Hey everyone,

I've just recently bought a Linode and am teaching myself web server admin by trial and error. I'm working through learning how to install and configure the basics to run the small site I want (to begin with:LAMP, WordPress, email, log admin, backups). I'm currently up to email, and I've hit a small problem that has me stumped.

At the moment, I've got Postfix running with Dovecot using SASL authentication, as per this tutorial I found at debianadmin.com: http://www.debianadmin.com/debian-mail-server-setup-with-postfix-dovecot-sasl-squirrel-mail.html. The tutorial goes on to install Squirrel Mail, but I'm attempting to access my mail via Thunderbird locally so I can manage all my accounts together.

It's almost working. I can send mail to my accounts and read them via Thunderbird, but I can't send mail via Thunderbird. If I try (using SSL and default port 465), I instantly get an error message "The server may be unavailable or is refusing SMTP connections". If I try different ports like 25, the sending hangs when it connects to my server.

If instead I ssh into my linode and send mail via the command line mail, it works without problem. So I'm assuming there's a connection problem between my server and my computer.

My gut feeling is that this is really simple, and I've forgotten to do something like turn on a setting in the command line settings in Postfix, Dovecot or SASL. Or it's something even more obvious and I've just misconfigured Thunderbird. I've tried modifying some of the settings in Postfix's main.cf config file, but nothing seems to work.

Strangely I also can't seem to find reference to my failed attempts to send emails in the log files in /var/log. Learning the logging system was after email on my checklist so I'm pretty in the dark for what to look for here.

While a solution is needed, I'd mainly like to know where I should be looking. I'm spending this week with my Linode learning the ropes, so learning how to do basic admin is just as important as getting it working. Once I figure out how to do all the basics I'm probably going to nuke everything and build it up again a bit better anyway (plus a good test of the backups!), so I don't mind making a bit of a mess.

Thanks!

Edit: Forgot to mention: I'm using Debian as my OS.

_________________
David Shaw, a.k.a. "Trazoi"

Post logs (/var/log/mail.log) and configuration files.

It may be that your ISP is blocking somg ports.

Is there a good way to figure out which ports I can use? I know I can receive and send mail via GMail. I'm pretty sure I've tried the same port I use for that, but I don't know if I have to change something in the default settings in Postfix or Dovecot to handle that.

Here's the last lines from my mail.log file. I've mangled up the email addresses a bit to fox any spambots (all sent mail is from my site trazoi.com), but it should be pretty clear:

Apr 27 10:37:11 postfix/master[10547]: reload configuration /etc/postfix
Apr 27 10:37:51 postfix/master[10547]: terminating on signal 15
Apr 27 10:37:51 postfix/master[10708]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:42:19 postfix/master[10708]: terminating on signal 15
Apr 27 10:42:20 postfix/master[10859]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:53:36 postfix/pickup[10865]: 0DBA9C120: uid=1000 from=<test>
Apr 27 10:53:36 postfix/cleanup[10900]: 0DBA9C120: message-id=<20090427105336.0DBA9C120-at-example.com>
Apr 27 10:53:36 postfix/qmgr[10864]: 0DBA9C120: from=<test-at-example.com>, size=353, nrcpt=1 (queue active)
Apr 27 10:53:36 postfix/smtp[10903]: 0DBA9C120: to=<david-at-gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.221.82]:25, delay=0.51, delays=0.01/0.01/0.12/0.37, dsn=2.0.0, status=sent (250 2.0.0 OK 1240829616 14si5293947qyk.37)
Apr 27 10:53:36 postfix/qmgr[10864]: 0DBA9C120: removed
Apr 27 10:56:44 postfix/master[10859]: terminating on signal 15
Apr 27 10:56:44 postfix/master[10989]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 10:57:29 postfix/master[10989]: terminating on signal 15
Apr 27 10:57:29 postfix/master[11071]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 11:00:38 postfix/master[11071]: terminating on signal 15
Apr 27 11:00:39 postfix/master[11155]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 11:09:02 postfix/master[11155]: terminating on signal 15
Apr 27 11:09:02 postfix/master[11294]: daemon started -- version 2.5.5, configuration /etc/postfix
Apr 27 13:59:01 postfix/master[11294]: terminating on signal 15
Apr 27 13:59:02 postfix/master[11576]: daemon started -- version 2.5.5, configuration /etc/postfix

I think the one email sent was via (the command line) mail in a ssh session. All the demon restarting lines were from me making changes and resetting the email system. There would have been a lot of Thunderbird message attempts in that time, but I don't see them in the logs.

