
Issue Webmail not working after switch from qmail to postfix

Linulex

Hi all,

I am testing a switch from qmail to postfix but have a few problems. Some are fixed, others baffle me.

The newest is that webmail doesn't want to send to external addresses.

Mail settings in Plesk are:
- smtp closed
- send from ip and use domainname in smtp
- 127.0.0.1/8 and ::1/128 are added to whitelist
I tried adding the server's IP address to the whitelist, but that doesn't work either
- no firewall is active on the server

No logging scripts, no extra milters, nothing added, a default postfix setup.

I can send to the email itself (internal). That's due to whitelisting localhost; when not whitelisted I can't send internal either.
I cannot send to an external email address.

It looks like both webmails don't authenticate.

The errors are:

Roundcube:
SMTP Error (250): Authentication failed.

The log doesn't help either, all it says is:

Code:
Nov 26 13:45:57 kvmtest242 postfix/smtpd[1882]: connect from localhost[127.0.0.1]
Nov 26 13:45:57 kvmtest242 postfix/smtpd[1882]: disconnect from localhost[127.0.0.1]

Horde:
2016-11-26T14:12:31+01:00 ERR: HORDE [imp] Could not open secure TLS connection to the server. <[email protected]>: Relay access denied [pid 3240 on line 1160 of "/usr/share/psa-horde/imp/lib/Compose.php"]


Here the log gives a bit more information, but nothing helpful. I know relaying is denied, I need to know why:
Code:
Nov 26 14:02:28 kvmtest242 postfix/smtpd[3003]: connect from localhost[127.0.0.1]
Nov 26 14:02:28 kvmtest242 postfix/smtpd[3003]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<kvmtest242.linulex.net>
Nov 26 14:02:28 kvmtest242 postfix/smtpd[3003]: disconnect from localhost[127.0.0.1]
Nov 26 14:02:28 kvmtest242 /usr/lib64/plesk-9.0/psa-pc-remote[848]: Message aborted.

Sending via Thunderbird via the submission ports works fine to both an internal and external email address.

regards
Jan
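
An added example, not part of the original post: a log triage helper for the two patterns quoted above, a loopback session that connects and disconnects with nothing in between (the Roundcube case) and a loopback RCPT rejected with "Relay access denied" (the Horde case). The function names, host name and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a Postfix maillog (file or stdin)
# and reports smtpd sessions whose client is the local host:
#   EMPTY   connect followed directly by disconnect, nothing logged in between
#   DENIED  a RCPT rejected with "Relay access denied"

loopback_smtpd_report() {
    awk '
    function is_loopback(a) { return a ~ /^127\./ || a == "::1" }
    function bracketed(s) {            # "name[addr]..." -> "addr"
        s = substr(s, index(s, "[") + 1)
        return substr(s, 1, index(s, "]") - 1)
    }
    $5 !~ /^postfix\/smtpd\[[0-9]+\]:$/ { next }    # only smtpd lines
    { pid = $5; when = $1 " " $2 " " $3 }           # sessions are keyed by smtpd[pid]
    $6 == "connect" && $7 == "from" { addr[pid] = bracketed($8); events[pid] = 0; next }
    $6 == "disconnect" && $7 == "from" {
        if (is_loopback(addr[pid]) && events[pid] == 0)
            printf "EMPTY  %s client=%s\n", when, addr[pid]
        delete addr[pid]; delete events[pid]; next
    }
    { events[pid]++ }                                # any other line counts as activity
    /NOQUEUE: reject: RCPT from / && /Relay access denied/ {
        client = $0; sub(/^.*RCPT from /, "", client); client = bracketed(client)
        if (!is_loopback(client)) next
        from = to = "?"
        if (match($0, /from=<[^>]*>/)) from = substr($0, RSTART, RLENGTH)
        if (match($0, / to=<[^>]*>/))  to = substr($0, RSTART + 1, RLENGTH - 1)
        printf "DENIED %s client=%s %s %s\n", when, client, from, to
    }
    ' "${1:--}"
}

sample_maillog() {   # constructed lines in the same syslog format as the post
    cat <<'EOF'
Nov 26 13:45:57 host1 postfix/smtpd[1882]: connect from localhost[127.0.0.1]
Nov 26 13:45:57 host1 postfix/smtpd[1882]: disconnect from localhost[127.0.0.1]
Nov 26 14:02:28 host1 postfix/smtpd[3003]: connect from localhost[127.0.0.1]
Nov 26 14:02:28 host1 postfix/smtpd[3003]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 454 4.7.1 <bob@example.net>: Relay access denied; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<host1.example.com>
Nov 26 14:02:28 host1 postfix/smtpd[3003]: disconnect from localhost[127.0.0.1]
Nov 26 14:05:10 host1 postfix/smtpd[3010]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <x@example.org>: Relay access denied; from=<y@example.org> to=<x@example.org> proto=ESMTP helo=<mail.example.org>
EOF
}

sample_maillog | loopback_smtpd_report
```

A DENIED line for a loopback client means Postfix treated that session as neither a trusted network nor a SASL-authenticated sender, which narrows the search to `mynetworks` and the SASL settings of the service listening on that port.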
 
Hi Linulex,

I know relaying is denied, I need to know why
Actually, you don't state whether you changed the SMTP port "25" in the corresponding webmail configuration files to your submission port "587" when you closed port 25, as stated:
- smtp closed


Example searches:
Code:
find /etc/psa-webmail -type f -name "*.*" -exec grep --color -Hni "smtp_port"  {} \;

/etc/psa-webmail/horde/horde/php.ini:122:smtp_port = 25
/etc/psa-webmail/roundcube/php.ini:125:smtp_port = 25

Code:
find /etc/psa-webmail -type f -name "*.*" -exec grep --color -Hni "= 25"  {} \;

/etc/psa-webmail/horde/horde/php.ini:122:smtp_port = 25
/etc/psa-webmail/horde/horde/conf.php:104:$conf['mailer']['params']['port'] = 25;
/etc/psa-webmail/roundcube/php.ini:125:smtp_port = 25
 
Actually, you don't state whether you changed the SMTP port "25" in the corresponding webmail configuration files to your submission port "587" when you closed port 25, as stated:

No, I didn't change that, I don't understand why I should be doing that? That doesn't make sense.
If I don't allow sending email and close submission also, then webmail would not work.

I didn't change it when I was using qmail and webmail worked fine.

plesk 12.5.30 qmail
smtp closed, submission open

> find /etc/psa-webmail -type f -name "*.*" -exec grep --color -Hni "= 25" {} \;
/etc/psa-webmail/horde/horde/conf.php:103:$conf['mailer']['params']['port'] = 25;

plesk 17.0.7 postfix
smtp closed, submission open

> find /etc/psa-webmail -type f -name "*.*" -exec grep --color -Hni "= 25" {} \;
/etc/psa-webmail/horde/horde/conf.php:104:$conf['mailer']['params']['port'] = 25;

In qmail and Plesk 12.5 it works, in Plesk 17, postfix, it doesn't.

This server was upgraded from 12.5.30 to 17.0.7 and after that qmail was changed to postfix.
Before changing the MTA, webmail was working.
It seems that some things are not correctly upgraded and/or changed when changing MTA.

regards
Jan
 
Hi Linulex,

No, I didn't change that, I don't understand why I should be doing that? That doesn't make sense.
oki... let me re-question then, HOW are you going to authenticate, when you closed port "25" and don't provide an alternative port in configuration files for webmail?

Could you pls. explain, which steps you applied, to reach the goal "smtp closed" and "submission open"?
 
oki... let me re-question then, HOW are you going to authenticate, when you closed port "25" and don't provide an alternative port in configuration files for webmail?

The same way webmail worked in 12.5.30 with qmail I guess, and like any other PHP script on the server that sends mail; that's why 127.0.0.0/8 is in the whitelist.
So I re-question also: if I close 587 also, how would webmail work then?

I tested this by closing the submission port on a Plesk 12.5 and webmail still worked fine. The only difference is that the 12.5.30 has qmail and the 17.0.7 has postfix, not originally installed, (upgraded/changed) from qmail. mchk was run after the change, because nothing worked. I am starting to think changing the MTA isn't a good idea.

Could you pls. explain, which steps you applied, to reach the goal "smtp closed" and "submission open"?

Tools & Settings --> Mail Server Settings
Enable SMTP service on port 587 on all IP addresses = on
Relaying = closed
same as in plesk 12.5.30 and qmail, and webmail worked fine there.

This VPS is originally a 12.5.30 and I tested the upgrade to 17.0.7 first before I started testing the postfix change. With all the problems I see here on the forum, and considering that Plesk has a track record of x.0 versions not being the best ones, upgrading might have to wait a bit.
I am thinking of restoring 12.5.30 and starting to test the postfix change in that version.

to be continued ....

regards
Jan
 
Hi Linulex,

maybe you are interested in reading:

Quoted from : => /usr/share/psa-roundcube/config/defaults.inc.php
...
// ----------------------------------
// SMTP
// ----------------------------------

// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'localhost';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 25;
...


Quoted from : => /etc/psa-webmail/horde/horde/conf.php
...
// send email with authorization on SMTP server
$conf['mailer']['params']['host'] = 'localhost';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['auth'] = true;
$conf['mailer']['type'] = 'smtp';
...


AND the KB - article:

 
hi UFHH01

I know these config snippets, I have compared them between 12.5.30 qmail and 17.0.7 postfix. As I said: it worked in 12.5.30/qmail. I have yet to figure out if it's the change to postfix, or the way Plesk configures postfix differently in 17 than in 12.

I know that article, we have a few providers that close port 25 in Belgium and Holland. You're in Germany, so you know that T-Mobile also closes it. Well, not completely, you can only send mail through port 25 with a @t-mobile.nl address, not another. At least, that's how T-Mob works in Holland, I presume Germany is the same, don't shoot me if I'm wrong.

This is the reason why we opened port 587 in the first place all those years ago.
That article isn't historically correct by suggesting just any port like 10025 and so. Port 25 was never intended to be the port to do communication between mail client and mail server. That was/is submission port 587 https://www.ietf.org/rfc/rfc6409.txt .
Port 25 was always intended to be the port for communication between mail servers. But those are internet history semantics that are long overruled by the de facto facts that became a de facto standard.

I know the RFC is from 2011 and the article from 2009, but last edited in 2016, so it should have been corrected.

Anyway, I am restoring the VPS as we speak (as I type, to be correct) to 12.5 and will update postfix there. The change to postfix only has 2 reasons:
- get rid of SSLv3 at port 587
- maybe use the clamav milter

SSLv3 is the only thing I can't resolve when using qmail. Using clamav is simple, we have done that already for more than 10 years now: just stick assp at the smtp port. I was going to use that again in postfix anyway because it has a lot of features Plesk doesn't offer.

We change smtp to 125 in /etc/services and assp listens on 25 and forwards the mail to INBOUND:125

regards
Jan
 
Hi Linulex,

At least, that's how T-Mob works in Holland, I presume Germany is the same, don't shoot me if I'm wrong.
You won't get shot... it IS the same. :D

That article isn't historically correct by suggesting just any port like 10025 and so
I assume that they chose this specific port, because "amavisd" for example uses this port as standard content filter port, but I might be completely wrong here.

I know the RFC is from 2011 and the article from 2009, but last edited in 2016, so it should have been corrected.
If you use the "Feedback form" at the bottom of each KB - article, you are able to inform the Plesk-Team about the discrepancies - they "normally" change/edit/modify KB - articles, when they agree that an update is needed. :)


It would be nice, if you keep this thread up-to-date with your testings and modifications, so that we are all able to learn from them. :)
 
It would be nice, if you keep this thread up-to-date with your testings and modifications, so that we are all able to learn from them.

I am sad to say I am correct.

I reverted the VPS back to 12.5.30 / qmail and it all worked again.

- 128.0.0.0/8 in the whitelist
- webmail sends to an off-server email address

So it is the way Plesk configures webmail/or/qmail/postfix on 17.0.

I'll update qmail to postfix tomorrow and start testing from there.

I would be happy to give you a login so you can test yourself if you like.

regards
Jan
 
After some more testing, I can now replicate the error and know what causes it.

I know this is the Onyx forum, I'll update and test again in Onyx later today. These tests were done in Plesk 12.5.30. But I don't believe the whole postfix logic was re-written, so I have a strong feeling it will be the same in Onyx.

The setup:
centos 6.x latest
qmail changed to postfix
sending mail with roundcube to an off-server email address
127.0.0.1 and ::1 are in the whitelist.
smtp = closed
submission = opened
webmail config is not changed

After the change from qmail to postfix, mchk must be run or nothing works. No problem with that, seems reasonable.

/usr/local/psa/admin/sbin/mchk --with-spam

Sending mail via webmail works.

After changing something via the Tools & Settings --> Mail Server Settings page, the webmail starts giving authentication errors. You don't even have to actually change anything, just opening the page and saving (clicking OK) is enough to break webmail.

Running mchk again will fix webmail. Mails can be sent to any off-server email address again without errors.

Conclusion: it is something done by the Mail Server Settings page in Plesk. Saving changes something, and that something is set right by mchk.

regards
Jan
 
I have tested Onyx now and it's the same and it's pretty easily repeatable:

Same setup, same server (updated to Onyx)

Sending mail via webmail works.

Changing something via the "Mail Server Settings" page or just opening the page and saving (clicking OK) breaks webmail.
Webmail can't/won't send to an off-server email address and gives an authentication error.

Running mchk will fix the webmail. Mails can be sent to any off-server email address again without errors.

regards
Jan
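
An added example, not part of the thread: one way to find the "something" that saving the settings page changes and mchk restores is to snapshot the effective Postfix parameters in both states and compare them. The snapshot contents in the demo are constructed to exercise the function and are not a statement of what Plesk actually writes; file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two saved `postconf -n`
# snapshots ("name = value" per line) and lists every parameter that differs.
# On the server the snapshots would be taken like this:
#   postconf -n > /root/pc.working   # right after mchk, webmail sends fine
#   postconf -n > /root/pc.broken    # after clicking OK on Mail Server Settings

postconf_diff() {
    # $1 = snapshot while webmail works, $2 = snapshot after it breaks
    awk '
    $2 != "=" { next }                        # skip anything that is not name = value
    { name = $1; value = $0; sub(/^[^=]*= ?/, "", value) }
    src == "before" { before[name] = value; next }
    {
        seen[name] = 1
        if (!(name in before))
            printf "ADDED   %s = [%s]\n", name, value
        else if (before[name] != value)
            printf "CHANGED %s: [%s] -> [%s]\n", name, before[name], value
    }
    END {
        for (name in before)
            if (!(name in seen)) printf "REMOVED %s = [%s]\n", name, before[name]
    }
    ' src=before "$1" src=after "$2" | LC_ALL=C sort
}

postconf_diff_demo() {   # constructed snapshots, NOT real Plesk output
    d=$(mktemp -d) || return 1
    printf '%s\n' 'mynetworks = 127.0.0.0/8 [::1]/128' \
        'smtpd_sasl_auth_enable = yes' \
        'smtpd_tls_security_level = may' > "$d/working"
    printf '%s\n' 'mynetworks =' \
        'smtpd_sasl_auth_enable = yes' \
        'smtpd_client_restrictions = permit_mynetworks' > "$d/broken"
    postconf_diff "$d/working" "$d/broken"
    rm -rf "$d"
}

postconf_diff_demo
```

`postconf -n` only reports main.cf, so per-service overrides in /etc/postfix/master.cf need a saved copy from each state and a plain `diff -u` between them.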
 