections removes the risk that a poorly configured email client could be sending your password unencrypted over dodgy networks. There are two ports you can use for this:
- 465: SMTP over SSL
- 587: Email submission
587 is the “official” port for email clients (like K9 mail, Thunderbird and Outlook) to use when submitting messages to the Mail Submission Agent (your email server) – the submission may be encrypted or unencrypted depending on the server configuration. 465 was a port that was assigned for SMTP with SSL/TLS before the STARTTLS protocol was introduced, back in the days when you chose your port and that decided on the type of connection you were going to get (encrypted or unencrypted). STARTTLS
changed things because it allows you to connect with an unencrypted connection (like the one you get with Telnet), and then upgrade to an encrypted connection without changing port… so when STARTTLS was introduced, SMTPS on port 465 was removed from the standard because you could do the same thing with a single port (25). However, I think there is some value in specifying a port for submission that only accepts SSL/TLS encrypted connections, and won’t work if the connection isn’t encrypted. This means that if you misconfigure your email client it just won’t work, instead of working and sending your password in an unencrypted format. So, anyway… Here’s how to set up Postfix to listen on port 465 for encrypted connections. The first step is telling Postfix to listen on port 465, so open /etc/postfix/master.cf
and uncomment the line:
smtps inet n - - - - smtpd
Now restart Postfix:
sudo service postfix restart
Test whether Postfix is listening on port 465:
telnet localhost 465 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 samhobbs.co.uk ESMTP Postfix (Debian/GNU) ehlo samhobbs.co.uk 250-samhobbs 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN quit 221 2.0.0 Bye Connection closed by foreign host.
OK, so now it’s listening on the right port, but it’s allowing unencrypted connections. Here’s how you force TLS on port 465: open /etc/postfix/master.cf
and find the line you uncommented earlier. Below it are some options, you want to edit them so that they look like this (i.e. uncomment lines 2 and 3):
smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes
Line 3 is forcing TLS on port 465, and line 2 means that connections to port 465 have a different label in the logs, which can be useful for debugging.
sudo service postfix restart
Now try connecting with Telnet again… you should be able to establish a connection, but not receive any prompts from the server:
telnet localhost 465 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. exit exit Connection closed by foreign host.
Now try openssl:
openssl s_client -connect localhost:465 -quiet depth=0 CN = samhobbs verify error:num=18:self signed certificate verify return:1 depth=0 CN = samhobbs verify return:1 220 samhobbs.co.uk ESMTP Postfix (Debian/GNU) quit 221 2.0.0 Bye
Good: we are able to start a TLS encrypted connection. We got some errors because the certificate is self-signed (it's not signed by a certificate that is in the trusted root store on the server) but this is OK because we're just using the certificate for testing for now. When you come back later to set up a proper certificate, you can use this command to verify it. The -CApath
option tells openssl where the trusted certificates are stored on your system:
openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs
Successful validation looks something like this:
sam@samhobbs:~$ openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = samhobbs.co.uk verify return:1 220 samhobbs.co.uk ESMTP Postfix (Ubuntu) quit 221 2.0.0 Bye
There are a couple more changes we want to make here: first, tell Postfix to only advertise SASL authentication over encrypted connections (so that you don’t accidentally send your password in the clear). Open /etc/postfix/main.cf
and add this line:
smtpd_tls_auth_only = yes
sudo service postfix reload
Now connect to port 25 and you shouldn’t see AUTH advertised:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 samhobbs.co.uk ESMTP Postfix (Debian/GNU) ehlo samhobbs.co.uk 250-samhobbs.co.uk 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Lastly, we want to override the smtp_recipient_restrictions
for port 465 so that it doesn't accept incoming messages from unauthenticated users. At first, I didn't make this change and I noticed that some spam emails were coming in on port 465 and bypassing my spam filter, which I configured to scan all incoming email on port 25, but not 465 because I only expected it to be used for outgoing email. We can do this by overriding the smtp_recipient_restrictions
list for port 465 in /etc/postfix/master.cf
. Open master.cf and find the smtps line. Add a new recipient restrictions list option like this:
smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
Now reload postfix:
sudo service postfix reload
Perfect! Postfix configuration is now complete.
