Re: Need help with mail server configuration

2023-11-11 Thread Thomas Bohl



I received it (even in Thunderbird)! May I ask how you did that? I 
tried so many ways today but none worked...


I clicked "New Message" in Thunderbird, entered your email and hit send. 
:-) Have you tried sending from your nogafam.eu address?




telnet mail.ivanroth.fr 25 times out, same for nc -4 mail.ivanroth.fr 25

mail command sends no error but no message is received.


Too little information to help. I don't know what you entered, nor what the 
corresponding service logs were. What I would do at this stage is run 
smtpd in the foreground with verbose output, to see it live reacting to 
inputs.

"smtpd -dvvv"



I changed the smtpd.conf to listen to 465:

-listen on 0.0.0.0 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
-listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd


+listen on 0.0.0.0 port 25 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd


Does this look good to you?


You have two different filter sets for 465 and 587. Both ports are for 
you/your users to send mail (aka with Thunderbird), so I wouldn't use 
check_dyndns/etc. for 465. All public mail will be over 25.


Also, you aren't forcing the right hostname. Did you change the 
computer's hostname instead?




When restarting the opensmtpd service, I noticed the following warnings:

warn: invalid envelope e84235315f00364e: unknown dispatcher

warn: invalid envelope b6797a98aad69976: unknown dispatcher

what do they mean?


You have two mails in the queue that can't be sent/delivered. That happens 
when you have an unfinished config and are testing around.

"smtpctl show queue"
"smtpctl remove e84235315f00364e"
"smtpctl remove b6797a98aad69976"





Re: Need help with mail server configuration

2023-11-10 Thread Thomas Bohl

Hi,

Thank you for your reply. I spent a couple of hours on this today with 
not much luck. Please find my replies below.




Then check what is blocking port 25. Is it your Debian firewall or 
your VPS provider?


There is no VPS provider firewall. The one I can use is disabled. I 
asked support if there were any firewall beyond mine and their answer is 
no. I should get full access to any port I may need.


On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and 
FORWARD. I added explicit ACCEPT rules for testing but did not get 
better results.


But everything looks good now, all ports are publicly reachable. I did 
send you a test mail and your server accepted it. (In plaintext, but still.)


I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a 
shot. It reached your server. It couldn't do it the last time.




Still, I can reach port 587 in addition to 143, but not 25, 465 or 993.


I can reach all, except for 465. But that is ok because according to 
your smtpd.conf the server isn't listening on it.




Here is my smtpd.conf:

pki mail.ivanroth.fr cert "/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
pki mail.ivanroth.fr key "/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
filter senderscore proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
filter rspamd proc-exec "filter-rspamd"

table aliases file:/etc/aliases

listen on 0.0.0.0 tls pki mail.ivanroth.fr \
     filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd


Your server greets the world with

220 ivanroth.fr ESMTP OpenSMTPD

which is the wrong hostname, which leads to "opportunistic TLS failed, 
downgrading to plain". Try forcing the right hostname:


listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require \
 hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
 filter rspamd



#listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
#listen on ens3 port submission tls-require pki mail.ivanroth.fr auth filter rspamd


action "local_mail" maildir junk alias 
action "outbound" relay helo mail.ivanroth.fr

match from any for domain "ivanroth.fr" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"


If I'm not mistaken, the last line is redundant. (Without a "from", 
"from local" is implied, which in turn implies "auth", which is covered 
by the line "from any auth" before it.)




$ nmap localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps


Every port is reachable from the public now. (For me at least.) Only you 
can tell if you went overboard with opening up everything.
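Added example, not from this thread and not OpenSMTPD's own code: a small Python linter for the "listen on" lines discussed above. It parses each directive (backslash continuations included) and reports the two points raised in the thread, a pki listener with no "hostname" (the greeting then uses the machine's name, which is what led to "opportunistic TLS failed, downgrading to plain"), and the inbound reputation filters (check_dyndns, check_rdns, check_fcrdns, senderscore) applied to a submission port, plus basic per-port expectations (auth on 465/587, smtps on 465, tls-require on 587, STARTTLS on 25). The check rules, the port name table and both sample configs are constructed for this example from the thread's proposed and corrected listeners.

```python
"""Lint OpenSMTPD 'listen on' directives for the mistakes raised in this thread.
Example code; the checks are this script's own, not smtpd's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Filters from the poster's config that judge the *connecting* host's reputation
# (dyn/dsl rDNS patterns, rDNS, FCrDNS, sender score). They belong on the public
# MX port, not on the ports where your own authenticated users submit mail.
INBOUND_REPUTATION_FILTERS = {"check_dyndns", "check_rdns", "check_fcrdns", "senderscore"}
PORT_NAMES = {"smtp": 25, "submission": 587, "submissions": 465, "smtps": 465}
SUBMISSION_PORTS = {465, 587}


@dataclass
class Listener:
    address: str
    port: int = 25                   # smtpd's default when no 'port' is given
    tls: Optional[str] = None        # "tls", "tls-require" or "smtps"
    pki: Optional[str] = None
    hostname: Optional[str] = None   # greeting name; defaults to the machine's hostname
    auth: bool = False               # 'auth' (no -optional): clients must authenticate
    filters: List[str] = field(default_factory=list)


def parse_listeners(conf: str) -> List[Listener]:
    """Parse every 'listen on' directive, joining backslash continuations."""
    conf = re.sub(r"\\\n\s*", " ", conf)
    listeners = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("listen on "):
            continue
        # 'filter { a, b }' contains spaces, so cut it out before tokenising
        filters: List[str] = []
        m = re.search(r"\bfilter\s+(\{[^}]*\}|\S+)", line)
        if m:
            filters = [f.strip() for f in m.group(1).strip("{}").split(",") if f.strip()]
            line = line[:m.start()] + line[m.end():]
        toks = line.split()
        lst = Listener(address=toks[2], filters=filters)
        i = 3
        while i < len(toks):
            t = toks[i]
            if t == "port":
                lst.port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
                i += 2
            elif t in ("tls", "tls-require", "smtps"):
                lst.tls = t
                i += 1
            elif t == "pki":
                lst.pki = toks[i + 1]
                i += 2
            elif t == "hostname":
                lst.hostname = toks[i + 1]
                i += 2
            elif t == "auth":
                lst.auth = True
                i += 1
            else:
                i += 1  # keywords this example does not model
        listeners.append(lst)
    return listeners


def lint(conf: str) -> List[str]:
    """Return one human-readable finding per problem; empty list means clean."""
    findings = []
    for l in parse_listeners(conf):
        tag = f"port {l.port}"
        if l.pki and not l.hostname:
            findings.append(f"{tag}: no 'hostname'; greeting uses the machine name, "
                            f"which must match pki {l.pki} or clients fall back to plaintext")
        if l.port in SUBMISSION_PORTS:
            if not l.auth:
                findings.append(f"{tag}: submission listener without 'auth'")
            bad = sorted(set(l.filters) & INBOUND_REPUTATION_FILTERS)
            if bad:
                findings.append(f"{tag}: inbound reputation filters on a submission port: {', '.join(bad)}")
            want = "smtps" if l.port == 465 else "tls-require"
            if l.tls != want:
                findings.append(f"{tag}: expected '{want}', got {l.tls!r}")
        else:
            if l.tls is None:
                findings.append(f"{tag}: no STARTTLS offered to other mail servers")
            if l.auth:
                findings.append(f"{tag}: 'auth' on the MX port rejects unauthenticated inbound mail")
    return findings


# Constructed from the poster's proposed 25/465/587 listeners in this thread.
PROPOSED_CONF = """\
listen on 0.0.0.0 port 25 tls pki mail.ivanroth.fr \\
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth \\
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
"""

# The same listeners with the thread's two corrections applied.
FIXED_CONF = """\
listen on 0.0.0.0 port 25 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \\
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port 465 hostname mail.ivanroth.fr smtps pki mail.ivanroth.fr auth filter rspamd
listen on 0.0.0.0 port submission hostname mail.ivanroth.fr tls-require pki mail.ivanroth.fr auth filter rspamd
"""

if __name__ == "__main__":
    for name, conf in (("proposed", PROPOSED_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {len(lint(conf))} finding(s)")
        for f in lint(conf):
            print("  -", f)
```

Run against the proposed set it reports four findings (three missing hostnames and the reputation filters on 465); the corrected set comes back clean. To lint a real file, read it and pass its contents to lint().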





Re: Need help with mail server configuration

2023-11-08 Thread Thomas Bohl

Hello,

I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the 
domain I'm using for that test is ivanroth.fr, with the subdomain 
mail.ivanroth.fr as advised in the article.


DNS and rDNS seem fine; host and dig reply what they are supposed to.

On the server, I created an account with my first name (ivan) and I am 
using i...@ivanroth.fr as the test mail address.



  * I cannot send a mail to myself (i...@ivanroth.fr) using mutt from
the server
  * I cannot send from the outside to that address
  * I cannot send from that address using Thunderbird

When looking at systemctl status opensmtpd, I see some errors I don't 
understand, like:


debian opensmtpd smtp-out: No valid route for 
[connector:[]->[relay:ivanroth.fr,smtp],0x0]


Your smtp server can't be reached by others.

$ nc -4 mail.ivanroth.fr 25

Closes immediately: the server isn't running or a firewall answers with 
REJECT. It could be an iptables firewall on your VPS as well as one from 
OVH. (I don't know OVH, but I do know that some VPS providers have an 
extra firewall you need to configure separately.)



$ nc -6 mail.ivanroth.fr 25
Eventually times out: IPv6 not working or a firewall is configured to 
just DROP incoming packets. (I can't even ping your IPv6 address, while 
IPv4 works.)



Of all the ports (25, 465, 587, 143, 993) I have tested, only IPv4 
IMAP (143) is reachable. (Which is consistent with you saying Thunderbird 
reading works.)

$ nc -4 mail.ivanroth.fr 143
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.

^C




I don't really know where to start digging. If someone could point me to 
some direction, it would be nice.


I would first suggest getting IPv4 working and therefore temporarily 
removing the AAAA record from mail.ivanroth.fr.
Then check what is blocking port 25. Is it your Debian firewall or your 
VPS provider?
You then most likely want to unblock port 465 or 587 for mail submission 
with Thunderbird.


If after that you still have problems, please post your entire smtpd.conf.

Last step. Fix IPv6.