Linode Forum
Linode Community Forums
PostPosted: Sat Oct 18, 2014 8:27 pm 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
I followed Linode's guide:
https://www.linode.com/docs/email/postf ... -and-mysql

Server Information
Account Type: (POP3)
Incoming mail server: (mail.example.com)
Outgoing mail server (SMTP): (mail.example.com)

Logon Information
User Name: (someone@example.com)
Password:

Require logon using Secure Password Authentication (SPA) ?

Outgoing Server
My outgoing server (SMTP) requires authentication (Yes)

Server Port Numbers
Incoming server (POP3): (995)
This server requires an encrypted connection (SSL) Yes
Outgoing server (SMTP): (25)
Use the following type of encrypted connection: (TLS)

What am I missing?


PostPosted: Sat Oct 18, 2014 9:52 pm 
Senior Member

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
Quote:
What am I missing?
It's hard to tell. What problem are you having?


PostPosted: Sun Oct 19, 2014 12:47 am 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
I followed these Linode guides:

Running a Mail Server
https://www.linode.com/docs/email/runni ... il-server/

Email with Postfix, Dovecot, and MySQL
https://www.linode.com/docs/email/postf ... -and-mysql

How to Make a Self-Signed SSL Certificate
https://www.linode.com/docs/security/ss ... rtificate/

and even did the double checks with no errors - Troubleshooting Problems with Postfix, Dovecot, and MySQL
https://www.linode.com/docs/email/postf ... and-mysql/

and I cannot connect to the 'mail.example.com' in my mail client.


PostPosted: Sun Oct 19, 2014 1:13 am 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
I can connect to mail.example.com just fine, maybe you made a typo.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Sun Oct 19, 2014 1:23 am 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
sudo netstat -plantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:42575 0.0.0.0:* LISTEN 2785/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2754/rpcbind
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 23222/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6475/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 23222/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 23686/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 23686/dovecot
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3749/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 23222/master
tcp 0 288 106.185.45.57:22 75.196.59.40:57669 ESTABLISHED 23631/sshd: username
tcp6 0 0 :::111 :::* LISTEN 2754/rpcbind
tcp6 0 0 :::465 :::* LISTEN 23222/master
tcp6 0 0 :::22 :::* LISTEN 6475/sshd
tcp6 0 0 :::25 :::* LISTEN 23222/master
tcp6 0 0 :::443 :::* LISTEN 19833/apache2
tcp6 0 0 :::993 :::* LISTEN 23686/dovecot
tcp6 0 0 :::995 :::* LISTEN 23686/dovecot
tcp6 0 0 :::46569 :::* LISTEN 2785/rpc.statd
tcp6 0 0 :::587 :::* LISTEN 23222/master
udp 0 0 0.0.0.0:58421 0.0.0.0:* 2785/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2951/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 2754/rpcbind
udp 0 0 106.185.45.57:123 0.0.0.0:* 4735/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 4735/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4735/ntpd
udp 0 0 0.0.0.0:809 0.0.0.0:* 2754/rpcbind
udp 0 0 127.0.0.1:841 0.0.0.0:* 2785/rpc.statd
udp 0 0 0.0.0.0:54165 0.0.0.0:* 2951/dhclient
udp6 0 0 :::5596 :::* 2951/dhclient
udp6 0 0 :::111 :::* 2754/rpcbind
udp6 0 0 2400:8900::f03c:91f:123 :::* 4735/ntpd
udp6 0 0 fe80::f03c:91ff:fe5:123 :::* 4735/ntpd
udp6 0 0 ::1:123 :::* 4735/ntpd
udp6 0 0 :::123 :::* 4735/ntpd
udp6 0 0 :::809 :::* 2754/rpcbind
udp6 0 0 :::45948 :::* 2785/rpc.statd

vonskippy wrote:
I can connect to mail.example.com just fine, maybe you made a typo.
hahaa
mail.harris.hk


PostPosted: Sun Oct 19, 2014 6:13 am 
Senior Member

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
Are you running a firewall such as iptables? I ask because your mail ports are not available. When I check mail.harris.hk for open mail ports (25,587,993,995) I get no response.


PostPosted: Sun Oct 19, 2014 1:32 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Your mail.harris.hk 'A' records resolve, but there doesn't seem to be a 'MX' record for your domain.



PostPosted: Mon Oct 20, 2014 12:42 am 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
Main Street James wrote:
Are you running a firewall such as iptables? I ask because your mail ports are not available. When I check mail.harris.hk for open mail ports (25,587,993,995) I get no response.
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 106.185.45.57 0.0.0.0/0 tcp dpt:22
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* Allow loopback connections */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* Allow Ping to work as expected */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0


PostPosted: Mon Oct 20, 2014 12:45 am 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
vonskippy wrote:
Your mail.harris.hk 'A' records resolve, but there doesn't seem to be a 'MX' record for your domain.
How can I check the MX record? Where would I look locally in the server to verify?


PostPosted: Mon Oct 20, 2014 1:07 am 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.

You also have multiple rules for TCP22

MX records are set up in your DNS manager (so in the Linode DNS manager). You want to point your MX record to mail, then have an A record for mail.harris.hk (which you already have).

In the future, remember it's always a good test to TEMPORARILY disable your firewall rules and test your problem: if it works, then it's a firewall rule; if it still doesn't work, then it's not a firewall rule. Just remember to re-enable your firewall after you complete your tests.



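A small rule-order check for the ordering problem described above, as an added example (not from the thread): it parses `iptables-save` output rather than `iptables -L -n`, because the latter hides interface matches such as `-i lo` and makes a loopback ACCEPT look like a catch-all. On a constructed ruleset shaped like the posted INPUT chain it reports the multiport ACCEPT as unreachable behind the unconditional DROP and port 22 as opened by two rules.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Constructed sample mirroring the posted INPUT chain; the leading "ACCEPT all"
# is assumed to be a loopback rule (`iptables -L -n` does not show interfaces).
SAMPLE = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -s 106.185.45.57 -p tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: "
-A INPUT -j DROP
-A INPUT -p tcp -m multiport --dports 22,25,465,587,993,995 -j ACCEPT
"""

def parse_rule(line):
    # Split "-A CHAIN <matches> -j TARGET [target options]" into its parts.
    toks = shlex.split(line)
    j = toks.index("-j")
    return toks[1], toks[2:j], toks[j + 1]

def tcp_dports(matches):
    """Destination ports a '-p tcp' rule covers (empty set if not TCP-specific)."""
    if "-p" not in matches or matches[matches.index("-p") + 1] != "tcp":
        return set()
    ports = set()
    for i, tok in enumerate(matches):
        if tok in ("--dport", "--dports"):
            for spec in matches[i + 1].split(","):       # "22" or "8999:9003"
                lo, _, hi = spec.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(save_text):
    """Return findings as strings; rule numbers are 1-based within each chain."""
    findings, closed, seen, count = [], {}, {}, {}
    for line in [l for l in save_text.splitlines() if l.startswith("-A ")]:
        chain, matches, target = parse_rule(line)
        n = count[chain] = count.get(chain, 0) + 1
        if chain in closed:          # an earlier catch-all already ended the chain
            findings.append(f"{chain} rule {n} unreachable: rule {closed[chain]} matches every packet")
            continue
        if not matches and target in TERMINAL:
            closed[chain] = n
        if target == "ACCEPT":       # the same port opened by more than one rule
            for port in tcp_dports(matches):
                first = seen.setdefault((chain, port), n)
                if first != n:
                    findings.append(f"{chain} port {port} accepted by rules {first} and {n}")
    return findings
```

To audit a live host, pass the text of `iptables-save` to audit() instead of SAMPLE.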
PostPosted: Mon Oct 20, 2014 1:41 am 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
vonskippy wrote:
Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.

You also have multiple rules for TCP22

How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?
vonskippy wrote:
MX records are set up in your DNS manager (so in the Linode DNS manager). You want to point your MX record to mail, then have an A record for mail.harris.hk (which you already have).

Okay, I edited the subdomain to 'mail' on the MX records for 'mail.harris.hk'
vonskippy wrote:
In the future, remember it's always a good test to TEMPORARILY disable your firewall rules and test your problem: if it works, then it's a firewall rule; if it still doesn't work, then it's not a firewall rule. Just remember to re-enable your firewall after you complete your tests.
I was following all the Linode tutorial guides and following them. *oops* To re-enable, I think that means restarting the service then testing, then re-edit?


PostPosted: Mon Oct 20, 2014 11:58 am 
Senior Member

Joined: Thu Feb 20, 2014 5:06 pm
Posts: 58
Fufu wrote:
vonskippy wrote:
Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.

You also have multiple rules for TCP22

How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?


Use Lish: https://www.linode.com/docs/networking/ ... shell-lish

You can completely disable network access and still access a Linode server with Lish.


PostPosted: Mon Oct 20, 2014 7:56 pm 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
Thanks
masonm wrote:
Fufu wrote:
vonskippy wrote:
Your IPTABLE rules are messed up - you have a REJECT ALL several lines ABOVE your ACCEPT 22,25,53,80,443,465,993,995,5222,5269,5280,8999:9003 rule.

You also have multiple rules for TCP22

How can I do this carefully, without locking myself out of my own server? I am thinking if I DROP 22 it will take out all the rules. Any suggestions, ideas?


Use Lish: https://www.linode.com/docs/networking/ ... shell-lish

You can completely disable network access and still access a Linode server with Lish.
Which iptables commands should I be using to DROP and ACCEPT?
I am new to self-managed webservers and feel if I really mess this up, I will not know how to fix it.

This is in a chain? Okay, so what command would I use first and last that would not kill my chain?

Sorry for all the questions.


PostPosted: Mon Oct 20, 2014 8:19 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
I find it's easiest to edit the rules in their saved config file - that way you can put them in the EXACT order you need (versus typing in your rules one at a time via a terminal session).

In CentOS, that file is located at /etc/sysconfig/iptables; I'm not sure where it's located in DEB-based systems.

After you edit the config file, either restart IPTABLES or just reboot the server to load the new ruleset.



PostPosted: Mon Oct 20, 2014 8:56 pm 
Senior Newbie

Joined: Thu Sep 11, 2014 1:53 am
Posts: 13
Reset securing my Server:
https://www.linode.com/docs/security/se ... ur-server/

sudo iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
s3r3na@kalos:~$ sudo nano /etc/network/if-pre-up.d/firewall
s3r3na@kalos:~$ sudo chmod +x /etc/network/if-pre-up.d/firewall
s3r3na@kalos:~$ sudo iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Looked over Prerequisites:
https://www.linode.com/docs/email/postf ... -and-mysql

Troubleshot - Telnet, which I cannot check:
https://www.linode.com/docs/email/postf ... and-mysql/

sudo telnet 106.185.45.57
Trying 106.185.45.57...
telnet: Unable to connect to remote host: Connection refused

"Checking Port Availability

Sometimes email problems occur because the mail server and mail client aren’t talking to each other on the same ports. For mail to get from client to server, or vice versa, both have to be using the same ports, and those ports also have to be open along the internet route between the two. If you are following the accompanying Postfix, Dovecot, and MySQL installation guide, you should be using the following ports:

25, 465, or 587 with TLS encryption for outgoing mail (SMTP)
993 with SSL encryption for incoming IMAP
995 with SSL encryption for incoming POP3

First, check your mail client settings and make sure that you have the correct ports and security settings selected.

Next, use the Telnet tool to check that ports are open both on your Linode and on the route between your client and your Linode. The same test should be run on both your Linode and your home computer. First we’ll present how to run the test from both locations, and then we’ll discuss the implications."
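The port check the quoted guide describes, as an added example that is not from the thread or the Linode docs: it connects to each listed port explicitly (a bare `telnet host` with no port argument tries port 23, not a mail port) and separates a refused connection from a silent timeout, which is what a DROP rule produces. The host name is taken from the command line; the five ports are the ones the guide lists.

```python
import socket
import sys

# Ports the quoted troubleshooting guide expects a Postfix/Dovecot host to serve.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}

def check_port(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    'open'    - handshake completed, something is listening
    'refused' - RST came back: host reachable, nothing bound (or a REJECT rule)
    'timeout' - no answer at all: typically a DROP rule or upstream filtering
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:          # unreachable network, name resolution failure, ...
        return f"error: {exc}"

def check_mail_ports(host, ports=MAIL_PORTS, timeout=3.0):
    """Run check_port for every listed port and return {port: status}."""
    return {port: check_port(host, port, timeout) for port in ports}

if __name__ == "__main__":
    target = sys.argv[1]            # the mail host name, e.g. the one set in the mail client
    for port, status in check_mail_ports(target).items():
        print(f"{target}:{port} ({MAIL_PORTS[port]}) -> {status}")
```

Run it once from the server itself and once from the client machine, as the guide suggests: a port that is open locally but times out remotely points at the firewall or the network path, not at Postfix or Dovecot.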