Testing IMAP
There are two main protocols for fetching mail: POP and IMAP. The main difference between them is what they do with emails when they collect them: a POP client will fetch email from your server and remove it from the server when it’s done. This is inconvenient if you want to connect with two or more devices (like a phone and a computer) and have complete copies of all your emails on both. IMAP, on the other hand, makes a copy of the emails on the server and leaves the originals there. For this reason, I think IMAP is much more useful than POP and I didn’t even bother to set up POP on my server. We can now test the IMAP server with Telnet in a similar way to SMTP & SASL testing earlier. This time, we’ll be using port 143, the standard port for IMAP. The stages are:
- establish a connection with
telnet localhost 143
- log in with
a login "USERNAME" "PASSWORD"
" (not base64 encoded this time) - select inbox to see messages inside
b select inbox
- logout with
c logout
In case you're wondering, the "a b c" thing is done because a client can send multiple commands to the server at once, and they might not come back in the same order depending on what they are. So, the responses have the same letter as the commands they are responding to so that the client doesn't get muddled. Here’s an example, using the testmail
user we created earlier:
telnet localhost 143 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready. a login "testmail" "test1234" a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in b select inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 1 EXISTS * 0 RECENT * OK [UNSEEN 1] First unseen. * OK [UIDVALIDITY 1385217480] UIDs valid * OK [UIDNEXT 2] Predicted next UID * OK [NOMODSEQ] No permanent modsequences b OK [READ-WRITE] Select completed. c logout * BYE Logging out c OK Logout completed. Connection closed by foreign host.
Adding TLS support
Now that we know IMAP is working, we need to enable IMAPS (imap with SSL/TLS). The standard port for this is 993. Many other tutorials that were written for older versions of dovecot will tell you to do this in different ways that won’t work, I tried 3 different methods before I ended up with a working one. First, edit /etc/dovecot/conf.d/10-master.conf
, find the “service imap-login” block and uncomment the port and SSL lines so that it looks like this:
service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } }
Edit 14/10/2015: the default dovecot configuration files changed recently after Jessie became the new stable distribution of Debian, which caused some users problems; TLS on port 993 used to be enabled by default but now it isn't. We need to re-enable it. In /etc/dovecot/conf.d/10-ssl.conf
, find ssl = no
and change it to:
ssl = yes
There have been some security vulnerabilities discovered in older versions of the SSL protocol in recent times. SSLv2 is disabled by default, but it doesn't harm to explicitly disable it again. SSLv3 is vulnerable to an attack called POODLE, so we will disable it too. In the same file, find the ssl_protocols
parameter line, uncomment it and add !SSLv3
to the end, like this:
ssl_protocols = !SSLv2 !SSLv3
Edit 02/09/2017: if you're using Debian Stretch or later, or one of its derivatives, then you will need to edit that line to match the following. The SSLv2 option is no longer recognised as an option for ssl_protocols because it has been removed entirely:
ssl_protocols = !SSLv3
For some bizarre reason, the Dovecot package for Raspberry Pi (and possibly newer versions of Ubuntu) does not create a self-signed certificate during installation like it used to. So, we have to create one manually. If you look in /usr/share/dovecot/
you will find the script that used to be used to generate the certificate; we can use it ourselves to simplify the process. The script is located at /usr/share/dovecot/mkcert.sh
and looks like this:
#!/bin/sh # Generates a self-signed certificate. # Edit dovecot-openssl.cnf before running this. OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} CERTDIR=/etc/dovecot KEYDIR=/etc/dovecot/private CERTFILE=$CERTDIR/dovecot.pem KEYFILE=$KEYDIR/dovecot.pem if [ ! -d $CERTDIR ]; then echo "$SSLDIR/certs directory doesn't exist" exit 1 fi if [ ! -d $KEYDIR ]; then echo "$SSLDIR/private directory doesn't exist" exit 1 fi if [ -f $CERTFILE ]; then echo "$CERTFILE already exists, won't overwrite" exit 1 fi if [ -f $KEYFILE ]; then echo "$KEYFILE already exists, won't overwrite" exit 1 fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 chmod 0600 $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
If you were going to use this certificate for any significant length of time, it would be worth editing the parameters in the config file it uses (/usr/share/dovecot/dovecot-openssl.cnf
) to set the proper common name and contact details on the certificate. However, I suggest you leave the defaults as they are, use this certificate just for testing, and then come back later and generate a new cert when everything is working (more on that later). You must be in the same folder as the configuration file when you run the script, or it will not find the config and the certificate generation will fail. The following two commands will change to the right folder and then execute the script:
cd /usr/share/dovecot sudo ./mkcert.sh
You should see a message "writing new private key to '/etc/dovecot/private/dovecot.pem'" and then some details about the certificate. Next, find the following two lines in /etc/dovecot/conf.d/10-ssl.conf
and uncomment them:
#ssl_cert = </etc/dovecot/dovecot.pem #ssl_key = </etc/dovecot/private/dovecot.pem
Now reload dovecot to apply the changes:
sudo service dovecot reload
Since IMAPS is a connection over SSL/TLS, we can’t use Telnet to test it. Instead, we use openssl to create a secure connection. There are two versions of the command, one will show you LOADS of information about the certificate used to encrypt the connection, and the other will suppress this info. I recommend trying the long version out of interest, but both will work the same for the test: For full information:
openssl s_client -connect localhost:993
For minimal information:
openssl s_client -connect localhost:993 -quiet
I won’t print the output of the first command, because it’s ridiculously long. Here’s an example of the second, including a login test:
admin@samhobbs /etc/dovecot/conf.d $ openssl s_client -connect localhost:993 -quiet depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk verify error:num=18:self signed certificate verify return:1 depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk verify return:1 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. a login "testmail" "test1234" a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in b logout * BYE Logging out b OK Logout completed. Connection closed by foreign host.
