
Unable to receive e-mail on Squirrelmail (and Postfix).

TEC

 

 

Hello,

 

I am working on a mail server for my company and have set up Postfix, Dovecot and Squirrelmail. However I am unable to receive mails on Squirrelmail. I am able to send e-mails though.

 

/etc/squirrelmail/apache.conf:

Alias /squirrelmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
#  DocumentRoot /usr/share/squirrelmail
#  ServerName webmail.example.com
#</VirtualHost>

# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
#  Note: There are multiple ways to do this, and which one is suitable for
#  your site's configuration depends. Consult the apache documentation if
#  you're unsure, as this example might not work everywhere.
#
#<IfModule mod_rewrite.c>
#  <IfModule mod_ssl.c>
#    <Location /squirrelmail>
#      RewriteEngine on
#      RewriteCond %{HTTPS} !^on$ [NC]
#      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
#    </Location>
#  </IfModule>
#</IfModule>

/etc/dovecot/dovecot.conf:

## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Raspbian)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = arcanerealms.ga
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = arcanerealms.ga, server, localhost.localdomain, localhost
# relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = /var/mail/
mailbox_command =
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks

smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        check_helo_access hash:/etc/postfix/helo_access

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

 

If anyone knows why this happens please let me know!

 

Yours,

 

Marijn.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


I don't know much about coding, but one thing I do notice is it doesn't look like you are allowing POP or IMAP into your mail server. The connection is there, but filtered. I would check your firewall. Is arcanerealms.ga your domain? If so your MX record is same as domain and it points to 83.128.48.12. When I do a port scan on that IP, I see POP and IMAP filtered.

 

On top of that, your IP is blacklisted and your PTR(012-048-128-083.dynamic.caiway.nl) doesn't match your MX (arcanerealms.ga) which probably caused you to be blacklisted.

 

So in general, you have a lot of work to do. Are you in charge of the whole project or just the software side? If so, you might want to talk to your IT because lots of things are broke. :(


18 hours ago, Trikein said:

I don't know much about coding, but one thing I do notice is it doesn't look like you are allowing POP or IMAP into your mail server. The connection is there, but filtered. I would check your firewall. Is arcanerealms.ga your domain? If so your MX record is same as domain and it points to 83.128.48.12. When I do a port scan on that IP, I see POP and IMAP filtered.

 

On top of that, your IP is blacklisted and your PTR(012-048-128-083.dynamic.caiway.nl) doesn't match your MX (arcanerealms.ga) which probably caused you to be blacklisted.

 

So in general, you have a lot of work to do. Are you in charge of the whole project or just the software side? If so, you might want to talk to your IT because lots of things are broke. :(

I have opened the port 143 (IMAP), I chose IMAP because POP3 is blocked by our ISP. Also, it might also be something in Squirrelmail, as I don't get a 'mail not delivered' message from Google. You said PTR(012-048-128-083.dynamic.caiway.nl) didn't match my MX but what do I put in instead? The blacklisting isn't too big of a problem.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


Your Business ISP blocks port 25? Before I help someone possibly breach ToS, who is the ISP?


1 minute ago, Trikein said:

Your Business ISP blocks port 25? Before I help someone possibly breach ToS, who is the ISP?

It is still a very small company, we don't earn money from this. We are hosted on a consumer network. IMAP is not blocked so it should be fine.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


Just now, TEC said:

It is still a very small company, we don't earn money from this. We are hosted on a consumer network. IMAP is not blocked so it should be fine.

Nope, sounds like you are trying to run a mail server on a consumer ISP (something against TOS most of the time) and you don't care your IP is blacklisted. Too black for my hat. Maybe someone else can help. Good luck.


Just now, Trikein said:

Nope, sounds like you are trying to run a mail server on a consumer ISP (something against TOS most of the time) and you don't care your IP is blacklisted. Too black for my hat. Maybe someone else can help. Good luck.

I read the ToS, and we are not violating it at all.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


So an ISP that blocks outgoing port 25 doesn't have a problem with a customer running their own mail server? Sorry, I don't buy it. No offense meant, I am just cautious who I help and what I help them do. Not saying your post is not legitimate, I just prefer not to help now. Apologies. I am sure someone else will be willing.


Do you have an A record for the hostname of the server and an MX record for it as well?

Can Anybody Link A Virtual Machine while I go download some RAM?

 


1 hour ago, unijab said:

Do you have an A record for the hostname of the server and an MX record for it as well?

I have an A record linked to my IP address (83.128.48.12) with no name and TTL set to 300 and I have an MX record with priority 1 linked to my domain (arcanerealms.ga) also without a name and the TTL set to 300.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


3 hours ago, Trikein said:

So an ISP that blocks outgoing port 25 doesn't have a problem with a customer running their own mail server? Sorry, I don't buy it. No offense meant, I am just cautious who I help and what I help them do. Not saying your post is not legitimate, I just prefer not to help now. Apologies. I am sure someone else will be willing.

Turns out Caiway (CAIW) (my ISP) does not block any ports, it does not block port 25. So it is completely legal, I can link you the official documents via PM if you prefer that.

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers


Have you forwarded port 25 from your modem to your email server?

Can Anybody Link A Virtual Machine while I go download some RAM?

 


6 hours ago, TEC said:

Turns out Caiway (CAIW) (my ISP) does not block any ports, it does not block port 25. So it is completely legal, I can link you the official documents via PM if you prefer that.

I wasn't concerned about the legality. I am not a lawyer and you are in a different country from me. I don't even know what laws the Netherlands have. But I also couldn't understand their ToS. They have like 8 and Google Translate only goes so far.

::Edit:: I actually looked at your website and your ISP and I would like to reconsider. I made a gut judgement, between the blacklist and questionable TOS, I thought you may have been trying to set up a spam server. I feel this now not to be true.

Allow me to set a baseline and correct anything I may say that is wrong. Typically an email server starts with the domain. You buy the domain from a register and then they point to whoever you are using for DNS. In that DNS file you have an MX record. The MX should point to your mail server address, which typically points to a different domain because usually the web server is a different server than the email server. Then that mail server domain is assigned to the IP of your mail server. Example: Someone sends an email to user@tec.com. Their SMTP server looks up the DNS from the register, which gets the MX, which gets them the mail server IP, and then their SMTP server starts an IMAP communication with your POP server on port either 143 or 993. I see both are now open on your server, when before they were not. See scan below.

 

Spoiler

 

Status   Port  Name                                           Result         Time (ms)
problem  21    ftp                                            Filtered       0
problem  22    ssh                                            Filtered       0
problem  23    telnet                                         Filtered       0
ok       25    smtp                                           Open           125
problem  53    dns                                            Filtered       0
ok       80    http                                           Open           125
problem  110   pop3                                           Refused (RST)  0
problem  111   portmapper, rpcbind                            Filtered       0
problem  135   Microsoft RPC services                         Filtered       0
problem  139   netbios                                        Filtered       0
ok       143   imap                                           Open           125
problem  389   ldap                                           Filtered       0
ok       443   https                                          Open           141
problem  445   SMB directly over IP                           Filtered       0
problem  587   msa-outlook                                    Filtered       0
problem  1025  IIS, NFS, or listener RFS remote_file_sharing  Filtered       0
problem  1352  lotus notes                                    Filtered       0
problem  1433  sql server                                     Filtered       0
problem  1723  Point-to-point tunnelling protocol             Filtered       0
problem  3306  my sql                                         Filtered       0
problem  3389  remote desktop                                 Filtered       0
problem  5060  Session Initiation Protocol (SIP)              Filtered       0
problem  5900  Virtual Network Computer display 0             Filtered       0
problem  6001  X Window server                                Filtered       0
problem  8080  webcache                                       Filtered       0

 

I was able to telnet into your server on 143 with the results being:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a1 login test test12345
a1 NO [AUTHENTICATIONFAILED] Authentication failed.

So looks like it was able to talk to your server and do a user lookup, so that looks good. Obviously my test failed because no such user exists on your server. So now the question is why you are not getting the emails. Can you try to telnet into the server with a real test user/password and see if that works? Because then after that it's just connecting TO your IMAP server to download the email. See here on how to check email on the server via telnet, or you can check locally if access. If you see the email on the server, enable logging on your email client then try to connect to it like you would any server in Thunderbird: See suggested settings below. If that doesn't, check logs for errors.

Spoiler

 

IMAP Server:arcanerealms.ga

Port:143

SSL: No

Username/password.

 

 

Also, you mentioned 143, any reason you're not using SSL with 993? I understand the SSL certificate process can be a pain, but was just making sure you knew of that possibility.


14 hours ago, Trikein said:

<snip>

These are the outputs from Telnet 25:

Spoiler

pi@server:~ $ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 arcanerealms.ga ESMTP Postfix (Debian)
ehlo arcanerealms.ga
250-arcanerealms.ga
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <private>
250 2.1.0 Ok
rcpt to: <private>@gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Telnet Test
Hello! This is a test E-Mail using Telnet for LTT!
.
250 2.0.0 Ok: queued as <private>
quit
221 2.0.0 Bye
Connection closed by foreign host.
 

 

I was unable to do Telnet 110, it gave the error 'Telnet: Unable to connect to remote host: Connection refused'.

 

However, I tried 'Telnet Localhost 143' which did work, output of which can be found here:

 

Spoiler

telnet localhost 143
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login "<private>" "<private>"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1455468614] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
b OK [READ-WRITE] Select completed (0.001 secs).
c logout
* BYE Logging out
c OK Logout completed.
Connection closed by foreign host.
 

 

 

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers

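As an added example (not code from any poster in this thread): a small Python audit of the two banners quoted above, the Dovecot greeting on port 143 and the Postfix EHLO reply, checking whether a password can be sent before TLS is negotiated. The function names and finding codes are made up for this example, and the hardened greeting is a constructed sample.

```python
import re

# Greeting and EHLO reply copied from the telnet sessions quoted in this thread.
IMAP_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
)
SMTP_EHLO = """\
250-arcanerealms.ga
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# Constructed sample: a plaintext-port greeting where LOGIN is refused until TLS is up.
HARDENED_IMAP = "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] Dovecot ready."

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password itself


def imap_capabilities(line):
    """Return the capability atoms from a greeting or an untagged CAPABILITY reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I) or re.match(
        r"\* CAPABILITY (.*)", line, re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def audit_imap(line, tls_active=False):
    """List finding codes for an IMAP capability line seen on a given connection."""
    if tls_active:
        return []  # credentials are already protected by the TLS layer
    caps = imap_capabilities(line)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no-starttls")
    if "LOGINDISABLED" not in caps:  # server will accept the LOGIN command in clear text
        findings.append("login-before-tls")
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    if mechs & PLAINTEXT_MECHS:
        findings.append("plaintext-sasl-before-tls")
    return findings


def smtp_extensions(reply):
    """Map each EHLO keyword to its parameters; the first 250 line is the server name."""
    ext = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)\s*(.*)", line.strip())
        if m:
            ext[m.group(1).upper()] = m.group(2).split()
    return ext


def audit_smtp(reply, tls_active=False):
    """List finding codes for an EHLO reply seen on a given connection."""
    ext = smtp_extensions(reply)
    findings = []
    if not tls_active and "STARTTLS" not in ext:
        findings.append("no-starttls")
    if not tls_active and PLAINTEXT_MECHS & {m.upper() for m in ext.get("AUTH", [])}:
        findings.append("plaintext-sasl-before-tls")
    if "VRFY" in ext:  # server confirms whether a mailbox exists
        findings.append("vrfy-enabled")
    return findings


if __name__ == "__main__":
    print("imap (thread):  ", audit_imap(IMAP_GREETING))
    print("imap (hardened):", audit_imap(HARDENED_IMAP))
    print("smtp (thread):  ", audit_smtp(SMTP_EHLO))
```

The EHLO reply shows no AUTH before STARTTLS, which matches `smtpd_tls_auth_only = yes` in the posted main.cf; the IMAP findings correspond to the `disable_plaintext_auth` setting mentioned in the posted dovecot.conf comments.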

I meant test if you can telnet from off site. We now know your server is working internally so now the question is if people connect to it. If you can't get off site you could use a VPN. Or if you're open to it, you could PM me the test user/password and you could just delete it after. Also do you have a Web GUI for users to access email? Or just doing IMAP?

Also try to send yourself an email to that test username then see if you can log into the server's CLI and check to see if the email is stored on the server. Then test with an email client. Can the client connect to the server? If not, what error.

Also why don't you care if your IP is blacklisted. Do you not send out any mail to people? If those people's ISP use the spam lists you're blacklisted from, you won't be able to send email to them. It's not too hard to become blacklisted. How do you think it happened to start with?


20 hours ago, Trikein said:

I meant test if you can telnet from off site. We now know your server is working internally so now the question is if people connect to it. If you can't get off site you could use a VPN. Or if you're open to it, you could PM me the test user/password and you could just delete it after. Also do you have a Web GUI for users to access email? Or just doing IMAP?

Also try to send yourself an email to that test username then see if you can log into the server's CLI and check to see if the email is stored on the server. Then test with an email client. Can the client connect to the server? If not, what error.

Also why don't you care if your IP is blacklisted. Do you not send out any mail to people? If those people's ISP use the spam lists you're blacklisted from, you won't be able to send email to them. It's not too hard to become blacklisted. How do you think it happened to start with?

I have 'telnetted' my address and port via my school's network and it works fine, same output as localhost. The web GUI I am using is Squirrelmail (if you go to my website and click in the bottom right corner you can access it). When I first opened Squirrelmail I got this error:

"Error:Could not complete request. Query:Select "Inbox"., Reason Given:[ServerBug]internal error occur. Refer to sever log more information.[<private>]

^Turned out to be a permission error.

 

I created a test account and sent an e-mail to that account. I checked if it was stored on the server which it was NOT, using Mozilla Thunderbird, I was able to connect to the server and send out e-mails, I tried sending one to it but Thunderbird wasn't able to receive it.

To be honest, at first I didn't really know what it meant to be on a blacklist. Now I do, however as we will mostly be receiving mail it is not TOO big of a problem. I have no clue why we are blacklisted on those 4 servers, but my best guess is either a virus on my PC (unlikely) or some stupid mistake I made while configuring my mailserver causing it to think I was a spam account. How do I get my IP off of those blacklists?

 

P.S. I have PM'ed you the test account. I will remove it in 48 hours.

 

Technology Entertainment Creativity

Technology Electricity Control

Technology Electronics Computers