My Postfix main.cf currently looks like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = trazoi.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost, localhost.localdomain, localhost
relayhost = 
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# SASL SUPPORT FOR CLIENTS
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# some settings to make life easier
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, reject_unknown_sender_domain

#getting rid of slow hosts
transport_maps = hash:/etc/postfix/transport
deadbeats_destination_concurrency_limit = 50

The stuff at the end are various commands I've seen on guides that I've meshed together.

I haven't touched the defaults in master.cf save for adding a "deadbeats" line from one set of tips I found.

The dovecot config file is large, and I'm not sure if that's the issue. The main change was the one that's in the tutorial I linked to, which I've typed in verbatim:

auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

Are there any other files that might help?

Edit: Oh, and if there any other glaring problems with those config files, I'd be grateful if you pointed them out. Understanding how to configure the email system nicely is turning out to be a lot harder than Apache.

_________________
David Shaw, a.k.a. "Trazoi"

It looks to me like you have not set up postfix to listen on anything other than port 25. You will need to set thunderbird to use TLS on port 25, not SSL when you send with the server configured like this. I also highly recommend adding "smtpd_tls_auth_only = yes" to prevent SASL from being done without encryption.

If you want to use SSL on port 465 instead, need to add an entry to master.cf for smtps service type. On my system (gentoo) it is already there but commented out.

You can check what TCP ports that daemons are listening on with the command netstat -nvlpt. You'll see something similar to the following:

Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:25      0.0.0.0:*        LISTEN  2351/master
tcp        0      0 0.0.0.0:631     0.0.0.0:*        LISTEN  2488/cupsd
tcp6       0      0 :::22           :::*             LISTEN  2153/sshd

If you don't see something ending in :465 under "Local Address," you don't have anything listening on that port. (Also, perhaps Thunderbird is trying to use port 587 for mail submission?)

Thanks, everyone. After a few too many hours work on this I think I've got it sorted out now.

It turns out I was looking at the wrong port, but I didn't have another port activated. With a bit of reconfiguring I've got it working with the same connection as GMail (port 587, TSL).

The steps were something like this:

• Add in lines smtpd_tls_security_level=may and smtpd_tls_auth_only=yes into the Postfix main.cf file, to help with encryption.
• REMOVE the line I had earlier: "reject_rbl_client relays.ordb.org". Unfortunately my source for that was several years out of date. ordb.org has died and that line will block everything.
• In master.cf, uncomment the line for submission. This will activate port 587. I also uncommented the lines for the flags that looked like they were useful. I haven't yet uncommented the flag for smtpd_tls_security_level=encrypt but I'm unsure - sources suggest that's bad for receiving email as it blocks anyone with an incompatible client, but I'm not sure about receiving email.
• Optional: make a new SSL certificate for your mail subdomain. I don't think this is necessary, but apparently if your certificate is for example.com but your mail is at mail.example.com then email clients will complain at every opportunity, even if they've accepted the certificate.

Well, now it works. I still don't know for sure how secure the system is, and I've also got to figure out how to archive the mail nicely, but it works.

To check that nothing funny is happening with the mail, I should regularly check mail.log and the other similarly named log files, right?

_________________
David Shaw, a.k.a. "Trazoi"

The "-o smtpd_tls_security_level=encrypt" line sets it to only allow encrypted sessions on the submission port (587). This only applies to email you are originating - it has no effect on your receiving of email which should always be on port 25.
As far as leaving it commented out, sending passwords in-the-clear is just a bad idea. IMHO, anyone with an incompatible client shouldn't be allowed to send email in this day and age.

Thanks for the clarification. I thought it was just on the submission port, but given the warnings I read in the manual about setting that flag to encrypt in main.cf I was hesitant to set it in master.cf.

_________________
David Shaw, a.k.a. "Trazoi"

Try this in master.cf:

smtps   inet    n       -       -       -        -      smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

Use port 465 for SSL with Outlook or Thunderbird.