Good stuff: SSL/TLS is working on port 993, and you can log in successfully. Note that by default Dovecot uses a “snakeoil” self-signed certificate. SSL/TLS certificates are used for two purposes: encryption and verification. The “snakeoil” certificate will encrypt your content but it won’t verify that you’re talking to your server – you could be talking to someone imitating your server (anyone can create a self-signed certificate claiming to be any website). If you’d like to get your certificate signed without forking out loads of money to a cert signing authority, I’d recommend CAcert. I've written a tutorial explaining how to generate your own cert and get it signed here. If you opt for a commercial certificate, you can use the CAcert tutorial to generate the certificate and then this tutorial will explain the differences in the installation/configuration of commercial certificates once you have it signed. If you're testing a proper certificate, use this command to tell openssl where the trusted root certificates are stored:
openssl s_client -connect localhost:993 -quiet -CApath /etc/ssl/certs
Tidying up and enabling WAN access
Before opening the ports on your router to the world, it’s a good idea to delete that test user because the password is so easy to guess.
sudo userdel testmail
Also, if you still use the "pi" login, for goodness' sake change the password from "raspberry"! You can do this using the passwd command when logged in as pi:
passwd
Or you can achieve the same thing when logged in as another user by using sudo to gain root privileges:
sudo passwd pi
Now you can open a few ports on your router’s firewall. Make sure your Pi has a static LAN IP address and then forward these ports from WAN to its LAN IP address:
- Port 25 for SMTP (used for receiving emails)
- Port 465 for secure SMTP (used for sending emails after SASL authentication)
- Port 993 for IMAPS (used to receive emails on your phone/tablet/computer)
Here’s an example on my router, running OpenWrt:
Setting up IMAP Email Clients
I’m now going to run through setting up IMAP email clients quickly, using K9 Mail on Android and Thunderbird on GNU/Linux as examples. The setup for Thunderbird on Windows and Mac OSX should be very similar. The basics are this:
- Select an IMAP connection
- Your login is your username only (omit @yourdomain.com), and you password is…your password!
- For incoming emails: select use SSL/TLS always and the program should automatically select port 993
- For outgoing emails: select SSL/TLS always. The program may suggest port 587, but you want port 465
K9 Mail
Open K9 Mail and select add new account. Type in your account information (you@yourdomain.com and password) and then select manual setup. Select IMAP and then enter your information as follows… Incoming email: Outgoing email:
Thunderbird
Open Thunderbird, and then click Account Actions –> Add Mail Account. Fill in your password and email address, which is your username followed by your fully qualified domain name (FQDN), i.e. username@yourdomain.com: Thunderbird will try to auto-detect settings and fail. Don’t worry, this is normal. Select “manual config”: Now edit the settings as appropriate. I had to remove a period (.) from in front of my “server hostname”, and edit the SSL and Authentication settings. If you select “SSL/TLS” for both incoming and outgoing, ports 993 and 465 are automatically selected: Now try emailing yourself from your external email address, and see if your email gets through. If you are having problems, be sure to check you’ve set up an MX record as well as a DNS A record.
Stuck in spam filters?
