1 (edited by different 2013-04-19 01:54:49)

Topic: cannot receive mail

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (MySQL):
- Linux/BSD distribution name and version: CentOS6
- Related log if you're reporting an issue:
====

I cannot receive email in iRedMail.

After installation and configuration,
I was able to create an IMAP mail account connection setting in my PC mailer for my iRedMail VPS server.

But I have a problem.

I can send mail to postmaster@mydomain.net from the PC mailer but never receive the mail at the outside mail service.
I can send mail from the iRedMail Roundcube interface (postmaster@mydomain.net) but never receive it at the outside mail service.

I can send mail from the outside mail service but never receive the mail at postmaster@domain.net,
neither in the Roundcube web interface nor in the PC mailer.

It seemed to happen after configuring DKIM and SPF...?


Below is the mail log.

Would someone suggest which file or setting I should look into?


Apr 19 02:21:03 mydomain postfix/smtpd[30917]: connect from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:03 mydomain postfix/smtpd[30919]: connect from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: SSL_accept error from myisp1234567890987.domain.net[127.6.45.123]: -1
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: lost connection after STARTTLS from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: disconnect from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: connect from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:04 mydomain postfix/smtpd[30919]: SSL_accept error from myisp1234567890987.domain.net[127.6.45.123]: -1
Apr 19 02:21:04 mydomain postfix/smtpd[30919]: lost connection after STARTTLS from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:04 mydomain postfix/smtpd[30919]: disconnect from myisp1234567890987.domain.net[126.5.15.248]
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: SSL_accept error from myisp1234567890987.domain.net[127.6.45.123]: -1
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: lost connection after STARTTLS from myisp1234567890987.domain.net[127.6.45.123]
-- -- --
Apr 19 02:21:04 mydomain postfix/smtpd[30917]: disconnect from myisp1234567890987.domain.net[127.6.45.123]
Apr 19 02:21:23 mydomain roundcube: PHP Warning:  include_once(): Unable to allocate memory for pool. in /var/www/roundcubemail-0.8.6/program/include/iniset.php on

Apr 19 02:12:26 mydomain roundcube: PHP Warning:  include_once(): Unable to allocate memory for pool. in /var/www/roundcubemailXXX/program/include/iniset.php on line 113
Apr 19 02:12:26 mydomain roundcube: PHP Warning:  include(): Unable to allocate memory for pool. in /var/www/roundcubemailXXX/program/include/rcube_plugin_api.php on line 177
Apr 19 02:12:29 mydomain amavis[29614]: (29614-08) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket (Can't connect to UNIX socket /tmp/clamd.socket: Connection refused) at (eval 102) line 375.\n
Apr 19 02:12:29 mydomain amavis[29614]: (29614-08) (!!)WARN: all primary virus scanners failed, considering backups
Apr 19 02:12:34 mydomain postfix/smtpd[30860]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Apr 19 02:12:35 mydomain postfix/master[30545]: warning: process /usr/libexec/postfix/smtpd pid 30860 exit status 1
Apr 19 02:12:35 mydomain postfix/master[30545]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

2

Re: cannot receive mail

different wrote:

Apr 19 02:12:29 mydomain amavis[29614]: (29614-08) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket (Can't connect to UNIX socket /tmp/clamd.socket: Connection refused) at (eval 102) line 375.\n

Your ClamAV service is not running.
Please make sure you have the latest clamav db with command "freshclam", then try to restart it again. If it still does not work, please check its log file to see what the problem is.

3

Re: cannot receive mail

Thank you.

I updated ClamAV and set up a cron job.
Now I get the following error in maillog:


Apr 21 01:34:20 myname postfix/smtpd[19468]: connect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:20 myname postfix/smtpd[19468]: SSL_accept error from myisp123456789012.myisp.net[126.5.15.248]: -1
Apr 21 01:34:20 myname postfix/smtpd[19468]: lost connection after STARTTLS from myisp123456789012.myisp.net[126.5.15.248]
Apr 21 01:34:20 myname postfix/smtpd[19468]: disconnect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:20 myname postfix/smtpd[19468]: connect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:20 myname postfix/smtpd[19471]: connect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:20 myname postfix/smtpd[19471]: disconnect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:22 myname postfix/smtpd[19468]: warning: myisp123456789012.myisp.net[126.7.89.012]: SASL PLAIN authentication failed:
Apr 21 01:34:22 myname postfix/smtpd[19468]: disconnect from myisp123456789012.myisp.net[126.7.89.012]
Apr 21 01:34:26 myname postfix/smtpd[19472]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Apr 21 01:34:27 myname postfix/master[30545]: warning: process /usr/libexec/postfix/smtpd pid 19472 exit status 1
Apr 21 01:34:27 myname postfix/master[30545]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


Sorry, I'm a newbie.
One thing I've noticed was "the smtpd_recipient_restrictions" setting which seemed to be incorrect.
What would you suggest as a default setting?
I've set as
vim /etc/postfix/master.cf

-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_policy_service unix:private/spfpolicy,check_relay_domains,reject

4

Re: cannot receive mail

different wrote:

I've set as
vim /etc/postfix/master.cf

-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_policy_service unix:private/spfpolicy,check_relay_domains,reject

*) Default "smtpd_recipient_restrictions" should be set in /etc/postfix/main.cf, not master.cf.
*) iRedMail has default smtpd_recipient_restrictions, please show us output of command "postconf -n" here to help troubleshoot.

5 (edited by different 2013-04-23 09:00:14)

Re: cannot receive mail

ZhangHuangbin wrote:
different wrote:

I've set as
vim /etc/postfix/master.cf

-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_policy_service unix:private/spfpolicy,check_relay_domains,reject

*) Default "smtpd_recipient_restrictions" should be set in /etc/postfix/main.cf, not master.cf.
*) iRedMail has default smtpd_recipient_restrictions, please show us output of command "postconf -n" here to help troubleshoot.

Thank you.

My configuration seemed to be incorrect somewhere.
Where would you suggest?

I edited main.cf and changed to the following:

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = mail.blahblah.net
myorigin = $myhostname
mydomain = mail.blahblah.net

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/spfpolicy


and when I send email from my other email (outside my iRedMail server), I never receive email at postmaster@blahblah.net.
I get these maillog:

Apr 23 09:49:41 myhost postfix/smtpd[4186]: connect from unknown[16.143.82.248]
Apr 23 09:49:42 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:42 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: problem talking to server private/spfpolicy: Connection reset by peer
Apr 23 09:49:43 myhost postfix/smtpd[4186]: NOQUEUE: reject: RCPT from unknown[16.143.82.248]: 451 4.3.5 Server configuration problem; from=<blah@my-other-email.com> to=<postmaster@blahblah.net> proto=ESMTP helo=<nk11p08mm-asmtp002.mac.com>
Apr 23 09:49:43 myhost postfix/smtpd[4186]: disconnect from unknown[16.143.82.248]


Output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mail.blahblah.net
myhostname = mail.blahblah.net
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/spfpolicy
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

6

Re: cannot receive mail

different wrote:

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/spfpolicy

*) It's not recommended to modify smtpd_recipient_restrictions unless you exactly know what you're doing.
*) Amavisd provides SPF verification.

different wrote:

and when I send email from my other email (outside my iRedMail server), I never receive email at postmaster@blahblah.net. I get these maillog:

Apr 23 09:49:41 myhost postfix/smtpd[4186]: connect from unknown[16.143.82.248]
Apr 23 09:49:42 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:42 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: problem talking to server private/spfpolicy: Connection reset by peer
Apr 23 09:49:43 myhost postfix/smtpd[4186]: NOQUEUE: reject: RCPT from unknown[16.143.82.248]: 451 4.3.5 Server configuration problem; from=<blah@my-other-email.com> to=<postmaster@blahblah.net> proto=ESMTP helo=<nk11p08mm-asmtp002.mac.com>
Apr 23 09:49:43 myhost postfix/smtpd[4186]: disconnect from unknown[16.143.82.248]

It's pretty clear that your spfpolicy has some problem. You should fix it yourself since iRedMail doesn't ship it.
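
Added example, not part of the thread and not iRedMail code: a Python triage of the maillog patterns quoted above, grouping server-side faults (smtpd config fatals, failing policy services, spawn exits, virus scanner failures) and listing the recipients deferred with 451. The rule names and the `triage`/`diagnose` functions are illustrative; the sample lines are copied from the thread, with the amavis line abridged.

```python
import re
from collections import Counter, defaultdict

# (category, pattern); group "what" names the failing component or recipient.
RULES = [
    ("config_fatal", re.compile(r'postfix/\w+\[\d+\]: fatal: parameter "(?P<what>[^"]+)"')),
    ("policy_service", re.compile(
        r"postfix/smtpd\[\d+\]: warning: (?:problem talking to server|"
        r"premature end-of-input on) (?P<what>\S+?)(?::\s|\s)")),
    ("spawn_exit", re.compile(
        r"postfix/spawn\[\d+\]: warning: command (?P<what>\S+) exit status [1-9]")),
    ("av_scanner", re.compile(r"amavis\[\d+\]: .*?\(!+\)(?P<what>\S+) av-scanner FAILED")),
    ("rcpt_451", re.compile(
        r"NOQUEUE: reject: RCPT from \S+: 451 .*? to=<(?P<what>[^>]+)>")),
]

# Sample input: lines copied from the thread (the amavis line is abridged).
SAMPLE = """\
Apr 19 02:12:29 mydomain amavis[29614]: (29614-08) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket
Apr 19 02:12:34 mydomain postfix/smtpd[30860]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Apr 23 09:49:41 myhost postfix/smtpd[4186]: connect from unknown[16.143.82.248]
Apr 23 09:49:42 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:42 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/spawn[4193]: warning: command /usr/bin/python exit status 1
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: premature end-of-input on private/spfpolicy while reading input attribute name
Apr 23 09:49:43 myhost postfix/smtpd[4186]: warning: problem talking to server private/spfpolicy: Connection reset by peer
Apr 23 09:49:43 myhost postfix/smtpd[4186]: NOQUEUE: reject: RCPT from unknown[16.143.82.248]: 451 4.3.5 Server configuration problem; from=<blah@my-other-email.com> to=<postmaster@blahblah.net> proto=ESMTP helo=<nk11p08mm-asmtp002.mac.com>
Apr 23 09:49:43 myhost postfix/smtpd[4186]: disconnect from unknown[16.143.82.248]
"""


def triage(text):
    """Count matches per category and per failing component."""
    found = defaultdict(Counter)
    for line in text.splitlines():
        for category, pattern in RULES:
            m = pattern.search(line)
            if m:
                found[category][m.group("what")] += 1
                break  # first matching rule wins for a line
    return {cat: dict(counts) for cat, counts in found.items()}


def diagnose(summary):
    """Turn the counts into ordered server-side findings."""
    notes = [f"smtpd cannot start: check parameter {p}"
             for p in summary.get("config_fatal", {})]
    deferred = sorted(summary.get("rcpt_451", {}))
    for svc in summary.get("policy_service", {}):
        notes.append(f"policy service {svc} failing; 451-deferred recipients: {deferred}")
    notes += [f"virus scanner {s} unreachable" for s in summary.get("av_scanner", {})]
    return notes


if __name__ == "__main__":
    for note in diagnose(triage(SAMPLE)):
        print(note)
```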

7

Re: cannot receive mail

ZhangHuangbin wrote:
different wrote:

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/spfpolicy

*) It's not recommended to modify smtpd_recipient_restrictions unless you exactly know what you're doing.
*) Amavisd provides SPF verification.

It's pretty clear that your spfpolicy has some problem. You should fix it yourself since iRedMail doesn't ship it.

I was trying to follow instruction and I thought configuring spf policy was a "requirement" after installation by reading iRedMail documentation.
May I make things clear?

Are you saying SPF verification is optional and not necessary?
In that case, do I need to delete DNS records for SPF verification as well?

or you are saying better to configure, but use at own risk?

Are you also saying Amavisd in iRedMail includes SPF verification feature so I do not have to configure it at all?

http://www.iredmail.org/install_iredmail_on_rhel.html

Important things you should know after installation
Read file /root/iRedMail-x.y.z/iRedMail.tips first, it contains:
URLs, usernames and passwords of web-based applications
Location of mail server related software configuration files
Some other important and/or sensitive information
Setup DNS record for SPF
Setup DNS record for DKIM

8

Re: cannot receive mail

different wrote:

I was trying to follow instruction and I thought configuring spf policy was a "requirement" after installation by reading iRedMail documentation.
May I make things clear?

SPF is simply a DNS record (TXT type), other mail servers will query your SPF record to see whether the email sent from "@your_domain.com" (in mail header "From:") is allowed or not. No additional setup required.

The same as above, to verify sender on iRedMail server, we use Amavisd with perl module perl-Mail-SPF.

different wrote:

Are you saying SPF verification is optional and not necessary?

Yes, but strongly recommended.

different wrote:

In that case, do I need to delete DNS records for SPF verification as well?

Please keep your SPF record.

different wrote:

Are you also saying Amavisd in iRedMail includes SPF verification feature so I do not have to configure it at all?

Yes, used to verify sender. But you still need SPF record to help others identify emails from your domain.
Please check what SPF is used for first (with Google).

Hope it's clear now.

9

Re: cannot receive mail

Thank you!
Receiving and sending mail --- both are working fine now.

I deleted spf configuration from setting and now I have:

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit

I hope the iRedMail documentation will be updated to avoid confusion for new users.
Thanks again.

10

Re: cannot receive mail

different wrote:

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit

This is not good enough. You should revert to the original setting which is set by iRedMail during installation.
On CentOS 6, it should be:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
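
Added example, not part of the thread and not iRedMail code: a Python audit of the smtpd_recipient_restrictions values quoted in this thread. It shows that the master.cf `-o` line from post 3 ends at its first space (whitespace separates master.cf arguments), leaving none of the restrictions the quoted fatal error asks for, and it diffs the post 9 value against the default given in this post. Function and constant names are illustrative.

```python
import re

# Postfix requires at least one of these in smtpd_recipient_restrictions
# (list copied from the fatal error quoted in the thread).
REQUIRED_ANY = {"check_relay_domains", "reject_unauth_destination",
                "reject", "defer", "defer_if_permit"}

# Values copied from the thread.
MASTER_CF_LINE = ("-o smtpd_recipient_restrictions=permit_sasl_authenticated,"
                  "permit_mynetworks,check_policy_service unix:private/spfpolicy,"
                  "check_relay_domains,reject")
POST9 = "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit"
BASELINE = ("reject_unknown_sender_domain, reject_unknown_recipient_domain, "
            "reject_non_fqdn_sender, reject_non_fqdn_recipient, "
            "reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, "
            "permit_mynetworks, permit_sasl_authenticated, "
            "reject_unauth_destination, check_policy_service inet:127.0.0.1:10031")


def parse_restrictions(value):
    """Split on commas/whitespace; keep 'check_policy_service <endpoint>' together."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i] == "check_policy_service" and i + 1 < len(tokens):
            items.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
        else:
            items.append(tokens[i])
            i += 1
    return items


def master_cf_override(line):
    """Return the value smtpd receives from a master.cf '-o name=value' line.
    Whitespace separates master.cf arguments, so the value ends at the first space."""
    args = line.split()
    return args[args.index("-o") + 1].split("=", 1)[1]


def audit(value, baseline=BASELINE):
    """Compare one restriction list with the baseline quoted in the thread."""
    items = parse_restrictions(value)
    wanted = parse_restrictions(baseline)
    return {
        "has_relay_control": bool(REQUIRED_ANY & set(items)),
        "dangling_policy_service": "check_policy_service" in items,
        "missing": [r for r in wanted if r not in items],
        "extra": [r for r in items if r not in wanted],
    }


if __name__ == "__main__":
    print(audit(master_cf_override(MASTER_CF_LINE)))
    print(audit(POST9))
```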

11 (edited by different 2013-04-23 17:32:14)

Re: cannot receive mail

ZhangHuangbin wrote:
different wrote:

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit

This is not good enough. You should revert to the original setting which is set by iRedMail during installation.
On CentOS 6, it should be:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031

Thank you very much for advice. It seems to work now.


My DNS settings for SPF are as follows (for someone's reference):
DNS entry: @
DNS type and setting:
A 89.232.167.45

DNS entry: mail
DNS type and setting:
MX     10 mail.blahblah.net.
TXT     "v=spf1 mx a:mail.blahblah.net ?include:blahblah.net -all" (TTL:3600)


According to your info, SPF check is provided by default, so in summary I guess I didn't need to install Python version in the first place.

Summary

Using the Python version of SPF Policy Server for Postfix it is possible to implement checking of SPF of incoming messages in Postfix, with immediate reject or pass (if desired). This article will describe how to achieve this feature.

Notes

There is also a Perl version of the software, but it is not recommended because it does not scale well and should only be used for small scale servers.
This tutorial was written for a CentOS-based system. Please adapt it to fit your distro and configuration.
It is assumed that the user has good knowledge of the technologies used therein.

Should I also delete the following setting in master.cf?
I followed the instruction in iRedMail Wiki:
http://www.iredmail.org/wiki/index.php? … _SPF_check

4. Enable SPF check in Postfix

Edit your master.cf file and add at the end:
vim /etc/postfix/master.cf
# SPF check
spfpolicy unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

12

Re: cannot receive mail

different wrote:

Should I also delete the following setting in master.cf?
I followed the instruction in iRedMail Wiki:
http://www.iredmail.org/wiki/index.php? … _SPF_check

Please remove it if you don't have spfpolicy installed or enabled.