Hallo Community,
ich habe meinen Mailserver umgezogen bzw. umgebaut. Vor dem Update lief der Mailserver ohne Probleme. Vorgegangen bin ich folgendermaßen nach dieser Anleitung.
Mein System besitzt die folgenden specs:
OS: Debian 8
Architektur: arm
Benutzte Ports 143+587
Software: Iptables mit entsprechend geöffneten Ports
Vor dem Umbau wurde der Server über Port 25 betrieben. Dies wurde am Router entsprechend angepasst. Der Server läuft an einem normalen DSL Anschluss mit einem SMTP Relay Server. Ein senden einer Nachricht erfolgt ohne Probleme, lediglich das Empfangen bereitet mir zurzeit ein wenig Probleme und ich hoffe auf eure Unterstützung.
Das Problem bildet sich wie folgt im Log dargestellt ab:
Meine Konfigurationsdateien:
Postfix:
Dovecot
Ich hoffe ihr könnt mir bei meinem Problem weiterhelfen!
Gruß
Pascal
ich habe meinen Mailserver umgezogen bzw. umgebaut. Vor dem Update lief der Mailserver ohne Probleme. Vorgegangen bin ich folgendermaßen nach dieser Anleitung.
Mein System besitzt die folgenden specs:
OS: Debian 8
Architektur: arm
Benutzte Ports 143+587
Software: Iptables mit entsprechend geöffneten Ports
Vor dem Umbau wurde der Server über Port 25 betrieben. Dies wurde am Router entsprechend angepasst. Der Server läuft an einem normalen DSL Anschluss mit einem SMTP Relay Server. Ein senden einer Nachricht erfolgt ohne Probleme, lediglich das Empfangen bereitet mir zurzeit ein wenig Probleme und ich hoffe auf eure Unterstützung.
Das Problem bildet sich wie folgt im Log dargestellt ab:
Code:
Oct 15 20:51:22 Hostname postfix/error[7161]: B4B1C5FD40: to=<webmaster@xxx.de>, orig_to=<root@xxx.de>, relay=none, delay=2764, delays=2764/0.47/0/0.01, dsn=4.7.4, status=deferred (delivery temporarily suspended: TLS is required, but was not offered by host FQDN[private/dovecot-lmtp])
Meine Konfigurationsdateien:
Postfix:
Code:
# SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname
# Disable local biff service
biff = no
# Do not append the string $mydomain to -locally- submitted email.
append_dot_mydomain = no
# Readme directory
readme_directory = /usr/share/doc/postfix
# HTML directory
html_directory = /usr/share/doc/postfix/html
# Certificates
smtpd_tls_cert_file = /etc/letsencrypt/live/www.xxx.de/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.xxxx.de/privkey.pem
# Opportunistic TLS. TLS auth only.
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
# TLS session cache for SMTPd
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Disallow SSLv2 and SSLv3, only accept secure ciphers
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
# Log TLS handling
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# Delay reject until RCPT TO
smtpd_delay_reject = yes
# Enable elliptic curve cryptography, "ultra" needs more cpu time
smtpd_tls_eecdh_grade = strong
# Sender, recipient, client and data restrictions
# !! non-FQDN HELOs are rejected on Port 25 only, see master.cf
# Auth. Benutzer dürfen auch innerhalb der "mynetworks" nur von den Adressen senden, die ihnen zugehörig sind.
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
# Erst jetzt werden "mynetworks" zugelassen
# Unauth. Benutzer wie der Cron-Dienst können so weiterhin Mails versenden, etwa
# als cron@fqdn
permit_mynetworks,
# Anderen unauth. Benutzern das Benutzen jeder Adresse verbieten.
reject_sender_login_mismatch,
# Alle auth. jetzt zulassen.
permit_sasl_authenticated,
# Nicht im System vorhandene Absender jetzt ablehnen
reject_unlisted_sender,
# Ablehnen, wenn die Sender-Domäne nicht existiert
reject_unknown_sender_domain
# Akzeptiere alle Empfänger, die ein authentifizierter Absender oder ein Absender aus "mynetworks" angibt
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
# Schnittstelle zu Dovecot, um die Quota live zu überprüfen (verhindert Bounces)
check_policy_service unix:private/quota-status,
# Ablehnen, wenn der HELO FQDN nicht aufzulösen ist
reject_unknown_helo_hostname,
# Ablehnen, wenn KEIN PTR zu dieser IP existiert
# Verhindert nicht, dass ein FALSCHER PTR abgelehnt wird!
# Hierfür würde "reject_unknown_client_hostname" verwendet.
reject_unknown_reverse_client_hostname,
# Kein offenes Relay
reject_unauth_destination
# Unauth. Benutzer dürfen ihre Befehle nicht "pipen"
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
# Eine Art Tabelle mit vorhanden Identitäten und ihren Zugehörigkeiten
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_alias_maps.cf
# Certificates
smtp_tls_cert_file = /etc/letsencrypt/live/www.xxx.de/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/www.xxx.de/privkey.pem
# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
smtp_tls_security_level=may
# TLS session cache for SMTP
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# A custom list with secure ciphers.
