
postfix setup

Posted on 2006-10-20
Last Modified: 2013-12-16
I am trying to set up my first Postfix server and have been running into hurdles all along the way.
My latest hurdle is this... email is not showing up.
I switched my MX record to point mail.domain.com to the external IP of my firewall.
I have set up the rules on my FW to allow POP and SMTP traffic to the internal IP of the Postfix server.
In the main.cf file I have added 'mail.domain.com' to the 'mydestination =' line.
If I ping mail.domain.com it returns the value 'unknown host'. It's been >24hrs since I changed the MX record, so could this be DNS just not being updated yet?
Also, I know my FW blocks ICMP, but I don't see anything in the logs, and 'unknown host' doesn't lead me to believe it has even got that far. The more I type the more it sounds like DNS.
Thanks.

Question by:-pH
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 17777688
Hi,

Unknown host definitely means you cannot resolve the name.

Please check

nslookup mail.domain.com

or

dig domain.com MX

manually..

This is the DNS part. But if all you want to do is to check, you don't need to wait for DNS to kick in.

Just issue a telnet from a system outside of your firewall like this:

telnet <ip address of your mail.domain.com> 25

If you get a response like this:
220 mail.domain.com ESMTP Postfix 2.3.0

Then you did it. Here's how to manually send a mail to your mail server:

# telnet 24.123.93.243 25
Trying 24.123.93.243...
Connected to rrcs-24-123-93-243.central.biz.rr.com (24.123.93.243).
Escape character is '^]'.
-->220 w2k3srv1.Buckstaff.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Mon, 16 Oct 2006 19:30:30 -0500
<--ehlo xx.com
-->250-w2k3srv1.Buckstaff.local Hello [zz.yy.ww.tt]
-->250-TURN
-->250-SIZE
-->250-ETRN
-->250-PIPELINING
-->250-DSN
-->250-ENHANCEDSTATUSCODES
-->250-8bitmime
-->250-BINARYMIME
-->250-CHUNKING
-->250-VRFY
-->250-X-EXPS GSSAPI NTLM LOGIN
-->250-X-EXPS=LOGIN
-->250-AUTH GSSAPI NTLM LOGIN
-->250-AUTH=LOGIN
-->250-X-LINK2STATE
-->250-XEXCH50
-->250 OK
<--mail from: <xxx@yy.com>
-->250 2.1.0 xxx@yy.com....Sender OK
<--rcpt to: <requestinfo@buckstaff.com>
-->250 2.1.5 requestinfo@buckstaff.com
<--DATA
-->354 Start mail input; end with <CRLF>.<CRLF>
<--Subject: Test for EE
<--
<--Test
<--.
-->250 2.6.0 <W2K3SRV1YFSrAuWiqJm0000026b@w2k3srv1.Buckstaff.local> Queued mail for delivery
<--QUIT
-->221 2.0.0 w2k3srv1.Buckstaff.local Service closing transmission channel
Connection closed by foreign host.

--> denotes the following text is sent by the server
<-- denotes the following text is typed by me.

Your SMTP is working perfectly well. Don't forget to log on to your mail server and check your logs at:
/var/log/maillog
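The telnet session above, done by hand in Python as an added example (this is not part of the original answer): a client that performs EHLO, MAIL FROM, RCPT TO, DATA and QUIT, reads multi-line "250-" replies correctly and dot-stuffs the message body, run against a constructed in-process stub server so the whole thing works offline. The stub is not Postfix; its banner, extension list, queue id and the domain funisstupid.com it accepts mail for are all assumptions made here. The second probe asks it to relay to a foreign domain, which is the test you also want to run against your real server from outside: the reply to RCPT TO must be a 5xx, not 250.

```python
"""Walk the SMTP conversation from the telnet session against a stub server."""
import socket
import threading

LOCAL_DOMAIN = "funisstupid.com"   # assumed: the only domain the stub accepts mail for


def _stub_server(listener):
    """Constructed stand-in for the remote MTA: speaks just enough ESMTP for the
    EHLO/MAIL/RCPT/DATA/QUIT sequence. It is not Postfix."""
    conn, _ = listener.accept()
    rd = conn.makefile("rb")

    def say(*lines):
        conn.sendall(("\r\n".join(lines) + "\r\n").encode())

    say("220 mail.funisstupid.com ESMTP Postfix")
    in_data = False
    while True:
        raw = rd.readline()
        if not raw:
            break
        text = raw.decode(errors="replace").rstrip("\r\n")
        if in_data:                               # body runs until a lone "."
            if text == ".":
                in_data = False
                say("250 2.0.0 Ok: queued as 3BF8C1A2")
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            say("250-mail.funisstupid.com", "250-PIPELINING",
                "250-SIZE 10240000", "250 8BITMIME")
        elif verb == "MAIL":
            say("250 2.1.0 Ok")
        elif verb == "RCPT":
            # Accept only recipients in the local domain. An MTA that answers 250
            # here for a foreign recipient from an untrusted client is an open relay.
            if arg.lower().rstrip(">").endswith("@" + LOCAL_DOMAIN):
                say("250 2.1.5 Ok")
            else:
                say("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            say("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            say("221 2.0.0 Bye")
            break
        else:
            say("502 5.5.2 Error: command not recognized")
    rd.close()
    conn.close()
    listener.close()


def _read_reply(rd):
    """Read one SMTP reply, following "250-" continuation lines to the "250 " end."""
    lines = []
    while True:
        raw = rd.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(text[4:])
        if len(text) < 4 or text[3] == " ":
            return int(text[:3]), lines


def smtp_probe(host, port, helo_name, sender, recipient, body, timeout=5.0):
    """Do by hand what the telnet transcript does and record each reply code."""
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")

        def send(cmd):
            s.sendall((cmd + "\r\n").encode())
            return _read_reply(rd)

        code, lines = _read_reply(rd)
        result["banner"] = (code, lines[0])
        code, lines = send(f"EHLO {helo_name}")
        result["ehlo"] = (code, lines[1:])                 # advertised extensions
        result["mail_from"] = send(f"MAIL FROM:<{sender}>")[0]
        result["rcpt_to"] = send(f"RCPT TO:<{recipient}>")[0]
        if result["rcpt_to"] == 250 and send("DATA")[0] == 354:
            # Dot-stuff body lines starting with "." so they are not taken as the
            # end-of-data marker (RFC 5321 section 4.5.2).
            stuffed = [("." + l if l.startswith(".") else l) for l in body.split("\n")]
            s.sendall(("\r\n".join(stuffed) + "\r\n.\r\n").encode())
            result["queued"] = _read_reply(rd)[0]
        result["quit"] = send("QUIT")[0]
    return result


def run_demo():
    """Probe the stub twice: once for a local recipient, once for a foreign one."""
    results = []
    for rcpt in ("requestinfo@funisstupid.com", "someone@example.net"):
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))                   # ephemeral loopback port
        listener.listen(1)
        t = threading.Thread(target=_stub_server, args=(listener,), daemon=True)
        t.start()
        results.append(smtp_probe("127.0.0.1", listener.getsockname()[1],
                                  "tester.example.org", "xxx@yy.com", rcpt,
                                  "Subject: Test for EE\n\nTest"))
        t.join(timeout=5)
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

Against a real server, point smtp_probe at the public address on port 25 from a host outside the firewall; a 421 or a connect timeout at that stage, as the asker later reports, means the TCP path (firewall rule, NAT, or the DNS answer you connected to) is the problem, not Postfix.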
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 17778028
Some other options you'd like to play with:

mydomain = name.com   (your domain, generally the domain that is visible from outside)

myorigin = $mydomain (it is either your FQDN, i.e. hostname.domain, or just your domain; generally your outside-visible host+domain)

inet_interfaces = all  or $myhostname or $localhost (generally all interfaces, or localhost just to accept local connections)

proxy_interfaces = 1.2.3.4 (1.2.3.4 represents an address. To prevent mail loops if you are a secondary MX for lots of domains; otherwise mails will bounce with a configuration error. Another way to do it is using the virtual file)

mydestination = $myhostname, $mydomain, $myhostname.$mydomain, localhost.$mydomain, localhost, /etc/postfix/domains (it indicates for which domains this mail server is configured to accept mail. Notice the /etc/postfix/domains file. This will contain domains and hostnames, one per line, such as:

x.com
host.x.com

mynetworks = 10.0.0.0/8, 127.0.0.0/8, 1.2.3.4/32, 5.6.7.8/32 (it will include all the networks and addresses that you will accept mail from. If you specify your whole intranet subnet then all your users will be in the "trusted" network and they will not be queried for a valid reverse DNS, as is common with sendmail)



smtpd_banner = $myhostname ESMTP mailer  (it is better to use it this way so as not to give out much detail about your server to the people who query your system. Otherwise it is possible to use variables like $mail_name, $mail_version.)

There are several others for sender, receiver and helo restrictions, or for querying the sending end server to see if the sender is a valid user at the sending end, etc.

For more information please visit:
http://www.postfix.org
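As an added example (not from the answer above), a small Python audit of the main.cf settings just listed. It parses the file, including Postfix-style continuation lines, expands $name references, and flags the two things a reviewer checks first: a mynetworks entry such as 0.0.0.0/0 that makes every client "trusted" and therefore relayed for, and an smtpd_banner that expands $mail_version. It also checks that the banner starts with $myhostname, which postconf(5) requires. The constructed WEAK_MAIN_CF and HARDENED_MAIN_CF are illustrative and are not the asker's file; the hostnames reuse the thread's domain and the severity labels are this script's own convention.

```python
"""Audit a Postfix main.cf for the relay and banner settings discussed above."""
import ipaddress
import re

# Constructed main.cf for demonstration; deliberately the risky variants of
# the settings the answer lists.
WEAK_MAIN_CF = """\
# main.cf (constructed example, not a real server's file)
myhostname = mail.funisstupid.com
mydomain = funisstupid.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain
mynetworks = 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/0
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
"""

# Same file with the two risky lines corrected.
HARDENED_MAIN_CF = WEAK_MAIN_CF.replace(
    "mynetworks = 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/0",
    "mynetworks = 127.0.0.0/8, 192.168.0.0/24",
).replace(
    "smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)",
    "smtpd_banner = $myhostname ESMTP mailer",
)

_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text):
    """Parse `name = value` lines; a line that starts with whitespace continues
    the previous value, as in Postfix's own syntax. Comments are skipped."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            cfg[last] = cfg[last] + " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        cfg[last] = value.strip()
    return cfg


def expand(value, cfg, depth=0):
    """Expand $name / ${name} references from cfg. Names not set in the file
    (Postfix built-ins such as $mail_version) are left in place."""
    if depth > 10:                       # guard against self-referencing values
        return value

    def repl(m):
        name = m.group(1)
        return expand(cfg[name], cfg, depth + 1) if name in cfg else m.group(0)

    return _REF.sub(repl, value)


def audit(cfg):
    """Return (severity, message) findings for smtpd_banner and mynetworks."""
    findings = []
    banner = cfg.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if re.search(r"\$\{?mail_version\b", banner):
        findings.append(("medium", "smtpd_banner discloses the Postfix version ($mail_version)"))
    if not banner.startswith("$myhostname"):
        findings.append(("low", "smtpd_banner must start with $myhostname (postconf(5))"))
    for token in re.split(r"[,\s]+", expand(cfg.get("mynetworks", ""), cfg)):
        if not token or token.startswith("!"):   # "!" entries are exclusions
            continue
        try:
            net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(("low", f"mynetworks: unparsable entry {token!r}"))
            continue
        if net.prefixlen == 0:
            findings.append(("high", f"mynetworks trusts {net}: every client is relayed for (open relay)"))
        elif not (net.is_private or net.is_loopback):
            findings.append(("info", f"mynetworks trusts public range {net}; confirm those hosts are yours"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit(parse_main_cf(text)) or "no findings")
```

The same parser can be pointed at a live file with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`; for anything beyond these two settings, `postconf -n` on the server is the authoritative view of what is actually in effect, including defaults.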
 
LVL 6

Expert Comment

by:collins23
ID: 17786943
From what I gather you seem to manage your DNS yourself. Are you using BIND? Have you changed the serial? And reloaded the zones?

Otherwise, is your firewall set to allow DNS queries from internal machines?

On the host where you are doing the DNS tests, which is its DNS server?

try "dig mail.domain.com @dnsserver"
 
LVL 14

Assisted Solution

by:ygoutham
ygoutham earned 100 total points
ID: 17787798
Before trying a test from other machines, do the following.

1.  Test for local users within the machine.  Include a hostname and IP in the /etc/hosts file and assure yourself that mails within the machine are getting delivered.  Once this process is done, then you can test for POP/SMTP access.

2.  Do a telnet localhost 25 to see if port 25 is open on the machine.

3.  Do a telnet localhost 110 to see if POP access is working.

4.  Try resolving a few domain names (google, yahoo, etc.) so that you know that the machine is capable of understanding domain names when mails are received. A simple dig, nslookup or host command should give you the results.

5.  Then do external testing from different machines to see if ports 25 and 110 are accessible.

If steps 1 to 4 are successful then you need to look into your firewall rules.  If not, well, the basic setup needs inspection.

Do a netstat -tap or netstat -an and see if ports 25 and 110 are open.

goutham
 
LVL 1

Author Comment

by:-pH
ID: 17805123
Update to your answers...
<the domain is a real domain I am using as practice before I do this with our business domain, so feel free to do any of the lookups>
The results for nslookup and dig are below.

- I do not manage my own DNS. I do have admin access to change any entry though.
- I have sent a successful mail from an internal machine using telnet and the internal IP address of the mail server.
- When I telnet from an outside machine I get:
421 Cannot connect to SMTP server xxx.xx.xx.xxx (xxx.xx.xx.xxx:25), connect error 10060
Connection to host lost.
- How do I test for local users in the machine?
- telnet localhost 25 works; 110 does not.
- I can resolve outside names from the machine.
- I see port 25 is open..."tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN"
- How can I open port 110 on the mail server?
- I think I may have DNS set up wrong... I added mail.funisstupid.com as an MX record and pointed it to the outside FW address. Should I have another, or should the entry be different? I just added funisstupid.com as an entry also to see if that changes anything.
They are set to priority 10 & 0 respectively with a TTL of 3600.

Thank you for all the help with this.


####################################################################################
nslookup --
nslookup mail.funisstupid.com
Server:         192.168.0.50
Address:        192.168.0.50#53

Non-authoritative answer:
mail.funisstupid.com    canonical name = mail.funisstupid.com.
####################################################################################

dig --
; <<>> DiG 9.3.2 <<>> funisstupid.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10536
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;funisstupid.com.               IN      MX

;; AUTHORITY SECTION:
funisstupid.com.        2769    IN      SOA     park13.secureserver.net. dns.jomax.net. 2004111500 28800 7200 604800 3600

;; Query time: 4 msec
;; SERVER: 192.168.0.50#53(192.168.0.50)
;; WHEN: Tue Oct 24 17:13:18 2006
;; MSG SIZE  rcvd: 102
#########################################################################################

 
LVL 1

Author Comment

by:-pH
ID: 17805846
Update...
A dig now points to the correct IP of my firewall after updating my MX record to funisstupid.com instead of mail.funisstupid.com.

; <<>> DiG 9.3.2 <<>> funisstupid.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29974
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;funisstupid.com.               IN      MX

;; ANSWER SECTION:
funisstupid.com.        3600    IN      MX      0 216.75.21.186.

;; Query time: 166 msec
;; SERVER: 192.168.0.50#53(192.168.0.50)
;; WHEN: Wed Oct 25 11:19:40 2006
;; MSG SIZE  rcvd: 62
 
LVL 30

Accepted Solution

by:Kerem ERSOY
Kerem ERSOY earned 400 total points
ID: 17806693
Hi,

I guess I understand why mail.funisstupid.com.

@     IN SOA fw.funisstupid.com. root.fw.funisstupid.com. (  
                    2006102901
                    3600
                    600
                    1209600                    
                    86400
                    )

        NS  ns01.xx.com.
        NS  ns02.xx.com.

        MX 10 mail

fw    A    1.2.3.4

I guess you did not add an A record for mail.funisstupid.com. If you had an entry like:
mail A   1.2.3.4
or
mail CNAME fw

then it would be able to return an IP address for the MX.

Since you cannot get a response from port 110 and there's no service bound to port 110, it means that there's no daemon listening on this port. I don't know what distro you are using.
But as a general rule it is started from inetd / xinetd (depending on which one you are using).

If you are using inetd it is as simple as editing /etc/inetd.conf, removing the "#" before the pop3 service and restarting inetd with "killall -HUP inetd".

If you are using xinetd it is as simple as editing your /etc/xinetd.d/pop3 and changing this identifier:
disable = no
to yes, saving the file and reloading the configuration with "killall -HUP xinetd".

It is possible to use the customised service query and install scripts that accompany different distributions.
 
LVL 1

Author Comment

by:-pH
ID: 17815879
So should I add an A record that points to the mail IP, just like I have set up in an MX record?
Port 110 was not responding as I had not installed Courier yet. That has been remedied and I can now see that port.
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 17817791
In fact, for the address to get resolved it should point to an address. But if you point it to a CNAME, after resolving, the MTA at the other end would always log "The address may be forged" because the MX record is only a CNAME. So it is best if you provide an A record for the MX.


        MX 10 mail

mail   A    1.2.3.4


I was looking at your dig output and noticed that the real problem there was that it was not pointing to any address, so it was not resolved.
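The dig output above returns an MX whose exchange field reads `216.75.21.186.`, and the accepted answer points at the missing A record for the MX target. Here is an added Python check (not from the thread) that classifies each MX exchange the way a receiving MTA's resolver treats it: a name that is really an IP literal is looked up as a hostname and fails; a CNAME as an MX target is forbidden by RFC 2181 section 10.3; only a hostname that owns an A or AAAA record is usable. The zone data is constructed in a simplified format that the script's own small parser understands (it is not a full RFC 1035 master-file parser); the address 216.75.21.186 is taken from the dig output, and the CNAME case follows the accepted answer's hypothesis rather than anything confirmed in the thread.

```python
"""Classify MX exchange names the way a receiving MTA's resolver will treat them."""
import ipaddress

# Constructed zone snippets (simplified format: `$ORIGIN name.` then
# `owner TYPE rdata...`, `;` starts a comment). BROKEN_ZONE mirrors the two
# failure modes discussed in the thread.
BROKEN_ZONE = """\
$ORIGIN funisstupid.com.
@     MX 0  216.75.21.186.    ; from the dig output: an IP literal used as the exchange name
@     MX 10 mail              ; exchange exists only as an alias (RFC 2181 section 10.3)
mail  CNAME fw
fw    A     216.75.21.186
"""

FIXED_ZONE = """\
$ORIGIN funisstupid.com.
@     MX 10 mail
mail  A     216.75.21.186
"""

STATUS_TEXT = {
    "ok": "hostname with an address record; deliverable",
    "ip-literal": "MX exchange is an IP address, which is looked up as a hostname and fails",
    "cname": "MX exchange is a CNAME; RFC 2181 forbids this and MTAs warn or refuse",
    "no-address": "MX exchange has no A/AAAA record; undeliverable",
}


def _fqdn(name, origin):
    """Turn a relative owner/target into an absolute name under the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse the simplified constructed format into (owner, type, rdata) tuples."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, *rdata = line.split()
        records.append((_fqdn(owner, origin), rtype.upper(), rdata))
    return records, origin


def _lookup(records, name, rtype):
    return [rd for owner, t, rd in records if owner == name and t == rtype]


def _classify(records, exchange):
    """Decide how a resolver would fare with this MX exchange name."""
    try:
        ipaddress.ip_address(exchange.rstrip("."))   # "216.75.21.186." parses as an address
        return "ip-literal"
    except ValueError:
        pass
    if _lookup(records, exchange, "CNAME"):
        return "cname"
    if _lookup(records, exchange, "A") or _lookup(records, exchange, "AAAA"):
        return "ok"
    return "no-address"


def check_mx(zone_text):
    """Return [(preference, exchange_fqdn, status)] for every MX at the origin,
    lowest preference first, i.e. in the order a sending MTA tries them."""
    records, origin = parse_zone(zone_text)
    out = []
    for pref, target in sorted((int(rd[0]), rd[1]) for rd in _lookup(records, origin, "MX")):
        exchange = _fqdn(target, origin)
        out.append((pref, exchange, _classify(records, exchange)))
    return out


def report(zone_text):
    """Human-readable version of check_mx()."""
    return [f"MX {pref} {exchange}: {STATUS_TEXT[status]}"
            for pref, exchange, status in check_mx(zone_text)]


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label)
        for line in report(zone):
            print("  " + line)
```

To apply the same logic to a live zone, feed check_mx() the output of `dig +noall +answer funisstupid.com MX` followed by a lookup of each exchange name; the rule of thumb it encodes is the one the thread arrives at: the MX must name a host, and that host must have its own A record.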
