Resolved Postfix port 25 not working on fresh installed Onyx Server

[D4NY]

New server just installed, CentOs 7.3 and Plesk 17.5.3, mail server DoveCoat + PostFix.
After migration of some domains we got "None of the authentication methods supported by this client on this server" Outlook error code: 0x800ccc80. We are sending on port 25 with None option. Also webmail can't send with "authentication faild" error. With the same configuration on previous server CentOs 6.8 and Plesk 12.5 we are sending mails on both Outlook and Webmail without problems.
I tried also to send via 587 SSL or TLS but not working also.
Lastly we switched to Qmail and.... perfectly working without any other workaround.
We have no problem using Qmail but should be interesting to understand what is this problem and to find a solution.

Thank you!

 

[UFHH01]

Hi D4NY,

... but should be interesting to understand what is this problem and to find a solution.

We are as well interested in understanding possible issues/errors/problems, but unfortunately, you don't provide enough informations ( as for example corresponding log - entries from your mail - log(s), or/and from the log of your used webmail - software and corresponding configuration files from postfix/dovecot ), which makes it nearly impossible to start any investigations.

 

[D4NY]

Well the problem seems to be deeper in real. Update: on the new server (Onyx 17.5) i have migrated 10 domains from old server (Plesk 12.5). Websites and db are ok. Some customers are ok also with mail with the same configuration using Outlook. One is not ok using Mail on Apple pc (port 25 no ssl, but working with 25 ssl). Another is not ok using Ms Live Mail (port 25 no ssl, but working on 465 ssl). I've tried on a clean pc the same account not working of the last user with 25 no ssl and it works!! Can't understand why. Then.... smartphone with imap port 143 before migration was working fine, after migration can't connect to the server. Tried with TLS/any and it works. Same customer can't connect to the webspace via ftp, while on my pc no problem, no ssl, no tls, no passive mode....

The question is, what's the difference between plesk 12.5 and Onyx 17.5 ? My configuration is an OVH preinstalled O.S. image so i think it's ok. It's possible i've clicked on Protect Plesk with certificate, can that be the cause of the problem? How to solve?

Look at the attached image, please

I'm going crazy, just want to use the server as the previous one (that is Let's enscrypt for https on websites, port 25 no ssl for smtp, port 110 no ssl for pop3, port 143 no encryption for imap). Who can help me?

 

[Bitpalast]

Yes, with Apple Mail and iPhone mail software, a self-signed SSL certificate is problematic. Apple mail drops the connection and does not tell you the real reason why it does not want to connect to the outgoing mail server. It is often not connecting, because it does not trust the self-signed certificate.

 

[D4NY]

How can i remove my choice to protect plesk and mail server?

ATTACHED: last lines of my mail log (please delete if cointains not allowed data)

 

[D4NY]

Or how can i have a working certificate with let's encrypt?

All our customers are working with POP3 110 no ssl + SMTP 25 no ssl + IMAP 143 no encyption + WEBMAIL roundcube and at the moment we want to keep this configuration for all of them

 

[Cike76]

Yo can get some really cheap ssl certificates on ssls (dot) com.
I used the cheapest one ( something like 8 usd) for my Plesk server name ( it has to be the name of the server because the postfix identifies as the name of the server) and configured the iphone clients to that name... no problems about it... working like a charm..

 

[D4NY]

We have more than hundred domains. Each of them should authenticate on his own domain mail server to send mails. Changing thounsands of mail account configuration is not possible at the moment... so the question now is... if we don't choose the "protect plesk with ssl" option can we continue to use smtp port 25 without SSL and pop3 port 110 without SSL ?

 

[UFHH01]

Hi D4NY,

the option to secure port 25 ( smtp ) and port 110/143 ( pop3/imap ) with a certificate is OPTIONAL and is setup in your depending configuration files ( postfix/qmail - dovecot/courier-imap ), while port 465 ( smtps ), port 587 ( submission ) port 993 ( imaps ) and port 995 ( pop3s ) requires a certificate. As asked before ( => #2 ) , you should consider to post your corresponding configuration files, so that people willing to help you can point you to possible configuration issues/failures/problems. If you don't provide these configuration files, we are only able to point you to the basic manuals, as for example:

=> Postfix Basic Configuration
=> http://www.postfix.org/STANDARD_CONFIGURATION_README.html
=> Postfix Configuration Parameters

=> https://www.dovecot.org/doc/dovecot-example.conf​

 

[D4NY]

Thank you very much for your reply.
I posted at #5 an image of the last lines of my mail log. Full version in plain text is needed? How can i send it to you?

