# Postfix - Dovecot problem sending mail

## NismoC32

Hi, I followed this guide to set up Postfix and Dovecot:

https://forums.gentoo.org/viewtopic-t-1057474.html

Receiving mail works fine but sending is not perfect.

I can send mail from my workstation (Gentoo using KMail), but using my Android phone, Roundcube or Nextcloud mail does not work.

This is what the log says when I try to send a mail from one of these clients:

 *Quote:*   

> Dec 20 20:15:46 fserver postfix/smtp[1195]: 9D3995A700: to=<myaddress@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.162.27]:25, delay=0.37, delays=0.07/0.01/0.28/0.01, dsn=5.0.0, status=bounced (host gmail-smtp-in.l.google.com[64.233.162.27] said: 550 Relay not permitted (in reply to RCPT TO command)

 

This email is sent to me from my mailserver:

```
This is the mail system at host mail.mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<myaddress@gmail.com>: host gmail-smtp-in.l.google.com[64.233.162.27] said: 550
    Relay not permitted (in reply to RCPT TO command)
```

I'm using the Bluemail Client on my Android Phone, but I also tried Sony's default mail client.

So what is it that makes KMail work and nothing else?

Let me know if more info is needed.

----------

## magic919

That's the kind of error I'd expect if the client doesn't authenticate.

----------

## NismoC32

OK, but why?

These are my Postfix configuration files:

main.cf

```
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.mydomain.com
mydomain = mydomian.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = mydomain.com
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_reject_unlisted_sender = yes
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   reject_invalid_helo_hostname
   reject_non_fqdn_recipient
   reject_unknown_recipient_domain

smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 10800s
virtual_alias_maps   = mysql:/etc/postfix/sql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql_virtual_domain_maps.cf
virtual_mailbox_maps   = mysql:/etc/postfix/sql_virtual_mailbox_maps.cf
sample_directory   =/etc/postfix
message_size_limit   = 104857600
compatibility_level = 2
```

my master.cf:

```
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot      unix  -       n       n       -       -       pipe
   flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
```

And these are my Dovecot files:

10-auth.conf

```
disable_plaintext_auth = yes
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_mechanisms = plain login cram-md5
!include auth-sql.conf.ext
```

10-mail.conf

```
mail_location = maildir:/var/mail/%n/Maildir/:INDEX=/var/mail/%n/indexes

namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes

  # See 15-mailboxes.conf for definitions of special mailboxes.
}

  #type = shared
  #separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children

mail_uid = 8
mail_gid = 12
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 12
last_valid_gid = 12
mail_plugins = quota

protocol !indexer-worker {
  # If folder vsize calculation requires opening more than this many mails from
  # disk (i.e. mail sizes aren't in cache already), return failure and finish
  # the calculation via indexer process. Disabled by default. This setting must
  # be 0 for indexer-worker processes.
  #mail_vsize_bg_after_count = 0
}
```

10-master.conf

```
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0600
    user = mail
    group = mail
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = mail
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}
```

dovecot.conf

```
protocols = imap lmtp
listen = *

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

!include conf.d/*.conf
!include_try local.conf
```

auth.sql.conf.ext

```
passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

  #driver = static
  #args = uid=vmail gid=vmail home=/var/vmail/%u
```

KMail on my workstation works fine.

Roundcube, which is installed on the same server as Postfix/Dovecot, is not able to send emails.

BlueMail on my Android phone, regardless of using IP address or domain address, can't send mail either.

BlueMail does a check when you configure the server settings and it does not complain that anything is wrong.

All clients get access to mails just fine, so I can read, delete, move, etc.

This is my setting in kmail for sending e-mail:

Outgoing mail server: 192.168.1.101 (Works also when using domain name)

Login: ****@*****.com

Password: **********

Encryption: TLS

Port: 587

Authentication: CRAM-MD5 (PLAIN works fine too)

Bluemail:

SMTPServer: mydomain.com (192.168.1.101 while connected to my WLAN AP does not help)

Security: STARTTLS (Changing to SSL/TLS gives error(3011))

Port: 587

Authentication: Automatic

And username password stuff.

If more configuration or log info is needed, let me know.

Last edited by NismoC32 on Sat Dec 30, 2017 11:34 pm; edited 2 times in total

----------

## magic919

Run through the telnet testing in the source thread if you haven’t already. Check to see what Dovecot and Postfix are logging when it fails. 

If you trust the 192.168.1.x network, then set mynetworks appropriately in Postfix and it’ll avoid the need for SASL on that network. By opening up the Postfix restrictions (if only whilst testing) you should be able to isolate the problem area. SASL and TLS are the likely bits if Dovecot SASL is fully working. 

You might want to remove your domain name from those config files.

----------

## NismoC32

Tried out using telnet and this is the result:

```
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye
```

And:

```
Trying xx.126.xx.21x...
Connected to mydom.com.
Escape character is '^]'.
220 mail.mydom.com ESMTP Postfix
ehlo mydom.com
250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
221 2.0.0 Bye
```

So the question is why no 250-AUTH line?

I did add 192.168.1.0/24 to the mynetworks line in Postfix but it did not change anything:

```
mynetworks = 192.168.1.0/24, 127.0.0.0/8
```

Last edited by NismoC32 on Sun Dec 31, 2017 1:05 am; edited 1 time in total

----------

## szatox

 *Quote:*   

> So the question is why no 250-AUTH line?

 

Because no TLS.

Postfix comes with a sane default that only allows authentication over a secured connection.
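
An added example (not part of the original thread): a small Python check that reads EHLO replies and reports whether AUTH is advertised in cleartext or only after STARTTLS, which is what `smtpd_tls_auth_only = yes` in the posted main.cf produces. `PLAIN_REPLY` is the telnet output from the thread; `TLS_REPLY`, the verdict strings and the function names are constructed for illustration.

```python
import smtplib
import ssl

# EHLO reply copied from the telnet session in the thread (before STARTTLS).
PLAIN_REPLY = """250-mail.mydom.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8""".splitlines()

# Constructed sample: what the same server could answer to EHLO inside TLS.
TLS_REPLY = ["250-mail.mydom.com", "250-PIPELINING",
             "250-AUTH PLAIN LOGIN CRAM-MD5", "250 SMTPUTF8"]

def ehlo_extensions(reply_lines):
    """Return {KEYWORD: params} from '250-...' lines, skipping the greeting line."""
    ext = {}
    for line in reply_lines[1:]:
        line = line.strip()
        if line[:3] == "250" and len(line) > 4:
            keyword, _, params = line[4:].partition(" ")
            ext[keyword.upper()] = params
    return ext

def diagnose(plain_reply, tls_reply=None):
    """Classify where AUTH is advertised relative to STARTTLS."""
    plain = ehlo_extensions(plain_reply)
    if "AUTH" in plain:
        return "auth-in-cleartext"        # passwords may cross the wire unencrypted
    if "STARTTLS" not in plain:
        return "no-auth-no-starttls"      # listener cannot authenticate clients
    if tls_reply is None:
        return "need-ehlo-after-starttls" # AUTH can only show up inside TLS
    tls = ehlo_extensions(tls_reply)
    return "auth-after-starttls" if "AUTH" in tls else "no-auth-inside-tls"

def probe(host, port=587, timeout=10):
    """Live version (needs network): returns (auth_before_tls, auth_after_tls)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.has_extn("auth")
        s.starttls(context=ssl.create_default_context())  # verifies the server cert
        s.ehlo()
        return before, s.has_extn("auth")

if __name__ == "__main__":
    print(diagnose(PLAIN_REPLY), diagnose(PLAIN_REPLY, TLS_REPLY))
```

A `no-auth-inside-tls` verdict points at the SASL side (`smtpd_sasl_auth_enable`, the Dovecot auth socket) rather than at TLS.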

----------

## NismoC32

So how do I fix this, what's missing?

I have followed the howto and I'm out of ideas.

It's strange that KMail can send email without any problems.

The only difference is that KMail uses TLS and the other clients use STARTTLS.

STARTTLS is not available in KMail, you have these choices: none, ssl and tls.

----------

## szatox

 *Quote:*   

> STARTTLS is not available in KMail, you have these choices: none, ssl and tls.

 

I don't know kmail, I suppose "tls" means upgrading protocol to encrypted STARTTLS and "ssl" means opening connection that is already encrypted.

Also, you may see SMTP port change when you change the connection type.

You can expect AUTH to work on port 25 - smtp after starttls, and on port 465 - smtps (without starttls, you just open an ssl connection up-front), and on port 587 - mail_submission, not sure whether it uses ssl or tls though.

Submission should not allow you to send anything at all without providing your credentials, and unauthenticated smtp[s] should only allow local delivery.

----------