A few people have contacted me recently to say that their email server is working fine but their emails are getting sent to Gmail's spam folder. If you are experiencing problems like this (or even if you're not), try setting up an SPF and/or PTR record as explained in my DNS basics tutorial. You might also want to check if your domain name or IP address are on any blacklists. There's a handy website called MX toolbox that lets you do this (choose blacklist check from the dropdown menu).
Almost done…
Good news! If you’ve reached this far and everything is working, then you’re almost done. The next step (Webmail with Squirrelmail) is optional but by far the easiest of the three steps. If you’ve hit a rut, please post a comment and I’ll try and help you out. If not… continue to Raspberry Pi Email Server Part 3: Squirrelmail
Comments
Accesss denied when sending mail
I've gone through the tutorial and everything was entered OK (and working at the end of part 1), however when I try to send mail using SSL I always get his with 554 5.7.1 Recipient address rejected: Access denied.
Any thoughts?
Which client?
/var/log/mail.log
and post anything that looks interesting from there. SamSorry I should have mentioned
Sorry I should have mentioned. Thunderbird wouldn't accept a config on 465/993 so I connected directly via the command line on the pi:
pi@raspberrypi ~ $ openssl s_client -connect localhost:465 -quiet
depth=0 CN = raspberrypi
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = raspberrypi
verify return:1
220 habilitation.solutions ESMTP Postfix (Debian/GNU)
ehlo habilitation.solutions
250-habilitation.solutions
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: testmail
250 2.1.0 Ok
rcpt to: testmail@habilitation.solutions
554 5.7.1 <testmail@habilitation.solutions>: Recipient address rejected: Access denied
^C
Looking in the logs you suggested the only message that seems to stand out is
Jul 10 07:58:34 raspberrypi postfix/smtps/smtpd[2413]: connect from localhost[127.0.0.1]
Jul 10 07:59:26 raspberrypi postfix/smtps/smtpd[2413]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <testmail@habilitation.solutions>: Recipient address rejected: Access denied; from=<testmail> to=<testmail@habilitation.solutions> proto=ESMTP helo=<habilitation.solutions>
Jul 10 07:59:45 raspberrypi postfix/smtps/smtpd[2413]: lost connection after RCPT from localhost[127.0.0.1]
Jul 10 07:59:45 raspberrypi postfix/smtps/smtpd[2413]: disconnect from localhost[127.0.0.1]
Looks like the Pi doesn't think it is a valid email address
Yes but I also have a .co.uk
Yes but I also have a .co.uk TLD which I've added to the mydestination field of postfix/main.cf. Attempting to send mail to .co.uk users also gives the same response:
554 5.7.1 <testmail@habilitation.co.uk>: Recipient address rejected: Access denied
Also, in my hast I highlighted the wrong log output that was of interest, it should have been:
Jul 10 07:59:26 raspberrypi postfix/smtps/smtpd[2413]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <testmail@habilitation.solutions>: Recipient address rejected: Access denied; from=<testmail> to=<testmail@habilitation.solutions> proto=ESMTP helo=<habilitation.solutions>
Which has now become:
Jul 10 08:56:44 raspberrypi postfix/smtps/smtpd[2802]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <testmail@habilitation.co.uk>: Recipient address rejected: Access denied; from=<testmail> to=<testmail@habilitation.co.uk> proto=ESMTP helo=<habilitation.co.uk>
Does this change anything?
You need to authenticate (I should have noticed this before)
AUTH PLAIN
command). Note the last line here: This overrides the defaultsmtpd_recipient_restrictions
on port 465 and means you can only send mail if you have authenticated, regardless of whether the destination is local or remote. SamFacepalm
That'll be that then! Thanks for pointing out my obvious mistake. For what it's worth it didn't work straight away then either but a quick check in the logs showed me why:
Jul 10 16:26:42 raspberrypi postfix/smtpd[4355]: warning: non-null host address bits in "x.x.x.49/29", perhaps you should use "x.x.x.48/29" instead
I connect remotely so added my subnet into the mynetworks field for testing. Some systems want the network address in the CIDR notation, others don't and go for the 1st IP instead. Seems that this is one that does. Easily fixed and all looking much better, thanks a lot for your help!
OpenSSL connection port 465 failure
So, I've gotten to the port with SMTPS,
openssl s_client -connect localhost:465 -quiet
. But I get the following error:root@rry:~# openssl s_client -connect localhost:465 -quiet
3069916368:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
Upon removing the -quiet flag, I've discovered that it's looking for a cert, that doesn't appear to exist. Have I missed something out?
root@rry:~# openssl s_client -connect localhost:465
CONNECTED(00000003)
3069629648:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
root@rry:~#
Haven't seen that error before!
