mailx cheatsheet
1 mails (a.k.a. Postfix) vs sendmail
Sendmail is dead (essentially). As of August 2019, here is the market share of internet mail transfer agents (MTAs):
Exim : 57%
Postfix : 34%
Other : 9%
So less than 9% of the market uses sendmail. However, Exim still follows the sendmail design model, where a single binary controls the entire MTA.
Postfix and Qmail deliver mail in parallel sessions. Sendmail and Exim make one connection at a time. Performance is increased by sending limited batches of mail in parallel, by a different process.
Exim is highly configurable and so has many features, all of which are set in a single configuration file (but with clear sections). It does NOT have a central queue manager as Postfix does. Therefore there is no centralized load balancing. Exim was designed to deliver each message immediately, with queueing only as a fall-back.
Exim uses PCRE (Perl compatible regular expressions), which are more powerful than standard POSIX regexps.
Postfix is simpler, with fewer features, but performs very well. It does have a centralized queue manager and so handles bursts of messages very well.
Postfix is considered more secure and stable because it is architected as a system of small microservice daemons, each of which does only one thing.
2 SMTP
RFC 821 (1982), RFC 5321 (2008). All mail transferred between internet systems uses SMTP. Within a single system there might be proprietary protocols in use, such as MS Exchange, IBM Notes, outlook.com, gmail.com or yahoo mail, but when they transfer to another domain, they all use SMTP.
2.1 Simple Mail Transfer Protocol
[image: SMTP-transfer-model.png]
3 mailx
On my Centos host, mail was symlinked to mailx, i.e. /usr/bin/mail pointed to /usr/bin/mailx. So, I could use mail and mailx interchangeably.
mail -s "My musings on OPS335" Zintis.Perkons@senecacollege.ca
Press C-d (EOF) after the message body has been entered, enter Cc: addresses if needed, then C-d again.
Note that the command mail is actually a symbolic link to mailx.
3.1 mail -s "Subject" userid@[172.28.105.6]
You should also be able to send mail via an ip address using square brackets.
3.2 single command to send a message:
3.3 single command to send contents of a file in a message:
3.4 commands (second argument to command "mail")
- -s subject, e.g. -s "Covid 19 report"
- -c email-addresses # sends a cc to the email-addresses list
- -b email-addresses2 # sends a blind copy to the email-addresses2 list
- -r "myreturnaddress@hacker.com The Right Honourable Justin Trudeau" # sets the From: address (see from-addr in the syntax below)
- -a file # attaches a file to the message
- -d # debugging mode (for developers)
- -v # verbose mode
- -V # version (shows version and quits)
- -u user # reads the mailbox of user
3.4.1 Syntax
mailx [-BDdEFintv~] [-s subject] [-a attachment ] [-c cc-addr] [-b bcc-addr] [-r from-addr] [-h hops] [-A account] [-S variable[=value]] to-addr . . .
3.5 Example
mail -s "Feb 24th app3 logs" sysadmins@senecacollege.ca \
  -c zintis@senecacollege.ca \
  -b security-team@senecacollege.ca < ~/var/log/app3-messages
3.6 In a bash script
#!/bin/bash
df -h | mail -s "disk free for today" Zintis.Perkons@senecacollege.ca
3.7 In a better bash script
#!/bin/bash
df -h > /tmp/todays-report.log
free -m >> /tmp/todays-report.log
mail -s "disk and memory free for today" zperk@senecacollege.ca < /tmp/todays-report.log
Then put that in a cron job and bob's your uncle.
df -h --total | mail -s "vm2 disk free report" zintis@zintis.ops
3.8 Attachments
mail -s "my cv" -a ~/joestudent.cv jstudent@seneca.ca < ~/JoeStudent.cv
This becomes an inline file, but gmail will see it as an attachment.
4 mailx setup with google
mailx will actually act as if it were a gmail client, so it will log in to gmail and send outgoing messages as if sent from google, and not from your ops server.
Good link I found on this is systutorials.com
4.1 Using the just the command line
$ mailx -v -s "$EMAIL_SUBJECT" \
    -S smtp-use-starttls \
    -S ssl-verify=ignore \
    -S smtp-auth=login \
    -S smtp=smtp://smtp.gmail.com:587 \
    -S from="$FROM_EMAIL_ADDRESS($FRIENDLY_NAME)" \
    -S smtp-auth-user=$FROM_EMAIL_ADDRESS \
    -S smtp-auth-password=$EMAIL_ACCOUNT_PASSWORD \
    -S ssl-verify=ignore \
    $TO_EMAIL_ADDRESS
4.2 Saving that configuration on bootup
You can save that configuration to /etc/mail.rc to make use much easier.
4.2.1 First /etc/mail.rc
- set smtp-use-starttls
- set ssl-verify=ignore
- set smtp=smtp://smtp.gmail.com:587
- set smtp-auth=login
- set smtp-auth-user=zintis@gmail.com
- set smtp-auth-password=$gmails-app-specific-password
- set from="Zintis Perkons (zintis@gmail.com)"
4.2.2 Then using mailx with gmail.com once this has been set up.
When sending mails, use this command:
mailx -v -s "$EMAIL_SUBJECT" $TO_EMAIL_ADDRESS
Or
echo "The mail content" | mail -v -s "$EMAIL_SUBJECT" $TO_EMAIL_ADDRESS
5 mailx to read mail
The single command mail will show a list of messages, each with a message number.
- to view a mail, enter the number
- to delete/discard a mail, enter d followed by the number
- to quit, enter the letter q
- to show all the messages in your inbox, enter headers
- to show the next message, enter next
- to reply, enter reply, or one of the following: replyall, replysender, respond
- or also: Followup, followup, followupall, followupsender
- or next
- or headers, to see the list of messages in my inbox
5.1 From
Here's how to use the mail program to manage your mailbox.
- To read the first email message, type 1. You will see both the email headers and the email body. If only part of the message is displayed, press Enter to show the remaining part of the message.
- To display message headers starting from message 1, type h.
- To show the last screenful of messages, type h$ or z.
- To read the next email message, type n.
- To delete message 1, type d 1.
- To delete messages 1, 2 and 3, type d 1 2 3.
- To delete messages from 1 to 10, type d 1-10.
- To reply to message 1, type reply 1.
- To exit out of mail, type q.
6 mailx and attachments
Nope. Any file has to be part of the body of the message, as shown above. That means no binary files can be attached. Fix? Use something like mutt
7 mailx setup
From man page:
7.1 FILES
~/.mailrc
File giving initial commands.
/etc/mail.rc
System wide initialization file.
~/.mime.types
Personal MIME types.
/etc/mime.types
System wide MIME types.
So, just to remind you, mailx does NOT need any other MTA or MDA to run. Simply edit /etc/mail.rc and add two lines:
- set smtp=your.smtp.server
- set from="zintis@continents.earth.ops"
For example:
set smtp=asia.continents.earth.ops
set from="zintis@continents.earth.ops"
And bob's your uncle. Well, for sending mail, but that is still quite useful as you can now run crontabs like:
30 22 * * * lsblk | mail -s "Block Report from VM1" zeus@zintis.ops
Example mail.rc
vim /etc/mail.rc
# add the below lines and append as per your credentials.
set smtp=smtps://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=youremailaddress
set smtp-auth-password=YOURPASSWORD
set ssl-verify=ignore
set nss-config-dir=/etc/pki/nssdb/
Update the gmail account credentials here and save. Possibly look up dzone.com for instructions to set up gmail with mailx.
echo "Test Email" | mail -v -s "Send an email via mailx" xxxxxxxx@gmail.com
8 Using just mailx with gmail:
mailx accepts most configuration in the command line directly from the -S options in format -S variable[=value] (check more in mailx manual).
Sets the internal option variable and, in case of a string option, assigns value to it. Note, that when setting from variable, domain name of host is automatically added if value does not contain any. If you want to enter from address with owner’s name, you can use, for example, the following format:
-S "from=System User "
This is an all-in-one command that sends email to $TO_EMAIL_ADDRESS:
$ mailx -v -s "$EMAIL_SUBJECT" \
    -S smtp-use-starttls \
    -S ssl-verify=ignore \
    -S smtp-auth=login \
    -S smtp=smtp://smtp.gmail.com:587 \
    -S from="$FROM_EMAIL_ADDRESS($FRIENDLY_NAME)" \
    -S smtp-auth-user=$FROM_EMAIL_ADDRESS \
    -S smtp-auth-password=$EMAIL_ACCOUNT_PASSWORD \
    -S ssl-verify=ignore \
    $TO_EMAIL_ADDRESS
Replace the $… above with the value that is actually used.
This command will ask for the email content. Type in the mail content and after finishing the email, use “Ctrl+d” to tell mailx you have finished. Then this mail will be sent out through gmail’s smtp server. You can also use pipe like this:
echo "The mail content" | mail -v -s ...
9 Using google's "app password" setup
Security notes on passwords: you may consider not setting -S smtp-auth-password and instead entering it each time you use this command. Passwords on the command line can be seen by other users on the system. Gmail now supports "App Passwords" if you are using Google's 2-Step Verification, and you will need to use one instead of your Gmail password. You can generate an "App Password" for mailx so it can be easily revoked in case it leaks. Go to this URL: https://myaccount.google.com/apppasswords . Click on "Select App" → "Other", type "mailx", and hit "Generate". You will get a password to be used by mailx. (Thanks to Ben for the notes.)
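As an added example (my own code, not from these notes or from mailx): a small Python audit of a mail.rc / ~/.mailrc body that flags the weak settings used in the gmail configurations above, namely ssl-verify=ignore, a stored smtp-auth-password in a file readable by other users (as /etc/mail.rc normally is; ~/.mailrc with mode 600 is the better home for it), and a scheme/port mismatch such as smtps:// on port 587. The sample file contents are constructed.

```python
import re
import stat

# mail.rc syntax used by heirloom mailx: "set name" or "set name=value".
_SET_RE = re.compile(r"^set\s+([A-Za-z0-9_-]+)(?:\s*=\s*(.*))?$")
_SMTP_URL_RE = re.compile(r"^(smtps?)://([^:/]+)(?::(\d+))?$")


def parse_mailrc(text):
    """Return {name: value-or-True} for every 'set' line; comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SET_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            opts[name] = True if value is None else value.strip().strip('"')
    return opts


def audit_mailrc(text, mode):
    """Audit a mail.rc body plus the file's mode bits (os.stat().st_mode).

    Returns a list of human-readable findings; an empty list means nothing
    obviously weak was found.
    """
    opts = parse_mailrc(text)
    findings = []

    # 1. Certificate verification switched off: any host on the path can
    #    impersonate smtp.gmail.com and collect the AUTH LOGIN credentials.
    if opts.get("ssl-verify") == "ignore":
        findings.append("ssl-verify=ignore disables server certificate checks")

    # 2. Transport/port consistency. smtp:// needs smtp-use-starttls to
    #    upgrade the session; smtps:// is TLS from the first byte (port 465),
    #    so pairing it with 587 (STARTTLS) will not work as intended.
    smtp = opts.get("smtp")
    if isinstance(smtp, str):
        m = _SMTP_URL_RE.match(smtp)
        if m:
            scheme, port = m.group(1), m.group(3)
            if scheme == "smtp" and not opts.get("smtp-use-starttls"):
                findings.append("smtp:// without smtp-use-starttls sends the login in clear text")
            if scheme == "smtps" and port == "587":
                findings.append("smtps:// (implicit TLS) on port 587, which expects STARTTLS")
            if scheme == "smtp" and port == "465":
                findings.append("smtp:// on port 465, which expects implicit TLS (smtps://)")

    # 3. A stored password is only acceptable in a file nobody else can read.
    if "smtp-auth-password" in opts and (mode & (stat.S_IRWXG | stat.S_IRWXO)):
        findings.append("smtp-auth-password stored in a file with mode %o (readable by group/others)"
                        % (mode & 0o777))
    return findings


def audit_mailrc_file(path):
    """Convenience wrapper: audit a real file on disk."""
    import os
    with open(path) as fh:
        return audit_mailrc(fh.read(), os.stat(path).st_mode)


# Constructed sample, mirroring the /etc/mail.rc layout shown above.
WEAK_MAILRC = """\
set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=zintis@gmail.com
set smtp-auth-password=APP-PASSWORD-PLACEHOLDER
set from="Zintis Perkons (zintis@gmail.com)"
"""

# Same account, hardened: verification on, and meant for ~/.mailrc with mode 0600.
SAFE_MAILRC = WEAK_MAILRC.replace("ssl-verify=ignore", "ssl-verify=strict")

if __name__ == "__main__":
    for finding in audit_mailrc(WEAK_MAILRC, 0o644):
        print("WEAK:", finding)
    print("SAFE findings:", audit_mailrc(SAFE_MAILRC, 0o600))
```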
10 postfix setup
We are using postfix, but another MTA could be ssmtp on ubuntu. Then you have to edit /etc/ssmtp/ssmtp.conf and proceed as before, but use ssmtp in place of postfix.
10.1 files
- Configuration /etc/postfix/main.cf
- Logs /var/log/maillog or /var/log/mail.log
10.2 Minimum customization parameters in main.cf
Each of the following is set in /etc/postfix/main.cf:
inet_interfaces=all
# allows the MTA to listen on all interfaces for incoming messages
mydomain=zintis.ops
# so mail knows what domain to append to user mail. For example: zintis@zintis.ops
myorigin
# This defines the hostname for this server, so that it will correctly specify the hostname in the From: header of a sent mail message.
myorigin=$myhostname
# if you want the messages to be from zintis@europe.continents.earth.ops
myorigin=$mydomain
# if you want the messages to be from zintis@continents.earth.ops. This is the setting you would want in production. Then no matter which server a message was sent from, it would have zintis@continents.earth.ops as the return address.
mydestination
# what addresses the server will receive email for.
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
This would accept mail for the following (in the order listed):
- zintis@continents.earth.ops
- zintis@myserver.continents.earth.ops
- zintis@localhost.continents.earth.ops
- zintis@myserver
Note: this will work as long as your MX record is set properly, pointing to a mail server that is configured to accept mail for $mydomain.
relayhost
# Directs your outgoing MTA to relay mail through the mail server designated as your MX mail server. That way messages going outbound from a host that is NOT the MX server will still get sent via the MX server to the remote mail servers.
mynetworks
# tells the mail server which servers are allowed to use it as a relayhost.
- With the above two settings, you can have all your mail delivered to a centralized location. The non-MX mail servers need to have relayhost set to point to the MX server, and the MX server needs to have mynetworks set to accept these relayed mail messages and from whom to accept them, i.e. 172.28.105.0/24.
myhostname=europe.continents.earth.ops
# this does NOT need to be set if your server has the proper hostnamectl and domain values set. Check with:
hostname
domainname
nmcli -f ip4 device show ens33
less /etc/sysconfig/network-scripts/ifcfg-ens3
- tip: /etc/postfix/main.cf is typically extensive. When setting a value make sure there isn't another spot in the file that has that value uncommented. Postfix will take the LAST instance a parameter is set. Of course you can use postconf -d | grep value to double check as well.
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
The mailbox_command tells postfix
sudo postconf -e "home_mailbox = Maildir/"
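Added example (my own code, not postconf and not from these notes): a Python parser for main.cf that applies the last-setting-wins rule from the tip above, reports parameters set more than once, and expands $mydomain/$myhostname so you can see exactly which domains a given mydestination value resolves to. The main.cf excerpt is constructed from the parameters discussed in this section.

```python
import re

_ASSIGN_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
_VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_main_cf(text):
    """Parse Postfix main.cf into {name: raw_value}.

    Rules implemented: 'name = value' logical lines, '#' comment lines,
    continuation lines that begin with whitespace, and last-setting-wins,
    which is what Postfix itself does and why a forgotten uncommented copy
    further down the file silently overrides your edit.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            current = None          # a blank or comment line ends a logical line
            continue
        if raw[0] in " \t":         # continuation of the previous logical line
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        m = _ASSIGN_RE.match(raw.rstrip())
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def duplicate_settings(text):
    """Names assigned more than once (the 'tip' above), with their counts."""
    counts = {}
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t", "#", ""):
            continue
        m = _ASSIGN_RE.match(raw.rstrip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def expand(params, name, _stack=()):
    """Resolve $name / ${name} references the way postconf -x shows them.

    Unknown names expand to an empty string; a reference cycle raises.
    (Postfix's ${name?value} conditional form is not handled here.)
    """
    if name in _stack:
        raise ValueError("circular reference through $%s" % name)
    value = params.get(name, "")
    return _VAR_RE.sub(lambda m: expand(params, m.group(1), _stack + (name,)), value)


def mydestination_domains(params):
    """mydestination as a list, fully expanded (commas and/or spaces separate)."""
    return [d for d in re.split(r"[,\s]+", expand(params, "mydestination")) if d]


# Constructed main.cf excerpt built from the parameters discussed above.
SAMPLE_MAIN_CF = """\
# constructed example, not a real server's file
inet_interfaces = all
mydomain = continents.earth.ops
myhostname = myserver.continents.earth.ops
myorigin = $myhostname
mydestination = $mydomain, $myhostname,
    localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 172.28.105.0/24
relayhost = [europe.continents.earth.ops]

# ... many lines later, an uncommented duplicate that Postfix will actually use:
myorigin = $mydomain
"""

if __name__ == "__main__":
    p = parse_main_cf(SAMPLE_MAIN_CF)
    print("duplicates:", duplicate_settings(SAMPLE_MAIN_CF))
    print("myorigin ->", expand(p, "myorigin"))
    print("mydestination ->", mydestination_domains(p))
```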
10.3 Other mail configurations to consider
alias_maps # to specify email aliases
local_recipient_maps # to accept messages for local users
mydestination # to restrict where to send mail
relay_domains # to restrict where to send mail
home_mailbox # sets the mail message store (different from the default /var/spool/mail)
10.4 iptables to allow incoming port 25 to your mail server
Or port 587 for modern encrypted mail, or port 465 for older encrypted mail. Port 587 is almost always used by Message Submission Agents (MSA).
10.5 /etc/postfix/mail.cf for gmail.com
The following tells Postfix to hand off all messages to Gmail, and never do direct delivery.
relayhost = [smtp.gmail.com]:587
# This enables TLS (SMTPS) certificate verification, because
# Gmail has a valid one.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
# This tells Postfix to provide the username/password when Gmail asks for one.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
10.6 OPS332 vm2 /etc/postfix/mail.cf
This tells postfix to use the self-signed certificate, vm2.zintis.ops.crt for TLS to any guest using vm2 for outgoing smtp (In OPS335 it was the c8host).
# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.zintis.ops.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.zintis.ops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
10.7 corresponding thunderbird setup for vm2
10.8 add alias for root email user
- Edit /etc/aliases
- At the bottom, the last entry is for the user who should get root's mail:
root: zintis
10.9 add MX records to your domain to point to your mail servers
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN MX 5 mail.example.com.
10.10 restart systemctl restart postfix / systemctl status postfix
sudo systemctl restart postfix
Options from the web link on systutorials.com
11 testing using netcat (nc)
From wikipedia, netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
Usually nc is symlinked to netcat, so you can use either. But check which one CentOS uses.
- Syntax:
nc [options] host port
So for example: nc asia 587
By default, nc will try a TCP connection. If you want udp, you need:
nc -u host port
11.1 port scanning using nc
You can scan a single port, or a range of ports, for example:
nc -z -v asia 20-80
- z option will scan only open ports
- v option for verbose.
To filter just the successful open ports try:
nc -z -v asia 20-80 | grep succeeded
11.2 Use nmap for more detailed scanning
nmap also scans, so see the nmap section of nmap.org
bjaerris.com and allgoodbits.org have some good examples of testing mail using a commandline netcat utility
From the southamerica server, I can run nc asia
12 SMTP protocol testing using telnet
If your mail transfer agent (MTA) accepts it, you can telnet to port 25 and try these commands. (Test whether this works on both MTA and MUA, or only one or the other.)
When on vm2, I can nc vm3 25, which is like a telnet to port 25.
Here I already knew that vm3 was running the Postfix MTA, but if not I could look up the MX record using DNS.
12.1 testing imap using nc
You can also run nc with port 143.
For example on c8host, I ran nc eu 143 (eu is the cname for europe.continents.earth.ops):
nc eu 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
* BYE Disconnected for inactivity.
12.2 Commands to enter in mail server (for testing)
Escape character is '^]'
HELO (or is it EHLO)
HELO zintis@zintis.ops
MAIL FROM:president@acme.com
RCPT TO:zintis@vm3.zintis.ops
DATA
Subject: Test message
multiple lines, ending with Enter, Enter, then a line containing only "." and Enter
QUIT
Looks like there is at least some rule checking when doing this:
zintis@vm3 /var/spool/mail $ nc vm2 25
220 vm2.zintis.ops ESMTP Postfix
HELO
501 Syntax: HELO hostname
EHLO
501 Syntax: EHLO hostname
HELO
501 Syntax: HELO hostname
MAIL FROM:president@acme.com
250 2.1.0 Ok
RCPT:zintis@vm2.zintis.ops
221 2.7.0 Error: I can break rules, too. Goodbye.
^C
Another look at an example session for testing port 25.
Destination SMTP server: mail1.fabrikam.com
Source domain: contoso.com
Sender's e-mail address: chris@contoso.com
Recipient's e-mail address: kate@fabrikam.com
Message subject: Test from Contoso
Message body: This is a test message
--------
C:\Windows\System32> telnet
Microsoft Telnet> set localecho
Microsoft Telnet> set logfile c:\TelnetTest.txt
Microsoft Telnet> OPEN mail1.fabrikam.com 25
220 mail1.fabrikam.com Microsoft ESMTP MAIL Service ready at Fri, 5 Aug 2016 16:24:41 -0700
EHLO contoso.com
250-mail1.fabrikam.com Hello [172.16.0.5]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
MAIL FROM: <chris@contoso.com>
250 2.1.0 Sender OK
RCPT TO: <kate@fabrikam.com> NOTIFY=success,failure
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: test

This is a test message.
.
250 2.6.0 <c89b4fcc-3ad1-4758-a1ab-1e820065d622@mail1.fabrikam.com> [InternalId=5111011082268, Hostname=mail1.fabrikam.com] Queued mail for delivery
QUIT
221 2.0.0 Service closing transmission channel
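An added example, not part of these notes or of any of the tools mentioned: a Python parser for multi-line SMTP replies that reads the EHLO capability list and points out what a defender should notice on a plaintext session (STARTTLS missing, or AUTH already advertised before TLS, which is what smtpd_tls_auth_only = yes prevents on Postfix). The reply text is constructed from the fabrikam exchange above.

```python
import re

# SMTP reply grammar (RFC 5321 section 4.2): each line is a 3-digit code,
# then "-" for a continuation line or " " for the last line of the reply.
_REPLY_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(text):
    """Parse one SMTP reply (one or more lines). Returns (code, [line texts]).

    Raises ValueError on a malformed or unterminated reply, which is what a
    hand-typed telnet session hides from you: a client must not treat
    "250-STARTTLS" as the end of the response.
    """
    code, texts = None, []
    for line in text.splitlines():
        m = _REPLY_LINE_RE.match(line.rstrip("\r"))
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        this_code, sep, body = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply (%d -> %d)" % (code, this_code))
        texts.append(body)
        if sep == " ":
            return code, texts
    raise ValueError("reply not terminated (last line used '-')")


def reply_class(code):
    """First digit of the code: 2xx/3xx ok or continue, 4xx retry later, 5xx give up."""
    return {2: "positive completion", 3: "positive intermediate",
            4: "transient negative", 5: "permanent negative"}.get(code // 100, "invalid")


def ehlo_capabilities(text):
    """Turn a 250 EHLO reply into {KEYWORD: [params]} (first line is the greeting)."""
    code, texts = parse_reply(text)
    if code != 250:
        raise ValueError("EHLO rejected: %d %s" % (code, texts[0]))
    caps = {}
    for body in texts[1:]:
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def review_ehlo(caps, tls_already_active=False):
    """Defender's read of an EHLO reply captured on a plaintext session."""
    notes = []
    if "STARTTLS" not in caps and not tls_already_active:
        notes.append("STARTTLS not offered: everything, including AUTH, goes in clear text")
    if "AUTH" in caps and not tls_already_active:
        notes.append("AUTH %s advertised before STARTTLS; Postfix hides it with smtpd_tls_auth_only = yes"
                     % " ".join(caps["AUTH"]))
    if caps.get("SIZE") and int(caps["SIZE"][0]) > 50 * 1024 * 1024:
        notes.append("SIZE limit above 50 MiB")
    return notes


# Constructed from the EHLO exchange shown in the session above.
FABRIKAM_EHLO_REPLY = """\
250-mail1.fabrikam.com Hello [172.16.0.5]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
"""

if __name__ == "__main__":
    caps = ehlo_capabilities(FABRIKAM_EHLO_REPLY)
    print(sorted(caps))
    for note in review_ehlo(caps):
        print("NOTE:", note)
    print(parse_reply("501 Syntax: HELO hostname"), reply_class(501))
```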
13 Native postfix interactions
Telnet to port 25, i.e. telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to mail.fossedu.org.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)
Type the following code segment at Postfix's prompt.
ehlo localhost
mail from: root@localhost
rcpt to: fmaster@localhost
data
Subject: My first mail on Postfix

Hi,
Are you there?
regards,
Admin
.
(Type the .[dot] on a new line and press Enter)
quit
This is a way to check how postfix is running.
14 Maildir-style Mailboxes
Maildir is a format for an e-mail spool that does not require file locking to maintain message integrity, because the messages are kept in separate files with unique names. A Maildir is a directory (often named Maildir) with three subdirectories named tmp, new, and cur. The subdirectories should all reside on the same filesystem.
Another reason to use the Maildir format is that Courier IMAP/POP3 servers only work with Maildir-format mailboxes. See more about Maildir on Wikipedia.
14.1 Instruct Postfix to use Maildirs instead of mboxes:
sudo postconf -e "home_mailbox = Maildir/"
The postconf command will add that setting to the /etc/postfix/main.cf file.
Ensure Procmail isn't used (in case that step was taken by mistake during dpkg-reconfigure):
sudo postconf -e "mailbox_command = "
Restart Postfix for the changes to take effect, and check the mailbox of fmaster:
su - fmaster
MAIL=/home/fmaster/Maildir mail
Check out a good example of configuring postfix with imap on notblog.org. Step 3 – Change spool format to Maildir:
sudo postconf -e "home_mailbox = Maildir/"
Yet another source on tutorialspoint.com suggests using dovecot for IMAP.
15 postconf
The postconf linux command can edit and display the actual values of configuration parameters on your system.
15.1 postconf -d
This displays ALL the config values. There are a lot of them. Most of them are taken from the default settings, but each of them can be modified. Most do not need to be modified.
15.2 postconf -e vs native editing of /etc/postfix/main.cf
sudo postconf -e "home_mailbox = Maildir/"
sudo postconf -e "mynetworks = 127.0.0.0/8, 192.168.1.0/24"
sudo postconf -e "inet_interfaces = all"
sudo postconf -e "inet_protocols = all"
15.3 From help.ubuntu.com
See: Installing courier IMAP and POP3 (linked from help.ubuntu.com)
sudo apt-get install courier-pop
sudo apt-get install courier-imap
Adding your local domains to postfix:
Add your domains to mydestination: (mydestination is a value in the postfix configuration file. To view your existing setting, type sudo postconf mydestination)
sudo postconf -e "mydestination = mail.fossedu.org, localhost.localdomain, localhost, yourdomain.com"
(note that command above will overwrite your previous settings of mydestination, so make note of your previous entries)
Add your local networks, too:
Postfix comes with the localhost (127.0.0.1) entry; you may have others, here we assume your LAN is on 192.168.1.0/24. Make changes to suit your situation.
sudo postconf -e "mynetworks = 127.0.0.0/8, 192.168.1.0/24"
Make Postfix receive mail from the Internet
Instruct Postfix to receive on all interfaces:
sudo postconf -e "inet_interfaces = all"
(optional) Make Postfix accept IPv4, IPv6 protocols
If you're not using IPv6 yet, and you're paranoid, use "ipv4" instead of "all". Again, this is to suit your own network sensibilities.
sudo postconf -e "inet_protocols = all"
Start courier-authdaemon
The courier-authdaemon isn't started after installation. Without it, imap authentication will fail:
sudo service courier-authdaemon start
Configure courier-authdaemon to start on boot:
sudo systemctl enable courier-authdaemon
Finally, restart Postfix:
sudo /etc/init.d/postfix restart
Test your setup again using the following:
netcat mail.yourdomain.com 25
ehlo yourdomain.com
mail from: root@yourdomain.com
rcpt to: fmaster@yourdomain.com
data
Subject: My first mail for my domain

Hi,
Are you there?
regards,
Admin
.
(and Enter on a new line)
quit
Check the mailbox of fmaster:
su - fmaster
cd Maildir/new
ls
Now you will see that each mail is a separate file.
Testing Courier POP3: Type in a terminal:
netcat mail.yourdomain.com 110
Use the following example code segment for your test. Be intelligent and tweak the changes appropriately to your environment. Output like the following will display in your terminal.
Connected to mail.yourdomain.com (208.77.188.166).
Escape character is '^]'.
+OK Hello there.
Type the following code segment at the prompt provided by the Courier POP3 server. I assume that you are intelligent enough not to type the lines which start with +OK
user fmaster
+OK Password required.
pass password
+OK logged in.
quit
Testing Courier IMAP: Type in a terminal:
netcat mail.yourdomain.com 143
Use the following example code segment for your test. Be intelligent and tweak the changes appropriately to your environment. Output like the following will display in your terminal.
OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS XCOURIEROUTBOX=INBOX.Outbox] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
Type the following code segment at the prompt provided by the Courier IMAP server.
a login fmaster password
a OK LOGIN Ok.
a logout
15.4 nc is that like netcat?
netcat mail.yourdomain.com 25
ehlo yourdomain.com
mail from: root@yourdomain.com
rcpt to: fmaster@yourdomain.com
data
Subject: My first mail for my domain

Hi,
Are you there?
regards,
Admin
.
(and Enter on a new line)
quit
16 Notes from dustplanet.de
Check versions by:
postconf -d | grep mail_version
dovecot --version
aptitude versions amavisd-new # I was not using this.
- Postfix v2.11.0
- Dovecot v2.2.9
- Roundcube v1.1.2
- amavisd-new v2.7.1
16.1 /etc/dovecot/dovecot.conf
You can issue the command dovecot -n to find where the dovecot configuration file is.
protocols imaps # is old ??
Our /var/log/messages error:
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: 'imaps' protocol can no longer be specified (use protocols=imap). to disable non-ssl imap, use service imap-login { inet_listener imap { port=0 } }
Now we get a hint!
Navigate to /etc/dovecot/conf.d/10-master.conf and change the port of the inet_listener imap to 0:
service imap-login {
  inet_listener imap {
    port = 0
  }
  …
}
Now restart your dovecot via
service dovecot restart
And test that your server responds via SSL/TLS on port 993 and refuses port 143:
nc vm3 143 # should return "Ncat: Connection refused."
nc vm3 993 # should return a blank line and wait for something (no prompt)
I also added /etc/dovecot/dh.pem by issuing the following command:
openssl dhparam -out /etc/dovecot/dh.pem 4096   # dhparam has no -days option; DH parameters do not expire
17 Turning on TLS to postfix on vm2
More detail to come, but here is my /var/log/maillog on vm2 (postfix server) before and after I got my certs and keys properly installed.
Aug 7 15:35:59 vm2 postfix/postfix-script[2551]: stopping the Postfix mail system
Aug 7 15:35:59 vm2 postfix/master[2526]: terminating on signal 15
Aug 7 15:36:00 vm2 postfix/postfix-script[2628]: starting the Postfix mail system
Aug 7 15:36:00 vm2 postfix/master[2630]: daemon started -- version 3.3.1, configuration /etc/postfix
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:36:13 vm2 postfix/cleanup[2636]: 31D144592B1: message-id=<20200807193613.31D144592B1@vm2.zintis.ops>
Aug 7 15:36:13 vm2 postfix/qmgr[2632]: 31D144592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug 7 15:36:13 vm2 postfix/smtp[2638]: 31D144592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.17, delays=0.04/0.01/0.09/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 25252CA2147)
Aug 7 15:36:13 vm2 postfix/qmgr[2632]: 31D144592B1: removed
Aug 7 15:37:10 vm2 postfix/postfix-script[2649]: stopping the Postfix mail system
Aug 7 15:37:10 vm2 postfix/master[2630]: terminating on signal 15
Aug 7 15:37:10 vm2 postfix/postfix-script[2726]: starting the Postfix mail system
Aug 7 15:37:10 vm2 postfix/master[2728]: daemon started -- version 3.3.1, configuration /etc/postfix
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:37:34 vm2 postfix/cleanup[2734]: 6EB414592B1: message-id=<20200807193734.6EB414592B1@vm2.zintis.ops>
Aug 7 15:37:34 vm2 postfix/qmgr[2730]: 6EB414592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug 7 15:37:34 vm2 postfix/smtpd[2731]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug 7 15:37:34 vm2 postfix/smtp[2736]: 6EB414592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.14, delays=0.04/0.01/0.08/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5A7BACA2147)
Aug 7 15:37:34 vm2 postfix/qmgr[2730]: 6EB414592B1: removed
Aug 7 15:51:41 vm2 postfix/postfix-script[2773]: stopping the Postfix mail system
Aug 7 15:51:41 vm2 postfix/master[2728]: terminating on signal 15
Aug 7 15:51:41 vm2 postfix/postfix-script[2851]: starting the Postfix mail system
Aug 7 15:51:41 vm2 postfix/master[2853]: daemon started -- version 3.3.1, configuration /etc/postfix
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: SSL_accept error from c8host.zintis.ops[192.168.111.1]: -1
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: lost connection after STARTTLS from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 commands=1/2
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: 4DDEE4592B1: client=c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:59 vm2 postfix/cleanup[2860]: 4DDEE4592B1: message-id=<b3bb8fe2-c1a6-355f-436f-e40fa5488496@zintis.ops>
Aug 7 15:52:59 vm2 postfix/qmgr[2855]: 4DDEE4592B1: from=<zintis@zintis.ops>, size=625, nrcpt=1 (queue active)
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 7 15:52:59 vm2 postfix/smtp[2861]: 4DDEE4592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.27, delays=0.04/0.02/0.17/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 521A1CA2147)
Aug 7 15:52:59 vm2 postfix/qmgr[2855]: 4DDEE4592B1: removed
Aug 7 16:20:19 vm2 postfix/smtpd[2912]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 16:20:19 vm2 postfix/smtpd[2912]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug 7 16:20:19 vm2 postfix/smtpd[2912]: 848B54592B1: client=c8host.zintis.ops[192.168.111.1]
Aug 7 16:20:19 vm2 postfix/cleanup[2915]: 848B54592B1: message-id=<a50a0505-2d0c-9400-d1ec-74d7a961eda1@zintis.ops>
Aug 7 16:20:19 vm2 postfix/qmgr[2855]: 848B54592B1: from=<zintis@zintis.ops>, size=631, nrcpt=1 (queue active)
Aug 7 16:20:19 vm2 postfix/smtpd[2912]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 7 16:20:19 vm2 postfix/smtp[2916]: 848B54592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.22, delays=0.03/0.01/0.13/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8163FCA2147)
Aug 7 16:20:19 vm2 postfix/qmgr[2855]: 848B54592B1: removed
Aug 7 16:22:14 vm2 postfix/smtpd[2918]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 16:22:14 vm2 postfix/smtpd[2918]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug 7 16:22:14 vm2 postfix/smtpd[2918]: 9EB0B4592B1: client=c8host.zintis.ops[192.168.111.1]
Aug 7 16:22:14 vm2 postfix/cleanup[2921]: 9EB0B4592B1: message-id=<104d827e-f548-9987-5833-9e311c7a2826@zintis.ops>
Aug 7 16:22:14 vm2 postfix/qmgr[2855]: 9EB0B4592B1: from=<zintis@zintis.ops>, size=660, nrcpt=1 (queue active)
Aug 7 16:22:14 vm2 postfix/smtpd[2918]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 7 16:22:14 vm2 postfix/smtp[2922]: 9EB0B4592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.17, delays=0.04/0.01/0.1/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 948C6CA2147)
Aug 7 16:22:14 vm2 postfix/qmgr[2855]: 9EB0B4592B1: removed
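An added example (my own code, not the author's): a small Python triage over postfix/smtpd lines like those above that pairs each connect/disconnect with its TLS warnings and the starttls=done/tried counter, so the three phases visible in this log (server key unreadable, client rejecting the self-signed certificate, TLS established) are reported per session. The log lines embedded in the block are constructed from the entries above.

```python
import re

_SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_CLIENT_RE = re.compile(r"from (?P<client>\S+\[[0-9a-f.:]+\])")
_COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def summarize_smtpd_tls(log_text):
    """Group postfix/smtpd lines into client sessions and judge each one's TLS outcome.

    A session runs from 'connect from' to 'disconnect from' for one smtpd pid
    (one pid serves several sessions in turn). Warnings logged by that pid
    before the connect (the 'cannot get RSA private key ... disabling TLS
    support' case) are attached to the session that follows them.
    Verdicts: 'tls-disabled-by-server', 'client-rejected-certificate',
    'handshake-failed', 'tls-established', or 'plaintext' (no STARTTLS).
    """
    sessions, open_by_pid, pending = [], {}, {}
    for line in log_text.splitlines():
        m = _SMTPD_RE.match(line)
        if not m:
            continue                      # other postfix daemons, or not postfix at all
        pid, msg = m.group("pid"), m.group("msg")
        sess = open_by_pid.get(pid)
        if msg.startswith("connect from"):
            sess = {"pid": pid, "started": m.group("ts"),
                    "client": _CLIENT_RE.search(msg).group("client"),
                    "warnings": pending.pop(pid, []), "handshake_error": None,
                    "cipher": None, "starttls": (0, 0), "verdict": None}
            open_by_pid[pid] = sess
            sessions.append(sess)
        elif sess is None:
            if msg.startswith("warning:"):
                pending.setdefault(pid, []).append(msg)
        elif msg.startswith("warning:"):
            sess["warnings"].append(msg)
            if "alert" in msg:            # TLS alert sent by the peer, e.g. "bad certificate"
                sess["handshake_error"] = msg.split("SSL routines:")[-1]
        elif msg.startswith("SSL_accept error"):
            sess["handshake_error"] = sess["handshake_error"] or msg
        elif "TLS connection established" in msg:
            sess["cipher"] = msg.split("with cipher ", 1)[1].split(" (")[0]
        elif msg.startswith("disconnect from"):
            # starttls=0/1 means one STARTTLS attempted, none completed
            for name, done, tried in _COUNTER_RE.findall(msg):
                if name == "starttls":
                    sess["starttls"] = (int(done), int(tried or done))
            sess["verdict"] = _verdict(sess)
            del open_by_pid[pid]
    return sessions


def _verdict(sess):
    if any("disabling TLS support" in w for w in sess["warnings"]):
        return "tls-disabled-by-server"
    if sess["handshake_error"]:
        if "bad certificate" in sess["handshake_error"]:
            return "client-rejected-certificate"
        return "handshake-failed"
    if sess["cipher"]:
        return "tls-established"
    return "plaintext"


# Constructed lines modelled on the maillog above (one session per phase).
SAMPLE_MAILLOG = """\
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:36:13 vm2 postfix/qmgr[2632]: 31D144592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug 7 15:36:13 vm2 postfix/smtpd[2633]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: SSL_accept error from c8host.zintis.ops[192.168.111.1]: -1
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: lost connection after STARTTLS from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:13 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 commands=1/2
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug 7 15:52:59 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

if __name__ == "__main__":
    for s in summarize_smtpd_tls(SAMPLE_MAILLOG):
        print(s["started"], s["client"], "starttls=%d/%d" % s["starttls"],
              s["verdict"], s["cipher"] or "")
```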
In setting up ssl for dovecot I got this message in /var/log/messages:
Aug 7 17:32:49 vm3 dovecot[1588]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Aug 7 17:32:49 vm3 dovecot[1588]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
18 Mail related ports:
Protocol | Usage | Plain text | Encrypted (session only) | Message store |
---|---|---|---|---|
POP3 | incoming | 110 | 995 | messages deleted from server |
IMAP | incoming | 143 | 993 | message stays on server |
SMTP | outgoing | 25 | 465 | |
Submission | outgoing | 587 | | |
19 dovecot debugging:
From iredmail.org : Turn on debug mode in Dovecot
Don't know where Dovecot config files are? check this tutorial: Locations of configuration and log files of major components.
To turn on debug mode in Dovecot, please update below parameter in Dovecot config file dovecot.conf:
mail_debug = yes
Restart Dovecot service.
If you need authentication and password related debug message, turn on related settings and restart dovecot service.
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes
If Dovecot service cannot start, please run it manually, it will print the error message on console:
dovecot -c /etc/dovecot/dovecot.conf