Can't send email to mail server


#1

I have an email server running using postfix and dovecot. I am using mail.domain.com for my mx record, and have different sites on domain.com and various other subdomains (using nginx to serve different services). I am able to send emails to my gmail, but I am unable to send emails from gmail to my mail server, and I don’t understand why. I generated the appropriate certifications for mail.domain.com

Here is what my /stc/postfix/main.fc looks like:
myhostname = mail.domain.com

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.domain.com/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/mail.domain.com/chain.pem

Here is what my /etc/dovecot/dovecot.conf looks like:
ssl=required
ssl_cert = < /etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = < /etc/letsencrypt/live/mail.domain.com/privkey.pem

I have read through all of the posts similar to mine, and nothing worked so far. If anyone wants more information, I will gladly post it. Am I missing something?


#2

if you included the real domain i could look at your server on port 25 to confirm/deny any of the below

mail should not ‘require’ ssl normally
its opportunistic ssl (starttls) on smtp port 25 if your server offers it as an option
ie if your server advertises tls is available, the connecting server will run the starttls command and upgrade the connection
but for it to work it has to always start the connection unencrypted to accept mail from public servers that will only work with standard servers that will expect the tls/ssl negotiation to work in this order

(later rules can decide to reject mail from certain fomains if the connecting server did not switch to tls before sending the mail) but even this should onlt be for domains where you have verified their systems can/will upgrade to tls normally
but as a non postfix user i couldnt tell you the specific issue with your config
but recommend you follow one of the excellent guides for enabling postfix to offer tls online


#3

Yeah, my domain is kepler.ai

Also, my stmp port is on 587, not 25. And imap is on 143. My setup is for STARTTLS

Thanks.


#4

The ssl=required was for Dovecot, an IMAP daemon :wink:


#5

Port 587 is for ‘submission’, i.e., what “your clients” use to send e-mail to the big wide world. Everything what comes from that big bad world and uses the MX-record of your domain to find your mailserver, uses port 25.


#6

simply put if you dont listen for inbound smtp on port 25 google and everyone else cant send you mail

as its the only port used for server<>server smtp
and the only one pointed to by mx records

25 accepts from any > to local only (should offer tls not auth)
587 accepts from local (if authenticated) > any (should require tls, then after tls offer/require auth)

port 597 is for submission (smtp via submission port) and only used for client>smart-host-server connections (outbound from your desktop to your server)

my mistake on the dovecot (i said i dont know postfix) but what has a pop3/imap config got to do with inbound mail issues?


#7

Ah thanks for clearing up what port 25 is used for.

I used:
telnet kepler.ai 25

and I am able to make a successful connection. I think the issue leis in which ssl certs I am using. When I receive a mail in gmail, Google tells me “Gmail couldn’t actually verify that kepler.ai actually sent this message” I tried using the certification for kepler.ai instead, and restarted postfix/dovecot and I still get the same error.

Maybe I didn’t generate the certificates correctly? I generated them using “certonly --webroot”


#8

I’d recommend using http://dkimvalidator.com/ to test for other issues first.


#9

I’d agree with @pfg I suspect this is related to SPF and DKIM rather than the SSL cert - see https://gmail.googleblog.com/2016/02/making-email-safer-for-you-posted-by.html and https://support.google.com/mail/answer/180707?hl=en&ref_topic=3404236


#10

Using dkimvalidator, I got:

Message is NOT marked as spam
Points breakdown: 
0.0 HTML_MESSAGE           BODY: HTML included in message
0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

I setup DKIM and SPF, and the goodnews is that gmail no longer thinks I’m untrusted. However, I am still unable to send my server emails from gmail. Is this an SPF issue?


#11

I am not:

─( 19:21:34 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ host -t MX kepler.ai
kepler.ai mail is handled by 50 mail.kepler.ai.
─( 19:21:36 )─< ~ >───────────────────────────────────────────────────────[ 0 ]─
$ nc mail.kepler.ai 25
nc: unable to connect to address mail.kepler.ai, service 25
─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─

And using nmap to see around:

─( 19:21:39 )─< ~ >───────────────────────────────────────────────────────[ 1 ]─
admin@grenade $ nmap mail.kepler.ai

Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-22 19:23 CET
Nmap scan report for mail.kepler.ai (104.131.86.90)
Host is up (0.074s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
587/tcp  open     submission
993/tcp  open     imaps
3000/tcp open     ppp
8081/tcp open     blackice-icecap

The port 25 is definitely not accessible from the internet.


#12

Sending from gmail to your server isn’t an SPF issue, no.

This is ast @nit also said - your server isn’t accepting connections on port 25

$ telnet kepler.ai 25
Trying 104.131.86.90…
telnet: Unable to connect to remote host: Connection refused


#13

Does anyone know how exactly is that accomplished on latest Postfix?


#14

I am also getting a “connection refused” error:

$ openssl s_client -starttls smtp -connect kepler.ai:25
connect: Connection refused
connect:errno=111

#15

You could add
smtpd_tls_received_header = yes
to the postfix/main.cf

which will add a header showing that TLS was used - and you can then use that to sieve / filter


#16

That’s strange, when I do

netstat -plnt |grep :25

I get:

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      27865/master    
tcp6       0      0 :::25                   :::*                    LISTEN      27865/master

I can’t telnet to my server either.

Now I can’t seem to send or receive mail either. I changed

smtp unix   -    -    -   -   - smtp

to

smtp inet   n    -    n   -   - smtp

In /etc/postfix/master.cf


#17

Is there a firewall running somewhere that might be blocking inbound port 25 traffic?


#18

Perhaps your ISP blocks it? Many do.