Same problem
Hi, I'm not Harry but I'm having the same issue at the same point in the installation. I've not had any issues up to this point. Hope you might be able to help. Thanks for the guide, it's excellent!
Do you get any messages about
Hi Sam, Really sorry but I
Hi Sam, Really sorry but I thought that I was supposed to enter the openssl command from within the telnet session. I've tried it from the bare terminal and it's working fine now. Thanks for the help and apologies for my confusion!
No problem,
PLAIN AUTH credentials
Thanks for a clear and thorough blog, I'm working through it just now.
I did get stuck when I tried to telnet onto the mail server with authentication using AUTH PLAIN. I used the three methods to generate Base64 credentials strings but the server rejected them saying that the format was invalid or that there was a dodgy character (space) in one of the usernames (there wasn't). I got it to work by using a perl script, auth-gen, to generate the Base64 strings. That script can be obtained here: http://www.jetmore.org/john/code/gen-auth
Just in case others have the same problem.
Postfix handover incoming mail to Dovecot
Hi again Sam
I'm not seeing Postfix handing over incoming mail to Dovecot for delivery to mailboxes, it seems to be trying to do it itself but is leaving the mail sitting in /var/spool/mail. In mail.log it says that the mail was delivered to the mailbox, but it claims that "local" relayed it instead of dovecot.
So I tried doing this (see https://workaround.org/ispmail/squeeze/postfix-dovecot):
added this to /etc/postfix/master.cf:
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
and added these lines to /etc/postfix/main.cf:
postconf -e virtual_transport=dovecot
postconf -e dovecot_destination_recipient_limit=1
The config is all otherwise as you describe.
Is it your intention not to use dovecot as the LDA? I guess I should be turning that arrangement off, but can't see how.
Strange... Postfix should know where your mailbox is
/var/spool/mail
. At the start of part 1 we tell Postfix that the mailbox is at/home/user/Maildir
with this line in/etc/postfix/main.cf
: Can you check you have that line? Also, which stage of the tutorial did you get to before you had this problem? Dovecot is only used for delivery after setting up Spamassassin and Sieve - there's some discussion of the choice of Local Delivery Agent (LDA) vs Local Mail Transport Protocol (LMTP), both provided by Dovecot, in the intro to part 5. Seems like you had a Postfix config problem and solved it by using Dovecot for delivery (i.e. Postfix is probably still misconfigured, it just shouldn't matter any more). SamDoh!
Apologies. I hadn't looked for the Mailbox line in postfix config because I had it in my head that Dovecot was doing this since we pointed it at the mailboxes in part 2.
That's ok!
Problems on testing with telnet.
I'm stuck at "Testing SASL" where running with Telnet up until "rcpt to:me@externalemail.com" is giving me a "451 4.3.5 Server configuration error" result. I've googled for this error and so went on to read the mail.log file where an error log is written to, There are many lines stating "raspberrypi postfix/sendmail[29063]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol". I'm not sure if this is the right line of the log that I should be looking at, though. If there is any comment on this issue, I'd be much appreciated!
Start of this tutorial
AUTH PLAIN
stage! SamSure thing. Just so you know,
Sure thing. Just so you know, I've read the the tutorial from the start. I don't know how I could be missing something. I've made telnet tests before the Dovecot part of the Tutorial without much annoyance (just the fact that Gmail rejected to receive my e-mail, rather returning a response that it was to filter spam; this:).
I've used placeholders for domain name and password and such, as it is a private thing. Here's the SSH dump:
root@raspberrypi:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mydomain.com ESMTP Postfix (Debian/GNU)
ehlo google.com
250-mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN hashassinated_password
235 2.7.0 Authentication successful
mail from:testmail
250 2.1.0 Ok
rcpt to:myaddress@gmail.com
451 4.3.5 Server configuration error
quit
221 2.0.0 Bye
Connection closed by foreign host.
Thanks... try restarting postfix and dovecot
I went to pay attention to
I went to pay attention to the timestamps and also noticed to be there 4 different log files (the postfix documentation is somewhat misleading...): "mail.log", "mail.info", "mail.err", "mail.warn".
