postfix + tls = broken port 25 ?

Linux Kernel, Network, and Services configuration.
fvsoftdev
Posts: 4
Joined: 2017-01-14 09:17

postfix + tls = broken port 25 ?

#1 Post by fvsoftdev »

Hi folks

many problems: :(

I have a running Debian 8 system; sendmail was installed. I switched to Postfix because I heard it is "easier". Now I wanted the following options:

- the system can send emails. Example: the server is a webserver with a homepage; if someone leaves a message on the homepage, an email goes out to my private address (WORKING)
- the system can receive emails for the domain (admin@myhomepage.com) (WORKING)
- the users can get their emails from outside via POP3 / IMAP (WORKING)
- the users can send emails from outside (NOT WORKING)

The users can send emails if they log in to the server via SSH or a webmail system ON the server (SquirrelMail), but I never managed to let users use an Android app.

Example: if I telnet to my Debian server on port 25 (SMTP) and say


MAIL FROM:mymail@mail.de 
RCPT TO:someone@yahoo.com
it is not allowed: relaying is not allowed, it's only allowed to send emails to this server (RCPT TO: admin@myhomepage.com is allowed). That's totally OK, I don't want to have an open-relay spamming machine, but how do I manage to let AUTHENTICATED users send emails from outside the system via Android apps etc.?

Next thing is: in my stupidity I started trying around with Postfix settings and this:

https://workaround.org/ispmail/jessie/r ... entication

and now my port 25 is totally blocked from outside. I can "nc localhost 25" from inside the system (localhost), but port 25 seems to be open outside yet not reachable / connection refused, like it's blocked by a firewall, but it isn't blocked.

my settings:


netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18734/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      870/mysqld
tcp        0      0 0.0.0.0:13322           0.0.0.0:*               LISTEN      386/sshd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      400/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1144/perl
tcp6       0      0 :::88                   :::*                    LISTEN      1892/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1892/apache2
tcp6       0      0 :::13321                :::*                    LISTEN      466/proftpd: (accep
tcp6       0      0 :::13322                :::*                    LISTEN      386/sshd
tcp6       0      0 :::110                  :::*                    LISTEN      400/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      1892/apache2
tcp6       0      0 :::20                   :::*                    LISTEN      1892/apache2
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           1144/perl



iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = fv-soft.com, localhost, localhost.localdomain, localhost
myhostname = localhost
mynetworks =
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem
smtpd_tls_key_file = /etc/ssl/private/mailserver.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

I already googled for days now. Before I messed around with these TLS settings, port 25 was reachable from outside, and I was able to telnet into the system and receive mails for all users.

- I checked that Postfix is listening on ALL devices, not only loopback or localhost
- I checked firewall settings
- I tried to disable TLS for SMTP (no luck, don't know if I know how to disable TLS again :D )
- uninstalled / reinstalled sendmail (classic) and Postfix

Everything with no luck :( I can still send email from within the system but can't receive mails anymore, nor telnet from a remote machine to myserver:25 :(

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: postfix + tls = broken port 25 ?

#2 Post by dasein »

fvsoftdev wrote: already googled for days now
No. You haven't. And the way I know you haven't is because a startpage query that's basically identical to your thread title (postfix tls port 25) returns at least one result on the very first page that explains the "problem" and identifies a solution.

Postfix has genuinely exemplary documentation. If something isn't working, then either you're not reading carefully, or not understanding what you read.

P.S. If your ISP/IPP doesn't block port 25 automatically, maybe consider switching.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: postfix + tls = broken port 25 ?

#3 Post by kedaha »

Hi,
I think you may have followed more than one set of instructions. I'm not an expert in postfix but I'd just like to comment that I managed to set up my email system by following the detailed instructions at workaround.org/ispmail/jessie —which wasn't exactly a walk in the park— with excellent results.
fvsoftdev wrote: i tried to disable TLS for SMTP (no luck, dont know if i know how to disable TLS again :D )
Your website and squirrelmail are now only available via the http protocol. You must use https.
DebianStable


$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

fvsoftdev
Posts: 4
Joined: 2017-01-14 09:17

Re: postfix + tls = broken port 25 ?

#4 Post by fvsoftdev »

OK, I think I found something: Windows cmd just says connection failed; Linux "nc myhomepage 25" can connect but gets stuck,

but with SSH on the server I can


nc localhost 25
220 localhost ESMTP Postfix (Debian/GNU)
HELO test
250 localhost
EHLO test
250-localhost
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I can write and receive emails from my web interface on the server, but not from local mail clients, Thunderbird etc. It's not my local firewall.

fvsoftdev
Posts: 4
Joined: 2017-01-14 09:17

Re: postfix + tls = broken port 25 ?

#5 Post by fvsoftdev »

OK, everything is solved now. My settings were correct. You won't believe this, but it's my dumbass server hoster (Contabo).

It has a BAD reputation: I cannot send mails to many mail hosters (because IP ranges are blocked), and I cannot connect or telnet to port 25 (blocked by ISP).

I just found out because I tried my mobile phone as a mobile hotspot, and then I can do everything.

Stay away from CONTABO

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: postfix + tls = broken port 25 ?

#6 Post by kedaha »

Could be that a previous user of the server didn't configure it properly, so the IP got blacklisted? If the email system was set up recently then it's unlikely to have been blacklisted so quickly. Then you should contact support.

fvsoftdev
Posts: 4
Joined: 2017-01-14 09:17

Re: postfix + tls = broken port 25 ?

#7 Post by fvsoftdev »

The problem is: Contabo is known for spam hosting and seems to be blacklisted by some mail providers.

But now I have even more problems: besides that Contabo is blacklisted by some web hosters (I cannot send emails to them), it seems that ISPs are blocking specific ports by default. No matter if I am at work or at home, I cannot configure my Outlook to reach port 25 of my web server. I can reach it if I use my mobile phone as a WiFi router; also my phone can connect with its mail apps, everything works there, but the connection over PC is blocked :(
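
Added example (not from the original thread, and not Postfix project code). Two things in the thread point the same way: the netstat listing in post #1 shows the Postfix master process listening on port 25 only (no 587 or 465), and post #7 reports that the home and office networks cannot reach port 25 at all while a phone hotspot can. Many consumer ISPs filter outbound 25; mail clients are expected to use the submission port 587 (STARTTLS plus SASL AUTH) instead, which is also the clean answer to the "how do authenticated users send from outside" question. The script below reads `netstat -tulpn` output (the sample is the listing from post #1, with a second, constructed variant in the checks) and classifies the Postfix listeners; the `enable_submission` function holds the `postconf -M`/`postconf -P` commands (Postfix 2.11 and later, as shipped in Debian 8) that add a submission service, and is only defined here, never executed. `myhostname`, service names and restriction values are assumed for illustration; adjust them to your own setup.

```shell
#!/bin/sh
# Added example: inspect netstat -tulpn output for Postfix listeners and show
# how a submission (587) service is added. Not part of the original thread.

# Listener table as posted in the thread (not constructed): Postfix only on port 25.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18734/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      870/mysqld
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      400/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      1/init
tcp6       0      0 :::13321                :::*                    LISTEN      466/proftpd: (accep'

# listening_ports PROGRAM   (stdin: netstat -tulpn output)
# Prints, sorted and one per line, the TCP ports whose PID/Program field ends in
# "/PROGRAM". Handles tcp and tcp6 rows; the port is what follows the last ":".
listening_ports() {
    awk -v prog="$1" '
        $1 ~ /^tcp/ && $NF ~ ("/" prog "$") {
            n = split($4, a, ":"); print a[n]
        }' | sort -un
}

# listens_on PROGRAM PORT   (stdin: netstat output) -> exit 0 if PROGRAM listens on PORT
listens_on() {
    listening_ports "$1" | grep -qx "$2"
}

# smtpd_profile   (stdin: netstat output)
# "submission" if Postfix also serves 587 or 465 (clients can authenticate even where
# their ISP filters outbound 25), "mx-only" if it serves just 25, otherwise "none".
smtpd_profile() {
    has_mx=0
    has_sub=0
    for p in $(listening_ports master); do
        case "$p" in
            25)      has_mx=1 ;;
            587|465) has_sub=1 ;;
        esac
    done
    if [ "$has_sub" -eq 1 ]; then
        echo submission
    elif [ "$has_mx" -eq 1 ]; then
        echo mx-only
    else
        echo none
    fi
}

# enable_submission   (run as root on the mail server; NOT executed in this file)
# Adds a "submission" service on 587 that requires STARTTLS before anything else and
# accepts mail only from SASL-authenticated clients. Port 25 keeps the main.cf
# relay restrictions (permit_mynetworks permit_sasl_authenticated defer_unauth_destination),
# so the server still is not an open relay. Values here are illustrative assumptions.
enable_submission() {
    postconf -M 'submission/inet=submission inet n - - - - smtpd' &&
    postconf -P 'submission/inet/syslog_name=postfix/submission' \
               'submission/inet/smtpd_tls_security_level=encrypt' \
               'submission/inet/smtpd_sasl_auth_enable=yes' \
               'submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject' &&
    postfix reload
}
```

On a live server, source the file and run `netstat -tulpn | smtpd_profile`; "mx-only" is exactly the state shown in post #1. After adding the service, check it from a client network with `openssl s_client -starttls smtp -connect mail.example.com:587` and send `EHLO test`: with `smtpd_tls_auth_only = yes` Postfix advertises `AUTH` only inside the TLS session, which is why the plaintext EHLO in post #4 correctly lists STARTTLS but no AUTH line. Also note the `220 localhost ESMTP` banner: it comes from `myhostname = localhost` in the posted main.cf, and the Postfix documentation expects `myhostname` to be the server's fully qualified name.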
