EMAIL: UCS + UCS email server not working externally when deployed on AWS EC2

Hello Support community, Greetings.

We deployed a UCS domain server and a UCS email server on an AWS EC2 instance, as well as a SuiteCRM.

The internal e-mail outbound SMTP test from the SuiteCRM e-mail settings is reported as delivered. Initially we had a connectivity issue when adding the SMTP server by IP, which was due to the IP not matching the CN name on the email server certificate. We are using the email server's FQDN and it is working. It even works using the email domain (external domain) as configured in the user accounts as the user e-mail.

We deployed UCS in an internal domain and added a mail domain to it to match our external e-mail domains.

We also configured the user domain accounts with proper e-mails and mail quotas.

On the AWS side we have our external domain registered with Route 53, and MX records in the AWS DNS hosted zone pointing to an A record that points to the external IP address of the UCS domain server.

Ports TCP 25, 465 and 587 are open on the security group, and telnet from my local PC to the external MX record name shows that communication is working and flowing.

Also, nslookup -type=MX <email-domain> <AWS-DNS-server> returns the right records.

When trying to set up an e-mail account in Thunderbird, we do not manage to get the settings from the email server for the account.

Can you please provide any guidance on what the issue could be?

It would be highly appreciated.

Regards

Pedro

These ports are for outgoing mail. But for POP3S (995)/IMAPS (993) access, the ports in brackets need to be opened, too.

Hello Mornsgrans

You were right, I swapped the inbound and outbound configuration and got it wrong. Now I get an OK when getting the settings from the server (on re-test), but when checking the password I get "unable to log in at server". I wonder what it could be??

Sorry, but all ports need to be opened:

  • Ports 25, 465 and 587 to send mail from the mail client to your server.
  • Ports 993 and 995 for mail clients to fetch mail from the server.
  • If your server shall be accessible from outside, all these ports also have to be opened to the internet.

Thanks, really appreciated, but all ports are already open both inbound and outbound, so there are no restrictions on the traffic flow; there must be something else preventing the login. I have already reviewed all UCS user domain account settings and there is nothing wrong. Could it be the certificate? My MX and A records on the AWS external DNS have a different server name + domain name, since the UCS and email server are on the internal domain. If you have any ideas, please let me know. Regards

The reason why I believe it is a certificate issue is that Thunderbird is requesting to add a security exception, saying that the certificate is not trusted because it has not been verified as issued by a trusted authority using a secure signature.

Yes, indeed - it may be caused by the certificate.
You can test the SSL connection with:

openssl s_client -connect <mailserver-name>:993
openssl s_client -connect <mailserver-name>:995
...

I didn’t test it, but maybe swaks may help you:

The package is part of the UCS repository, but needs to be installed via the package administration.
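The openssl s_client test above shows the handshake, but it helps to separate the two reasons a mail client refuses a certificate: the chain is not signed by a trusted CA, or the name the client connected to (the external MX name) is not among the names in the certificate (the internal UCS FQDN). The following script is an added example written for this thread, not UCS, Postfix or Thunderbird code. The certificate dicts are constructed samples in the layout Python's ssl module returns, and ucs-1420.intranet.example and mail.example.com are placeholder names standing in for the internal and external hostnames; probe() does a live check against a real server.

```python
"""Explain why a mail client refuses a mail server's TLS certificate.

Added example for this thread; it is not UCS, Postfix or Thunderbird code.
Hostnames are placeholders: ucs-1420.intranet.example stands in for the
internal UCS FQDN and mail.example.com for the external MX name.
"""
import socket
import ssl

# Implicit-TLS ports a mail client uses (where the certificate check bites).
TLS_PORTS = {993: "IMAPS", 995: "POP3S", 465: "SMTPS"}

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
INTERNAL_CERT = {  # UCS-issued cert for the internal name only
    "subject": ((("commonName", "ucs-1420.intranet.example"),),),
    "subjectAltName": (("DNS", "ucs-1420.intranet.example"),),
}
EXTERNAL_CERT = {  # e.g. a Let's Encrypt cert that also covers the external name
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "ucs-1420.intranet.example")),
}


def cert_names(cert):
    """DNS names the certificate is valid for: the SAN dNSName entries, falling
    back to the subject CN only when no SAN is present (clients ignore the CN
    as soon as a SAN extension exists)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leading '*' label
    that covers exactly one label of the hostname (never the bare domain)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    first, sep, rest = hostname.partition(".")
    return bool(sep) and rest == pattern[2:]


def diagnose(cert, hostname, issuer_trusted=True):
    """Return what a client would complain about for this cert and hostname."""
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        return f"hostname mismatch: connected to {hostname}, certificate is for {', '.join(names) or '(no names)'}"
    if not issuer_trusted:
        return "untrusted issuer: the certificate chain is not signed by a CA the client trusts"
    return "ok"


def probe(hostname, port, timeout=5.0):
    """Live check: connect with SNI like a mail client and verify chain and
    hostname against the system trust store. Returns 'ok' or OpenSSL's own
    verification message (e.g. 'Hostname mismatch ...' vs
    'self-signed certificate ...'), which tells the two failure modes apart."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        return f"verification failed on {TLS_PORTS.get(port, port)}: {err.verify_message}"


if __name__ == "__main__":
    # Offline demonstration of the cases the thread runs into.
    print(diagnose(INTERNAL_CERT, "mail.example.com"))                        # hostname mismatch
    print(diagnose(EXTERNAL_CERT, "mail.example.com", issuer_trusted=False))  # untrusted issuer
    print(diagnose(EXTERNAL_CERT, "mail.example.com"))                        # ok
    # Live probe (needs network): python3 tls_probe.py mail.example.com
    import sys
    if len(sys.argv) > 1:
        for port in TLS_PORTS:
            print(port, probe(sys.argv[1], port))
```

A certificate issued for the internal UCS name will always fail the hostname check when the client connects to the external MX name, no matter which CA signed it; the fix is a certificate whose SAN lists the external name (which is what a Let's Encrypt certificate for that name gives you), not a security exception in every client.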

Hello Mornsgrans

I managed to make some progress on the deployment. I can now receive e-mail in Outlook on my laptop and also in Thunderbird. I also got a Let's Encrypt certificate, which was added as a security exception on the clients. However, I cannot send e-mails. Both clients report the e-mails as sent, but I cannot get them (not even in Spam) on Gmail or other e-mail accounts set up in the cloud.

I found this article that requires some settings in the UCR registry of the UCS server, and as far as the e-mail section of the article is concerned, I did so (the helo variable). I do not know why I cannot send e-mails or why the e-mails are not being received.

https://itsfoss.com/univention-corporate-server-home-server/#:~:text=Port%2025%20is%20specified%20in,direct%20exchange%20between%20mail%20servers.

I can send e-mails to myself.

Any Suggestions?

Hello hassepedro,
do you find any entries/error messages in /var/log/mail.log just after sending mail from a client?

Yes, look below. I believe AWS is restricting port 25; I have already requested them to open it.

I also tried to change the port in the UCS variable mail/smtpport to 465 or 578 and restarted the Postfix services, but could not see any difference in the logs.

Jan 16 19:49:37 ucs-1420 postfix/smtp[17393]: connect to alt3.gmail-smtp-in.l.google.com[108.177.97.27]:25: Connection timed out

Well, if you run the command

mailq

you will be shown all mails in the outgoing queue.

A question about your infrastructure:
Do you use DSL with a dynamic or with a static IP address?

Mail servers block mail from dynamic IP addresses for spam protection. In this case you will need to use your provider's mail gateway as a smarthost, with SASL authentication.
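The log line quoted earlier in the thread (connect to the Gmail MX on :25 timing out) and the dynamic-IP case described in this reply are two different failures that end the same way: mail sits in the queue shown by mailq. The following script is an added example written for this thread, not UCS or Postfix code; it reads postfix/smtp lines from /var/log/mail.log and sorts them into categories with the matching advice. SAMPLE_LOG is constructed: its first line copies the timeout the poster reported, the others are made-up lines in Postfix's format, and mx.example.net, the recipients and the IPs are placeholders.

```python
"""Classify Postfix delivery failures in /var/log/mail.log.

Added example for this thread; not UCS or Postfix code. SAMPLE_LOG is
constructed: the first line copies the timeout the poster saw, the rest
are made-up lines in Postfix's format with placeholder hosts and IPs.
"""
import re
from collections import Counter

# "connect to host[ip]:port: error" lines written before a delivery is deferred.
CONNECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<host>\S+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<err>.+)$")
# Per-recipient status lines with the queue id and the reason in parentheses.
STATUS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?relay=(?P<relay>\S+), "
    r".*?status=(?P<status>deferred|bounced) \((?P<reason>.+)\)$")

# What each category means for a server like the poster's and what to do about it.
ADVICE = {
    "outbound-25-blocked": "TCP 25 to remote MXs times out: outbound port 25 is blocked between the "
                           "server and the internet (EC2 blocks it by default until you ask AWS to "
                           "lift it). Changing the port your own server listens on does not help; "
                           "remote MXs accept mail on 25 only. Get the block lifted, or relay "
                           "through a smarthost on 587 with SASL authentication.",
    "sender-ip-blocked": "The remote MX rejected your server's IP (dynamic/residential or listed). "
                         "Relay through your provider's mail gateway as smarthost.",
    "remote-refused": "The remote MX actively refused the connection; check the MX name and port.",
    "deferred-other": "Deferred for another reason; the mail stays in the queue (see mailq).",
    "bounced-other": "Bounced for another reason; read the full reason text.",
}

SAMPLE_LOG = [  # constructed sample input
    "Jan 16 19:49:37 ucs-1420 postfix/smtp[17393]: connect to alt3.gmail-smtp-in.l.google.com[108.177.97.27]:25: Connection timed out",
    "Jan 16 19:50:07 ucs-1420 postfix/smtp[17393]: 4B2F1C0D3A: to=<someone@gmail.com>, relay=none, delay=90, "
    "delays=0.02/0.01/90/0, dsn=4.4.1, status=deferred (connect to gmail-smtp-in.l.google.com[142.250.27.26]:25: Connection timed out)",
    "Jan 16 19:51:12 ucs-1420 postfix/smtp[17401]: 7C9A0E11F2: to=<user@example.net>, relay=mx.example.net[203.0.113.5]:25, "
    "delay=1.2, delays=0.01/0/0.6/0.6, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.1 "
    "Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))",
    "Jan 16 19:52:03 ucs-1420 postfix/smtpd[17410]: connect from localhost[127.0.0.1]",
]


def reason_category(reason, status):
    """Map a Postfix reason string to one of the ADVICE categories."""
    r = reason.lower()
    if re.search(r":25: connection timed out", r):
        return "outbound-25-blocked"
    if "connection refused" in r:
        return "remote-refused"
    if any(k in r for k in ("spamhaus", "blocked using", "dynamic", "5.7.1")):
        return "sender-ip-blocked"
    return "bounced-other" if status == "bounced" else "deferred-other"


def classify(line):
    """Return (category, detail) for a postfix/smtp failure line, else None."""
    m = STATUS_RE.search(line)
    if m:
        return reason_category(m["reason"], m["status"]), f"{m['qid']} -> {m['rcpt']}: {m['reason']}"
    m = CONNECT_RE.search(line)
    if m:
        text = f"connect to {m['host']}:{m['port']}: {m['err']}"
        return reason_category(text, "attempt"), text
    return None


def summarize(lines):
    """Count failure categories over a batch of log lines."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts


if __name__ == "__main__":
    import sys
    # Usage: python3 mail_log_triage.py /var/log/mail.log  (no argument: the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for cat, n in summarize(lines).most_common():
        print(f"{n:4d}  {cat}: {ADVICE[cat]}")
```

Run it against the real log right after sending a test mail; if every failure is in the outbound-25-blocked bucket, no amount of port changes on the UCS side will help, and the choice is between getting AWS to lift the port 25 restriction and relaying through a smarthost.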