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Use the FQDN for the local hostname!
myhostname = FQDN
# Alias maps and database for -local- delivery only
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
myorigin = xxx.de
# The list of domains that are delivered via the -local- mail delivery transport. No external domains like "domain.tld" belong here! "mail.domain.tld" is fine.
mydestination = FQDN, Interne IP des Servers
#Relay
relayhost = relay.mailjet.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
# Trusted SMTP clients with more privileges. Trusted clients can relay mail.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# The maximal size of any -local- individual mailbox
mailbox_size_limit = 0
# The maximal size of any -virtual- individual mailbox
virtual_mailbox_limit = 0
# Handle Postfix-style extensions
recipient_delimiter = +
# The network interface addresses that this mail system receives mail on.
inet_interfaces = all
# Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
inet_protocols = ipv4
# VRFY command is not really needed anymore
disable_vrfy_command = yes
# Please say hello first...
smtpd_helo_required = yes
# The SASL plug-in type that the Postfix SMTP server should use for authentication.
smtpd_sasl_type=dovecot
# Where to passthrough our authentication information for the above plug-in
smtpd_sasl_path=private/auth_dovecot
# Enable SASL authentication in the Postfix SMTP server.
smtpd_sasl_auth_enable = yes
# Report the SASL authenticated user name in the smtpd Received message header.
smtpd_sasl_authenticated_header = yes
# Have Postfix advertise AUTH support in a non-standard way.
broken_sasl_auth_clients = yes
# The lookup tables that the proxymap server is allowed to access for the read-only service.
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
## Virtual transport configuration
# A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
virtual_mailbox_base = /
# THIS contains a list of domains we are the final destination for (unlike "mydestination").
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_domains_maps.cf
# Alias specific mail addresses or domains to other local or remote address.
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_alias_maps.cf
# Specify a left-hand side of "@domain.tld" to match any user in the specified domain
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_mailbox_maps.cf
# The minimum user ID value that the virtual delivery agent accepts
virtual_minimum_uid = 5000
# We use "vmail" user with UID/GID 5000 to lookup tables
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
virtual_transport = lmtps:unix:private/dovecot-lmtp
transport_maps = mysql:/etc/postfix/mysql/postfix-mysql-virtual_transport_maps.cf
## Queue configuration
# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
maximal_queue_lifetime = 1d
# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
bounce_queue_lifetime = 1d
# The time between deferred queue scans by the queue manager.
queue_run_delay = 300s
# The maximal/minimal time between attempts to deliver a deferred message.
maximal_backoff_time = 1800s
minimal_backoff_time = 300s
# Maximum mail size (500 MiB)
message_size_limit = 524288000
# This tarpits a client after 3 erroneous commands for 10s
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
postscreen_access_list = permit_mynetworks
# Drop connections from blacklisted servers with a 521 reply
postscreen_blacklist_action = drop
# Clean Postscreen cache after 24h
postscreen_cache_cleanup_interval = 24h
postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
b.barracudacentral.org=127.0.0.2*7
dnsbl.inps.de=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.[10;11;12]*4
dnsbl.sorbs.net=127.0.0.10*8
dnsbl.sorbs.net=127.0.0.5*6
dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
wl.mailspike.net=127.0.0.[18;19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_greet_banner = $smtpd_banner
postscreen_greet_action = enforce
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
Code:
