Discussion:
[SOGo] TB31 Issue with Outgoing Mail . . .
Steve Ankeny
2015-01-19 22:57:30 UTC
I am having trouble sending mail from Thunderbird to outside recipients.

I have no problems receiving mail or sending internally, and I have no
problems sending mail from the SOGo web interface whether inside or
outside the mail domain. I am using a Samba AD with virtual mailboxes.

Thunderbird 31.1.2, SOGo Integrator/Connector 31.0.1

Here are the contents of "postconf -n" . . .

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = sogo.sambaAD.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = virtual.domain.local
virtual_transport = dovecot
virtual_uid_maps = static:5000

I am using Dovecot with virtual domains (/var/vmail/user/)

I am not using SASL (mentioned in "smtpd_relay_restrictions") but I am
using STARTTLS in TB

"ldap_alias.cf" points to users in the Samba AD

Here are the relevant lines in "/var/log/mail.log" . . .

Jan 19 17:27:32 sogo postfix/master[15410]: terminating on signal 15
Jan 19 17:27:32 sogo postfix/master[15601]: daemon started -- version 2.11.0, configuration /etc/postfix
Jan 19 17:27:41 sogo postfix/smtpd[15606]: connect from unknown[192.168.121.179]
Jan 19 17:27:41 sogo postfix/smtpd[15606]: E4E9B2102F: client=unknown[192.168.121.179]
Jan 19 17:27:41 sogo postfix/smtpd[15606]: E4E9B2102F: reject: RCPT from unknown[192.168.121.179]: 454 4.7.1 <***@outsidedomain.net>: Relay access denied; from=<***@sambaAD.com> to=<***@outsidedomain.net> proto=ESMTP helo=<[192.168.121.179]>
Jan 19 17:27:47 sogo postfix/smtpd[15606]: disconnect from unknown[192.168.121.179]

The line that seems incongruent contains "unknown[192.168.121.179]"
which is our Windows Server.

It's as though SOGo can correctly use Postfix to send mail internally or
externally, and SOGo can correctly receive mail, but when I use
Thunderbird, it cannot recognize the Windows Server as an "origin"

Any suggestions would be helpful. Thx.

I am working from
http://www.postfix.org/BASIC_CONFIGURATION_README.html#myorigin
--
***@sogo.nu
https://inverse.ca/sogo/lists
Steve Ankeny
2015-01-20 13:17:41 UTC
I have tested server side and via the SOGo web interface, and I see no
problems with SMTP

The problem is in the connection between Thunderbird and the mail server.

[ see attached image ]

I've deleted the existing exemption certificates from the "old" mail
server (different IP, same name) to eliminate confusion, and I've
accepted a "new" exemption certificate from the "new" mail server.

The "old" server is running with no services active (again, to eliminate
confusion)

I've tried the various SMTP settings in TB -- None, STARTTLS, SSL/TLS

*Should I be using Port 587?* It is not currently active on the mail
server.

I tried setting Port 587 in "inet_listener lmtp" but it required Port 24
(and, that's proper for receiving mail)

*Where would I set Port 587 in Dovecot/Postfix**?* And, would that help?

SOGo Integrator is set to HTTP://ip_address not HTTPS (although it will
work both ways) We will have to set it to HTTPS when we configure
Outlook (once we receive updated "ocsmanager-rpcproxy" packages)

*Should I set it to HTTPS now?* Here's the relevant "mail.log" entries:

(1) using STARTTLS

Jan 20 07:13:08 sogo postfix/smtpd[17495]: connect from unknown[192.168.121.179]

Jan 20 07:13:09 sogo postfix/smtpd[17495]: NOQUEUE: reject: RCPT from unknown[192.168.121.179]: 454 4.7.1 <***@cinergymetro.net>: Relay access denied; from=<***@sambaAD.com> to=<***@cinergymetro.net> proto=ESMTP helo=<[192.168.121.179]>

Jan 20 07:13:14 sogo postfix/smtpd[17495]: disconnect from unknown[192.168.121.179]


(2) using SSL/TLS

Jan 20 07:14:15 sogo postfix/smtpd[17495]: connect from unknown[192.168.121.179]

Jan 20 07:15:05 sogo postfix/smtpd[17495]: lost connection after UNKNOWN from unknown[192.168.121.179]

Jan 20 07:15:05 sogo postfix/smtpd[17495]: disconnect from unknown[192.168.121.179]

Jan 20 07:16:27 sogo dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.168.121.179, lip=192.168.121.149, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<YWN8aBQNEwDAqHmz>


(3) using None

Jan 20 07:17:55 sogo postfix/smtpd[17512]: connect from unknown[192.168.121.179]

Jan 20 07:17:55 sogo postfix/smtpd[17512]: NOQUEUE: reject: RCPT from unknown[192.168.121.179]: 454 4.7.1 <***@cinergymetro.net>: Relay access denied; from=<***@sambaAD.com> to=<***@cinergymetro.net> proto=ESMTP helo=<[192.168.121.179]>

Jan 20 07:17:58 sogo postfix/smtpd[17512]: disconnect from unknown[192.168.121.179]


(4) using STARTTLS Port 587

Jan 20 07:19:28 sogo postfix/smtpd[17512]: connect from unknown[192.168.121.179]

Jan 20 07:19:28 sogo postfix/smtpd[17512]: NOQUEUE: reject: RCPT from unknown[192.168.121.179]: 454 4.7.1 <***@cinergymetro.net>: Relay access denied; from=<***@sambaAD.com> to=<***@cinergymetro.net> proto=ESMTP helo=<[192.168.121.179]>

Jan 20 07:19:34 sogo postfix/smtpd[17512]: disconnect from unknown[192.168.121.179]


NOQUEUE generally signifies SMTP cannot identify the domain as a
legitimate domain, but as we've seen, it works perfectly from the SOGo
web interface, and the domain checks out perfectly with SMTP telnet tools.

It's strictly when trying to connect FROM Thunderbird.

*What am I overlooking?* Thanks for any help/hints any one might have.
Post by Steve Ankeny
I am having trouble sending mail from Thunderbird to outside recipients.
I have no problems receiving mail or sending internally, and I have no
problems sending mail from the SOGo web interface whether inside or
outside the mail domain. I am using a Samba AD with virtual mailboxes.
Thunderbird 31.1.2, SOGo Integrator/Connector 31.0.1
heupink
2015-01-20 13:47:02 UTC
Hi,

You need to enable relay (perhaps authenticated) on your SOGo server,
and configure that in thunderbird.

MJ
Post by Steve Ankeny
I have tested server side and via the SOGo web interface, and I see no
problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
[ see attached image ]
I've deleted the existing exemption certificates from the "old" mail
server (different IP, same name) to eliminate confusion, and I've
accepted a "new" exemption certificate from the "new" mail server.
The "old" server is running with no services active (again, to eliminate
confusion)
I've tried the various SMTP settings in TB -- None, STARTTLS, SSL/TLS
*Should I be using Port 587?* It is not currently active on the mail
server.
I tried setting Port 587 in "inet_listener lmtp" but it required Port 24
(and, that's proper for receiving mail)
*Where would I set Port 587 in Dovecot/Postfix**?* And, would that help?
SOGo Integrator is set to HTTP://ip_address not HTTPS (although it will
work both ways) We will have to set it to HTTPS when we configure
Outlook (once we receive updated "ocsmanager-rpcproxy" packages)
(1) using STARTTLS
Jan 20 07:13:08 sogo postfix/smtpd[17495]: connect from
unknown[192.168.121.179]
Jan 20 07:13:09 sogo postfix/smtpd[17495]: NOQUEUE: reject: RCPT from
Jan 20 07:13:14 sogo postfix/smtpd[17495]: disconnect from
unknown[192.168.121.179]
(2) using SSL/TLS
Jan 20 07:14:15 sogo postfix/smtpd[17495]: connect from
unknown[192.168.121.179]
Jan 20 07:15:05 sogo postfix/smtpd[17495]: lost connection after UNKNOWN
from unknown[192.168.121.179]
Jan 20 07:15:05 sogo postfix/smtpd[17495]: disconnect from
unknown[192.168.121.179]
Jan 20 07:16:27 sogo dovecot: imap-login: Disconnected (no auth attempts
SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca: SSL alert number 48, session=<YWN8aBQNEwDAqHmz>
(3) using None
Jan 20 07:17:55 sogo postfix/smtpd[17512]: connect from
unknown[192.168.121.179]
Jan 20 07:17:55 sogo postfix/smtpd[17512]: NOQUEUE: reject: RCPT from
Jan 20 07:17:58 sogo postfix/smtpd[17512]: disconnect from
unknown[192.168.121.179]
(4) using STARTTLS Port 587
Jan 20 07:19:28 sogo postfix/smtpd[17512]: connect from
unknown[192.168.121.179]
Jan 20 07:19:28 sogo postfix/smtpd[17512]: NOQUEUE: reject: RCPT from
Jan 20 07:19:34 sogo postfix/smtpd[17512]: disconnect from
unknown[192.168.121.179]
NOQUEUE generally signifies SMTP cannot identify the domain as a
legitimate domain, but as we've seen, it works perfectly from the SOGo
web interface, and the domain checks out perfectly with SMTP telnet tools.
It's strictly when trying to connect FROM Thunderbird.
*What am I overlooking?* Thanks for any help/hints any one might have.
Post by Steve Ankeny
I am having trouble sending mail from Thunderbird to outside recipients.
I have no problems receiving mail or sending internally, and I have no
problems sending mail from the SOGo web interface whether inside or
outside the mail domain. I am using a Samba AD with virtual mailboxes.
Thunderbird 31.1.2, SOGo Integrator/Connector 31.0.1
--
***@sogo.nu
https://inverse.ca/sogo/lists
Charles Marcus
2015-01-20 13:50:45 UTC
Post by Steve Ankeny
I've tried the various SMTP settings in TB -- None, STARTTLS, SSL/TLS
*Should I be using Port 587?* It is not currently active on the mail
server.
I tried setting Port 587 in "inet_listener lmtp" but it required Port
24 (and, that's proper for receiving mail)
*Where would I set Port 587 in Dovecot/Postfix**?* And, would that help?
You seem to be confused.

Sending email with Thunderbird has nothing to do with SOGo

Yes, you should be using port 587 with STARTTLS, but this must be
configured in your MTA (postfix), not dovecot.
--
***@sogo.nu
https://inverse.ca/sogo/lists
Alessandro Briosi
2015-01-20 14:01:31 UTC
Post by Steve Ankeny
I have tested server side and via the SOGo web interface, and I see no
problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
Steve,

the problem here is not Sogo. It's postfix/dovecot configuration.

Mail sent from Sogo which is on the same machine is accepted and works
because you have 127.0.0.1 in mynetworks.

You either have to:
check the bits missing/not working in smtp authentication (what are
you using? cyrus_sasl or dovecot?)
or add your networks to mynetworks (192.168.121.0/24) which should be a
comma separated list

In previous mail it seems the following line is wrong
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

it should be comma separated
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

but maybe you want to use:

smtpd_recipient_restrictions and/or smtp_sender_restrictions

3. Dovecot seems to have some troubles with the SSL certificates.

4. Port 587 can be enabled in postfix in master.cf , but this won't fix
your problems.

Hope this helps,
Alessandro
--
***@sogo.nu
https://inverse.ca/sogo/lists
Steve Ankeny
2015-01-20 14:42:11 UTC
comments below . . .
Post by Alessandro Briosi
Post by Steve Ankeny
I have tested server side and via the SOGo web interface, and I see
no problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
Steve,
the problem here is not Sogo. It's postfix/dovecot configuration.
Mail sent from Sogo which is on the same machine is accepted and works
because you have 127.0.0.1 in mynetworks.
check the bits missing/not working in smtp authentication (what are
you using? cyrus_sasl or dovecot?)
or add your networks to mynetworks (192.168.121.0/24) which should be
a comma separated list
I am using Dovecot 2.2.9 . . .

(1) currently --

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

(2) proposed --

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.121.0/24

I'm not sure about the commas, as it was configured this way when I
installed Postfix.

"nmblookup" on the mail server finds the server by name but not IP
(might need to work on reverse DNS)
Post by Alessandro Briosi
In previous mail it seems the following line is wrong
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
it should be comma separated
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions and/or smtp_sender_restrictions
I'm currently looking at the following . . .

http://www.postfix.org/SASL_README.html#server_dovecot

I am using "inet_listener lmtp" port 24 for receipt of mail, so I'm
unsure about the "unix_listener"

One thing that confuses me is "/var/spool/postfix/auth" does not exist

"/var/spool/postfix/private/dovecot" does exist, so why not use that as
the listener?

As for "smtpd_recipient_restrictions" I see it handles SASL authentication

https://wiki.archlinux.org/index.php/PostFix_Howto_With_SASL

I've followed those instructions but it didn't fix the problem (yet)
Post by Alessandro Briosi
3. Dovecot seems to have some troubles with the SSL certificates.
Dovecot is using Port 993 but the only certificates are of the
"snakeoil" variety.

I don't need or want SSL at the IMAP/SMTP level but only at the
Apache/RPC level.
Post by Alessandro Briosi
4. Port 587 can be enabled in postfix in master.cf , but this won't
fix your problems.
I've done that by uncommenting the lines in "master.cf"
Post by Alessandro Briosi
Hope this helps,
Alessandro
--
***@sogo.nu
https://inverse.ca/sogo/lists
Alessandro Briosi
2015-01-20 15:32:42 UTC
Post by Steve Ankeny
comments below . . .
As others have stated, you should get your mail server running first.

Martin gave you a good link
https://workaround.org/ispmail/wheezy

which basically explains a lot about setting up the mail server.

Anyway if it's only for testing or at least to get started, simply avoid
authentication for now.
Add your Network (192.168.121.0/24) to mynetworks and disable
authentication on thunderbird side.

Also if you don't want SSL in SMTP or IMAP (though thunderbird might
complain), simplify and avoid that too.

P.S. Looking at postfix documentation the list can be "white-space or
comma separated list" so either is correct.

Ciao.
Alessandro
--
***@sogo.nu
https://inverse.ca/sogo/lists
Steve Ankeny
2015-01-20 18:28:43 UTC
I settled for the "mynetworks" fix and no authentication on the TB side.

I'll continue implementing SASL authentication in Dovecot because most
of the pieces are already in place. The mail server is working well
with only an "autocreate plugin is deprecated, use mailbox setting" error.
Post by Alessandro Briosi
Post by Steve Ankeny
comments below . . .
As others have stated, you should get your mail server running first.
Martin gave you a good link
https://workaround.org/ispmail/wheezy
which basically explains a lot about setting up the mail server.
Anyway if it's only for testing or at least to get started, simply
avoid authentication for now.
Add your Network (192.168.121.0/24) to mynetworks and disable
authentication on thunderbird side.
Also if you don't want SSL in SMTP or IMAP (though thunderbird might
complain), simplify and avoid that too.
P.S. Looking at postfix documentation the list can be "white-space or
comma separated list" so either is correct.
Ciao.
Alessandro
--
***@sogo.nu
https://inverse.ca/sogo/lists
Steve Ankeny
2015-01-20 15:23:24 UTC
BINGO!

mynetworks = 192.168.121.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

STARTTLS Port 587 No authentication
Post by Alessandro Briosi
Post by Steve Ankeny
I have tested server side and via the SOGo web interface, and I see
no problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
Steve,
the problem here is not Sogo. It's postfix/dovecot configuration.
Mail sent from Sogo which is on the same machine is accepted and works
because you have 127.0.0.1 in mynetworks.
check the bits missing/not working in smtp authentication (what are
you using? cyrus_sasl or dovecot?)
or add your networks to mynetworks (192.168.121.0/24) which should be
a comma separated list
In previous mail it seems the following line is wrong
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
it should be comma separated
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions and/or smtp_sender_restrictions
3. Dovecot seems to have some troubles with the SSL certificates.
4. Port 587 can be enabled in postfix in master.cf , but this won't
fix your problems.
Hope this helps,
Alessandro
--
***@sogo.nu
https://inverse.ca/sogo/lists
Martin Simovic
2015-01-20 16:15:26 UTC
Post by Steve Ankeny
BINGO!
mynetworks = 192.168.121.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
STARTTLS Port 587 No authentication
This will work only from your local network … e.g. if you are connecting to your mail server from internet (road-warrior) you’ll get relay access denied. Working SMTP authentication is what you want.

Regards
Martin.
--
***@sogo.nu
https://inverse.ca/sogo/lists
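
The relay decision discussed in this thread, as an added example (not code from any poster or from Postfix): a simplified Python model of how `smtpd_relay_restrictions` is evaluated against `mynetworks`, using the values posted above. The helper names, the hand-expanded `LOCAL_DOMAINS` set and the outside client address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress
import re

# Values copied from the "postconf -n" output and the "BINGO!" post in this thread.
MYNETWORKS_ORIGINAL = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
MYNETWORKS_WIDENED = "192.168.121.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
RELAY_RESTRICTIONS = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"
# Assumption: mydestination and virtual_mailbox_domains expanded by hand
# ($mydomain taken as myhostname minus its first label), lower-cased.
LOCAL_DOMAINS = {"sogo.sambaad.com", "localhost.sambaad.com", "localhost",
                 "sambaad.com", "virtual.domain.local"}


def split_list(value):
    """Split a Postfix list value on whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def parse_mynetworks(value):
    """Turn a mynetworks value into ipaddress network objects."""
    networks = []
    for item in split_list(value):
        # Postfix writes IPv6 networks as [address]/length; ipaddress wants no brackets.
        bare = item.replace("[", "").replace("]", "")
        networks.append(ipaddress.ip_network(bare, strict=False))
    return networks


def relay_decision(client_ip, rcpt_domain, mynetworks,
                   restrictions=RELAY_RESTRICTIONS,
                   sasl_authenticated=False, local_domains=LOCAL_DOMAINS):
    """Return 'permit', 'defer' or 'dunno' for one RCPT TO (first match wins)."""
    ip = ipaddress.ip_address(client_ip)
    networks = parse_mynetworks(mynetworks)
    for restriction in split_list(restrictions):
        if restriction == "permit_mynetworks":
            if any(ip.version == net.version and ip in net for net in networks):
                return "permit"
        elif restriction == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit"
        elif restriction == "defer_unauth_destination":
            # Logged as "454 4.7.1 ... Relay access denied" when the recipient
            # domain is not one this server is responsible for.
            if rcpt_domain.lower() not in local_domains:
                return "defer"
        else:
            raise ValueError("restriction not modelled: " + restriction)
    return "dunno"  # no decision in this list; later restriction lists are not modelled


if __name__ == "__main__":
    cases = [  # (label, client, recipient domain, mynetworks, authenticated)
        ("SOGo on localhost", "127.0.0.1", "outsidedomain.net", MYNETWORKS_ORIGINAL, False),
        ("Thunderbird on LAN", "192.168.121.179", "outsidedomain.net", MYNETWORKS_ORIGINAL, False),
        ("LAN, local recipient", "192.168.121.179", "sambaAD.com", MYNETWORKS_ORIGINAL, False),
        ("LAN after mynetworks fix", "192.168.121.179", "outsidedomain.net", MYNETWORKS_WIDENED, False),
        ("outside client, no auth", "203.0.113.10", "outsidedomain.net", MYNETWORKS_WIDENED, False),
        ("outside client, SASL", "203.0.113.10", "outsidedomain.net", MYNETWORKS_WIDENED, True),
    ]
    for label, client, domain, nets, authed in cases:
        result = relay_decision(client, domain, nets, sasl_authenticated=authed)
        print(f"{label:26} {client:16} -> {result}")
```

Widening `mynetworks` lets every host in 192.168.121.0/24 relay without credentials, while `permit_sasl_authenticated` ties relaying to an account regardless of source address.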
Steve Ankeny
2015-01-20 18:33:46 UTC
We connect through Remote Desktop Server, so once the person
authenticates through vpn, they login to a Windows 2008R2 Server, and
launch Thunderbird (in essence, everything is inside the local network)

However, I understand your comment. As I said in another e-mail, I will
continue to implement SASL in Dovecot, as I've already configured most
of the pieces, but for now, we'll let the users work as needed.

This is an accounting office, so we need to work through the U.S. tax
season.

We were having calendar issues on the "old" mail server, and we had no
Active Directory, so in the near future, we'll gain some benefit by
having a Samba AD that hosts the mail/calendar server as well.

And, we're up-to-date with Trusty 14.04 and all the current packages for
the other services.

It's been an experience! And, other than the fact I'm confused many
times (and have to read and reread the documentation -- and ask
questions), there's been no "stem-to-stern" documentation, it's done for
now!

The tutorial for 12.04 by Oliver Bitsch was my inspiration, though I
worked from "newer" documentation. Thanks to everyone for their
patience! I try to be specific in my questions so as not to trouble the
list.
Post by Martin Simovic
Post by Steve Ankeny
BINGO!
mynetworks = 192.168.121.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
STARTTLS Port 587 No authentication
This will work only from your local network … e.g. if you are connecting to your mail server from internet (road-warrior) you’ll get relay access denied. Working SMTP authentication is what you want.
Regards
Martin.
--
***@sogo.nu
https://inverse.ca/sogo/lists
Tanstaafl
2015-01-20 18:37:16 UTC
Post by Steve Ankeny
However, I understand your comment. As I said in another e-mail, I will
continue to implement SASL in Dovecot, as I've already configured most
of the pieces, but for now, we'll let the users work as needed.
Which still requires postfix to be fully functional on port 587.
--
***@sogo.nu
https://inverse.ca/sogo/lists
Martin Simovic
2015-01-20 14:23:50 UTC
I have tested server side and via the SOGo web interface, and I see no problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
Hi Steve,

I believe you are asking in wrong mailing list. That is, your problem has nothing to do with SOGo, it has to do with your MTA configuration. You can send emails from SOGo only because it connects to your MTA from localhost.

Nice thing about SOGo is that it plugs into your existing infrastructure and enhances it (adds calendars and contacts support). That means that it expects working mail system BEFORE you even start installing SOGo.

I have read quite a lot of emails from you regarding postfix/dovecot setup that are totally unrelated to SOGO. Maybe it’d help if you started with well configured email server and added SOGo only afterwards. A VERY NICE tutorial can be found here https://workaround.org/ispmail/wheezy good thing about it that it also explains why things work the way they do, and provide deep understanding of what happens when talking about email in general. Mailing list is also available, most of your questions are answered there.

I have adapted above tutorial to SAMBA4/AD setup (original uses mysql as authentication source) and enhanced it in some ways .. I am happy to help should you choose the same way.

Best Regards
Martin.
--
***@sogo.nu
https://inverse.ca/sogo/lists
Steve Ankeny
2015-01-20 14:47:12 UTC
thx, Martin . . .

I used Oliver's documentation here --
http://iabsis.com/EN/article/35-3/Samba4-installation -- and adapted it
to Trusty and newer packages. I used the Installation Guide and Outlook
Configuration manuals to tweak.

Unfortunately, some things were not clearly discussed, and yes, I've
been "cornfused"

The Arch Wiki was very helpful, as were the portions re: Dovecot,
Postfix and LMTP

I'll take a deeper look at the documentation below before proceeding.
Post by Martin Simovic
I have tested server side and via the SOGo web interface, and I see no problems with SMTP
The problem is in the connection between Thunderbird and the mail server.
Hi Steve,
I believe you are asking in wrong mailing list. That is, your problem
has nothing to do with SOGo, it has to do with your MTA configuration.
You can send emails from SOGo only because it connects to your MTA
from localhost.
Nice thing about SOGo is that it plugs into your existing
infrastructure and enhances it (adds calendars and contacts support).
That means that it expects working mail system BEFORE you even start
installing SOGo.
I have read quite a lot of emails from you regarding postfix/dovecot
setup that are totally unrelated to SOGO. Maybe it’d help if you
started with well configured email server and added SOGo only
afterwards. A VERY NICE tutorial can be found here
https://workaround.org/ispmail/wheezy good thing about it that it also
explains why things work the way they do, and provide deep
understanding of what happens when talking about email in general.
Mailing list is also available, most of your questions are answered there.
I have adapted above tutorial to SAMBA4/AD setup (original uses mysql
as authentication source) and enhanced it in some ways .. I am happy
to help should you choose the same way.
Best Regards
Martin.
--
***@sogo.nu
https://inverse.ca/sogo/lists