Proper way to configure email on VPS

#1 Mon, 03/21/2016 - 08:35
agsh


Hi all,

Sorry for another question about how to configure email but I've spent the whole last three days trying to do it with no success. I was able to correctly receive email using IMAP but wasn't able to send emails through SMTP. I read a lot of tutorials and changed so many things that I decided to start with a new fresh installation (Ubuntu 15.10, Webmin 1.791) and start asking.

I've created a new virtual server with domain name "agsh.net" and default parameters. I've created a MX record "mail.agsh.net" pointing to the server using the VPS provider (Contabo) user console. I've also created a test user "prueba.agsh" with email address "prueba@agsh.net".

Following the instructions in http://wiki.dovecot.org/TestInstallation, if I make a local telnet connection I get (not the real password):

root@vmi67186:~# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login "prueba.agsh" "password"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
e logout
* BYE Logging out
e OK Logout completed.
Connection closed by foreign host.

However, when I make a telnet from an external PC I get:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.
a login "prueba.agsh" "password"
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
a NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

I've noticed there is a small difference in the response when connected locally with respect to the instructions in http://wiki.dovecot.org/TestInstallation. Instead of

...LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN]...

I get

...LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN]...

So I decided to enable SSL connections (Dovecot networking and mail protocol options > Accept SSL connections? > Yes). However, after reloading Dovecot, the telnet connection is closed when I try to connect to the server.

root@vmi67186:~# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

This is what the log says about it:

Mar 21 13:35:15 vmi67186 dovecot: imap-login: Fatal: Can't load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert=<)
Mar 21 13:35:15 vmi67186 dovecot: master: Error: service(imap-login): command startup failed, throttling for 4 secs

To solve the error I've uncommented the lines:

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

in file /etc/dovecot/conf.d/10-ssl.conf

However, when restarting Dovecot:

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/dovecot/dovecot.pem: No such file or directory

I've managed to solve this error by using /etc/webmin/miniserv.pem as ssl_cert and ssl_key, but I guess this is not secure. Where is the default certificate? Do I need to generate one?

Any help will be greatly appreciated.
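
The three IMAP greetings in the post above can be compared mechanically. The following is an added example, not part of the original post: it reads the pre-login CAPABILITY list and reports which login path a client has. The function names and verdict labels are made up for this illustration, and the third greeting is constructed from the wiki fragment quoted above.

```python
import re

# Greetings from the post above. WIKI is constructed from the quoted wiki fragment.
LOCAL = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready."
REMOTE = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready."
WIKI = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready."


def parse_capabilities(greeting):
    """Return the capability atoms from an IMAP '* OK [CAPABILITY ...]' greeting."""
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(match.group(1).upper().split()) if match else set()


def login_path(greeting):
    """Classify how a client can authenticate, judging only by the greeting."""
    caps = parse_capabilities(greeting)
    starttls = "STARTTLS" in caps
    plaintext_ok = "LOGINDISABLED" not in caps
    if starttls and not plaintext_ok:
        return "starttls-required"    # upgrade first, then log in
    if starttls:
        return "starttls-optional"    # cleartext login still accepted
    if plaintext_ok:
        return "cleartext-only"       # password crosses the wire unencrypted
    return "no-usable-login"          # cleartext refused and no way to upgrade


if __name__ == "__main__":
    for name, greeting in (("local", LOCAL), ("remote", REMOTE), ("wiki", WIKI)):
        print(name, login_path(greeting))
```

The remote greeting is the dead end: LOGINDISABLED is advertised without STARTTLS, so on port 143 a remote client has neither a cleartext nor an encrypted way to log in until SSL is enabled with a certificate that loads.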

Mon, 03/21/2016 - 10:02
andreychek

Howdy,

Hmm, Ubuntu 15.10 isn't actually one of the supported distributions by the Virtualmin installer. I'm wondering if you're seeing some issues related to that. The Virtualmin installer only supports the Ubuntu LTS releases -- 14.04 is the most recent, though 16.04 will be supported in April.

However, to resolve the SSL issues you're seeing there, what you could always do is enable SSL for a particular domain on your server (in Edit Virtual Server -> Enabled features), and once you've done that, go into Server Configuration -> Manage SSL Certificates, and choose the "Copy to Dovecot" option.

Dovecot is used for receiving email though... so that wouldn't be related to any issues you had sending an email.

When trying to send an email, what error message did you receive in your email client, as well as in the email logs? You can view the email logs in /var/log/mail.log.

-Eric

Mon, 03/21/2016 - 19:57 (Reply to #2)
agsh

Thank you very much for your help. I never thought about that. I don't mind working with 14.04, although following your instructions I've been able to read email using IMAP and "partially" send emails using SMTP. These are the steps I've done:

Activate SSL module in Apache Webserver -> Configure Apache Modules. Apply changes.

Enable option "SSL website" in Virtualmin -> System Settings -> Features and Plugins.

Enable option "SSL website" in Edit Virtual Server -> Enabled features.

Go to Server Configuration -> Manage SSL Certificates, and choose the "Copy to Dovecot" option.

Start Dovecot server (was stopped)

Using the following parameters I'm able to read email in Thunderbird:

- Email account: prueba@agsh.net
- User: prueba.agsh
- Server name: imap.agsh.net
- Port: 143
- Security: STARTTLS (plain password)

However, I got the following error in log:

Mar 21 23:56:59 vmi67186 dovecot: imap(prueba.agsh): Error: file_dotlock_create(/var/mail/prueba.agsh) failed: Permission denied (euid=1001(prueba.agsh) egid=1000(agsh) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)

So, following the instructions in http://wiki.dovecot.org/QuickConfiguration, I set mail_privileged_group = mail and mbox_very_dirty_syncs = yes in file /etc/dovecot/conf.d/10-mail.conf and applied configuration for Dovecot (restart).

I wasn't able to send emails using SMTP so I decided to also copy the SSL certificate to postfix (Configuration -> Manage SSL Certificates) and enable client email autoconfiguration in Virtualmin -> Email Messages -> Mail Client Configuration.

I visited http://agsh.net/cgi-bin/autoconfig.cgi with browser but it seems that the script was not being executed (I can see its source code), so I enabled the cgi module in Apache webserver -> Configure Apache Modules. Changes applied.

The script autoconfig.cgi is now working. If I visit http://agsh.net/cgi-bin/autoconfig.cgi?emailaddress=prueba@agsh.net I get the following parameters:

hostname (imap): mail.agsh.net
port: 993
socket type: SSL
authentication: password-cleartext
username: prueba.agsh

hostname (smtp): mail.agsh.net
port: 25
socket type: plain
authentication: password-cleartext
username: prueba.agsh

The email account is now automatically configured in Thunderbird. I can read and send emails, but only to local addresses. If I try to send an email to prueba@agsh.net everything works, but if I try to send an email to emaildeprueba@gmail.com I get the following error in the log.

Mar 22 01:20:37 vmi67186 postfix/smtpd[2816]: NOQUEUE: reject: RCPT from 44.60.221.87.dynamic.jazztel.es[87.221.60.44]: 454 4.7.1 <emaildeprueba@gmail.com>: Relay access denied; from=<prueba@agsh.net> to=<emaildeprueba@gmail.com> proto=ESMTP helo=<[192.168.1.150]>

It seems that Postfix only sends emails to external servers when using a secure connection, but if I manually change the SMTP setting to STARTTLS in Thunderbird I get:

Mar 22 01:50:23 vmi67186 postfix/smtpd[3444]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48:

Tue, 03/22/2016 - 10:06 (Reply to #3)
agsh

Reinstalled everything on Ubuntu 14.04 and I'm in the exact same situation. I can send emails to local addresses but not to external accounts. :-(

I've noticed that both the fields "TLS certificate authority file" and "Send outgoing mail via host" in Postfix -> SMTP Authentication And Encryption are set to empty values. Do I need to get a certificate for the authority? Do I need to set "Send outgoing mail via host" to "Deliver directly"?

Edit: I can send emails to external domains using Squirrel, so I guess something is filtering external emails not using a secure connection. But I don't know what, or how to enable secure connections in SMTP (preferred).

Tue, 03/22/2016 - 10:38
andreychek

Howdy,

I'm glad to hear you're using Ubuntu 14.04 now, that should resolve a bunch of things, and make it easier to troubleshoot.

When sending an email, are you still getting a relay access denied error?

If so, that may just mean that the email client wasn't configured to authenticate when sending an outgoing email.

-Eric

Tue, 03/22/2016 - 18:58 (Reply to #5)
agsh

Thanks a lot for your time, Eric.

Yes. I'm getting the exact same errors. I've tried all combinations of security and authentication methods in Thunderbird and Gmail. Nothing seems to work :-(

Mon, 03/28/2016 - 12:09
agsh

Hi again,

I recorded a video (https://youtu.be/fRDFJlUA91Q) showing all the steps. Maybe I'm doing something wrong...

Regards, Alberto

Mon, 03/28/2016 - 12:23
andreychek

Howdy,

Well, the video didn't seem to want to start for me, but I'll take a look at it later.

Just to verify though -- is your email client set up to authenticate outgoing email? Some email clients don't do that by default, which can cause a relay access denied error. It's often just a matter of choosing a checkbox that tells it to authenticate emails being sent.

Edit: Also, I see you mentioned you tried different authentication methods. What are you seeing in your email logs when this occurs? Just that same relay access denied error? Are any other errors showing up there?

And what output do you see if you run the command "postconf -n"?

-Eric

Thu, 03/31/2016 - 11:39
agsh

Thanks again Eric,

This is what I get when I execute the command "postconf -n":

> postconf -n
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = vmi67186.contabo.host, localhost.contabo.host, , localhost
myhostname = vmi67186.contabo.host
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

Following are the messages written in the log when Outlook autoconfigures the email account (user --> prueba.agsh; IMAP --> mail.agsh.net, 993, SSL; SMTP --> mail.agsh.net, 25, SSL, require authentication):

Mar 31 18:00:40 vmi67186 dovecot: imap-login: Error: connect(ssl-params) failed: Connection refused
Mar 31 18:00:40 vmi67186 dovecot: imap-login: Login: user=<prueba.agsh>, method=PLAIN, rip=213.143.61.144, lip=213.136.88.149, mpid=8965, TLS, session=<w7syXVov4wDVjz2Q>
Mar 31 18:00:40 vmi67186 dovecot: imap(prueba.agsh): Disconnected: Disconnected in IDLE in=11 out=366
Mar 31 18:00:40 vmi67186 postfix/smtpd[8966]: warning: hostname 213-143-61-144-mxul-undef.orange.es does not resolve to address 213.143.61.144
Mar 31 18:00:40 vmi67186 postfix/smtpd[8966]: connect from unknown[213.143.61.144]
Mar 31 18:00:41 vmi67186 postfix/smtpd[8966]: lost connection after UNKNOWN from unknown[213.143.61.144]
Mar 31 18:00:41 vmi67186 postfix/smtpd[8966]: disconnect from unknown[213.143.61.144]

Without SMTP authentication:

Mar 31 17:54:15 vmi67186 dovecot: imap-login: Error: connect(ssl-params) failed: Connection refused
Mar 31 17:54:16 vmi67186 dovecot: imap-login: Login: user=<prueba.agsh>, method=PLAIN, rip=213.143.61.144, lip=213.136.88.149, mpid=8812, TLS, session=<dh1MRlov/QDVjz2Q>
Mar 31 17:54:16 vmi67186 dovecot: imap(prueba.agsh): Disconnected: Disconnected in IDLE in=11 out=366
Mar 31 17:54:16 vmi67186 postfix/smtpd[8813]: warning: hostname 213-143-61-144-mxul-undef.orange.es does not resolve to address 213.143.61.144
Mar 31 17:54:16 vmi67186 postfix/smtpd[8813]: connect from unknown[213.143.61.144]
Mar 31 17:54:16 vmi67186 postfix/smtpd[8813]: lost connection after UNKNOWN from unknown[213.143.61.144]
Mar 31 17:54:16 vmi67186 postfix/smtpd[8813]: disconnect from unknown[213.143.61.144]
Mar 31 17:54:25 vmi67186 postfix/smtpd[8813]: connect from 97-82-188-165.dhcp.hckr.nc.charter.com[97.82.188.165]
Mar 31 17:54:25 vmi67186 postfix/smtpd[8813]: disconnect from 97-82-188-165.dhcp.hckr.nc.charter.com[97.82.188.165]

With TLS (user --> prueba.agsh; IMAP --> mail.agsh.net, 993, SSL; SMTP --> mail.agsh.net, 25, TLS, require authentication):

Mar 31 18:24:30 vmi67186 dovecot: imap-login: Error: connect(ssl-params) failed: Connection refused
Mar 31 18:24:31 vmi67186 dovecot: imap-login: Login: user=<prueba.agsh>, method=PLAIN, rip=213.143.61.144, lip=213.136.88.149, mpid=9492, TLS, session=<DDx2slovzQDVjz2Q>
Mar 31 18:24:31 vmi67186 dovecot: imap(prueba.agsh): Disconnected: Disconnected in IDLE in=11 out=366
Mar 31 18:24:31 vmi67186 postfix/smtpd[9493]: warning: hostname 213-143-61-144-mxul-undef.orange.es does not resolve to address 213.143.61.144
Mar 31 18:24:31 vmi67186 postfix/smtpd[9493]: connect from unknown[213.143.61.144]
Mar 31 18:24:32 vmi67186 postfix/smtpd[9493]: lost connection after EHLO from unknown[213.143.61.144]
Mar 31 18:24:32 vmi67186 postfix/smtpd[9493]: disconnect from unknown[213.143.61.144]

With TLS on port 587 (user --> prueba.agsh; IMAP --> mail.agsh.net, 993, SSL; SMTP --> mail.agsh.net, 587, TLS, require authentication):

Mar 31 18:29:17 vmi67186 dovecot: imap-login: Error: connect(ssl-params) failed: Connection refused
Mar 31 18:29:18 vmi67186 dovecot: imap-login: Login: user=<prueba.agsh>, method=PLAIN, rip=213.143.61.144, lip=213.136.88.149, mpid=9589, TLS, session=<+n+Qw1ovHQDVjz2Q>
Mar 31 18:29:18 vmi67186 dovecot: imap(prueba.agsh): Disconnected: Disconnected in IDLE in=11 out=366

Using Gmail with TLS (user --> prueba.agsh; IMAP --> mail.agsh.net, 993, SSL; SMTP --> mail.agsh.net, 25, TLS, require authentication) I get the error:

Unspecified Error (SENT_SECOND_EHLO): Smtp server does not advertise AUTH capability code(0)

Log:

Mar 31 18:32:15 vmi67186 postfix/smtpd[9667]: connect from mail-lf0-f46.google.com[209.85.215.46]
Mar 31 18:32:15 vmi67186 postfix/smtpd[9667]: lost connection after EHLO from mail-lf0-f46.google.com[209.85.215.46]
Mar 31 18:32:15 vmi67186 postfix/smtpd[9667]: disconnect from mail-lf0-f46.google.com[209.85.215.46]
Mar 31 18:32:19 vmi67186 dovecot: doveadm(nobody): Error: sync: User has no mail_replica in userdb
Mar 31 18:32:19 vmi67186 dovecot: doveadm(agsh): Error: sync: User has no mail_replica in userdb

Using Gmail with SSL (user --> prueba.agsh; IMAP --> mail.agsh.net, 993, SSL; SMTP --> mail.agsh.net, 25, SSL, require authentication) I get the error:

Cannot connect to the server

Log:

Mar 31 18:35:35 vmi67186 postfix/anvil[9669]: statistics: max connection rate 1/60s for (smtp:209.85.215.46) at Mar 31 18:32:15
Mar 31 18:35:35 vmi67186 postfix/anvil[9669]: statistics: max connection count 1 for (smtp:209.85.215.46) at Mar 31 18:32:15
Mar 31 18:35:35 vmi67186 postfix/anvil[9669]: statistics: max cache size 1 at Mar 31 18:32:15
Mar 31 18:35:42 vmi67186 postfix/smtpd[9764]: connect from mail-lf0-f46.google.com[209.85.215.46]
Mar 31 18:35:42 vmi67186 postfix/smtpd[9764]: lost connection after UNKNOWN from mail-lf0-f46.google.com[209.85.215.46]
Mar 31 18:35:42 vmi67186 postfix/smtpd[9764]: disconnect from mail-lf0-f46.google.com[209.85.215.46]

By the way, I'm getting the following errors in the log every five minutes, but I can read emails with no problems:

Mar 31 17:37:18 vmi67186 dovecot: doveadm(nobody): Error: sync: User has no mail_replica in userdb
Mar 31 17:37:18 vmi67186 dovecot: doveadm(agsh): Error: sync: User has no mail_replica in userdb

Regards,
Alberto
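
The `postconf -n` output above can be checked mechanically for the settings that bear on the relay and TLS errors in this thread. The following is an added example, not part of the original posts: it parses a trimmed copy of the posted output and reports three things visible in it. `smtpd_sasl_auth_enable` is the standard Postfix parameter that switches on SMTP AUTH; the function names and finding labels are made up for this illustration.

```python
import re

# Trimmed copy of the `postconf -n` output posted above.
POSTED = """\
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_use_tls = yes
"""


def parse_postconf(text):
    """Split postconf output into (params, parameter names reported undefined)."""
    params, undefined = {}, []
    for line in text.splitlines():
        warning = re.match(r"postconf: warning: .*undefined parameter: (\S+)", line)
        if warning:
            undefined.append(warning.group(1))
        elif "=" in line and not line.startswith("postconf:"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params, undefined


def audit(text):
    """Return finding labels for the relay and TLS settings in postconf -n output."""
    params, undefined = parse_postconf(text)
    findings = []
    relay = params.get("smtpd_relay_restrictions", "").split()
    # postconf -n lists only non-default values, so an absent parameter is at its
    # default ("no"): AUTH is never offered and permit_sasl_authenticated cannot match.
    if "permit_sasl_authenticated" in relay and params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("sasl-auth-not-enabled")
    protocols = re.split(r"[,\s:]+", params.get("smtpd_tls_mandatory_protocols", ""))
    if any(p in ("SSLv2", "SSLv3") for p in protocols):   # "!SSLv3" is an exclusion
        findings.append("legacy-ssl-protocol-listed")
    findings += ["undefined-in-master.cf:" + name for name in undefined]
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED):
        print(finding)
```

With SASL not enabled, a client outside `mynetworks` falls through to `defer_unauth_destination`, which matches both the "454 4.7.1 Relay access denied" log line and Gmail's "does not advertise AUTH capability" message quoted in the thread.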

Thu, 03/31/2016 - 15:34
agsh

I finally got it working. It seems to be a problem with the Webmin installer of Contabo, the VPS provider. I manually installed Virtualmin on a clean CentOS 7 image and I'm now able to send (TLS, 587) and receive (SSL, 465) messages from Outlook and Gmail. I had to fix a small problem with the MySQL default root password and copy the SSL certificate to Postfix and Dovecot.

The only problem is that messages are classified as SPAM by Gmail. I guess it is because of the custom certificate.

Regards, Alberto