# How do I receive incoming mail? [solved]

## jedsen

I have postfix running as an smtpd, and it's refusing to accept mail. I get this error in /var/log/mail.log:

 *Quote:*   

> May 13 01:47:50 frank postfix/smtpd[19204]: NOQUEUE: reject: RCPT from smtp-prod-mx1.ucsc.edu[128.114.125.43]: 554 <jedsen@guhnoo.org>: Recipient address rejected: Access denied; from=<bcochran@ucsc.edu> to=<jedsen@guhnoo.org> proto=ESMTP helo=<smtp-prod-mx1.ucsc.edu>

 

Here's my /etc/postfix/main.cf:

 *Quote:*   

> # Global Postfix configuration file. This file lists only a subset
> 
> # of all 300+ parameters. See the postconf(5) manual page for a
> 
> # complete list.
> ...

 

Any ideas?

Thanks for reading.

Last edited by jedsen on Sun May 14, 2006 6:57 am; edited 1 time in total

----------

## SoylentGreen

a) you have no hostname defined

b) is the user "jedsen" in your alias list, and you did run "newaliases"?

if not, i guess you read one of the HOWTOS how to setup postfix first  :Wink: 

----------

## jedsen

 *SoylentGreen wrote:*   

> a) you have no hostname defined
> 
> b) is the user "jedsen" in your alias list, and you did run "newaliases"?
> 
> if not, i guess you read one of the HOWTOS how to setup postfix first 

 

Thank you, I made those changes, but mail is still rejected from my computer with the same error in my logs.

----------

## SoylentGreen

well, almost everything in your config is disabled, so please read a howto how to setup postfix correctly.

and don't forget to run "postfix reload" after you did changes, otherwise they won't take effect.

this: http://gentoo-wiki.com/Postfix should get you started

----------

## jedsen

Okay, I read through that guide, and it didn't help at all. Most of my postfix main.cf is not configured because most options have defaults.

I know this is sort of a vague problem, but I really have no idea how to nail it down. To sum up:

local => internet     works

local => local           works, though only if both sender and recipient are at "localhost", as I am behind a router

internet => local     doesn't work

Thanks for the suggestion, though!

----------

## SoylentGreen

yes, some options do have defaults, but obviously not to your pleasure, in fact no one can send mail from outside.

you need at least those set (yourdomain.com = your domain name):

```
myhostname = yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, yourdomain.com
```

of course your domain has to be known to the outside (DNS entry), etc..

btw:

```
hds ~ # telnet guhnoo.org 25
Trying 24.7.181.77...
Connected to guhnoo.org.
Escape character is '^]'.
220 frank.guhnoo.org ESMTP Postfix (GNU/Linux)
mail from:xxx@xxx.de
250 Ok
rcpt to:postmaster@guhnoo.org
554 <postmaster@guhnoo.org>: Recipient address rejected: Access denied
```

looks like your system is not configured to accept *any* mail from outside your LAN. not even to postmaster

and you didn't define your subdomain(s) either. your system is answering as "frank.guhnoo.org", but:

```
hds ~ # telnet frank.guhnoo.org 25
Trying 81.169.139.246...
Connected to frank.guhnoo.org.
Escape character is '^]'.
220 mail.legal.de ESMTP Postfix
mail from:xxx@xxx.de
250 Ok
rcpt to:postmaster@guhnoo.org
554 <postmaster@guhnoo.org>: Relay access denied
quit
221 Bye
Connection closed by foreign host.
```

PS: smtpd_sasl_local_domain = $myhostname

not localhost!

----------

## SoylentGreen

```
hds ~ # telnet guhnoo.org 25
Trying 24.7.181.77...
Connected to guhnoo.org.
Escape character is '^]'.
220 frank.guhnoo.org ESMTP Postfix (GNU/Linux)
mail from:xxx@xxx.de
250 Ok
rcpt to:postmaster
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Testmail to ensure Postfix is working.
.
250 Ok: queued as BD46B1C3888
quit
221 Bye
Connection closed by foreign host.
hds ~ #
```

see? works. now setup your domainname(s) correctly and everything is fine.

----------

## jedsen

I set my domainname (guhnoo.org), though it doesn't seem to make any difference for incoming mail.

Again, thanks.

----------

## SoylentGreen

like i posted here:

https://forums.gentoo.org/viewtopic-p-3315000.html#3315000

 :Shocked: 

you changed all of those fields accordingly?

also, is your domain defined *correctly* in your /etc/hosts?

```
24.7.181.77          guhnoo.org          guhnoo
24.7.181.77          frank.guhnoo.org    frank
```

something like that above?

so to speak: is your very own machine aware about its additional domainnames apart from localhost?

----------

## thepustule

My advice:  Don't assume the defaults.  Fill out every section in the config file.  If you do that, postfix will work even if you have a blank hosts file and malfunctioning DNS.

----------

## SoylentGreen

 *thepustule wrote:*   

> My advice:  Don't assume the defaults.  Fill out every section in the config file.  If you do that, postfix will work even if you have a blank hosts file and malfunctioning DNS.

 

well, DNS is OK because i get to his webpage from here, so this is probably not a new domain.

OTOH i agree.

well, i could post my configs, but that would pretty much confuse him because i am using perlgrey and whatnot, and additionally run multiple domains. hmm..

well, he has to adjust /etc/hosts and this part:

```
myhostname = guhnoo.org
mydomain = guhnoo.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, guhnoo.org
```

oh, btw.. there is not only main.cf, also master.cf  :Wink: 

----------

## langthang

you have

```
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
```

means reject every mail except from mynetworks and sasl authenticated users.

Change it to

```
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

read `man 5 postconf` for more info.
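
Added example (not part of langthang's post or of Postfix itself): a simplified Python model of how the list is walked in order, showing why a trailing `reject` turns away jedsen's incoming mail while `reject_unauth_destination` accepts it and still refuses relaying. The `mynetworks` and `mydestination` values and the example.net recipient are assumptions made for the demo.

```python
import ipaddress

# postconf(5): the list must contain at least one of these restrictions.
REQUIRED = {"reject", "defer", "defer_if_permit", "reject_unauth_destination"}

# Assumed settings for the demo; the domain and client address are from the thread.
MYNETWORKS = ["127.0.0.0/8"]
MYDESTINATION = ["guhnoo.org", "localhost"]
BEFORE = "permit_mynetworks, permit_sasl_authenticated, reject"
AFTER = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"


def check_rcpt(restrictions, client_ip, rcpt, sasl_authenticated=False,
               mynetworks=MYNETWORKS, mydestination=MYDESTINATION, relay_domains=()):
    """Simplified model: walk the list in order, first decisive rule wins.

    rcpt must be user@domain. Returns (smtp_code, reply_text).
    """
    rules = [r.strip() for r in restrictions.split(",") if r.strip()]
    if not REQUIRED.intersection(rules):
        raise ValueError("no reject/defer-type restriction in the list")
    client = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[1].lower()
    for rule in rules:
        if rule == "permit_mynetworks":
            if any(client in ipaddress.ip_network(n) for n in mynetworks):
                return 250, "Ok"
        elif rule == "permit_sasl_authenticated":
            if sasl_authenticated:
                return 250, "Ok"
        elif rule == "reject":
            # Unconditional: every client that got this far is refused.
            return 554, f"<{rcpt}>: Recipient address rejected: Access denied"
        elif rule == "reject_unauth_destination":
            local = domain in mydestination
            relayed = any(domain == d or domain.endswith("." + d) for d in relay_domains)
            if not (local or relayed):
                return 554, f"<{rcpt}>: Relay access denied"
        else:
            raise ValueError(f"restriction not modelled: {rule}")
    return 250, "Ok"  # nothing rejected the recipient


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, check_rcpt(rules, "128.114.125.43", "jedsen@guhnoo.org"))
    print("relay", check_rcpt(AFTER, "128.114.125.43", "someone@example.net"))
```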

----------

## SoylentGreen

good shot, langthang!

though.. as pointed out already - he should setup step by step in his configs. and there *are* howtos all and all over in these forums.

----------

## jedsen

Okay, I changed the myhostname parameter in postfix's main.cf to what SoylentGreen suggested, as well as the smtpd_recipient_restrictions parameter to what langthang suggested, and all is working! Thanks, guys, for helping a lazy noob like me out.

Some quotes from man 5 postconf that clarify things for others with this problem:

 *Quote:*   

> IMPORTANT: If you change this parameter setting, you must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:
> 
>            reject, defer, defer_if_permit, reject_unauth_destination

 

 *Quote:*   

>  reject_unauth_destination
> 
>               Reject the request unless one of the following is true:
> 
>        o      Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and contains no  sender-
> ...

 

----------

## Kattsand

bumping this thread since I have a similar problem with my Postfix + Dovecot + Squirrelmail setup:

After implementing the changes in the thread to my setup I'm now getting status=Deferred in postfix / mail.log

I can mail from local mailserver with squirrelmail to a hotmail email but I can't retrieve any mail =/

this is what postconf -n gives:

```
alias_database = dbm:/etc/mail/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
myhostname = domain.net
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
unknown_local_recipient_reject_code = 550
```

NOTE: domain.net is ofc replaced.

and this is a portion of mail.log:

```
Sep 15 23:27:25 meow postfix/smtp[28623]: connect to mx1.hotmail.com[65.54.244.136]:25: Connection timed out
Sep 15 23:27:55 meow postfix/smtp[28622]: connect to mx4.hotmail.com[65.54.244.232]:25: Connection timed out
Sep 15 23:27:55 meow postfix/smtp[28623]: connect to mx2.hotmail.com[65.54.244.168]:25: Connection timed out
Sep 15 23:27:55 meow postfix/smtp[28623]: 49AC076136: to=<jmz@live.se>, relay=none, delay=3397, delays=3246/0.01/150/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.54.244.168]:25: Connection timed out)
```

postqueue -p shows 4 mails in queue.

EDIT:

Oh well, seems to be a misconfiguration with either Dovecot and/or Squirrelmail 2..

when I added a new user and tried to login I got dovecot error: mkdir failed : Permission denied.

and I can now receive mail to postfix but they don't show up in Squirrelmail but are marked as received in log.

any help would be really appreciated.

----------

## jamapii

Hi Kattsand,

only reading your last post, 

the question is where the mails finally go. They should be delivered to a local user (let's call it $user), with a line containing "to=$user" being logged (at least in sendmail). From the log file, it looks as if they're sent back to the provider (unless it has been fixed now).

When you have determined the user that gets the mail, you have to find it. Depending on if you have mbox or maildir, it will be in /var/spool/mail/$user or ~$user/.maildir or possibly .Maildir or ~$user/Mail (I'm not sure what all the different mailers may do)

When you have found the mail, you must configure dovecot's imap server and squirrelmail's imap client, this may be tricky, when I did it I was always unsure if and where the prefix was to be included in the config (I used uw-imap for mbox and bincimap for maildir). I used trial and error to configure it  :Wink: 

----------

## Kattsand

Hi, thanks for your time and answer.

I actually solved this the same night, spent MANY hours non-stop trying to solve this (including installation, configuration) and I've got it to work, it was the maildirs who differed between dovecot/squirrelmail and some other minor misconfigs.

But I've encountered another strange problem now, outgoing mails are not logged in /var/log/mail.log anymore .. can't recall any modifications I've done that could have made this effect.

also.. not so kind of the fact that anyone can telnet into my postfix..

----------

## jamapii

 *Kattsand wrote:*   

> But I've encountered another strange problem now, outgoing mails are not logged in /var/log/mail.log anymore .. can't recall any modifications I've done that could have made this effect.

 

sorry, can't make a good guess, everything should be logged. maybe sending mails is broken?

 *Quote:*   

> also.. not so kind of the fact that anyone can telnet into my postfix..

 

If you don't need to accept mails as an SMTP server, you can filter it with iptables or possibly configure postfix to not bind to the external interface. It can still send mails as a client.

Alternatively, make sure it's not an "open relay".

----------

## Kattsand

Nah both outgoing and incoming mail is working just fine  :Smile:  , I can confirm now that outgoing mail is not logged but incoming are.

Also.. mailing between local mails via Telnet session (postfix) works but not outgoing mails:

```
220 domain.net ESMTP Postfix
MAIL FROM:<ageha@domain.net>
250 2.1.0 Ok
RCPT TO:<jmz@live.se>
554 5.7.1 <jmz@live.se>: Relay access denied
```

This is in some way good because I don't want anyone to be able to use my postfix to mail to other servers via telnet.

I just want my email setup to allow users from squirrelmail to mail and not via telnet session.

Found some other threads around the net with the same issue and it seems like there is no way to stop telnet sessions to postfix because postfix is too stupid to know if the connection comes from Telnet or a legitimate mailclient but there must be some kind of workaround for this, like some kind of encrypted auth that could be implemented?!

Should mention that I use my ISP's SMTP server.

So my issues now before I can leave the server alone with postfix online is:

* Outgoing mail is not logged.

* Telnet postfix must be protected in some way

this is how my confs goes atm:

postconf -n:

```
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain
mydomain = domain.net
myhostname = domain.net
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
unknown_local_recipient_reject_code = 550
```

dovecot -n

```
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.info
protocols: imap
ssl_cert_file: /etc/ssl/dovecot/server.pem
ssl_key_file: /etc/ssl/dovecot/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/.maildir
mail_debug: yes
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
    args: -session *
  userdb:
    driver: passwd
```

thanks for the help so far.

----------

## jamapii

 *Kattsand wrote:*   

> 
> 
> So my issues now before I can leave the server alone with postfix online is:
> 
> * Outgoing mail is not logged.
> ...

 

Hi Kattsand,

outgoing mail cannot be logged if squirrelmail, or whatever email client you use, sends directly to your ISP. This bypasses postfix. 

To send through postfix, you must enable relaying (selectively) - FROM inside TO outside, but never FROM outside TO outside (this would make an open relay).

The problem of protecting telnet to postfix is more complex. Everything (as far as I know) uses TCP port 25 to send email, there may be alternatives, but they end up being just as accessible as telnet to port 25. So, someone using "telnet localhost 25" and speaking proper SMTP is, in a way, a legitimate email client. What can they do with it? From a security viewpoint - 1. send email 2. send spam 3. exploit security holes. What can they do with an email client? exactly the same - 1. send email 2. send spam 3. exploit security holes. 

So, I wouldn't try to block it, but instead, make sure relaying works/is denied as intended.

You can also look into SMTP AUTH to make users use passwords before they send mail.

If you want to protect telnet to postfix anyway, here are some options:

First, you can use iptables to block incoming requests from the network. The command will look similar to 

```
iptables -A INPUT ! -i lo -p tcp --dport 25 --syn -j DROP
```

REJECT is preferable over DROP - if it works. The command might simply go into the preup() function of /etc/conf.d/net, there are ways to make sure it is executed only once.

Blocking external requests is good if you don't want your box to act as a mailserver to the outside. If you tell people to email to ageha@domain.net (and your box is known as domain.net on the global internet), your box is the mailserver, and you can't block it. If you don't know what all this is about, you can safely block it.

Blocking local users might work, but it also might disable mail completely. I don't know how you receive email and store it locally, fetchmail or whatever, or can postfix do it all by itself? I don't know, I use sendmail. If fetchmail sends to postfix (your binaries will be called sendmail) it possibly needs the "telnet" access. squirrelmail might need it too.

To block access to the smtp port internally, the command looks like

```
iptables -A OUTPUT -o lo -p tcp --dport 25 --syn -j DROP
```

Maybe you want to block access selectively, then you need to enable "owner" matching, this must be enabled in the kernel, then read "man iptables" and search for "owner" (type /owner in the manpage). The --cmd-owner will not work with recent kernels.

----------

