
Resolved smtp not working after upgrade to onyx

Tempest

New Pleskian
Hi,
I've had an issue with sending mail after onyx upgrade. Or, to be more precise, after trying to have my mail server secured with ssl.

Incoming mail is fine through all channels (webmail, firefox), but for some reason I cannot send anything, as if the smtp is not responding.

The error I get in webmail (roundcube) is:
SMTP Error (535): Authentication failed.

I made sure that the mail certificate I installed is correct, so I bought a separate certificate for mail.mydomain.com (is that how it's supposed to be?).

Any clues?
 
Hi Tempest,

pls. post the output of the example command:
Code:
find /usr/share/psa-roundcube/config -type f -name "defaults.inc.php" -exec grep --color -Hni "smtp_user"  {} \;

If the result is:
Code:
$config['smtp_user'] = '%u';
pls. try a change to :
Code:
$config['smtp_user'] = '';
at "/usr/share/psa-roundcube/config/defaults.inc.php" and retry again, if this setting works on your server. :)
 
and here are the postfix files
 

Attachments

  • mailissue2.jpg
  • mailissue3.jpg
Hi Tempest,

sorry, Tempest, but pls. have a closer look at your postfix-snapshots.... master.cf has 134 missing lines, main.cf has 77 missing lines - people willing to help you can't investigate the issue with you this way. Normally, you would add these two files ( downloaded from your server to your computer ) as attachments in your post, after renaming them to TXT - files. ;)

Screenshots are not the best way, if you would provide information for people willing to help you, consider adding attachments instead and keep in mind, that you could even use a ".zip" - archive, if you have several files, which makes the attachment upload in your posts easier ( you don't have to rename files in *.zip - archives! ).


In addition, you stated
"I've had an issue with sending mail after onyx upgrade. Or, to be more precise, after trying to have my mail server secured with ssl."
Could you pls. tell us, HOW you secured the mail - server ( step-by-step, pls. )?
 
Hi Tempest,

in addition to my above post, pls. have a closer look at "/usr/share/psa-roundcube/config/defaults.inc.php". You might notice, that you have the option to use "tls://" or "ssl://" in front of your default host configuration ( sometimes, it might even be helpful to remove "localhost", depending on your operating system and its mail - server configuration! ).

I would like to help you a bit with the possible options, which could be changed, by pointing out the essential parts from the roundcube - configuration file:

Code:
...

// ----------------------------------
// IMAP
// ----------------------------------

// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = 'localhost';
@include "/etc/psa-webmail/roundcube/mailhosts.php";

// TCP port used for IMAP connections
$config['default_port'] = 143;

// IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null to use
// best server supported one)
$config['imap_auth_type'] = null;

// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
//$config['imap_conn_options'] = array(
//  'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
...
and
Code:
...

// ----------------------------------
// SMTP
// ----------------------------------

// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'localhost';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 25;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
$config['smtp_auth_type'] = '';

// Optional SMTP authentication identifier to be used as authorization proxy
$config['smtp_auth_cid'] = null;

// Optional SMTP authentication password to be used for smtp_auth_cid
$config['smtp_auth_pw'] = null;

// SMTP HELO host
// Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
// Leave this blank and you will get the server variable 'server_name' or
// localhost if that isn't defined.
$config['smtp_helo_host'] = '';

// SMTP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
// Note: There's a known issue where using ssl connection with
// timeout > 0 causes connection errors (https://bugs.php.net/bug.php?id=54511)
$config['smtp_timeout'] = 0;

// SMTP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation, and
// requires 'smtp_timeout' to be non zero.
// $config['smtp_conn_options'] = array(
//   'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
$config['smtp_conn_options'] = null;
...
 
Hi UFHH01,

My apologies, I was rushing too much and overlooked that most of the file was missing.
Here are both files attached.

Regarding the steps to secure the server:
- I can't be certain now, but just after the upgrade, the smtp may have been working fine
- then I tried to select a certificate for the 'Certificate for securing mail' section in Tools&Settings/SSL-TLS Certificates
- then I noticed that smtp isn't working, so then created a subdomain mail.mydomain.com so that I can create a Let's Encrypt certificate for it, then I selected it as the one to secure the server mail
- that still didn't work. I wasn't sure if the Let's Encrypt cert is any good, so to be sure it's not cert's fault (as other threads on the forum suggested) I decided to buy a proper certificate for the mail.domain.com, installed it, selected as the 'Certificate for securing mail.' No change.
- In the meantime, following another forum thread, I ran commands: postconf -e smtpd_tls_security_level=may and postconf -e smtpd_use_tls=no (that's because I also will want to use gmail to send mail, and could never do that with Plesk 12.0)


Tomorrow, I'll look into the /usr/share/psa-roundcube/config/defaults.inc.php configuration you kindly suggested.
 

Attachments

  • main.txt
  • master.txt
Hi Tempest,

first... the good news: Your certificate is valid and could be used for the domain "tuina.scot" on your server.
But ( !!! ), there is NO NEED to actually buy a certificate by now, because these certificates are not better than any of the Let's Encrypt - certificates. Plesk will even update/upgrade the "Plesk Let's Encrypt Extension" very soon, which should make it easier to create/manage certificates for "mail.YOUR-DOMAIN.COM" and "webmail.YOUR-DOMAIN.COM".


Now, the results of my investigations for you:

At the moment, there is NO SPF - entry, no DKIM and no DMARC - entry on your nameserver for the domain "tuina.scot". This might and will cause issues with several corresponding mail - servers.
=> Pls. check your nameservers from your domain registrar and add missing entries that you see over your Plesk Control Panel for your domain. Consider using the SEARCH options at this forum, to inform yourself about these entries.
Your main.cf contains the following settings, which should be corrected:

Code:
mynetworks =
which should be:
Code:
mynetworks = , 127.0.0.0/8 [::1]/128 151.80.151.185/32



Code:
smtpd_tls_auth_only = yes
which should be:
Code:
smtpd_tls_auth_only = no



Code:
smtpd_sasl_security_options = noplaintext
which should be:
Code:
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous



Code:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
which should be:
Code:
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
Thank you UFHH01!

That's amazing, a lot of effort you've made, thank you so much!
Also good news about the Let's Encrypt.

Now, I've updated my missing DNS records with what my plesk indicated, and implemented your suggestions to the file (however, I think you meant main.cf rather than master.cf - I couldn't find these in 'master', but did so in 'main').

The result is that I am now able to send from webmail/roundcube, but still no joy via other channels (thunderbird, mobile, adding account to gmail). I'll keep trying different combinations of ports, encryption, password types, but so far, most mail clients have trouble logging in to the mail server.
 
"(however, I think you meant main.cf rather than master.cf - I couldn't find these in 'master', but did so in 'main')"
sorry... you are correct. I updated/edited my previous post. :)

"The result is that I am now able to send from webmail/roundcube, but still no joy via other channels (thunderbird, mobile, adding account to gmail). I'll keep trying different combinations of ports, encryption, password types, but so far, most mail clients have trouble logging in to the mail server."
Pls. consider to investigate issues/errors/problems always with the help of your log - files and if you need help with that, pls. attach the ( new ) configuration files and the corresponding log - files, so people willing to help you don't have to guess! ;)
 
Oki doki, I get that! Here are the current files, and screenshots of the maillog (I downloaded the maillog file but couldn't read it so I made the screenshots).

Thank you for your patience!
 

Attachments

  • main.txt
  • master.txt
  • maillog1.jpg
  • maillog2.jpg
  • maillog3.jpg
Hi Tempest,

your previous setting ( smtpd_sasl_security_options = noplaintext ), which I included, when I suggested some additional modifications to your "main.cf", is now interfering, as you can see in your log files ( pls. for further investigations, DON'T use screenshots for log - files, especially, when you are going to split them into pieces. It makes investigations more complicated and confusing and it's just not possible to "copy&paste" - log - file entries, to point out to issues/errors/problems, or to quote them! ), as you can see in error - messages, including => "Error: authentication failed: encryption needed to use mechanism"

Current setting:
Code:
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
Pls. change to:
Code:
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
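
Added example, not part of the thread and not Plesk or Postfix code: a Python check that reads the smtpd_* lines quoted at each of the three stages above and reports whether the Postfix SMTP server accepts SASL AUTH, and the password mechanisms PLAIN/LOGIN, with and without TLS. It assumes smtpd_sasl_auth_enable = yes and Postfix defaults for every parameter not quoted in the thread; STAGES, parse_main_cf, options and auth_exposure are names made up for the example.

```python
import re

# Constructed inputs: only the main.cf lines quoted in the thread, at its three stages.
# Assumption: smtpd_sasl_auth_enable = yes; parameters not quoted keep Postfix defaults.
STAGES = {
    "before": "smtpd_tls_auth_only = yes\n"
              "smtpd_sasl_security_options = noplaintext\n",
    "first_change": "smtpd_tls_auth_only = no\n"
                    "smtpd_sasl_security_options = noanonymous, noplaintext\n"
                    "smtpd_sasl_tls_security_options = noanonymous\n",
    "second_change": "smtpd_tls_auth_only = no\n"
                     "smtpd_sasl_security_options = noanonymous\n"
                     "smtpd_sasl_tls_security_options = noanonymous\n",
}

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last assignment wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:       # continuation of the previous value
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def options(value):
    """Split a comma/space separated option list into a set."""
    return {opt for opt in re.split(r"[,\s]+", value) if opt}

def auth_exposure(text):
    """Report which session types accept AUTH and PLAIN/LOGIN passwords."""
    p = parse_main_cf(text)
    tls_only = p.get("smtpd_tls_auth_only", "no").lower() == "yes"
    clear = p.get("smtpd_sasl_security_options", "noanonymous")
    tls = p.get("smtpd_sasl_tls_security_options", "$smtpd_sasl_security_options")
    if tls == "$smtpd_sasl_security_options":   # Postfix default: inherit
        tls = clear
    return {
        "auth_without_tls": not tls_only,
        "plaintext_without_tls": not tls_only and "noplaintext" not in options(clear),
        "plaintext_with_tls": "noplaintext" not in options(tls),
    }

if __name__ == "__main__":
    for stage, text in STAGES.items():
        print(stage, auth_exposure(text))
```

For the last stage it returns True for plaintext_without_tls, meaning PLAIN and LOGIN credentials are accepted on sessions that have not negotiated TLS.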
 
Thank you for the advice.
I have changed the record, but not much change can be noticed, I'm afraid. Is there another angle of approach?
 

Attachments

  • maillog1.txt
  • main.txt
  • master.txt
Hi Tempest,

pls. notice the different error - messages now, as for example:

Code:
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: connect from mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: SASL authentication failure: Password verification failed
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]: SASL PLAIN authentication failed: generic failure
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: lost connection after AUTH from mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: disconnect from mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]


Pls. READ and follow:

=> SMTP authentication is not working in Postfix: SASL authentication failure: cannot connect to saslauthd server ( Plesk KB - article 213413769 )
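
Added example, not part of the thread: a Python triage of postfix/smtpd log lines that groups them per smtpd process and labels each failed AUTH session with its most specific cause, so that a broken SASL backend is not mistaken for rejected credentials. Session 10470 is the excerpt quoted above; session 10502, its host name and address are constructed around the "encryption needed to use mechanism" message quoted earlier in the thread, and the names SAMPLE, CAUSES and triage are made up for the example.

```python
import re

# Session 10470 is the excerpt quoted in the thread; session 10502 is constructed
# for this example around the earlier "encryption needed" message.
SAMPLE = """\
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: connect from mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: SASL authentication failure: Password verification failed
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: warning: mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]: SASL PLAIN authentication failed: generic failure
Mar 14 14:18:14 vps157857 postfix/smtpd[10470]: disconnect from mail-vk0-x22d.google.com[2607:f8b0:400c:c05::22d]
Mar 14 14:25:31 vps157857 postfix/smtpd[10502]: connect from client.example[192.0.2.10]
Mar 14 14:25:31 vps157857 postfix/smtpd[10502]: warning: client.example[192.0.2.10]: SASL LOGIN authentication failed: encryption needed to use mechanism
Mar 14 14:25:31 vps157857 postfix/smtpd[10502]: disconnect from client.example[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$", re.M)
PEER = re.compile(r"connect from \S+?\[([0-9A-Fa-f:.]+)\]")
MECH = re.compile(r"SASL (\S+) authentication failed")
# Most specific cause first: a session gets the first label whose text it contains.
CAUSES = [
    ("cannot connect to saslauthd server", "server: SASL backend unreachable"),
    ("encryption needed to use mechanism", "policy: mechanism refused without TLS"),
    ("authentication failed", "other: authentication failed"),
]

def triage(log_text):
    """Return one dict per smtpd session that logged a SASL failure."""
    sessions, live = [], {}
    for pid, msg in SMTPD.findall(log_text):
        peer = PEER.match(msg)
        if peer:                                   # new session for this smtpd pid
            live[pid] = {"pid": pid, "ip": peer.group(1), "mech": None, "msgs": []}
            sessions.append(live[pid])
        elif msg.startswith("disconnect from"):
            live.pop(pid, None)
        elif pid in live:
            live[pid]["msgs"].append(msg)
            mech = MECH.search(msg)
            if mech:
                live[pid]["mech"] = mech.group(1)
    for s in sessions:
        text = " | ".join(s.pop("msgs"))
        s["cause"] = next((label for key, label in CAUSES if key in text), None)
    return [s for s in sessions if s["cause"]]

print(*triage(SAMPLE), sep="\n")
```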
 
You're a star UFHH01! It's all hunky-dory now! yeeaay! Thank you!

I followed the thread, although step 3 wasn't necessary - the autoinstaller must have removed the files itself.
 
Hi Tempest,

as a final step, pls. compare now your current main.cf and master.cf with the ones you created a backup for and add ( possible ) missing entries from your backups and modify the configuration files to YOUR needs. ;)
 