 

[UFHH01]

Hi D4NY,

I posted at #5 an image of the last lines of my mail log

Yes, I saw that, but do you want us to TYPE from your screenshot now, in order to be able to point you to issues/errors/problems?

Full version in plain text is needed?

Not necessarily "needed", but rather "recommended", if you desire people willing to help you to point you to issues/errors/problems.

How can i send it to you?

You are able to attach logs and configuration files to a forum post, by UPLOADING the files ( pls. have a look at the blue button "Upload a File", directly below each forum textbox! ).


As stated before, pls. note, that the log itself only points to a possible issue/error/problem, while the configuration file(s) are needed to point you to the corresponding settings!


Additional informations:

=> Plesk for Linux services logs and configuration files ( KB - article: 213403509 )​

 

[D4NY]

I've reinstalled the server with the same O.S. image. This time i've not protected Plesk as asked just after the first login to the panel, but the problem is the same so it's not related to the SSL certificate.

Here is the content of the /etc/postfix/main.cf as requested

readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains

virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual

virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox

transport_maps = , hash:/var/spool/postfix/plesk/transport

smtpd_tls_cert_file = /etc/pki/ns303035.ip-94-23-203.eu.pem

smtpd_tls_key_file = $smtpd_tls_cert_file

smtpd_tls_security_level = may

smtpd_use_tls = yes

smtp_tls_security_level = may

smtp_use_tls = no

smtpd_timeout = 3600s

smtpd_proxy_timeout = 3600s

disable_vrfy_command = yes

mynetworks =

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated

smtp_send_xforward_command = yes

smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

virtual_mailbox_base = /var/qmail/mailnames

virtual_uid_maps = static:30

virtual_gid_maps = static:31

smtpd_milters = , inet:127.0.0.1:12768

sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps

virtual_transport = plesk_virtual

plesk_virtual_destination_recipient_limit = 1

mailman_destination_recipient_limit = 1

mailbox_size_limit = 0

virtual_mailbox_limit = 0

smtpd_tls_ciphers = medium

smtpd_tls_mandatory_ciphers = medium

tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3

smtpd_tls_protocols = SSLv3, TLSv1

smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem

smtpd_tls_exclude_ciphers = aNULL

smtpd_sasl_security_options = noplaintext

smtpd_tls_auth_only = yes

tls_ssl_options = NO_COMPRESSION

 

[D4NY]

And this is the full new maillog...

 

[UFHH01]

Hi D4NY,

mynetworks =

You missed to configure this. Recommended example:

mynetworks = , 127.0.0.0/8 [::1]/128 XXX.XXX.XXX.XXX/32

... where "XXX.XXX.XXX.XXX" has to be replaced with YOUR server IP(s).​

From your mail.log:

warning: not set-gid or not owner+group+world executable: /usr/sbin/postdrop

... could be solved with ( logged in as user "root" over SSH ):

postfix set-permissions

service postfix restart

After your changes, pls. consider to send a new eMail and pls. post again your "main.cf" and the "master.cf" ( as attachments ) AND as well the NEW mail.log ( starting from "Jul 3 16:10:04" ).

 

[D4NY]

i set mynetworks line as follow:
mynetworks = 127.0.0.0/8 xx.yy,zzz.www/32

then form ssh root:

postfix set-permissions

/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt

service postfix restart

Redirecting to /bin/systemctl restart postfix.service

 

[D4NY]

still can't send mail via port 25... here is the log

 

[UFHH01]

Hi D4NY,

/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_opt ions=NO_COMPRESSION

To remove this WARNING ( no error - so no issue, but you might like to get rid of these messages in your log! ), pls. consider to REMOVE ( or comment out ) the setting:

tls_ssl_options = NO_COMPRESSION

here is the log

Thank you, but you missed the NEW configuration files, as requested above.

post again your "main.cf" and the "master.cf" ( as attachments )

AND as well the NEW mail.log ( starting from "Jul 3 16:10:04" )

 

[UFHH01]

mynetworks = 127.0.0.0/8 xx.yy,zzz.www/32

... if you set it this way, then you missed the ( correct ) above suggestion!

 

[D4NY]

Here is the main.cf

readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/pki/ns303035.ip-94-23-203.eu.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , 127.0.0.0/8 [::1]/128 XX.XX.XXX.XXX/32
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_dh1024_param_file = /usr/local/psa/etc/dhparams2048.pem
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION

 

[D4NY]

here maillog and master.cf as requested