Postfix TLS unable to send (but can receive) mail
Using Roundcube (1.3.10) with Postfix (3.4.3) and Dovecot (2.2.36) on CentOS 7 VPS.
I can login and receive emails, but I cannot send them. Trying to send mail results in it hanging: "Waiting for webmail.mydomain.com..." in the bottom browser status bar, while Roundcube displays "Sending message..." for 2-3 minutes.
What could be causing this behavior? I had the server working until I switched to "secure" ports/services/config. Obviously STARTTLS is not working, but as to why or how to fix it I have no clue.
/var/log/maillog displays the following.
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: initializing the server-side TLS engine
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 opendmarc[1060]: ignoring connection from localhost
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: setting up TLS connection from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:before/accept initialization
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE90] (11 bytes => 6 (0x6))
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a RSET..
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => 5 (0x5))
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d QUIT.
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:error in SSLv2/v3 read client hello A
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept error from localhost[127.0.0.1]: -1
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: lost connection after STARTTLS from localhost[127.0.0.1]
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Oct 6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: initializing the server-side TLS engine
Oct 6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: lost connection after AUTH from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2
[...]/roundcubemail-1.3.10/logs/errors
[06-Oct-2019 16:36:00 -0400]: <a3dq5vv5> SMTP Error: Authentication failure: STARTTLS failed (Code: ) in [...]/roundcubemail-1.3.10/program/lib/Roundcube/rcube.php on line 1667 (POST /?_task=mail&_unlock=loading1570394100604&_lang=en&_framed=1&_action=send)
Below are my configuration settings for Postfix, Dovecot and Roundcube:
postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = unix:/var/run/opendkim/opendkim.socket,
unix:/var/run/opendmarc/opendmarc.socket,
unix:/var/run/spamass-milter/spamass-milter.socket
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = *
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_milters = unix:/var/run/opendkim/opendkim.socket,
unix:/var/run/opendmarc/opendmarc.socket,
unix:/var/run/spamass-milter/spamass-milter.socket
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/www/mail/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000
/etc/postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
submission inet n - n - - smtpd
-o smtpd_tls_wrappermode=no
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-o smtpd_sasl_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
dovecot.conf
auth_mechanisms = plain login
disable_plaintext_auth = yes
default_login_user = vmail
first_valid_uid = 2000
first_valid_gid = 2000
listen = *
mail_access_groups = vmail
mail_location = maildir:/var/www/mail/vmail/%d/%n
protocols = imap lmtp pop3
verbose_ssl = yes
namespace inbox {
type = private
separator = /
prefix =
inbox = yes
}
namespace inbox {
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}
userdb {
driver = static
args = /etc/dovecot/dovecot-sql.conf
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service auth {
unix_listener auth-client {
group = postfix
mode = 0660
user = postfix
}
user = root
}
service imap-login {
inet_listener imaps {
port = 993
}
process_min_avail = 1
user = vmail
}
service pop3-login {
inet_listener pop3s {
port = 995
}
process_min_avail = 1
user = vmail
}
ssl = required
ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key
[...]/roundcubemail-1.3.10/config/config.inc.php
// SQL DATABASE
$config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';
// IMAP
$config['default_host'] = 'imaps://mydomain.com/';
$config['default_port'] = 993;
//SMTP
$config['smtp_server'] = 'tls://localhost/';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = '[email protected]';
$config['smtp_auth_type'] = 'PLAIN';
$config['smtp_auth_cid'] = null;
$config['smtp_auth_pw'] = null;
$config['smtp_helo_host'] = '';
$config['smtp_timeout'] = 0;
$config['smtp_conn_options'] = array (
'ssl' =>
array (
'verify_peer' => true,
'verify_peer_name' => false,
'verify_depth' => 3,
'cafile' => '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
),
);
//PLUGINS
$config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
$config['language'] = 'en_US';
$config['spellcheck_engine'] = 'pspell';
$config['draft_autosave'] = 60;
firewall-cmd --list-all
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps ssh
ports: 587/tcp 143/tcp 110/tcp 465/tcp 993/tcp 995/tcp
Thanks in advance for any help!
Solution 1:
Got a reply on howtoforge (props to Steini86). Thanks to everyone else for helping me get there.
TL;DR
$config['smtp_server'] = 'tls://localhost/';
should have been
$config['smtp_server'] = 'tls://domain.in.your.certificatefile/';
And reverting almost everything else back to the Roundcube default fixed it.