Difference between revisions of "Set up your mail server for sending"
imported>WikiSysop (New page: = Sender verification = Now you do not want anyone to be able to use your mail server as spam-catapult. So you need ''sender verification'' in your postfix service. Make sure your authen...) |
imported>ThorstenStaerk |
||
(21 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | = | + | = Overview = |
− | + | When you have [[set up a mail server]] you can by default send mails within your own domain (e.g. linuxintro.org) but not to the outside. What you probably want is that internet users can connect via a mail client, e.g. Thunderbird to your mail server. If they know a valid username and password, they are allowed to read and send mails. | |
+ | = Configure it = | ||
+ | Authentication is done by saslauthd. So install saslauthd, in this case for SUSE Linux: | ||
+ | [[yast]] -i cyrus-sasl-saslauthd | ||
+ | Start the service: | ||
+ | /etc/init.d/saslauthd start | ||
Make sure your authentication service is running: | Make sure your authentication service is running: | ||
/etc/init.d/saslauthd status | /etc/init.d/saslauthd status | ||
has to deliver | has to deliver | ||
running | running | ||
+ | Make sure the service starts on boot | ||
+ | chkconfig saslauthd on | ||
In /etc/postfix/main.cf, set | In /etc/postfix/main.cf, set | ||
− | |||
smtpd_sasl_auth_enable = yes | smtpd_sasl_auth_enable = yes | ||
+ | In /etc/postfix/main.cf, add permit_sasl_authenticated to smtpd_recipient_restrictions. The resulting line may look like this: | ||
+ | smtpd_recipient_restrictions = permit_mynetworks, | ||
+ | permit_sasl_authenticated, | ||
+ | reject_unauth_destination, | ||
+ | check_policy_service inet:127.0.0.1:60000 | ||
+ | |||
Restart Postfix | Restart Postfix | ||
/etc/init.d/postfix restart | /etc/init.d/postfix restart | ||
− | |||
− | == TroubleShooting | + | = Test it = |
+ | To test it, find out your plain authentication string. To do this, [[open a console]] and do a base64 encoding of your username (''myuser'' in this example) and your password (''mypassword'' in this example): | ||
+ | # perl -MMIME::Base64 -e 'print encode_base64("''myuser''\0''myuser''\0''mypassword''");' | ||
+ | You get a string that we will need again soon, it looks like | ||
+ | ''bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk'' | ||
+ | Now connect to your mail server (in this example linuxintro.org): | ||
+ | # telnet ''linuxintro.org'' 25 | ||
+ | The server responds: | ||
+ | Trying ''108.166.126.74''... | ||
+ | Connected to ''linuxintro.org''. | ||
+ | Escape character is '^]'. | ||
+ | 220 ''mail.linuxintro.org'' ESMTP Postfix | ||
+ | If you are missing the response "Connected to...", your internet provider is probably blocking port 25. In this case read [[setting up a mail server on port 587]]. Otherwise you write | ||
+ | EHLO hostname | ||
+ | Now the server responds like | ||
+ | 250-mail.linuxintro.org | ||
+ | 250-PIPELINING | ||
+ | 250-SIZE | ||
+ | 250-VRFY | ||
+ | 250-ETRN | ||
+ | 250-AUTH LOGIN PLAIN | ||
+ | 250-ENHANCEDSTATUSCODES | ||
+ | 250-8BITMIME | ||
+ | 250 DSN | ||
+ | Now you write | ||
+ | AUTH PLAIN ''bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk'' | ||
+ | The server writes | ||
+ | 235 2.7.0 Authentication successful | ||
+ | This means it has worked. So write | ||
+ | QUIT | ||
+ | And you see the response | ||
+ | 221 2.0.0 Bye | ||
+ | Connection closed by foreign host. | ||
+ | |||
+ | = mail is refused = | ||
+ | Sometimes it happens that you get mails like this one: | ||
+ | |||
+ | Delayed Mail (still being retried) | ||
+ | [...] | ||
+ | <name@domain.net>: host mail.domain.com[87.16.52.149] said: 450 4.7.1 Client host | ||
+ | rejected: cannot find your hostname, [109.167.135.66] (in reply to RCPT TO | ||
+ | command) | ||
+ | |||
+ | This means sending of your mail worked but the receiving mail server refuses to accept it. This is most probably because your mail server name resolves to an IP address, but this IP address does not resolve to your mail server name: | ||
+ | # ping mail.domain.de | ||
+ | PING '''''mail.domain.de''''' (109.167.135.66) 56(84) bytes of data. | ||
+ | 64 bytes from '''''suse-256''''' (109.167.135.66): icmp_seq=1 ttl=64 time=0.031 ms | ||
+ | In this case you ping to ''mail.domain.de'', but the answer comes from the server ''suse-256''. | ||
+ | ;Solution: At your IP address' provider, set the reverse DNS entry to deliver the correct hostname, in this example ''mail.domain.de''. Here is an example for RackSpace: http://www.rackspace.com/knowledge_center/article/rackspace-cloud-essentials-6-creating-a-reverse-dns-record Some things can go wrong here. For example I had the respective IP address in /etc/hosts and as name server I was using my [[Fritz!Box]] that cached the DNS record. | ||
+ | |||
+ | = TroubleShooting = | ||
− | + | == Authentication not enabled == | |
+ | ;Symptom: | ||
+ | You get | ||
Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled" | Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled" | ||
+ | ;Solution: | ||
You will need to modify /etc/postfix/main.cf, set | You will need to modify /etc/postfix/main.cf, set | ||
smtp_sasl_auth_enable = yes | smtp_sasl_auth_enable = yes | ||
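Review bot: The new "Test it" section sends AUTH PLAIN over a telnet session to port 25, and the EHLO reply it shows lists "250-AUTH LOGIN PLAIN" with no STARTTLS line, so the base64 string carries the username and password across the network unencrypted. The section should say so, and "Configure it" should set up TLS alongside smtpd_sasl_auth_enable, for example with smtpd_tls_auth_only = yes so that Postfix only offers AUTH after STARTTLS. Separately, the unchanged context at the end of this hunk sets smtp_sasl_auth_enable = yes, which is the Postfix SMTP client parameter; the "authentication not enabled" reply comes from smtpd, so only smtpd_sasl_auth_enable is relevant to that symptom.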
Line 24: | Line 88: | ||
/etc/init.d/postfix restart | /etc/init.d/postfix restart | ||
− | + | == generic failure == | |
+ | ;Symptom: | ||
+ | You get | ||
Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure" | Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure" | ||
+ | |||
+ | ;Solution: | ||
You need to make sure your authentication service has been started: | You need to make sure your authentication service has been started: | ||
/etc/init.d/saslauthd status | /etc/init.d/saslauthd status | ||
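Review bot: The ";Solution:" added under "generic failure" still only tells the reader to look at /etc/init.d/saslauthd status and does not say what to do when the service is not running. Add the /etc/init.d/saslauthd start and chkconfig saslauthd on steps from "Configure it", or link to that section. The new heading is also lower-case ("generic failure") while the one before it is capitalised ("Authentication not enabled"); pick one style for the troubleshooting headings.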
Line 31: | Line 99: | ||
running | running | ||
− | + | == no authentication mechanism available == | |
+ | ;Symptom: | ||
+ | You get | ||
Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available" | Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available" | ||
+ | |||
+ | ;Reson: | ||
You may have | You may have | ||
* plain | * plain | ||
* digest-md5 | * digest-md5 | ||
* cram-md5 | * cram-md5 | ||
− | as authentication method in kmail | + | as authentication method in kmail. |
− | + | ;Solution: | |
+ | Change this to Login. | ||
+ | |||
+ | == no worthy mechanisms found == | ||
+ | ;Symptom: | ||
+ | You get | ||
Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found | Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found | ||
+ | |||
+ | ;Reason: | ||
You may have | You may have | ||
* GSSAPI | * GSSAPI | ||
− | as authentication method in kmail. Change this to Login. | + | as authentication method in kmail. |
+ | |||
+ | ;Solution: | ||
+ | Change this to Login. | ||
− | + | == no mail is sent == | |
+ | ;Symptom: | ||
+ | Nothing happens and no mail is sent | ||
+ | |||
+ | ;Reason: | ||
+ | You may have | ||
* NTLM | * NTLM | ||
− | as authentication method in kmail. Change this to Login. | + | as authentication method in kmail. |
+ | |||
+ | ;Solution: | ||
+ | Change this to Login. | ||
+ | |||
+ | = See also = | ||
+ | * [[Set_up_a_mail_server_on_port_587]] | ||
+ | * http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/15-creating-tls-certificate-using-openssl | ||
+ | * http://www.adomas.org/2006/08/postfix-dovecot/ |
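Review bot: Under "no authentication mechanism available" the reason lists plain as a client setting that fails, but the EHLO reply in "Test it" advertises "AUTH LOGIN PLAIN" and the AUTH PLAIN test there succeeds; either drop plain from the list or explain when it fails. In the same section ";Reson:" is a typo for ";Reason:", and the symptom text "does not support The server responded" has lost words. Every solution in this hunk is "Change this to Login"; LOGIN, like PLAIN, only base64-encodes the password, so that advice should come with a note that the connection needs TLS.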
Latest revision as of 15:59, 28 November 2015
Overview
Once you have set up a mail server, you can by default send mail within your own domain (e.g. linuxintro.org) but not to the outside. What you probably want is for internet users to be able to connect to your mail server with a mail client such as Thunderbird. If they know a valid username and password, they are allowed to read and send mail.
Configure it
Authentication is done by saslauthd. So install saslauthd, in this case for SUSE Linux:
yast -i cyrus-sasl-saslauthd
Start the service:
/etc/init.d/saslauthd start
Make sure your authentication service is running:
/etc/init.d/saslauthd status
has to deliver
running
Make sure the service starts on boot:
chkconfig saslauthd on
In /etc/postfix/main.cf, set
smtpd_sasl_auth_enable = yes
In /etc/postfix/main.cf, add permit_sasl_authenticated to smtpd_recipient_restrictions. The resulting line may look like this:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
Restart Postfix:
/etc/init.d/postfix restart
Test it
To test it, find out your plain authentication string. To do this, open a console and do a base64 encoding of your username (myuser in this example) and your password (mypassword in this example):
# perl -MMIME::Base64 -e 'print encode_base64("myuser\0myuser\0mypassword");'
You get a string that we will need again soon. It looks like this:
bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk
Now connect to your mail server (in this example linuxintro.org):
# telnet linuxintro.org 25
The server responds:
Trying 108.166.126.74...
Connected to linuxintro.org.
Escape character is '^]'.
220 mail.linuxintro.org ESMTP Postfix
If you are missing the response "Connected to...", your internet provider is probably blocking port 25. In this case read setting up a mail server on port 587. Otherwise you write
EHLO hostname
Now the server responds like
250-mail.linuxintro.org
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Now you write
AUTH PLAIN bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk
The server writes
235 2.7.0 Authentication successful
This means it has worked. So write
QUIT
And you see the response
221 2.0.0 Bye
Connection closed by foreign host.
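The token used in this test is only base64, and the EHLO reply shown lists AUTH without STARTTLS, so the credentials cross port 25 unencrypted. The following is an added example, not part of the original wiki page; the function names are illustrative. It rebuilds and decodes the token and classifies an EHLO reply received before any TLS negotiation.

```shell
#!/bin/sh
# Added example. myuser/mypassword are the page's placeholders; function names are illustrative.

# SASL PLAIN token as built above: authzid NUL authcid NUL password, then base64.
plain_token() {
    printf '%s\0%s\0%s' "$1" "$1" "$2" | base64 | tr -d '\n'
}

# base64 is an encoding, not encryption: anyone who captures the token can do this.
decode_token() {
    printf '%s' "$1" | base64 -d | tr '\0' ' '
}

# Classify an EHLO reply (on stdin) that was received before any TLS negotiation.
auth_exposure() {
    reply=$(tr -d '\r')
    auth=no; tls=no
    printf '%s\n' "$reply" | grep -Eq '^250[- ]AUTH[ =]' && auth=yes
    printf '%s\n' "$reply" | grep -Eq '^250[- ]STARTTLS$' && tls=yes
    case "$auth/$tls" in
        yes/no)  echo cleartext-only ;;     # credentials can only travel unencrypted
        yes/yes) echo cleartext-allowed ;;  # TLS offered, but AUTH is accepted without it
        no/yes)  echo auth-after-tls ;;     # what smtpd_tls_auth_only = yes produces
        *)       echo no-auth ;;
    esac
}

# EHLO reply copied from the session shown above.
PAGE_EHLO='250-mail.linuxintro.org
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

token=$(plain_token myuser mypassword)
echo "token:    $token"
echo "decoded:  $(decode_token "$token")"
echo "exposure: $(printf '%s\n' "$PAGE_EHLO" | auth_exposure)"
```

To check a live server, paste its EHLO reply into `auth_exposure`; a result of `auth-after-tls` means AUTH is withheld until the session is encrypted.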
mail is refused
Sometimes it happens that you get mails like this one:
Delayed Mail (still being retried)
[...]
<name@domain.net>: host mail.domain.com[87.16.52.149] said: 450 4.7.1 Client host
rejected: cannot find your hostname, [109.167.135.66] (in reply to RCPT TO
command)
This means sending of your mail worked but the receiving mail server refuses to accept it. This is most probably because your mail server name resolves to an IP address, but this IP address does not resolve to your mail server name:
# ping mail.domain.de
PING mail.domain.de (109.167.135.66) 56(84) bytes of data.
64 bytes from suse-256 (109.167.135.66): icmp_seq=1 ttl=64 time=0.031 ms
In this case you ping mail.domain.de, but the answer comes from the server suse-256.
- Solution
- At the provider of your IP address, set the reverse DNS entry to deliver the correct hostname, in this example mail.domain.de. Here is an example for RackSpace: http://www.rackspace.com/knowledge_center/article/rackspace-cloud-essentials-6-creating-a-reverse-dns-record
Some things can go wrong here. For example, I had the respective IP address in /etc/hosts, and as name server I was using my Fritz!Box, which cached the DNS record.
TroubleShooting
Authentication not enabled
- Symptom
You get
Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled"
- Solution
You will need to modify /etc/postfix/main.cf, set
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
and restart postfix:
/etc/init.d/postfix restart
generic failure
- Symptom
You get
Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure"
- Solution
You need to make sure your authentication service has been started:
/etc/init.d/saslauthd status
has to deliver
running
no authentication mechanism available
- Symptom
You get
Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available"
- Reason
You may have
- plain
- digest-md5
- cram-md5
as authentication method in kmail.
- Solution
Change this to Login.
no worthy mechanisms found
- Symptom
You get
Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found
- Reason
You may have
- GSSAPI
as authentication method in kmail.
- Solution
Change this to Login.
no mail is sent
- Symptom
Nothing happens and no mail is sent.
- Reason
You may have
- NTLM
as authentication method in kmail.
- Solution
Change this to Login.