Why doesn't postfix/dovecot receiving mails from Gmail?

I'm setting up a Postfix server that uses Dovecot SASL Authentication on a EC2 virtual machine with an ubuntu 16.04 Xenial. I can send mails to my Gmail account but I cannot receive them. It supposed to store mails in 'usr/Maildir'. I'm also available to receive mails if I send it from a telnet session.

My settings are the fallowing:

In /etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/mycrt.crt
smtpd_tls_key_file = /etc/postfix/ssl/mymail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydomain = domain.com
mydestination = localhost.$mydomain, localhost, $mydomain
relayhost =
relay_domains = $mydestination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = mydomain.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/mycert.pem
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command =
smtp_use_tls = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_auth_only = no

In /etc/dovecot/10-master.conf

# Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix }

In /conf.d/10-auth.conf

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Error messages in /var/log/mail.err

Jul 3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jul 3 19:29:46 ip-172-31-0-124 dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied

And /var/log/mail.log

Jul 3 22:41:38 ip-172-31-0-124 postfix/smtpd[18851]: connect from unknown[45.13.39.19]
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: connect from mail-vs1-f46.google.com[209.85.217.46]
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: lost connection after STARTTLS from mail-vs1-f46.google.com[209.85.217.46]
Jul 3 22:41:40 ip-172-31-0-124 postfix/cleanup[19071]: A305E4651D: message-id=<>
Jul 3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: from=<>, size=920, nrcpt=1 (queue active)
Jul 3 22:41:40 ip-172-31-0-124 postfix/smtpd[18976]: disconnect from mail-vs1-f46.google.com[209.85.217.46] ehlo=1 starttls=0/1 commands=1/2
Jul 3 22:41:40 ip-172-31-0-124 postfix/local[19073]: A305E4651D: to=<>, orig_to=<postmaster>, relay=local, delay=0.01, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jul 3 22:41:40 ip-172-31-0-124 postfix/qmgr[18850]: A305E4651D: removed
Jul 3 22:41:46 ip-172-31-0-124 postfix/smtpd[18851]: warning: unknown[45.13.39.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 3 22:41:47 ip-172-31-0-124 postfix/smtpd[18851]: disconnect from unknown[45.13.39.19] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

Executing 'openssl s_client -connect mydomain:25 -starttls smtp' OUTPUT:

CONNECTED(00000003)
139707798795928:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 340 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1562190493 Timeout : 300 (sec) Verify return code: 0 (ok)
---

I've already checked the MX registry and is everthing OK. I've spend a lot of time with this issue. Hope you can help

7

1 Answer

The basic problem here is that you announce that you use starttls:

smtp_use_tls = yes

Yet you do not have a valid certificate configured. This means that starttls will actually fail.

You either have to disable TLS (set smtp_use_tls = no) or install proper certificates. Let's encrypt certificates will work great for this.

#Install certbot
sudo apt install certbot
#Get certificate
sudo certbot certonly --domain example.org

Edit the following parameters in main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_key_file = /etc/letsencrypt/live/

Comment out the smtpd_tls_CAfile line, as the CA certificate is bundled with the server certificate in the fullchain.pem.

5

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like