Anyway, I see now that the error message I told about initially is outdated. So, restarting services gives no warning message, but the logs do notice the restart among other things. I hope I'm not spamming this comment section. I just think it's worth sharing these excerpts from the logs for future reference.
From /var/log/mail.log
From /var/log/mail.info
From /var/log/mail.err there is nothing at the same timestamps.
From /var/log/mail.warn
So, it seems the problem was in the main.cf file with a typo in the line:
I had made a typo before with the «auth_mechanisms = plain login» line in 10-auth.conf, but restarting the service had warned me that time.
Asking for help about this is a bit embarrassing, so thanks for supporting!
Well done for figuring it out!
Indeed that's true!
Indeed that's true!
Hey there
Hey,
first I want to thanks Sam Hobbs for his very helpful tuto.
Secondly I'm here to say that I succesfully have a new adress that can recieve mails... But I can't send any !
That's what I'm getting (example.org is my server):
01:38:53] SMTP< 220 example.org ESMTP Postfix (Debian/GNU)
[01:38:53] ESMTP> EHLO localhost
[01:38:53] ESMTP< 250-example.org
[01:38:53] ESMTP< 250-PIPELINING
[01:38:53] ESMTP< 250-SIZE 10240000
[01:38:53] ESMTP< 250-VRFY
[01:38:53] ESMTP< 250-ETRN
[01:38:53] ESMTP< 250-AUTH PLAIN LOGIN
[01:38:53] ESMTP< 250-ENHANCEDSTATUSCODES
[01:38:53] ESMTP< 250-8BITMIME
[01:38:53] ESMTP< 250 DSN
[01:38:53] ESMTP> MAIL FROM: SIZE=360
[01:38:53] SMTP< 250 2.1.0 Ok
[01:38:53] SMTP> RCPT TO:
[01:38:53] SMTP< 504 5.5.2 : Helo command rejected: need fully-qualified hostname
Any idea ?
Localhost isn't fully qualified
Hey there
Oops. Forget about my last entry. It was just me missing a step in my mail client (just not checked the loging before sending trough SMTP).
Now I've got another issue. I can send and recieve. BUT. What I send is stuck in the mailserver.
I can see logs :
Aug 17 09:09:00 localhost postfix/smtp[2019]: connect to gmail-smtp-in.l.google.com[64.233.167.26]:25: Connection timed out
Aug 17 09:09:30 localhost postfix/smtp[2019]: connect to alt1.gmail-smtp-in.l.google.com[64.233.164.26]:25: Connection timed out
Aug 17 09:10:00 localhost postfix/smtp[2019]: connect to alt2.gmail-smtp-in.l.google.com[74.125.130.26]:25: Connection timed out
Aug 17 09:10:30 localhost postfix/smtp[2019]: connect to alt3.gmail-smtp-in.l.google.com[74.125.203.26]:25: Connection timed out
Aug 17 09:11:00 localhost postfix/smtp[2019]: connect to alt4.gmail-smtp-in.l.google.com[173.194.72.26]:25: Connection timed out
Thats because I'm trying to send a mail to a gmail account. It does the same at laposte.net or hotmail.fr
Any clue, then ? :p
Could your ISP be blocking outgoing email on port 25?
Well, I really though so. So
Well, I really though so. So I did the following :
>>>
[otyugh@armServ ~]$ traceroute alt1.gmail-smtp-in.l.google.com -p 25
traceroute to alt1.gmail-smtp-in.l.google.com (64.233.164.26), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.952 ms 2.868 ms 3.154 ms
2 net1lo3.bsren251.Rennes.francetelecom.net (193.253.171.101) 154.826 ms 155.513 ms 155.834 ms
3 10.123.192.10 (10.123.192.10) 162.234 ms 162.909 ms 163.594 ms
4 ae20-0.ncren101.Rennes.francetelecom.net (193.253.150.190) 164.070 ms 164.403 ms 164.918 ms
5 ae44-0.nista301.Paris.francetelecom.net (193.252.159.158) 180.438 ms 181.162 ms 181.525 ms
6 81.253.184.94 (81.253.184.94) 188.629 ms 195.072 ms 164.964 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 64.233.164.26 (64.233.164.26) 240.759 ms * *
>>>
Doesn't this means that my ISP authorize the port being used ?
Thanks again Sam Hobbs for reactivity, and help. That's quite amazing. IRC on freenode wasn't helpful at all, for this one time. I guess it's a too specific domain.
Add new comment