By: xeanto

Postfix not receiving mail or being connected to by email servers

May 7, 2017
Email Ubuntu 16.04

I have set up a Postfix server with Dovecot, and I can connect and send emails fine. The only problem I have is when I try to receive emails; sometimes Google (test account) connects, but when it does, I get an SSL_accept error.

main.cf:

myhostname = mail.[redacted].us
myorigin = /etc/mailname
mydestination = mail.[redacted].us, [redacted].us, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.[redacted].us/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.[redacted].us/privkey.pem

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

master.cf:

smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

An excerpt from my logs:

May  7 13:12:29 xeanto postfix/submission/smtpd[12746]: SSL_accept error from mail-wm0-f48.google.com[74.125.82.48]: lost connection
May  7 13:12:29 xeanto postfix/submission/smtpd[12746]: lost connection after CONNECT from mail-wm0-f48.google.com[74.125.82.48]
May  7 13:12:29 xeanto postfix/submission/smtpd[12746]: disconnect from mail-wm0-f48.google.com[74.125.82.48] commands=0/0
May  7 13:20:34 xeanto postfix/submission/smtpd[12967]: connect from mail-wm0-f45.google.com[74.125.82.45]
May  7 13:21:16 xeanto postfix/submission/smtpd[12973]: connect from mail-wm0-f53.google.com[74.125.82.53]
May  7 13:25:34 xeanto postfix/submission/smtpd[12967]: SSL_accept error from mail-wm0-f45.google.com[74.125.82.45]: lost connection
May  7 13:25:34 xeanto postfix/submission/smtpd[12967]: lost connection after CONNECT from mail-wm0-f45.google.com[74.125.82.45]
May  7 13:25:34 xeanto postfix/submission/smtpd[12967]: disconnect from mail-wm0-f45.google.com[74.125.82.45] commands=0/0
May  7 13:26:16 xeanto postfix/submission/smtpd[12973]: SSL_accept error from mail-wm0-f53.google.com[74.125.82.53]: lost connection
May  7 13:26:16 xeanto postfix/submission/smtpd[12973]: lost connection after CONNECT from mail-wm0-f53.google.com[74.125.82.53]
May  7 13:26:16 xeanto postfix/submission/smtpd[12973]: disconnect from mail-wm0-f53.google.com[74.125.82.53] commands=0/0

I suspect that it is because I'm using certs for

instead of `[redacted].us`
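The master.cf above gives the port-25 `smtp inet` service the same `-o` overrides as `smtps`, including `smtpd_tls_wrappermode=yes`. A remote MTA such as Google's connects to port 25 expecting cleartext SMTP and an optional STARTTLS upgrade, so a listener that demands a TLS handshake as the very first bytes fails with exactly the `SSL_accept error ... lost connection` / `commands=0/0` pattern in the log (and, because of `syslog_name=postfix/submission`, logs it under the submission name). The following lint is an added example, not code from the post: it parses the master.cf format, flags submission-style options on the inbound listener, and rewrites that entry to the stock one. The embedded master.cf is a constructed excerpt modelled on the one in the question.

```python
"""Check a Postfix master.cf for submission-style overrides on the public
port-25 smtpd service. Added example, not code from the thread; the sample
master.cf is a constructed excerpt modelled on the one in the question."""
import re
from typing import Dict, List

SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#smtp      inet  n       -       y       -       1       postscreen
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
"""

# Stock definition of the inbound listener: opportunistic STARTTLS, no AUTH,
# everything else inherited from main.cf.
DEFAULT_SMTP_STANZA = "smtp      inet  n       -       y       -       -       smtpd"


def parse_master_cf(text: str) -> List[Dict]:
    """One dict per service entry. master.cf rules: '#' lines are comments,
    a line that starts with whitespace continues the previous entry, and
    overrides are written as '-o name=value' on those continuation lines."""
    services: List[Dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if services:  # continuation line: collect its -o overrides
                for m in re.finditer(r"-o\s+([A-Za-z0-9_]+)=(\S*)", raw):
                    services[-1]["options"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "options": {}})
    return services


def lint_inbound_smtp(services: List[Dict]) -> List[str]:
    """Findings for the 'smtp' inet service (port 25). Remote MTAs deliver
    there in cleartext, upgrade with STARTTLS if offered, and never
    authenticate, so submission options break delivery instead of hardening it."""
    findings: List[str] = []
    for svc in services:
        if svc["type"] != "inet" or svc["name"] not in ("smtp", "25"):
            continue
        o = svc["options"]
        if o.get("smtpd_tls_wrappermode") == "yes":
            findings.append("smtpd_tls_wrappermode=yes on port 25: smtpd waits for a "
                            "TLS ClientHello, the peer sends EHLO in clear, and the "
                            "accept fails ('SSL_accept error', commands=0/0). "
                            "Wrapper mode belongs on smtps (465) only.")
        if o.get("smtpd_tls_security_level") == "encrypt":
            findings.append("smtpd_tls_security_level=encrypt on port 25: peers without "
                            "STARTTLS are refused; RFC 3207 says a public MX must not "
                            "require TLS. Use 'may' here.")
        if o.get("smtpd_sasl_auth_enable") == "yes":
            findings.append("smtpd_sasl_auth_enable=yes on port 25: inbound MTAs never "
                            "authenticate; keep AUTH on submission/smtps.")
        if o.get("syslog_name", "").endswith("/submission"):
            findings.append("syslog_name=postfix/submission on port 25: inbound failures "
                            "log as postfix/submission/smtpd, hiding which listener "
                            "the remote MTA actually hit.")
    return findings


def rewrite_inbound_smtp(text: str) -> str:
    """Replace the smtp/inet entry and its -o lines with the stock stanza,
    leaving every other service (including submission/smtps) untouched."""
    out, dropping = [], False
    for raw in text.splitlines():
        if raw and not raw[0].isspace():  # top-level line: service or comment
            fields = raw.split()
            dropping = len(fields) > 1 and fields[0] == "smtp" and fields[1] == "inet"
            out.append(DEFAULT_SMTP_STANZA if dropping else raw)
        elif not (dropping and raw.strip()):  # keep blanks and other entries' -o lines
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_inbound_smtp(parse_master_cf(SAMPLE_MASTER_CF)):
        print("-", finding)
    print(rewrite_inbound_smtp(SAMPLE_MASTER_CF))
```

Run it against the real file with `python3 lint_master.py` after pointing `SAMPLE_MASTER_CF` at `/etc/postfix/master.cf`; after `postfix reload`, `openssl s_client -starttls smtp -connect mail.example:25` should complete a STARTTLS handshake, while `openssl s_client -connect mail.example:465` still gets implicit TLS from the untouched `smtps` entry.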
3 Answers

Hi @xeanto

Did you edit your master.cf from the default configuration? I haven't used Postfix for a couple of years as SMTPD, only as SMTP, so I've never played with setting up Let's Encrypt.
Could you perhaps redo the default configurations and then try to follow this guide?
https://skippy.org.uk/lets-encrypt-postfix-and-dovecot/

Wow, sorry, but I have the exact same problem at around the same time! Googled to no avail so far. Also using Let's Encrypt, Postfix, Dovecot, SpamAssassin, and can successfully send/receive emails in general from a remote Thunderbird client... but emails from (at least) one server fail:
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 0
mydestination = localhost
mydomain = [redacted]
myhostname = mail.[redacted]
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
recipient_delimiter = +
relayhost =
smtp_tls_loglevel = 2
smtpd_banner = $myhostname ESMTP
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.[redacted].chain.crt
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/mail.[redacted].key
smtpd_tls_loglevel = 2
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

and an extract from the logs:

May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: connect from [other-server-redacted][IP-redacted]
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: setting up TLS connection from [other-server-redacted][IP-redacted]
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: [other-server-redacted][IP-redacted]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH"
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: SSL_accept:before/accept initialization
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: SSL3 alert write:fatal:handshake failure
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: SSL_accept:error in error
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: SSL_accept:error in error
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: SSL_accept error from [other-server-redacted][IP-redacted]: -1
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: lost connection after STARTTLS from [other-server-redacted][IP-redacted]
May 10 13:28:49 ip-172-31-31-136 postfix/smtpd[19816]: disconnect from [other-server-redacted][IP-redacted] ehlo=1 starttls=0/1 commands=1/2

FWIW I note from https://www.checktls.com/ that the [other server] can use AES128-SHA.
Any ideas?

Found my problem at least, courtesy of https://moocat.me/other/smtp-error1408a0c1-no-shared-cipher-ecc-support/
My cert was an ECDSA certificate: I reapplied an RSA certificate and now there appears to be no problem receiving emails from other servers, and checktls.com reports are compliant.
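The two answers above fit together: a server can only negotiate cipher suites whose authentication algorithm matches the key in its certificate, so an ECDSA-only certificate leaves nothing in common with a peer that, like the one checktls.com reported, only offers RSA-authenticated suites such as `AES128-SHA`, and OpenSSL reports `no shared cipher` in `ssl3_get_client_hello`. The following is an added example, not code from either answer: it expands the exact cipher list smtpd logged (`aNULL:-aNULL:HIGH:@STRENGTH`, what `smtpd_tls_ciphers = high` produces) through the local OpenSSL via Python's `ssl` module, filters it by certificate key type, and intersects it with a constructed legacy peer offer. The peer offer is an assumption; only `AES128-SHA` comes from the thread.

```python
"""Which TLS cipher suites a Postfix smtpd can actually negotiate depends on
the key type in its certificate. Added example, not code from the thread."""
import ssl
from typing import List, Tuple

# Exactly what smtpd_tls_ciphers=high logs as "TLS cipher list" in the thread.
SMTPD_HIGH = "aNULL:-aNULL:HIGH:@STRENGTH"

# Constructed peer offer (assumption). AES128-SHA is the suite checktls.com
# reported for the other server; the rest are typical of an old RSA-only MTA.
LEGACY_PEER_OFFER = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]


def expand_cipher_list(spec: str) -> List[Tuple[str, str]]:
    """(suite name, authentication algorithm) for every suite the local
    OpenSSL enables for `spec`. The auth field is normalised from OpenSSL's
    'auth-rsa' / 'auth-ecdsa' / 'auth-any' to 'rsa' / 'ecdsa' / 'any'
    ('any' is the key-agnostic TLS 1.3 suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    out = []
    for c in ctx.get_ciphers():
        auth = (c.get("auth") or "").lower()
        out.append((c["name"], auth.split("-", 1)[-1]))
    return out


def usable_with_key(suites: List[Tuple[str, str]], key_type: str) -> List[str]:
    """Suites the server may offer when its certificate key is `key_type`.
    An ECDSA certificate cannot authenticate *-RSA-* or plain RSA suites and
    vice versa; only the TLS 1.3 suites work with either key."""
    return [name for name, auth in suites if auth in (key_type, "any")]


def shared_suites(server: List[str], peer_offer: List[str]) -> List[str]:
    """Intersection in server-list order; empty means the server has no suite
    it can both offer and authenticate, i.e. 'no shared cipher'."""
    offered = set(peer_offer)
    return [s for s in server if s in offered]


def diagnose(key_type: str, peer_offer: List[str], spec: str = SMTPD_HIGH) -> List[str]:
    """Suites a server with a `key_type` certificate and cipher list `spec`
    can agree on with a peer offering `peer_offer`."""
    return shared_suites(usable_with_key(expand_cipher_list(spec), key_type), peer_offer)


if __name__ == "__main__":
    for key in ("ecdsa", "rsa"):
        print(f"{key:5s} cert vs legacy peer ->",
              diagnose(key, LEGACY_PEER_OFFER) or "NO SHARED CIPHER")
```

Switching back to RSA, as the answer did, is one fix; Postfix can also present both keys, keeping `smtpd_tls_cert_file` / `smtpd_tls_key_file` for the RSA pair and adding `smtpd_tls_eccert_file` / `smtpd_tls_eckey_file` for the ECDSA pair (Postfix 3.4 and later can list several pairs in `smtpd_tls_chain_files`), so modern peers get ECDSA and RSA-only peers still find a shared suite.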
