Problem with Postfix + Dovecot on Debian 10


Hello everyone!

I reinstalled a VPS on Debian 10, keeping my old Postfix installation. I only changed the Postfix user to "datahosting", and I did change the postfix user to datahosting in my Dovecot configuration as well.

The first problem was a "relay access denied", which I fixed by adding the IP 0.0.0.0/0, but I wonder whether that is a good fix, because from what I understand it bypasses everything.

The second is that I can't send mail: whether I authenticate as the postfix user or the datahosting user, nothing changes; the server says it was sent, but nothing arrives in the destination mailbox.

Last problem: in Roundcube, if I set %u as the SMTP username and %p as the password, or a Unix user with its password, the connection always fails, or it says it cannot connect to the storage server. I think this is related to my second problem, but you never know…

The two sites I use to test my SMTP: https://www.smtper.net/ and SMTP Test Tool
Both say the message was sent successfully, but nothing arrives.

I would also like to know whether it is possible to tie SASL auth to the mail account, for example so that the account contact@datahosting.fr can log in to SMTP with its own password instead of going through a Unix user (I found a post from 2013 that did not work for me :unamused:)

Thanks for your help! :slight_smile:

Here is my main.cf:

# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.

# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing.  When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/lib/postfix/sbin

# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix

# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes.  Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = datahosting


# Enable IPv4, and IPv6 if supported
inet_protocols = all



# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550



# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
# 
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible.  Use
# "postfix reload" to eliminate the delay.
#
alias_maps = hash:/etc/aliases

# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 4

# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5

# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#	>$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#	-dmS $process_name gdb $daemon_directory/$process_name
#	$process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
# 
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
# 
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
# 
mailq_path = /usr/bin/mailq.postfix

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix/README_FILES

myhostname = datahosting.fr
mydomain = datahosting.fr
myorigin = $myhostname
home_mailbox = mail/
mynetworks = 0.0.0.0/0, 127.0.0.0/8

inet_interfaces = all
smtpd_sasl_auth_enable = yes
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_banner = $mydomain ESMTP
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

#Seen on some sites, but does not work
#smtp_sasl_auth_enable = yes
#smtp_sasl_type = dovecot

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:9999
non_smtpd_milters = $smtpd_milters


relay_domains = $mydestination
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/datahosting/mail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
#local_recipient_maps = $virtual_mailbox_maps
#transport_maps = hash:/etc/postfix/transport

smtp_use_tls = yes
# smtpd: inbound SMTP
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may

# smtp: outbound SMTP
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high

smtp_tls_security_level = may

smtp_tls_key_file = /home/datahosting/manager/ssl/privkey.pem
smtp_tls_CAfile = /home/datahosting/manager/ssl/ca.pem
smtp_tls_cert_file = /home/datahosting/manager/ssl/cert.pem

# Defines the cipher suites to use (HIGH)
#tls_high_cipherlist = HIGH:!aNULL:!MD5:!ADH:!RC4:!DH 

#smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /home/datahosting/manager/ssl/privkey.pem
smtpd_tls_CAfile = /home/datahosting/manager/ssl/ca.pem
smtpd_tls_cert_file = /home/datahosting/manager/ssl/cert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

compatibility_level = 2

The master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassi
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_authenticated_header=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
dovecot       unix        -              n             n             -              -             pipe
  flags=DRhu user=datahosting:datahosting argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

The logs:

Jun 14 17:06:53 datahosting-main postfix/smtpd[5458]: connect from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:06:53 datahosting-main postfix/smtpd[5458]: E46C73810AB: client=ns511807.ip-167-114-117.net[167.114.117.203], sasl_method=login, sasl_username=postfix
Jun 14 17:06:54 datahosting-main postfix/cleanup[5465]: E46C73810AB: message-id=<>
Jun 14 17:06:54 datahosting-main opendkim[30340]: E46C73810AB: DKIM-Signature field added (s=mail, d=datahosting.fr)
Jun 14 17:06:54 datahosting-main postfix/qmgr[5424]: E46C73810AB: from=<contact@datahosting.fr>, size=848, nrcpt=1 (queue active)
Jun 14 17:06:54 datahosting-main postfix/qmgr[5424]: warning: connect to transport private/spamassassi: No such file or directory
Jun 14 17:06:54 datahosting-main postfix/smtpd[5458]: disconnect from ns511807.ip-167-114-117.net[167.114.117.203] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jun 14 17:06:54 datahosting-main postfix/error[5471]: E46C73810AB: to=<sskyford@gmail.com>, relay=none, delay=1.2, delays=0.94/0.02/0/0.2, dsn=4.3.0, status=deferred (mail transport unavailable)
Jun 14 17:07:34 datahosting-main postfix/smtpd[5458]: connect from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:07:35 datahosting-main postfix/smtpd[5458]: Anonymous TLS connection established from ns511807.ip-167-114-117.net[167.114.117.203]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 14 17:07:35 datahosting-main postfix/smtpd[5458]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
Jun 14 17:07:35 datahosting-main postfix/smtpd[5458]: lost connection after STARTTLS from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:07:35 datahosting-main postfix/smtpd[5458]: disconnect from ns511807.ip-167-114-117.net[167.114.117.203] ehlo=1 starttls=1 commands=2
Jun 14 17:10:56 datahosting-main postfix/smtpd[5700]: connect from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:10:56 datahosting-main postfix/smtpd[5700]: Anonymous TLS connection established from ns511807.ip-167-114-117.net[167.114.117.203]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 14 17:10:56 datahosting-main postfix/smtpd[5700]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
Jun 14 17:10:56 datahosting-main postfix/smtpd[5700]: lost connection after STARTTLS from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:10:56 datahosting-main postfix/smtpd[5700]: disconnect from ns511807.ip-167-114-117.net[167.114.117.203] ehlo=1 starttls=1 commands=2
Jun 14 17:11:11 datahosting-main postfix/smtpd[5700]: connect from ns511807.ip-167-114-117.net[167.114.117.203]
Jun 14 17:11:12 datahosting-main postfix/smtpd[5700]: 844E2380FC6: client=ns511807.ip-167-114-117.net[167.114.117.203], sasl_method=login, sasl_username=postfix
Jun 14 17:11:12 datahosting-main postfix/cleanup[5712]: 844E2380FC6: message-id=<>
Jun 14 17:11:12 datahosting-main opendkim[30340]: 844E2380FC6: DKIM-Signature field added (s=mail, d=datahosting.fr)
Jun 14 17:11:13 datahosting-main postfix/qmgr[5424]: 844E2380FC6: from=<contact@datahosting.fr>, size=848, nrcpt=1 (queue active)
Jun 14 17:11:13 datahosting-main postfix/qmgr[5424]: warning: connect to transport private/spamassassi: No such file or directory
Jun 14 17:11:13 datahosting-main postfix/smtpd[5700]: disconnect from ns511807.ip-167-114-117.net[167.114.117.203] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jun 14 17:11:13 datahosting-main postfix/error[5713]: 844E2380FC6: to=<sskyford@gmail.com>, relay=none, delay=1.3, delays=0.89/0.02/0/0.42, dsn=4.3.0, status=deferred (mail transport unavailable)

Thanks again for reading all of this and for any help you can give me :smiley:
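As an added example (not code from the thread), a small Python check over constructed excerpts of the main.cf and master.cf posted above. It flags the two things the post itself points at: a `mynetworks` entry with a /0 prefix, which makes `permit_mynetworks` match every client and turns the server into an open relay, and a `content_filter=` transport that has no service line in master.cf, which is exactly what the `connect to transport private/spamassassi: No such file or directory` warning in the logs reports. The function names and the excerpt contents are this example's own.

```python
import ipaddress
import re

# Constructed excerpts of the main.cf / master.cf posted in the thread.
MAIN_CF = """\
mynetworks = 0.0.0.0/0, 127.0.0.0/8
"""
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassi
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=datahosting:datahosting argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
smtp      unix  -       -       n       -       -       smtp
"""

def parse_main_cf(text):
    """Return {parameter: value} from 'key = value' lines; comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def open_relay_networks(params):
    """Entries of mynetworks with a /0 prefix: every client gets permit_mynetworks."""
    bad = []
    for entry in re.split(r"[,\s]+", params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # empty, hostname or table entry: not checked here
        if net.prefixlen == 0:
            bad.append(entry)
    return bad

def undefined_content_filters(master_text):
    """content_filter transports (as in the log warning) with no master.cf service."""
    services, filters = set(), []
    for line in master_text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            services.add(line.split()[0])  # first column is the service name
        m = re.search(r"content_filter=([^\s:]+)", line)  # value may be transport:nexthop
        if m:
            filters.append(m.group(1))
    return [f for f in filters if f not in services]

def audit(main_text=MAIN_CF, master_text=MASTER_CF):
    return {
        "open_relay_networks": open_relay_networks(parse_main_cf(main_text)),
        "undefined_content_filters": undefined_content_filters(master_text),
    }
```

Calling `audit()` on the excerpts returns `['0.0.0.0/0']` for the open-relay check and `['spamassassi']` for the missing transport; on a real host the same functions can be fed the output of `postconf -n` and the contents of master.cf.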

Hello,

According to the logs at the end of your message, you have a TLS negotiation problem caused by a certificate problem.

Unfortunately I don't think that has anything to do with it, because I have not made TLS mandatory. However, if you know how to fix it, I would be glad to hear it: the certificate is issued by Cloudflare and the paths to the files (ca, cert and privkey) are correct, yet it keeps showing me the error :frowning:

I managed to fix the problems by following this tutorial: https://www.linode.com/docs/guides/email-with-postfix-dovecot-and-mysql/ and starting over from scratch. With a more recent tutorial it works!