12-03-2010, 09:44 AM
|
#1
|
Member
Registered: Oct 2005
Posts: 542
Rep:
|
Postfix to receive mail from Internet
Hi, I've set up both Postfix and Dovecot on my server. I can currently send mail via Outlook to Postfix over Port 587 (rather than Port 25), and receive mail from Dovecot on Outlook.
However, the only mails I am able to receive are those originated from within the server itself. If I attempt to send an e-mail to the address my Outlook listens to, the mail will never reach my Outlook. In other words, no one on the Internet is able to send mail to me.
Can someone tell me:
1) Is setting Postfix to listen over Port 587 for my Outlook to send mail outwards preventing Postfix from listening for mail coming from the Internet? Would I have to turn on both Ports 25 and 587 in /etc/postfix/master.cf?
2) I have configured my Postfix to use saslauthd by authenticating those who are in /etc/passwd. This means I can enter my Linux account details into Outlook in order to connect and download messages. However, does this mean other MTA servers on the Internet that don't know my account details are unable to authenticate with my Postfix server and send mail to it?
|
|
|
12-03-2010, 12:14 PM
|
#2
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
Port 25 is used for SMTP, which servers use to relay mail from one to another. Port 587 is used for submission of email to a server. In order to properly function, I believe that you will need to use port 25 for some aspects of your system. In this case, I think the lack of port 25 is preventing your server from sending mail out and also preventing other servers from sending mail in. You are able to work locally, because your Postfix recognizes mail that is sent from within your domain as a local recipient and performs local delivery, via Dovecot. Your Outlook then connects to Dovecot to receive your mail. Your Outlook is able to communicate with your server via port 587 to submit messages into the outbound queue. This is where the saslauth comes into play, permitting authenticated users to use your server as a relay host (accept messages that are not for a local recipient and pass them on to the next hop) while banning unauthorized users from doing so.
|
|
|
12-04-2010, 08:03 PM
|
#3
|
Member
Registered: Oct 2005
Posts: 542
Original Poster
Rep:
|
I've tried sending test e-mails from various accounts to the accounts hosted by the mail server. In every case, I haven't received any failed delivery messages. Is there an equivalent to traceroute for mails?
|
|
|
12-05-2010, 07:17 AM
|
#4
|
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339
|
What is the setting of inet_interfaces and mynetworks, and the various *_restrictions in main.cf? There are several files in /var/log/mail* which could give you more information.
|
|
|
12-06-2010, 04:26 AM
|
#5
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
The messages may be sitting in a queue. If they are able to resolve a server MX record, but unable to establish a connection they may be in a deferred state, awaiting transfer. Unless the transmitting server gets a hard 500 level error or the message times out, you may not.
The closest thing I am aware of to a traceroute for email would be the header information, which you don't have, or to telnet into your system and send them mail that way. There are lots of examples of how to telnet test your SMTP server, of varying quality, so take your pick.
Reuti brings up a good point. Look very carefully at your mail.log, mail.info, and mail.error files. Syslog may also be of help here. Postfix and Dovecot both support a debug mode which you may want to turn on. I can't recall the exact commands offhand, but in Dovecot there are like two or three places where you set a verbosity or debug flag to yes. Postfix logging is pretty good, out of the box, but I am pretty sure you can increase its logging (debug) level too.
Also, run a netstat and verify that the processes are running and are listening on the ports. Make sure that you have properly forwarded the necessary ports on your router too.
|
|
|
12-06-2010, 07:26 AM
|
#6
|
Member
Registered: Oct 2005
Posts: 542
Original Poster
Rep:
|
Hi, thanks for the replies. Here's what I have in /etc/postfix/main.cf.
Code:
inet_interfaces = 123.456.789.010, 127.0.0.1
mynetworks = 127.0.0.1
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Here are the steps of what I've done:
1) Enable port 25 in addition to 587 for SMTP.
Code:
view /etc/postfix/master.cf
#smtp inet n - n - - smtpd
587 inet n - n - - smtpd
25 inet n - n - - smtpd
2) Restart Postfix to load the above values.
Code:
service postfix restart
3) Check for ports opened. Not sure what's the diff b/t "mail.server.com:submission", "localhost:smtp", and "mail.server.com:smtp". Not sure which one is Port 25 and which is Port 587.
Code:
netstat -ultp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:pop3s *:* LISTEN 10701/dovecot
tcp 0 0 localhost:submission *:* LISTEN 13877/master
tcp 0 0 mail.server.com:submission *:* LISTEN 13877/master
tcp 0 0 *:908 *:* LISTEN 2846/rpc.statd
tcp 0 0 *:pop3 *:* LISTEN 10701/dovecot
tcp 0 0 *:sunrpc *:* LISTEN 2811/portmap
tcp 0 0 *:ftp *:* LISTEN 10518/vsftpd
tcp 0 0 localhost:ipp *:* LISTEN 3540/cupsd
tcp 0 0 localhost:smtp *:* LISTEN 13877/master
tcp 0 0 mail.server.com:smtp *:* LISTEN 13877/master
tcp 0 0 *:http *:* LISTEN 12077/httpd
tcp 0 0 *:ssh *:* LISTEN 3531/sshd
tcp 0 0 ::1:ipp *:* LISTEN 3540/cupsd
udp 0 0 *:ideafarm-chat *:* 2846/rpc.statd
udp 0 0 *:905 *:* 2846/rpc.statd
udp 0 0 *:58567 *:* 3680/avahi-daemon:
udp 0 0 *:mdns *:* 3680/avahi-daemon:
udp 0 0 *:sunrpc *:* 2811/portmap
udp 0 0 *:ipp *:* 3540/cupsd
udp 0 0 mail.server.com:ntp *:* 3556/ntpd
udp 0 0 localhost:ntp *:* 3556/ntpd
udp 0 0 *:ntp *:* 3556/ntpd
udp 0 0 *:44464 *:* 3680/avahi-daemon:
udp 0 0 *:mdns *:* 3680/avahi-daemon:
udp 0 0 fe80::20c:29ff:fe4a:ntp *:* 3556/ntpd
udp 0 0 ::1:ntp *:* 3556/ntpd
udp 0 0 *:ntp *:* 3556/ntpd
4) Check to see if SELinux picks up anything. But the audit.log didn't return anything.
Code:
setenforce 0
# Do a telnet to the server over port 25 here
tail -f /var/log/audit/audit.log
Last edited by grob115; 12-07-2010 at 05:40 AM.
|
|
|
12-07-2010, 01:34 AM
|
#7
|
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339
|
Any entry like
Code:
relay_domains = $mydestination
and
Code:
mydestination = $myhostname, localhost.$mydomain, localhost
For any rejected email there should be an error message in one of the logfiles though. Or is there a firewall running preventing outside access?
|
|
|
12-07-2010, 04:33 AM
|
#8
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
With regards to, "mail.server.com:submission", "localhost:smtp", and "mail.server.com:smtp", the difference is that mail.server.com:smtp is your inbound mail port. It looks like the other two are used for a content filter, such as amavis.
Assuming you didn't obfuscate your address in the inet_interfaces in your last post, your port 25 is blocked. I attempted to telnet into it to see if I would receive an SMTP banner, but got just a connection refused, indicating that either no service is listening on this port or it has a firewall in front of it. It is also possible that your ISP is blocking it. This could be why you are not receiving any inbound mail.
|
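The telnet test discussed in this thread, as an added example that is not part of any post: a small Python probe that tells a refused connection apart from a timeout and from a live SMTP banner, and reports whether the port advertises AUTH and STARTTLS. `probe_smtp`, `HINTS` and the `smtp_cls` parameter are names chosen here, and the hints are interpretations rather than proof.

```python
import smtplib
import socket
import sys

# What each outcome usually means for inbound mail (interpretation, not proof).
HINTS = {
    "open": "a server answered; check that the banner is your Postfix",
    "refused": "nothing listening on that address, or a firewall rejecting it",
    "timeout": "packets silently dropped: host firewall, router or ISP filter",
    "error": "other failure, e.g. host unreachable or a broken SMTP dialogue",
}

def probe_smtp(host, port, timeout=5.0, smtp_cls=smtplib.SMTP):
    """Report what a remote client sees on one SMTP port of your own server."""
    result = {"port": port, "state": "error", "banner": "",
              "auth": False, "starttls": False}
    client = smtp_cls(timeout=timeout)          # no connection is made yet
    try:
        code, banner = client.connect(host, port)
    except ConnectionRefusedError:
        result["state"] = "refused"
        return result
    except (socket.timeout, TimeoutError):
        result["state"] = "timeout"
        return result
    except (OSError, smtplib.SMTPException) as exc:
        result["banner"] = str(exc)
        return result
    result["state"] = "open"
    result["banner"] = "%d %s" % (code, banner.decode("ascii", "replace"))
    try:
        client.ehlo("probe.example")            # constructed EHLO name
        result["auth"] = client.has_extn("auth")
        result["starttls"] = client.has_extn("starttls")
        client.quit()
    except smtplib.SMTPException:
        client.close()
    return result

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (25, 587):                         # MX port, then submission
        r = probe_smtp(target, p)
        print(p, r["state"], r["banner"], "AUTH" if r["auth"] else "no AUTH",
              "-", HINTS[r["state"]])
```

Run it against your own server from a host outside your network, since a probe from the server itself never crosses the firewall.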
|
|
12-07-2010, 05:45 AM
|
#9
|
Member
Registered: Oct 2005
Posts: 542
Original Poster
Rep:
|
Reuti, the settings for the two variables in my cf file are below. Basically I only want to accept mails destined for my domain, and send mails originated to my domain. I do not want to do any relay.
Code:
#relay_domains = $mydestination
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
Norway2, there's a firewall in front of it indeed but that's managed by me. I've opened the port and confirmed with the manufacturer the logs indicate a request has been made but was timed out. That's why I was attempting to check with the SELinux audit log, which I did earlier on in order to open the other ports. However, I'm not sure why at this moment I'm not getting anything logged in the audit.log file. I'll follow up on this as well.
|
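Why the `smtpd_recipient_restrictions` list quoted in this thread lets Internet servers deliver without authenticating while still refusing to relay, as an added example: a simplified Python model, not Postfix code and not from any post. The domain names and client addresses are constructed, `check_recipient` is a name chosen here, and the real `reject_unauth_destination` consults more parameters than the two modelled.

```python
import ipaddress

# Modelled on the main.cf lines quoted in this thread. The domain names are
# constructed stand-ins for $mydomain and $myhostname.
MYNETWORKS = [ipaddress.ip_network("127.0.0.1/32")]
MYDESTINATION = {"server.com", "mail.server.com",
                 "localhost.server.com", "localhost"}
RELAY_DOMAINS = set()   # assumption: nothing is relayed for other domains

def check_recipient(client_ip, sasl_user, rcpt):
    """Return (action, rule) for one RCPT TO; the first decisive rule wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if any(ip in net for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    if sasl_user:                       # client logged in via SASL
        return ("permit", "permit_sasl_authenticated")
    if domain not in MYDESTINATION | RELAY_DOMAINS:
        return ("reject", "reject_unauth_destination")   # relay access denied
    return ("permit", "end of list")    # mail for a local domain is accepted

# Constructed sessions: (client address, SASL login or None, recipient).
SAMPLE_SESSIONS = [
    ("203.0.113.7", None, "user@server.com"),     # Internet MTA, local rcpt
    ("203.0.113.7", None, "victim@example.org"),  # Internet MTA, relay try
    ("198.51.100.20", "grob", "friend@example.org"),  # Outlook user, logged in
    ("127.0.0.1", None, "friend@example.org"),    # process on the server
]

def run_samples():
    return [check_recipient(*s) for s in SAMPLE_SESSIONS]

if __name__ == "__main__":
    for session, verdict in zip(SAMPLE_SESSIONS, run_samples()):
        print(session, "->", verdict)
```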
|
|
12-07-2010, 09:05 AM
|
#10
|
Member
Registered: Oct 2005
Posts: 542
Original Poster
Rep:
|
Hello,
Okay found the issue. It's not the hardware firewall, it's not SELinux, it's not Postfix, it's the damn Linux iptables. It's now working! Thanks guys.
|
|
|
All times are GMT -5.