# Postscreen on Port 25/tcp, filters zombies (spam machines) on first level with lowest costs.
smtp inet n - n - 1 postscreen
# Postscreen passes sane clients to the real SMTP daemon here.
smtpd pass - - n - - smtpd
# Reject non-FQDN HELOs on Port 25 (after passing postscreen process)
-o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
-o smtpd_proxy_filter=127.0.0.1:10024
-o smtpd_client_connection_count_limit=10
-o smtpd_proxy_options=speed_adjust
# For mail submitting users. Authenticated clients and known networks only.
submission inet n - - - - smtpd
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
-o smtpd_proxy_options=speed_adjust
# Handles TLS connections for postscreen to make them readable
tlsproxy unix - - n - 0 tlsproxy
# This implements an ad-hoc DNS white/blacklist lookup service
dnsblog unix - - n - 0 dnsblog
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
# LMTP with STARTTLS support, needs newer Dovecot versions
lmtps unix - - - - - lmtp
-o lmtp_use_tls=yes
-o lmtp_tls_loglevel=1
-o lmtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
-o lmtp_enforce_tls=yes
-o lmtp_tls_mandatory_protocols=!SSLv2,!SSLv3
-o lmtp_tls_protocols=!SSLv2,!SSLv3
-o lmtp_tls_mandatory_ciphers=high
-o lmtp_tls_ciphers=high
-o lmtp_send_xforward_command=yes
-o lmtp_tls_security_level=encrypt
-o lmtp_tls_note_starttls_offer=yes
# Amavis reinjection, maximal 5 smtpd Prozesse, muss den Amavis Prozessen entsprechen!
127.0.0.1:10035 inet n - - - 5 smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks
Dovecot
Code:
auth_mechanisms = plain login
disable_plaintext_auth = yes
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir:LAYOUT=fs
mail_uid = vmail
mail_gid = vmail
# notify wird von mail_log benötigt. mail_log informiert in diesem Fall über DELETE und EXPUNGE (weiter unten)
mail_plugins = quota acl mail_log notify
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
log_timestamp = "%Y-%m-%d %H:%M:%S "
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
# Der "namespace separator" sollte "/" lauten, da es zusammen mit der ACL zu Konflikten käme, wenn der Benutzername das Zeichen "." enthält.
namespace inbox {
inbox = yes
location =
separator = /
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
special_use = \Trash
}
mailbox "Gelöschte Objekte" {
special_use = \Trash
}
mailbox "Papierkorb" {
special_use = \Trash
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Archiv {
special_use = \Archive
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox "Gesendet" {
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Entwürfe {
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
prefix =
}
# Dieser Namespace wird für die ACL Erweiterung benötigt.
# Freigegebene Ordner erscheinen automatisch in der Ordnerliste.
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%h/Maildir:LAYOUT=fs:INDEXPVT=~/Maildir/Shared/%%u
subscriptions = yes
list = yes
}
protocols = imap sieve lmtp
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
}
}
service auth {
unix_listener /var/spool/postfix/private/auth_dovecot {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0600
user = vmail
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = root
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
process_min_avail = 2
vsz_limit = 128M
}
service managesieve {
process_limit = 256
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
user = vmail
}
listen = *
ssl_cert = </etc/letsencrypt/live/www.xxx.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/www.xxx.de/privkey.pem
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota imap_acl acl mail_log notify
}
protocol lmtp {
mail_plugins = quota sieve acl notify
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmaster@xxx.de
}
protocol sieve {
managesieve_logout_format = bytes=%i/%o
}
protocol lda {
mail_plugins = sieve quota acl notify
postmaster_address = postmaster@xxx.de
}
plugin {
mail_log_events = delete undelete expunge
# Um quasi-öffentliche Ordner für authentifizierte Benutzer via ACL zu erstellen
acl_anyone = allow
# Wird automatisch verwaltet und beinhaltet eine Ãœbersicht der Freigaben
acl_shared_dict = file:/var/vmail/shared-mailboxes.db
# In jeder Mailbox wird von Dovecot eine Datei gepflegt, die die Freigaben regelt
acl = vfile
quota = maildir:User quota
# Die Ordner Trash und Sent erhalten +10% auf die Quota
quota_rule = Trash:storage=+10%%
quota_rule = Sent:storage=+10%%
# Eigene Sieve Filter liegen im Heimverzeichnis
sieve = ~/sieve/dovecot.sieve
sieve_dir = ~/sieve
# Der globale Filter außerhalb
sieve_before = /var/vmail/before.sieve
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 0
# Auch dann weitermachen, wenn die Quota nicht ermittelt werden kann
# Gilt für den von Dovecot bereitgestellten Postfix policy service
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is over quota"
}
service quota-status {
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/quota-status {
group = postfix
mode = 0660
user = postfix
}
client_limit = 1
}
Code:
driver = mysql
connect = "host=localhost dbname=vimbadmin user=vimbadmin password=abdcasadfahdfasdv"
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username as user, password as password, \
homedir AS home, \
maildir AS mail, uid, gid, \
concat('*:bytes=', quota) as quota_rule \
FROM mailbox WHERE username = '%Lu' AND active = '1' \
AND ( access_restriction = 'ALL' OR LOCATE( '%Us', access_restriction ) > 0 )
user_query = SELECT homedir AS home, \
maildir AS mail, uid, gid, \
concat('*:bytes=', quota) as quota_rule \
FROM mailbox WHERE username = '%u'
iterate_query = SELECT username FROM mailbox;
Ich hoffe ihr könnt mir bei meinem Problem weiterhelfen!
Gruß
Pascal