Hello everyone,
I have a problem with Univention + Kopano, a mail relay and outgoing external mails.
Sending internal mails to other users is possible.
I've tested the configuration on another system, and except for the IP addresses and domain names it seems to be equal.
On my test PC I can send even when I change the relayhost and smtp_auth to whatever mail host I want.
On my live system this hasn't worked since the beginning and I don't have any clue what I'm missing.
Live system specs:
Server : Servername.XXXXXX.intnetz
UCS-Version 4.4-6 errata750 (Blumenthal)
UMC-Version 11.0.5-1A~4.4.0.202009181251
Installation process:
- Univention Server (and the usual things: domain, IP etc.), NO Fetchmail, NO UCS Mail
- Kopano Core, WebApp, Z-Push
- add external mail domain .mydomain.de.
- add smtp_auth with > relayserveradress test@mydomain.de:password
- SSH > service postmap hash:/etc/postfix/smtp_auth and service postfix restart
- UCR Mailrelayauth = yes
- UCR Mailrelayhost = .XXXXXXX.XXXXXX.de (No Port)
I have checked the smtp_auth entry many times, no mistake there (I even tested another one, same issue).
On my test system the mail log with tail -f /var/log/mail.log shows this:
Sep 24 23:14:27 XXXXtest postfix/smtp[24147]: C7E24E0380A: to=<-XXXXXf@XXXXX.eu->, relay=-XXXXXX.XXXXXXX.com-[85.13.156.46]:25, delay=0.43, delays=0.04/0.01/0.3/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2994D47A008C)
On my live system I get:
Sep 25 09:17:21 XXXXXX postfix/smtp[6893]: EE7C633F593: to=<-XXXXXXf@XXXXX.eu-> , relay=none, delay=29791, delays=29791/0.09/0.04/0, dsn=4.4.1, status=deferred (connect to XXXXXX.XXXXXXX.com-[85.13.156.46]:25: Connection refused)
Sep 25 10:21:52 XXXXXXXX-UCS kopano-server[1887]: SQL [00000017] info: Try to reconnect
Sep 25 10:21:52 XXXXXXXX-UCS kopano-spooler[18277]: Starting kopano-spooler version 8.7.1 (pid 18277 uid 998)
Sep 25 10:21:52 XXXXXXXX-UCS postfix/smtpd[18180]: connect from localhost[127.0.0.1]
Sep 25 10:21:53 XXXXXXXX-UCS postfix/smtpd[18180]: 007EB34202B: client=localhost[127.0.0.1]
Sep 25 10:21:53 XXXXXXXX-UCS postfix/cleanup[18281]: 007EB34202B: message-id=<kcis.F6D01BB9A8C24427BAD82F8357AF321C@XXXXXXX-UCS->
Sep 25 10:21:53 XXXXXXXX-UCS postfix/qmgr[30251]: 007EB34202B: from=<-XXXX@XXXXXX.de->, size=1636, nrcpt=1 (queue active)
Sep 25 10:21:53 XXXXX-UCS postfix/smtpd[18180]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 25 10:21:53 XXXXXXX-UCS kopano-server[1887]: SQL [00000016] info: Try to reconnect
Sep 25 10:21:53 XXXXXXX-UCS postfix/smtp[18282]: connect to -XXXXXXX.XXXXXXXX.com-[85.13.156.46]:25: Connection refused
Sep 25 10:21:53 XXXXXXX-UCS postfix/smtp[18282]: 007EB34202B: to=<-XXXXXf@XXXXXX.eu->, relay=none, delay=0.17, delays=0.1/0.03/0.04/0, dsn=4.4.1, status=deferred (connect to -XXXXXX.XXXXXXX.com-[85.13.156.46]:25: Connection refused)
I changed the HELO name and mynetworks; later I added a Let's Encrypt certificate, but the problem was there before that as well.
MINUS before domain names = link restrictions because of new user
example: -XXXXXX.XXXX.com
Main.cf File
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
#   /etc/univention/templates/files/etc/postfix/main.cf.d/10_general
#   /etc/univention/templates/files/etc/postfix/main.cf.d/30_maps
#   /etc/univention/templates/files/etc/postfix/main.cf.d/40_postscreen
#   /etc/univention/templates/files/etc/postfix/main.cf.d/50_restrictions
#   /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls
#   /etc/univention/templates/files/etc/postfix/main.cf.d/80_delivery
#   /etc/univention/templates/files/etc/postfix/main.cf.d/99_local

# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information. Default is 10240000
message_size_limit = 10240000

# mailbox_size_limit limits the max. size of local mailboxes. Default is 51200000
mailbox_size_limit = 51200000

# some basic path definitions
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin

# some basic mail system settings
myhostname = XXXXXX.XXXXXX.intnetz
# mydomain is unset - The default is to use $myhostname minus the first component.
myorigin = XXXXXX.XXXXX.intnetz
smtp_helo_name = -mail.XXXXXXXXX.de

append_dot_mydomain = no
inet_interfaces = all
inet_protocols = ipv4

mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 192.168.0.0/28
mynetworks_style = subnet

masquerade_domains = $mydomain
masquerade_exceptions = root

transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination

# we need to name a smtp relay host to which we forward non-local
# mails. smtp authentication is also possible.
relayhost = -XXXXXXX.XXXXXXX.com
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth

disable_vrfy_command = no
# banner
smtputf8_enable = no
local_header_rewrite_clients =
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual,
    ldap:/etc/postfix/ldap.groups,
    ldap:/etc/postfix/ldap.distlist,
    ldap:/etc/postfix/ldap.virtual,
    ldap:/etc/postfix/ldap.external_aliases,
    ldap:/etc/postfix/ldap.sharedfolderremote,
    ldap:/etc/postfix/ldap.sharedfolderlocal_aliases

virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
virtual_mailbox_maps = ldap:/etc/postfix/ldap.virtual_mailbox,
    ldap:/etc/postfix/ldap.sharedfolderlocal

virtual_transport = lmtp:127.0.0.1:2003
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# postscreen settings
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =

postscreen_helo_required = no
postscreen_greet_action = drop
postscreen_greet_ttl = 1d

postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_action = ignore

postscreen_bare_newline_enable = no
postscreen_bare_newline_action = ignore

postscreen_blacklist_action = ignore
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access.cidr

# smtpd_sender_restrictions is not defined since all relevant checks have been moved to
# smtpd_recipient_restrictions (see below) and every mail has to pass smtpd_recipient_restrictions too.
#smtpd_sender_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient

# special recipient_restrictions which may be used by smtps/submission services
# (can be configured via UCR: mail/postfix/submission/restrictions/recipient/…)
submission_recipient_restrictions =

#TLS settings
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols =
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_cert_file = /etc/univention/letsencrypt/signed_chain.crt
smtpd_tls_key_file = /etc/univention/letsencrypt/domain.key
smtpd_tls_CAfile = /etc/univention/letsencrypt/signed_chain.crt

smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

# smtp client
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Support broken clients like Microsoft Outlook Express 4.x which expect AUTH=LOGIN instead of AUTH LOGIN
broken_sasl_auth_clients = yes

# tls logging
smtp_tls_loglevel = 0
smtpd_tls_loglevel = 0

# EDH config
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

# use the Postfix SMTP server’s cipher preference order instead of the remote client’s cipher preference order.
tls_preempt_cipherlist = yes

# The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange
smtpd_tls_eecdh_grade = strong

# if virus scanning is desired, all mails can be redirected through amavis.
I hope this information helps you to get me on the right track, if someone is willing to help me with that.
Many Thanks
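
Added example, not part of the original post: a small Python parser for Postfix delivery lines like the ones quoted above, which splits the `delays=a/b/c/d` field into its stages and flags `relay=none` (no connection to the relay was established). The sample lines are constructed for illustration; hostnames, addresses and the function names are placeholders and assumptions, not values from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the post's mail.log excerpts
# (hostnames and addresses are placeholders, not values from the post).
SAMPLE_LOG = """\
Sep 24 23:14:27 testhost postfix/smtp[24147]: C7E24E0380A: to=<user@example.org>, relay=relay.example.com[192.0.2.10]:25, delay=0.43, delays=0.04/0.01/0.3/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2994D47A008C)
Sep 25 09:17:21 livehost postfix/smtp[6893]: EE7C633F593: to=<user@example.org> , relay=none, delay=29791, delays=29791/0.09/0.04/0, dsn=4.4.1, status=deferred (connect to relay.example.com[192.0.2.10]:25: Connection refused)
Sep 25 10:21:53 livehost postfix/smtpd[18180]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>\s*, "
    r"relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
# delays=a/b/c/d: before queue manager / in queue manager / connection setup / transmission
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")


def parse_delivery(line):
    """Return a dict for a postfix/smtp delivery line, or None for other lines."""
    m = DELIVERY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["delay"] = float(rec["delay"])
    rec["delays"] = dict(zip(STAGES, map(float, rec["delays"].split("/"))))
    # relay=none: this attempt never got a connection to any relay host.
    rec["connected"] = rec["relay"] != "none"
    return rec


def summarize(log_text):
    """Count deliveries by (status, dsn, connected) and list deferral reasons."""
    records = [r for r in map(parse_delivery, log_text.splitlines()) if r]
    counts = Counter((r["status"], r["dsn"], r["connected"]) for r in records)
    reasons = sorted({r["reply"] for r in records if r["status"] == "deferred"})
    return records, counts, reasons


if __name__ == "__main__":
    records, counts, reasons = summarize(SAMPLE_LOG)
    for key, n in counts.items():
        print(n, key)
    for reason in reasons:
        print("deferred:", reason)
```

Run against a real `/var/log/mail.log`, the `("deferred", "4.4.1", False)` bucket separates messages that never reached the relay from those rejected after a session was opened.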