I have an email server running using postfix and dovecot. I am using mail.domain.com for my mx record, and have different sites on domain.com and various other subdomains (using nginx to serve different services). I am able to send emails to my gmail, but I am unable to send emails from gmail to my mail server, and I don't understand why. I generated the appropriate certificates for mail.domain.com.
Here is what my /etc/postfix/main.cf looks like:
myhostname = mail.domain.com
…
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.domain.com/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/mail.domain.com/chain.pem
Here is what my /etc/dovecot/dovecot.conf looks like:
ssl=required
ssl_cert = < /etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = < /etc/letsencrypt/live/mail.domain.com/privkey.pem
I have read through all of the posts similar to mine, and nothing worked so far. If anyone wants more information, I will gladly post it. Am I missing something?
If you included the real domain I could look at your server on port 25 to confirm/deny any of the below.
Mail should not 'require' SSL normally.
It's opportunistic SSL (STARTTLS) on SMTP port 25 if your server offers it as an option,
i.e. if your server advertises that TLS is available, the connecting server will run the STARTTLS command and upgrade the connection.
But for it to work it has to always start the connection unencrypted, to accept mail from public servers that will only work with standard servers that will expect the TLS/SSL negotiation to work in this order.
(Later rules can decide to reject mail from certain domains if the connecting server did not switch to TLS before sending the mail), but even this should only be for domains where you have verified their systems can/will upgrade to TLS normally.
But as a non-Postfix user I couldn't tell you the specific issue with your config,
but I recommend you follow one of the excellent guides online for enabling Postfix to offer TLS.
Port 587 is for 'submission', i.e., what "your clients" use to send e-mail to the big wide world. Everything that comes from that big bad world and uses the MX record of your domain to find your mail server uses port 25.
Simply put, if you don't listen for inbound SMTP on port 25, Google and everyone else can't send you mail,
as it's the only port used for server<>server SMTP
and the only one pointed to by MX records.
25 accepts from any > to local only (should offer TLS, not auth)
587 accepts from local (if authenticated) > any (should require TLS, then after TLS offer/require auth)
Port 587 is for submission (SMTP via the submission port) and only used for client>smart-host-server connections (outbound from your desktop to your server).
My mistake on the Dovecot (I said I don't know Postfix), but what has a POP3/IMAP config got to do with inbound mail issues?
and I am able to make a successful connection. I think the issue lies in which SSL certs I am using. When I receive a mail in gmail, Google tells me "Gmail couldn't actually verify that kepler.ai actually sent this message". I tried using the certificate for kepler.ai instead, and restarted postfix/dovecot, and I still get the same error.
Maybe I didn’t generate the certificates correctly? I generated them using “certonly --webroot”
Message is NOT marked as spam
Points breakdown:
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
I set up DKIM and SPF, and the good news is that gmail no longer thinks I'm untrusted. However, I am still unable to send emails to my server from gmail. Is this an SPF issue?
─( 19:21:34 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ host -t MX kepler.ai
kepler.ai mail is handled by 50 mail.kepler.ai.
─( 19:21:36 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ nc mail.kepler.ai 25
nc: unable to connect to address mail.kepler.ai, service 25
─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─
And using nmap to see around:
─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─
admin@grenade $ nmap mail.kepler.ai
Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-22 19:23 CET
Nmap scan report for mail.kepler.ai (104.131.86.90)
Host is up (0.074s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
587/tcp open submission
993/tcp open imaps
3000/tcp open ppp
8081/tcp open blackice-icecap
Port 25 is definitely not accessible from the internet.
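As an added example (not code from this thread, from Postfix or from Dovecot), here is a Python probe that does what the replies above describe a remote MTA doing: open a plain TCP connection to the MX host on port 25, send EHLO, and check whether STARTTLS is advertised. It covers the opportunistic-TLS explanation, the "25 accepts from any, should offer TLS" port-role summary, and the final nc/nmap finding that port 25 is closed, in one script. The host names, the probe's EHLO name and the fake MTA used for offline testing are all constructed for the example; against a real server you would run probe_smtp() on your MX host from a machine outside its network.

```python
import smtplib
import socket
import socketserver
import threading


def probe_smtp(host, port=25, timeout=5.0):
    """Connect to host:port the way a remote MTA does (plain TCP, then EHLO)
    and report whether the server is reachable and advertises STARTTLS.
    Nothing is authenticated and no mail is sent; the session ends with QUIT."""
    result = {"host": host, "port": port, "reachable": False,
              "starttls": False, "extensions": [], "error": None}
    try:
        # local_hostname (constructed) avoids a reverse-DNS lookup of our own address
        conn = smtplib.SMTP(host, port, local_hostname="probe.example.test",
                            timeout=timeout)
    except (OSError, smtplib.SMTPException) as exc:
        # Connection refused / timed out / bad banner: exactly what a sending
        # MTA sees when port 25 is firewalled or Postfix is not listening on it.
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    result["reachable"] = True
    try:
        code, _ = conn.ehlo()
        if code == 250:
            # smtplib lowercases the advertised ESMTP keywords (starttls, size, ...)
            result["extensions"] = sorted(conn.esmtp_features)
            result["starttls"] = conn.has_extn("starttls")
    finally:
        try:
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass
    return result


def diagnose(result):
    """Turn a probe result into the one-line verdict a mail admin wants."""
    if not result["reachable"]:
        return ("port %d closed to the outside: remote MTAs cannot deliver; check "
                "the host firewall, the provider's port-25 policy, and that Postfix "
                "is listening on this interface" % result["port"])
    if not result["starttls"]:
        return "reachable but no STARTTLS offered: mail arrives, but only in cleartext"
    return "reachable and STARTTLS advertised: ready for opportunistic TLS"


class _FakeMTAHandler(socketserver.StreamRequestHandler):
    """Minimal constructed SMTP server for offline testing: greets, answers EHLO
    with the extension list configured on the server object, and understands QUIT."""

    def handle(self):
        self.wfile.write(b"220 fake.mta.test ESMTP (constructed test double)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.decode("ascii", "replace").strip().upper()
            if verb.startswith("EHLO") or verb.startswith("HELO"):
                # Multi-line reply: "250-" on every line but the last, "250 " on the last.
                items = ["fake.mta.test"] + list(self.server.extensions)
                reply = "".join(f"250-{x}\r\n" for x in items[:-1])
                reply += f"250 {items[-1]}\r\n"
                self.wfile.write(reply.encode("ascii"))
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 fake.mta.test closing\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_fake_mta(extensions=("STARTTLS", "SIZE 10240000")):
    """Start the test double on 127.0.0.1 on a free port; returns (server, port).
    Call server.shutdown() and server.server_close() when done."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeMTAHandler)
    server.extensions = tuple(extensions)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_tcp_port():
    """Pick a port nobody is listening on (bind, read it back, close)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed test double; for a real check run
    # probe_smtp("mail.example.test", 25) from outside the server's network.
    server, port = start_fake_mta()
    r = probe_smtp("127.0.0.1", port)
    print(r, "->", diagnose(r))
    server.shutdown()
    server.server_close()
    r = probe_smtp("127.0.0.1", free_tcp_port(), timeout=2)
    print(r, "->", diagnose(r))
```

When the probe reports port 25 closed even though Postfix is running, the usual Postfix-side causes are `inet_interfaces` restricted to loopback in main.cf, the `smtp inet` service line commented out in master.cf, or the host firewall or hosting provider blocking inbound 25; the probe cannot tell these apart from outside, which is why the first reply asks for the real domain. A server that is reachable but does not advertise STARTTLS still receives mail, just without the opportunistic encryption the thread describes.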