How to receive external emails on email server
So far I have an email server set up using postfix / dovecot on a raspberry pi (debian). I can send emails externally and internally no problem however can only receive emails from within my server.
I think it is because I have everything setup for TLS but do not have a valid certificate yet for my server however in order to get a valid certificate, I need a valid email address for my server (admin@myserver.com). Kind of a loop I am stuck in if I need an email address for the cert and require a cert for the email address!
For this reason, how can I temporarily allow my server to accept connections and emails NOT requiring TLS (essentially no security until I get my cert)? Is this the right way to go at it? Perhaps I am in left field, but all I am trying for is to receive emails....
Here is my setup below:
My main.cf file:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_CAfile = /etc/postfix/ssl/caroot.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = finendale.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, finendale.com, localhost.finendale.com
smtp_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
relayhost = [relay.dynu.com]:2525
smtp_generic_maps = hash:/etc/postfix/generic
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_help_hostname
    check_helo_access hash:/etc/postfix/helo_access
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = yes
home_mailbox = Maildir/
My master.cf file:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
2525 inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
email debian raspberry-pi postfix dovecot
edited Dec 10 at 19:46
asked Dec 10 at 19:30
Eric F
1 Answer
> I think it is because I have everything setup for TLS but do not have a valid certificate yet
You should first check Postfix logs – and your firewall logs – to make sure that actually is the problem.
> For this reason, how can I temporarily allow my server to accept connections and emails NOT requiring TLS (essentially no security until I get my cert)?
That depends on how Dynu delivers mail to you. Note that according to your diagram and DNS records, your server is not supposed to receive any direct connections from mail senders, only from the Dynu relay.
Your diagram says that you've configured Dynu to relay mail to your server on port 465. Because it's a TLS-only port, you must first check the configuration at Dynu to not expect a valid certificate. Depending on what options it offers, either configure the Dynu service to accept invalid certificates (which you already have), or to relay mail on a different port (port 2525 is non-TLS in your configuration).
If Dynu is configured to deliver mail to port 465 on your server, the existing self-signed certificate should work well enough to speak TLS.
If Dynu is configured to deliver mail to port 2525 on your server, remove the "require TLS" parameters that you've added, specifically smtpd_use_tls. Actually, it should not be set globally in the first place – different ports have different requirements on whether to enforce TLS. (Note how the 'submission' and 'smtps' services already have -o option lines to enforce TLS per port.)
Note that the certificate's name needs to match the actual (sub)domain that other SMTP clients are connecting to – it is not compared against the @domain in your email address. It is fine if both are identical in your case, but for most people's domains they aren't.
In direct delivery, the certificate would need to match the name in MX records. For example, if you had MX 0 mail.finendale.com., you would need a cert for "mail.finendale.com".
But because you're only receiving mail via the Dynu relay, the certificate needs to match whatever hostname is entered within Dynu's configuration.
> Here is my setup below
The port labels in the diagram don't make sense. Your domain doesn't receive mail on any port nor forward it on any other port. The MX records on finendale.com instead tell senders to directly deliver inbound mail to mx1.dynu.com port 25.
Thanks for the detailed response. So I have hashed out smtpd_use_tls and redirected dynu to 2525 (temporarily). Viewing mail.log shows mx1.dynu.com connects then disconnects, without any errors this time (better than before) but I don't see any emails pop up in the folders I set up. If it just shows "connect" then "disconnect" does that mean that postfix did its job? If so then what else could be stopping the mail from reaching its folders?
– Eric F
Dec 10 at 21:00
If Postfix does not log a queue entry, then there was no message sent. In this case it's more likely something specific to how Dynu performs relaying.
– grawity
Dec 10 at 21:42
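The log check discussed in the comments above (a connect/disconnect pair with no queue entry means no message was handed over), as an added example that is not part of the original thread. It groups mail.log lines into smtpd sessions and labels each one; the sample log lines, host name, PIDs, queue ID and addresses are constructed, and the verdict names are this example's own.

```python
import re

# Constructed sample in the syslog format Postfix writes to mail.log. The host
# name "pi", PIDs, queue ID, 203.0.113.10 and example.* addresses are made up.
SAMPLE_LOG = """\
Dec 10 20:55:01 pi postfix/smtpd[1201]: connect from mx1.dynu.com[203.0.113.10]
Dec 10 20:55:01 pi postfix/smtpd[1201]: disconnect from mx1.dynu.com[203.0.113.10] ehlo=1 quit=1 commands=2
Dec 10 20:58:12 pi postfix/smtpd[1207]: connect from mx1.dynu.com[203.0.113.10]
Dec 10 20:58:12 pi postfix/smtpd[1207]: NOQUEUE: reject: RCPT from mx1.dynu.com[203.0.113.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<a@example.org> to=<user@example.net> proto=ESMTP helo=<mx1.dynu.com>
Dec 10 20:58:13 pi postfix/smtpd[1207]: disconnect from mx1.dynu.com[203.0.113.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Dec 10 21:03:40 pi postfix/smtpd[1215]: connect from mx1.dynu.com[203.0.113.10]
Dec 10 21:03:40 pi postfix/smtpd[1215]: 4B1F2A03C9: client=mx1.dynu.com[203.0.113.10]
Dec 10 21:03:41 pi postfix/cleanup[1217]: 4B1F2A03C9: message-id=<abc@example.org>
Dec 10 21:03:41 pi postfix/qmgr[812]: 4B1F2A03C9: from=<a@example.org>, size=1024, nrcpt=1 (queue active)
Dec 10 21:03:41 pi postfix/local[1218]: 4B1F2A03C9: to=<admin@finendale.com>, relay=local, delay=0.5, delays=0.3/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Dec 10 21:03:41 pi postfix/smtpd[1215]: disconnect from mx1.dynu.com[203.0.113.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# "postfix/smtpd[pid]" or, with syslog_name set, "postfix/smtps/smtpd[pid]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"
    r"postfix(?:/[\w-]+)*/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
QUEUED_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{6,}): client=")
REJECT_RE = re.compile(r"^NOQUEUE: reject: \w+ from \S+: (?P<reply>\d{3} [^;]*);")
STATUS_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]{6,}): to=<(?P<rcpt>[^>]*)>.*\bstatus=(?P<status>\w+)")


def parse_sessions(log_text):
    """Group log lines into smtpd sessions, one per "connect from" line."""
    open_by_pid = {}  # smtpd PID -> session in progress (a PID serves one client at a time)
    by_qid = {}       # queue ID -> session that opened the queue file
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if m.group("proc") == "smtpd":
            c = CONNECT_RE.match(msg)
            if c:
                s = {"start": m.group("ts"), "client": c.group("client"),
                     "queue_ids": [], "rejects": [], "deliveries": []}
                open_by_pid[pid] = s
                sessions.append(s)
                continue
            s = open_by_pid.get(pid)
            if s is None:
                continue  # session began before this log excerpt
            q, r = QUEUED_RE.match(msg), REJECT_RE.match(msg)
            if q:
                s["queue_ids"].append(q.group("qid"))
                by_qid[q.group("qid")] = s
            elif r:
                s["rejects"].append(r.group("reply"))
            elif msg.startswith("disconnect from"):
                del open_by_pid[pid]  # the PID may be reused for the next client
        else:
            # Delivery agents (local, virtual, smtp, ...) log the final status.
            d = STATUS_RE.match(msg)
            if d and d.group("qid") in by_qid:
                by_qid[d.group("qid")]["deliveries"].append(
                    (d.group("qid"), d.group("rcpt"), d.group("status")))
    return sessions


def classify(session):
    """queued: a queue ID was logged; rejected: only NOQUEUE rejects; else no-message."""
    if session["queue_ids"]:
        return "queued"
    if session["rejects"]:
        return "rejected"
    return "no-message"


def summarize(log_text):
    """Return (start, client, verdict, detail) for every session in the log."""
    rows = []
    for s in parse_sessions(log_text):
        verdict = classify(s)
        if verdict == "queued":
            detail = ("; ".join("%s to=%s status=%s" % d for d in s["deliveries"])
                      or "queued as " + ", ".join(s["queue_ids"]))
        elif verdict == "rejected":
            detail = "; ".join(s["rejects"])
        else:
            detail = "no queue ID and no reject logged"
        rows.append((s["start"], s["client"], verdict, detail))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(" | ".join(row))
```

A "no-message" row is the case from the comment thread: the relay connected and left, and Postfix was never given anything to deliver, so the next place to look is the relay's side.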
edited Dec 10 at 20:30
answered Dec 10 at 20:24
grawity
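To see which TLS policy each listener ends up with once the global main.cf setting and the per-port -o overrides in master.cf are combined, here is an added audit sketch (not code from the answer or from Postfix). The sample files are constructed, the function names are assumptions, and only the simple "-o name=value" form is parsed; the mapping follows the documented meaning of smtpd_tls_security_level, smtpd_use_tls, smtpd_enforce_tls and smtpd_tls_wrappermode.

```python
# Constructed sample files for illustration; not the poster's actual configuration.
MAIN_CF = "smtpd_use_tls = yes\n"
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
2525       inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=none
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
pickup     unix  n  -  y  60 1  pickup
"""

def parse_main_cf(text):
    """Return {name: value} for simple 'name = value' lines in main.cf."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line[:1].isspace() and not line.startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def effective_level(params):
    """Map smtpd TLS parameters to the policy applied on one listener."""
    if params.get("smtpd_tls_wrappermode") == "yes":
        return "implicit TLS"          # TLS from the first byte, no STARTTLS
    level = params.get("smtpd_tls_security_level", "")
    if level:                          # takes precedence over the legacy booleans
        return level
    if params.get("smtpd_enforce_tls") == "yes":
        return "encrypt"
    return "may" if params.get("smtpd_use_tls") == "yes" else "none"

def tls_policy_by_service(main_cf, master_cf):
    """Return {service: effective TLS policy} for every smtpd listener."""
    base, result = parse_main_cf(main_cf), {}
    for entry in logical_lines(master_cf):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue                   # not an smtpd service (e.g. pickup)
        params, args = dict(base), fields[8:]
        for flag, value in zip(args, args[1:]):   # simple "-o name=value" only
            if flag == "-o" and "=" in value:
                name, val = value.split("=", 1)
                params[name] = val
        result[fields[0]] = effective_level(params)
    return result
```

Calling tls_policy_by_service(MAIN_CF, MASTER_CF) returns one entry per smtpd listener, so a port whose policy comes only from the global setting stands out next to the ports that carry their own override.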