
postfix + tls = broken port 25 ?

2017-01-14
  • Frank Völker

    Frank Völker - 2017-01-14

    Hi folks

    Many problems :(

    I have a running Debian 8 system. Sendmail was installed; I switched to Postfix because I heard it is "easier". Now I wanted the following options:

    • the system can send emails. Example: the server is a web server with a homepage; if someone leaves a message on the homepage, an email goes out to my private address (WORKING)
    • the system can receive emails for the domain (admin@myhomepage.com) (WORKING)
    • the users can get their emails from outside via POP3 / IMAP (WORKING)
    • the users can send emails from outside (NOT WORKING)

    The users can send emails if they log in to the server via SSH or a webmail system ON the server (SquirrelMail), but I never managed to let users use an Android app.

    Example: if I telnet to my Debian server on port 25 (SMTP) and say

    MAIL FROM:mymail@mail.de 
    RCPT TO:someone@yahoo.com
    

    it is not allowed; relaying is not allowed, it is only allowed to send emails to this server (RCPT TO: admin@myhomepage.com is allowed). That's totally OK, I don't want to have an open-relay spamming machine, but how do I manage to let AUTHENTICATED users send emails from outside the system via Android apps etc.?

    Next thing is: in my stupidity I started trying around with Postfix settings and this:

    https://workaround.org/ispmail/jessie/relaying-smtp-authentication

    and now my port 25 is totally blocked from outside. I can "nc localhost 25" from inside the system (localhost), but port 25 seems to be open outside and yet not reachable / connection refused, like it's blocked by a firewall, but it isn't blocked.

    My settings:

    netstat -tulpn
    
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      18734/master
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      870/mysqld
    tcp        0      0 0.0.0.0:13322           0.0.0.0:*               LISTEN      386/sshd
    tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      400/dovecot
    tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1/init
    tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1144/perl
    tcp6       0      0 :::88                   :::*                    LISTEN      1892/apache2
    tcp6       0      0 :::443                  :::*                    LISTEN      1892/apache2
    tcp6       0      0 :::13321                :::*                    LISTEN      466/proftpd: (accep
    tcp6       0      0 :::13322                :::*                    LISTEN      386/sshd
    tcp6       0      0 :::110                  :::*                    LISTEN      400/dovecot
    tcp6       0      0 :::143                  :::*                    LISTEN      1/init
    tcp6       0      0 :::80                   :::*                    LISTEN      1892/apache2
    tcp6       0      0 :::20                   :::*                    LISTEN      1892/apache2
    udp        0      0 0.0.0.0:10000           0.0.0.0:*                           1144/perl
    
    iptables -L -n
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    
    postconf -n
    
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    config_directory = /etc/postfix
    inet_interfaces = all
    inet_protocols = ipv4
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    mydestination = fv-soft.com, localhost, localhost.localdomain, localhost
    myhostname = localhost
    mynetworks =
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    relayhost =
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem
    smtpd_tls_key_file = /etc/ssl/private/mailserver.pem
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    

    I have already googled for days now. Before I messed around with these TLS settings, port 25 was reachable from outside and I was able to telnet into the system and receive mails for all users.

    • I checked that Postfix is listening on ALL devices, not only loopback or localhost
    • I checked the firewall settings
    • I tried to disable TLS for SMTP (no luck, don't know if I know how to disable TLS again :D )
    • I uninstalled / reinstalled sendmail (classic) and Postfix

    Everything with no luck :( I can still send email from within the system but can't receive mails anymore, nor telnet from a remote machine to myserver:25 :(

    fvsoftdev

  • Simon Hobson

    Simon Hobson - 2017-01-14

    Cut-n-paste from forum description:
    This is not a general Postfix help forum - this is for the separate package PostfixAdmin which configures/maintains virtual domains & mailboxes using Postfix (plus MySQL or PostgreSQL, optionally maildrop, and Courier or Dovecot).
    For Postfix help you should head over to postfix.org and check out the Postfix mailing lists.

    You need two things set up: an authentication system, and appropriate rules to permit authenticated users to relay.
    On the latter, in smtpd_recipient_restrictions you need (amongst other things) permit_sasl_authenticated, which will bypass later checks.
    On the authentication, I can't remember much other than having installed libsasl2-modules, libsasl2-2, and sasl2-bin - it's a long time since I set this up!
    NOTE: This is separate to the TLS config, which is a matter of pointing Postfix at a valid certificate chain file and key file. Optionally you can configure which ciphers to support to improve security. IIRC the stock installation supports TLS, but with a locally generated certificate.
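
A minimal submission setup of the kind Simon describes, as an added example (not code from either poster or from the PostfixAdmin project). It assumes the Dovecot SASL backend that the postconf output above already names (smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth) and Debian's default spool directory /var/spool/postfix. Port 25 keeps its main.cf settings for inbound MTA-to-MTA mail; authenticated clients use port 587, where AUTH is only possible after STARTTLS and anything unauthenticated is rejected:

```conf
# /etc/postfix/master.cf -- add (or uncomment) the submission service.
# Each -o line overrides main.cf for this port only; the values written
# here are assumptions for this example, not taken from the thread.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# /etc/dovecot/conf.d/10-master.conf -- the socket that Postfix's
# smtpd_sasl_path=private/auth refers to (path is relative to the
# Postfix queue directory, hence /var/spool/postfix/private/auth).
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

With smtpd_tls_auth_only = yes already set in main.cf, port 25 will never accept a password in clear either, so the only remaining relay paths are mynetworks (empty here) and a successful SASL login over TLS. After restarting both services, `openssl s_client -starttls smtp -connect myserver:587` followed by `EHLO test` should list AUTH only inside the TLS session.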
