mailx cheatsheet


1 mails (a.k.a. Postfix) vs sendmail

Sendmail is dead (essentially). As of August 2019, here is the market share of internet mail transfer agents (MTAs):

  • Exim : 57%
  • Postfix : 34%
  • Other : 9%

So less than 9% of the market uses sendmail. However, Exim still follows the sendmail design model, where a single binary controls the entire MTA.

Postfix and Qmail deliver mail in parallel sessions, while Sendmail and Exim make one connection at a time. Performance is increased by handing limited batches of mail to separate processes that send them in parallel.

Exim is highly configurable and so has many features, all of which are set in a single configuration file (but with clear sections). It does NOT have a central queue manager as Postfix does. Therefore there is no centralized load balancing. Exim was designed to deliver each message immediately, with queueing only as a fall-back.

Exim uses PCRE (Perl compatible regular expressions) which are more powerful than standard POSIX regexp.

Postfix is simpler, with fewer features, but performs very well. It does have a centralized queue manager and so handles bursts of messages very well.

Postfix is considered more secure and stable because it is architected as a system of small microservices daemons, each of which does only one thing.


Figure 1: Postfix Architecture

2 SMTP

RFC 821 (1982), RFC 5321 (2008). All mail transferred between internet systems uses SMTP. Within a single system there might be proprietary protocols in use, such as MS Exchange, IBM Notes, outlook.com, gmail.com or yahoo mail, but when they transfer to another domain, they all use SMTP.

2.1 Simple Mail Transfer Protocol


Figure 2: SMTP Transfer Model

3 mailx

On my Centos host, mail was symlinked to mailx, i.e. /usr/bin/mail pointed to /usr/bin/mailx. So, I could use mail and mailx interchangeably.

mail -s "My musings on OPS335" Zintis.Perkons@senecacollege.ca

Type the message body, then C-d (EOF) once it has been entered. Enter Cc: addresses if prompted, then C-d again.

Note that the command mail is actually a symbolic link to mailx.

3.1 mail -s "Subject" userid@[172.28.105.6]

You should also be able to send mail via an ip address using square brackets.

3.2 single command to send a message:

3.3 single command to send contents of a file in a message:

3.4 commands (second argument to command "mail")

  • -s subject, e.g. "Covid 19 report"
  • -c email-addresses  # sends a cc to the email-addresses list
  • -b email-addresses2  # sends a blind copy to the email-addresses2 list
  • -r "myreturnaddress@hacker.com The Right Honourable Justin Trudeau "  # sets the From address
  • -a file  # attach a file to the message
  • -d  # debugging mode (for developers)
  • -v  # verbose mode
  • -V  # version (shows version and quits)
  • -u user  # reads the mailbox of user

3.4.1 Syntax

mailx [-BDdEFintv] [-s subject] [-a attachment] [-c cc-addr]
      [-b bcc-addr] [-r from-addr] [-h hops] [-A account]
      [-S variable[=value]] to-addr ...

3.5 Example

mail -s "Feb 24th app3 logs" sysadmins@senecacollege.ca -c zintis@senecacollege.ca \
 -b security-team@senecacollege.ca  < ~/var/log/app3-messages

3.6 In a bash script

#!/bin/bash
df -h | mail -s "disk free for today" Zintis.Perkons@senecacollege.ca

3.7 In a better bash script

#!/bin/bash
df -h > /tmp/todays-report.log
free -m >> /tmp/todays-report.log
mail -s "disk and memory free for today" zperk@senecacollege.ca < /tmp/todays-report.log

Then put that in a cron job and bob's your uncle. For example:

df -h --total | mail -s "vm2 disk free report" zintis@zintis.ops

3.8 Attachments

mail -s "my cv" -a ~/joestudent.cv jstudent@seneca.ca < ~/JoeStudent.cv

This becomes an inline file, but gmail will see it as an attachment.

4 mailx setup with google

This will actually act as a gmail client: it logs in to gmail and sends outgoing messages as if they were sent from google, not from your ops server.

Good link I found on this is systutorials.com

4.1 Using just the command line

$ mailx -v -s "$EMAIL_SUBJECT" \
    -S smtp-use-starttls \
    -S ssl-verify=ignore \
    -S smtp-auth=login \
    -S smtp=smtp://smtp.gmail.com:587 \
    -S from="$FROM_EMAIL_ADDRESS($FRIENDLY_NAME)" \
    -S smtp-auth-user=$FROM_EMAIL_ADDRESS \
    -S smtp-auth-password=$EMAIL_ACCOUNT_PASSWORD \
    $TO_EMAIL_ADDRESS

4.2 Saving that configuration on bootup

You can save that configuration to /etc/mail.rc to make use much easier.

4.2.1 First /etc/mail.rc

set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=zintis@gmail.com
set smtp-auth-password=$gmails-app-specific-password
set from="Zintis Perkons (zintis@gmail.com)"

4.2.2 Then using mailx with gmail.com once this has been set up.

When sending mails, use this command:

mailx -v -s "$EMAIL_SUBJECT" $TO_EMAIL_ADDRESS

Or

echo "The mail content" | mail -v -s "$EMAIL_SUBJECT" $TO_EMAIL_ADDRESS

5 mailx to read mail

The single command mail will show a list of messages, each with a message number:

  • to view a mail, enter its number
  • to delete/discard a mail, enter d followed by the number
  • to quit, enter the letter q
  • to show all the messages in your inbox, enter headers
  • to show the next message, enter next
  • to reply, enter reply, or one of the following: replyall, replysender, respond
  • or also Followup, followup, followupall, followupsender

5.1 From

Here's how to use the mail program to manage your mailbox.

  • To read the first email message, type 1. You will see both the email headers and the email body. If only part of the message is displayed, press Enter to show the remaining part of the message.
  • To display message headers starting from message 1, type h.
  • To show the last screenful of messages, type h$ or z.
  • To read the next email message, type n.
  • To delete message 1, type d 1.
  • To delete messages 1, 2 and 3, type d 1 2 3.
  • To delete messages from 1 to 10, type d 1-10.
  • To reply to message 1, type reply 1.
  • To exit out of mail, type q.

6 mailx and attachments

Nope. Any file has to be part of the body of the message, as shown above, so no binary files can be attached. Fix? Use something like mutt.

7 mailx setup

From the man page:

7.1 FILES

~/.mailrc
       File giving initial commands.

/etc/mail.rc
       System wide initialization file.

~/.mime.types
       Personal MIME types.

/etc/mime.types
       System wide MIME types.

So, just to remind you, mailx does NOT need any other MTA or MDA to run. Simply edit /etc/mail.rc and add two lines:

set smtp=your.smtp.server
set from="zintis@continents.earth.ops"

For example:

set smtp=asia.continents.earth.ops
set from="zintis@continents.earth.ops"

And bob's your uncle. Well, for sending mail, but that is still quite useful as you can now run crontabs like:

30 22 * * * lsblk | mail -s "Block Report from VM1" zeus@zintis.ops

7.2 Example mail.rc

vim /etc/mail.rc

# add the lines below, adjusting them to your credentials

set smtp=smtps://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=youremailadderess
set smtp-auth-password=YOURPASSWORD
set ssl-verify=ignore
set nss-config-dir=/etc/pki/nssdb/

Update the gmail account credentials here and save. Possibly look up dzone.com for instructions to set up gmail with mailx.

echo "Test Email" | mail -v -s "Send an email via mailx" xxxxxxxx@gmail.com

8 Using just mailx with gmail:

mailx accepts most configuration directly on the command line via the -S option, in the format -S variable[=value] (see the mailx manual for more).

Sets the internal option variable and, in the case of a string option, assigns value to it. Note that when setting the from variable, the host's domain name is automatically added if the value does not contain one. If you want to enter a from address with the owner's name, you can use, for example, the following format:

-S "from=System User "

This is an all-in-one command that sends email to $TO_EMAIL_ADDRESS:

$ mailx -v -s "$EMAIL_SUBJECT" \
    -S smtp-use-starttls \
    -S ssl-verify=ignore \
    -S smtp-auth=login \
    -S smtp=smtp://smtp.gmail.com:587 \
    -S from="$FROM_EMAIL_ADDRESS($FRIENDLY_NAME)" \
    -S smtp-auth-user=$FROM_EMAIL_ADDRESS \
    -S smtp-auth-password=$EMAIL_ACCOUNT_PASSWORD \
    $TO_EMAIL_ADDRESS

Replace the $… above with the value that is actually used.

This command will ask for the email content. Type in the mail content and, when you have finished, press Ctrl+d to tell mailx you are done. The mail will then be sent out through gmail's SMTP server. You can also use a pipe like this:

echo "The mail content" | mail -v -s ...

9 Using google's "app password" setup

Security notes on passwords: consider not setting -S smtp-auth-password and instead entering the password each time you use this command, because passwords on the command line can be seen by other users on the system. Gmail now supports an "App Password" if you are using Google's 2-Step verification, and you will need to use it instead of your Gmail password. You can generate an "App Password" just for mailx so that it can be easily revoked in case it leaks. Go to this URL: https://myaccount.google.com/apppasswords . Click on "Select App" → "Other", type "mailx", and hit "Generate". You will get a password to use with mailx. (Thanks to Ben for the notes.)

10 postfix setup

We are using postfix, but another MTA could be ssmtp on Ubuntu. In that case you have to edit /etc/ssmtp/ssmtp.conf and proceed as before, using ssmtp in place of postfix.

10.1 files

  • Configuration: /etc/postfix/main.cf
  • Logs: /var/log/maillog or /var/log/mail.log

10.2 Minimum customization parameters in main.cf

Each of the following is set in main.cf:

  • inet_interfaces=all  # allows the MTA to listen on all interfaces for incoming messages
  • mydomain=zintis.ops  # so mail knows what domain to append to user mail, for example zintis@zintis.ops
  • myorigin  # defines the hostname for this server, so that the From: header of a sent mail message correctly specifies the hostname
    • myorigin=$myhostname if you want the messages to be from zintis@europe.continents.earth.ops
    • myorigin=$mydomain if you want the messages to be from zintis@continents.earth.ops. This is the setting you would want in production: no matter which server a message was sent from, it would have zintis@continents.earth.ops as the return address.
  • mydestination  # what addresses the server will receive email for. mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost would accept mail for the following (in the order listed):
    • zintis@continents.earth.ops
    • zintis@myserver.continents.earth.ops
    • zintis@localhost.continents.earth.ops
    • zintis@localhost

    Note: this will work as long as your MX record is set properly, pointing to a mail server that is configured to accept mail for $mydomain.

  • relayhost  # directs your outgoing MTA to relay mail through the mail server designated as your MX mail server. That way messages going outbound from a host that is NOT the MX server will still be sent via the MX server to the remote mail servers.
  • mynetworks  # tells the mail server which hosts are allowed to use it as a relayhost.
  • With the above two settings, you can have all your mail delivered to a centralized location. The non-MX mail servers need relayhost set to point to the MX server, and the MX server needs mynetworks set to accept these relayed mail messages and to say from whom to accept them, i.e. 172.28.105.0/24.
  • myhostname=europe.continents.earth.ops  # this does NOT need to be set if your server has the proper hostnamectl and domain values set. Check with:
    hostname
    domainname
    nmcli -f ip4 device show ens33
    less /etc/sysconfig/network-scripts/ifcfg-ens3

  • tip: /etc/postfix/main.cf is typically extensive. When setting a value, make sure there isn't another spot in the file where that parameter is set and uncommented: Postfix takes the LAST instance of a parameter. Of course you can use postconf -d | grep value to double check as well.
  • mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"  # the mailbox_command tells postfix
  • sudo postconf -e "home_mailbox = Maildir/"
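
A check for the "last instance wins" tip above, as an added example that is not part of the page or of Postfix: it parses a constructed main.cf excerpt (continuation lines included), lists parameters set more than once together with the value that actually takes effect, and resolves $myhostname / $mydomain references so the effective myorigin and mydestination can be read off. On a live host, postconf -n prints the effective non-default values for comparison.

```python
# Added example, not from the page or from Postfix. The main.cf excerpt is constructed.
import re

SAMPLE_MAIN_CF = """\
# constructed excerpt of /etc/postfix/main.cf
myhostname = europe.continents.earth.ops
mydomain = continents.earth.ops
myorigin = $myhostname
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain,
    localhost, $mydomain
#inet_interfaces = all
relayhost = [asia.continents.earth.ops]:25
myorigin = $mydomain
inet_interfaces = all
"""

RE_SETTING = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
RE_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text):
    """Return {param: [(lineno, value), ...]} in file order. A line that starts
    with whitespace continues the previous setting; '#' lines are comments."""
    settings, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            first_line, value = settings[current][-1]
            settings[current][-1] = (first_line, value + " " + raw.strip())
            continue
        m = RE_SETTING.match(raw)
        if m:
            current = m.group(1)
            settings.setdefault(current, []).append((lineno, m.group(2).strip()))
    return settings


def duplicates(settings):
    """Parameters set more than once: only the last occurrence takes effect."""
    return [(name, occ) for name, occ in settings.items() if len(occ) > 1]


def effective(settings):
    """The value Postfix would use for each parameter set in this file."""
    return {name: occ[-1][1] for name, occ in settings.items()}


def resolve(name, settings, depth=0):
    """Expand $var / ${var} references using the effective values; a name not
    set in the file is left as $name (Postfix would use its built-in default)."""
    eff = effective(settings)
    if name not in eff or depth > 10:
        return "$" + name
    return RE_VAR.sub(lambda m: resolve(m.group(1), settings, depth + 1), eff[name])


def report(text):
    """Human-readable findings: duplicates, plus the resolved myorigin and
    mydestination, the two values section 10.2 cares about."""
    s = parse_main_cf(text)
    lines = [f"{name} set {len(occ)} times (lines {', '.join(str(l) for l, _ in occ)}); "
             f"effective value: {occ[-1][1]!r}" for name, occ in duplicates(s)]
    for key in ("myorigin", "mydestination"):
        lines.append(f"{key} resolves to: {resolve(key, s)}")
    return lines
```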

10.3 Other mail configurations to consider

  • alias_maps # to specify email aliases
  • local_recipient_maps # to accept messages for local users
  • mydestination # to restrict where to send mail
  • relay_domains # to restrict where to send mail
  • home_mailbox # set the mail message store (different from the default /var/spool/mail)

10.4 iptables to allow incoming port 25 to your mail server

Or port 587 for modern encrypted mail, or port 465 for older encrypted mail. Port 587 is almost always used by Message Submission Agents (MSA).

10.5 /etc/postfix/main.cf for gmail.com

The following tells Postfix to hand off all messages to Gmail, and never do direct delivery.

relayhost = [smtp.gmail.com]:587
# This enables TLS (SMTPS) certificate verification, because
#   Gmail has a valid one.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
# This tells Postfix to provide the username/password when Gmail asks for one.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

10.6 OPS332 vm2 /etc/postfix/main.cf

This tells postfix to use the self-signed certificate vm2.zintis.ops.crt for TLS with any guest using vm2 for outgoing SMTP (in OPS335 it was the c8host).

# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.zintis.ops.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.zintis.ops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1

10.7 corresponding thunderbird setup for vm2


Figure 3: vm2 outgoing smtp settings

10.8 add alias for root email user

  1. Edit /etc/aliases
  2. At the bottom, the last entry is for the user who should get root's mail:

root: zintis

10.9 add MX records to your domain to point to your mail servers

example.com.  IN  NS   ns1.example.com.
example.com.  IN  NS   ns2.example.com.
example.com.  IN  MX 5 mail.example.com.

10.10 restart systemctl restart postfix / systemctl status postfix

sudo systemctl restart postfix

Options from the web link on systutorials.com

11 testing using netcat (nc)

From wikipedia, netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.

Usually nc is symlinked to netcat, so you can use either. But check which one CentOS uses.

Syntax: nc [options] host port

So for example: nc asia 587

By default, nc will try a TCP connection. If you want UDP, you need: nc -u host port

11.1 port scanning using nc

You can scan a single port, or a range of ports, for example: nc -z -v asia 20-80

  • z option will scan only open ports
  • v option for verbose.

To filter just the successful open ports try:

  • nc -z -v asia 20-80 | grep succeeded

11.2 Use nmap for more detailed scanning

nmap also scans, so see the nmap section of nmap.org.

bjaerris.com and allgoodbits.org have some good examples of testing mail using a commandline netcat utility

From the southamerica server, I can nc asia.

12 SMTP protocol testing using telnet

If your mail transfer agent (MTA) accepts it, you can telnet to port 25 and try these commands. (Test whether this works on both the MTA and the MUA, or only on one or the other.)

When on vm2, I can nc vm3 25 which is like a telnet to port 25.

Here I already knew that vm3 was running the Postfix MTA, but if not I could look up the MX record using DNS.

12.1 testing imap using nc

You can also run nc with port 143. For example on c8host I ran nc eu 143 (eu is the CNAME for europe.continents.earth.ops):

nc eu 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
* BYE Disconnected for inactivity.

12.2 Commands to enter in mail server (for testing)

Escape character is '^]'.

HELO (or is it EHLO)
HELO zintis@zintis.ops
MAIL FROM:president@acme.com
RCPT TO:zintis@vm3.zintis.ops
DATA
Subject:  Test message
(message body: multiple lines, each ending with Enter)
(an empty line, i.e. just Enter)
.      <- a single dot on a line by itself, then Enter, ends the message
QUIT

Looks like there is at least some rule checking when doing this:

zintis@vm3 /var/spool/mail $
nc vm2 25
220 vm2.zintis.ops ESMTP Postfix
HELO
501 Syntax: HELO hostname
EHLO
501 Syntax: EHLO hostname
HELO
501 Syntax: HELO hostname
MAIL FROM:president@acme.com
250 2.1.0 Ok
RCPT:zintis@vm2.zintis.ops
221 2.7.0 Error: I can break rules, too. Goodbye.
^C
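
The two sessions from this section, as an added example that is not from the page or from Postfix: a raw SMTP client in Python talking to a tiny in-process stand-in for Postfix smtpd whose replies are constructed to match the transcript above, including the 501 for a bare HELO and the 221 hang-up after too many errors (the limit of 4 is constructed; real Postfix uses smtpd_hard_error_limit). probe() sends lines exactly as typed into nc, while smtp_send() runs the full dialogue, stops at the first unexpected reply code, and dot-stuffs body lines so that a line starting with "." cannot end the message early.

```python
import socket
import threading

CRLF = "\r\n"
HARD_ERROR_LIMIT = 4   # constructed; real Postfix uses smtpd_hard_error_limit

def _fake_postfix(conn):
    """Stand-in for Postfix smtpd with constructed replies: 220 banner, 501 on a
    bare HELO/EHLO, 250 for MAIL/RCPT, 354 then body until a lone '.', 221 on QUIT."""
    rd = conn.makefile("r", encoding="ascii")
    wr = conn.makefile("w", encoding="ascii", newline="")
    send = lambda line: (wr.write(line + CRLF), wr.flush())
    send("220 vm2.zintis.ops ESMTP Postfix")
    errors, in_data = 0, False
    for raw in rd:
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
                send("250 2.0.0 Ok: queued as 0000CONSTRUCTED")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO") and arg:
            send("250 vm2.zintis.ops")
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            send("250 2.1.0 Ok")
        elif verb == "RCPT" and arg.upper().startswith("TO:"):
            send("250 2.1.5 Ok")
        elif verb == "DATA":
            in_data = True
            send("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            send("221 2.0.0 Bye")
            break
        else:                      # syntax error; too many of them and we hang up
            errors += 1
            if errors >= HARD_ERROR_LIMIT:
                send("221 2.7.0 Error: I can break rules, too. Goodbye.")
                break
            send(f"501 Syntax: {verb} hostname" if verb in ("HELO", "EHLO")
                 else "502 5.5.2 Error: command not recognized")
    conn.close()

def start_fake_postfix():
    """Serve one session on an ephemeral 127.0.0.1 port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: _fake_postfix(srv.accept()[0]), daemon=True).start()
    return srv.getsockname()[1]

def _reply(rd):
    """Read one reply, skipping '250-' continuation lines; return (code, last line)."""
    while True:
        line = rd.readline()
        if not line:
            raise RuntimeError("server closed the connection")
        line = line.rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line[:3], line

def probe(port, lines):
    """Send lines exactly as typed into nc and return the reply code to each."""
    codes = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        rd = s.makefile("r", encoding="ascii")
        _reply(rd)                                     # 220 banner
        for line in lines:
            s.sendall((line + CRLF).encode("ascii"))
            codes.append(_reply(rd)[0])
    return codes

def smtp_send(host, port, helo, sender, rcpt, subject, body):
    """Full EHLO/MAIL/RCPT/DATA/QUIT exchange; return [(sent, code), ...] or
    raise RuntimeError at the first reply that is not the expected code."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        rd = s.makefile("r", encoding="ascii")

        def step(label, payload, want):
            s.sendall(payload.encode("ascii"))
            code, text = _reply(rd)
            transcript.append((label, code))
            if code != want:
                raise RuntimeError(f"{label!r} -> {text}")

        transcript.append(("<connect>", _reply(rd)[0]))
        for cmd in (f"EHLO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
            step(cmd, cmd + CRLF, "250")
        step("DATA", "DATA" + CRLF, "354")
        # dot-stuff body lines that start with '.'; a lone '.' then ends the message
        stuffed = CRLF.join("." + l if l.startswith(".") else l for l in body.splitlines())
        step("<message>", f"Subject: {subject}{CRLF}{CRLF}{stuffed}{CRLF}.{CRLF}", "250")
        step("QUIT", "QUIT" + CRLF, "221")
    return transcript
```

Against a real server replace the stand-in with its host and port; the client side is plain SMTP and does not depend on the stand-in.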

Another look at an example session for testing port 25:

Destination SMTP server: mail1.fabrikam.com
Source domain: contoso.com
Sender's e-mail address: chris@contoso.com
Recipient's e-mail address: kate@fabrikam.com
Message subject: Test from Contoso
Message body: This is a test message

--------
C:\Windows\System32> telnet
Microsoft Telnet> set localecho
Microsoft Telnet> set logfile c:\TelnetTest.txt
Microsoft Telnet> OPEN mail1.fabrikam.com 25
220 mail1.fabrikam.com Microsoft ESMTP MAIL Service ready at Fri, 5 Aug 2016 16:24:41 -0700
EHLO contoso.com
250-mail1.fabrikam.com Hello [172.16.0.5]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
MAIL FROM: <chris@contoso.com>
250 2.1.0 Sender OK
RCPT TO: <kate@fabrikam.com> NOTIFY=success,failure
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: test


This is a test message.
.
250 2.6.0 <c89b4fcc-3ad1-4758-a1ab-1e820065d622@mail1.fabrikam.com> [InternalId=5111011082268, Hostname=mail1.fabrikam.com] Queued mail for delivery
QUIT
221 2.0.0 Service closing transmission channel

13 Native postfix interactions

Telnet to port 25, i.e. telnet 127.0.0.1 25

Trying 127.0.0.1...
Connected to mail.fossedu.org.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)
Type the following code segment in Postfix's prompt.

ehlo localhost
mail from: root@localhost
rcpt to: fmaster@localhost
data
Subject: My first mail on Postfix

Hi,
Are you there?
regards,
Admin
. (Type the .[dot] in a new Line and press Enter )
quit

This is a way to check how postfix is running.

14 Maildir-style Mailboxes

Maildir is a format for an e-mail spool that does not require file locking to maintain message integrity because the messages are kept in separate files with unique names. A Maildir is a directory (often named Maildir) with three subdirectories named tmp, new, and cur. The subdirectories should all reside on the same filesystem.

Another reason to use the Maildir format is that the Courier IMAP/POP3 servers only work with Maildir format mailboxes. See more about Maildir on Wikipedia.

14.1 Instruct Postfix to use Maildirs instead of mboxes:

sudo postconf -e "home_mailbox = Maildir/"

The postconf command will add that line to the /etc/postfix/main.cf file.

Ensure Procmail isn't used (in case that step was taken by mistake during dpkg-reconfigure):

sudo postconf -e "mailbox_command = "

Restart Postfix for the changes to take effect, and check the mailbox of fmaster:

su - fmaster
MAIL=/home/fmaster/Maildir
mail

Check out a good example of configuring postfix with imap on notblog.org. Step 3 there, "Change spool format to Maildir", is: sudo postconf -e "home_mailbox = Maildir/"

Yet another source on tutorialspoint.com suggests using dovecot for IMAP.

15 postconf

The postconf linux command can edit and display the actual values of configuration parameters on your system.

15.1 postconf -d

This displays ALL the config values. There are a lot of them. Most of them are taken from the default settings, but each of them can be modified. Most do not need to be modified.

15.2 postconf -e vs native editing of /etc/postfix/main.cf

sudo postconf -e "home_mailbox = Maildir/"

sudo postconf -e "mynetworks = 127.0.0.0/8, 192.168.1.0/24"

sudo postconf -e "inet_interfaces = all"

sudo postconf -e "inet_protocols = all"

15.3 From help.ubuntu.com

See the help.ubuntu.com page on installing Courier IMAP and POP3:

sudo apt-get install courier-pop
sudo apt-get install courier-imap

Adding your local domains to postfix:

Add your domains to mydestination (mydestination is a value in the postfix configuration file; to view your existing setting, type sudo postconf mydestination):

  • sudo postconf -e "mydestination = mail.fossedu.org, localhost.localdomain, localhost, yourdomain.com"

(note that command above will overwrite your previous settings of mydestination, so make note of your previous entries)

Add your local networks, too:

Postfix comes with the localhost (127.0.0.1) entry; you may have others, here we assume your LAN is on 192.168.1.0/24. Make changes to suit your situation.

  • sudo postconf -e "mynetworks = 127.0.0.0/8, 192.168.1.0/24"

Make Postfix receive mail from the Internet

Instruct Postfix to receive on all interfaces:

  • sudo postconf -e "inet_interfaces = all"

(optional) Make Postfix accept both IPv4 and IPv6

If you're not using IPv6 yet, and you're paranoid, use "ipv4" instead of "all". Again, this is to suit your own network sensibilities.

  • sudo postconf -e "inet_protocols = all"

Start courier-authdaemon

The courier-authdaemon isn't started after installation. Without it, imap authentication will fail:

  • sudo service courier-authdaemon start

Configure courier-authdaemon to start on boot:

  • sudo systemctl enable courier-authdaemon

Finally, restart Postfix:

  • sudo /etc/init.d/postfix restart

Test your setup again using the following:

netcat mail.yourdomain.com 25
ehlo yourdomain.com
mail from: root@yourdomain.com
rcpt to: fmaster@yourdomain.com
data
Subject: My first mail for my domain

Hi,
Are you there?
regards,
Admin
. (and Enter In a new Line)
quit

Check the mailbox of fmaster

And:

su - fmaster
cd Maildir/new
ls

Now you will see that each mail is a separate file.

Testing Courier POP3: Type in a terminal:

  • netcat mail.yourdomain.com 110

Use the following example for your test, tweaking the values for your environment. Output like the following will display in your terminal:

Connected to mail.yourdomain.com (208.77.188.166).
Escape character is '^]'.
+OK Hello there.

Type the following in the prompt provided by the Courier POP3 server (do not type the lines starting with +OK, those are the server's replies):

user fmaster
+OK Password required.
pass password
+OK logged in.
quit

Testing Courier IMAP: Type in a terminal:

netcat mail.yourdomain.com 143

Use the following example for your test, tweaking the values for your environment. Output like the following will display in your terminal:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS XCOURIEROUTBOX=INBOX.Outbox] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.

Type the following in the prompt provided by the Courier IMAP server:

a login fmaster password
a OK LOGIN Ok.
a logout

15.4 nc is that like netcat?

Yes: nc is usually a symlink to netcat (see section 11), so the netcat session above works the same with nc.

16 Notes from dustplanet.de

Check versions by:

postconf -d | grep mail_version
dovecot --version
aptitude versions amavisd-new   # I was not using this.

Postfix v2.11.0
Dovecot v2.2.9
Roundcube v1.1.2
amavisd-new v2.7.1

16.1 /etc/dovecot/dovecot.conf

You can issue the command dovecot -n to find where the dovecot configuration file is.

protocols imaps # is old ??

Our /var/log/messages error:

doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: 'imaps'
    protocol can no longer be specified (use protocols=imap).  to disable
    non-ssl imap, use service imap-login { inet_listener imap { port=0 } }

Now we get a hint!

Navigate to /etc/dovecot/conf.d/10-master.conf and change the port of the inet_listener imap to 0:

service imap-login {
  inet_listener imap {
    port = 0
  }
  …
}

Now restart your dovecot via service dovecot restart, and test that your server responds via SSL/TLS on port 993 and refuses port 143:

nc vm3 143   # should return "Ncat: Connection refused."
nc vm3 993   # should return a blank line and wait for input (no prompt)

I also added /etc/dovecot/dh.pem by issuing the following command: openssl dhparam -out /etc/dovecot/dh.pem 4096 -days 3650

17 Turning on TLS to postfix on vm2

More detail to come, but here is my /var/log/maillog on vm2 (postfix server) before and after I got my certs and keys properly installed.

Aug  7 15:35:59 vm2 postfix/postfix-script[2551]: stopping the Postfix mail system
Aug  7 15:35:59 vm2 postfix/master[2526]: terminating on signal 15
Aug  7 15:36:00 vm2 postfix/postfix-script[2628]: starting the Postfix mail system
Aug  7 15:36:00 vm2 postfix/master[2630]: daemon started -- version 3.3.1, configuration /etc/postfix



Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 15:36:13 vm2 postfix/cleanup[2636]: 31D144592B1: message-id=<20200807193613.31D144592B1@vm2.zintis.ops>
Aug  7 15:36:13 vm2 postfix/qmgr[2632]: 31D144592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug  7 15:36:13 vm2 postfix/smtp[2638]: 31D144592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.17, delays=0.04/0.01/0.09/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 25252CA2147)
Aug  7 15:36:13 vm2 postfix/qmgr[2632]: 31D144592B1: removed
Aug  7 15:37:10 vm2 postfix/postfix-script[2649]: stopping the Postfix mail system
Aug  7 15:37:10 vm2 postfix/master[2630]: terminating on signal 15
Aug  7 15:37:10 vm2 postfix/postfix-script[2726]: starting the Postfix mail system
Aug  7 15:37:10 vm2 postfix/master[2728]: daemon started -- version 3.3.1, configuration /etc/postfix


Aug  7 15:37:34 vm2 postfix/smtpd[2731]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 15:37:34 vm2 postfix/cleanup[2734]: 6EB414592B1: message-id=<20200807193734.6EB414592B1@vm2.zintis.ops>
Aug  7 15:37:34 vm2 postfix/qmgr[2730]: 6EB414592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug  7 15:37:34 vm2 postfix/smtpd[2731]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug  7 15:37:34 vm2 postfix/smtp[2736]: 6EB414592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.14, delays=0.04/0.01/0.08/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5A7BACA2147)
Aug  7 15:37:34 vm2 postfix/qmgr[2730]: 6EB414592B1: removed
Aug  7 15:51:41 vm2 postfix/postfix-script[2773]: stopping the Postfix mail system
Aug  7 15:51:41 vm2 postfix/master[2728]: terminating on signal 15
Aug  7 15:51:41 vm2 postfix/postfix-script[2851]: starting the Postfix mail system
Aug  7 15:51:41 vm2 postfix/master[2853]: daemon started -- version 3.3.1, configuration /etc/postfix


Aug  7 15:52:13 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: SSL_accept error from c8host.zintis.ops[192.168.111.1]: -1
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: lost connection after STARTTLS from c8host.zintis.ops[192.168.111.1]
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 commands=1/2
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: 4DDEE4592B1: client=c8host.zintis.ops[192.168.111.1]
Aug  7 15:52:59 vm2 postfix/cleanup[2860]: 4DDEE4592B1: message-id=<b3bb8fe2-c1a6-355f-436f-e40fa5488496@zintis.ops>
Aug  7 15:52:59 vm2 postfix/qmgr[2855]: 4DDEE4592B1: from=<zintis@zintis.ops>, size=625, nrcpt=1 (queue active)
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  7 15:52:59 vm2 postfix/smtp[2861]: 4DDEE4592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.27, delays=0.04/0.02/0.17/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 521A1CA2147)
Aug  7 15:52:59 vm2 postfix/qmgr[2855]: 4DDEE4592B1: removed
Aug  7 16:20:19 vm2 postfix/smtpd[2912]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 16:20:19 vm2 postfix/smtpd[2912]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug  7 16:20:19 vm2 postfix/smtpd[2912]: 848B54592B1: client=c8host.zintis.ops[192.168.111.1]
Aug  7 16:20:19 vm2 postfix/cleanup[2915]: 848B54592B1: message-id=<a50a0505-2d0c-9400-d1ec-74d7a961eda1@zintis.ops>
Aug  7 16:20:19 vm2 postfix/qmgr[2855]: 848B54592B1: from=<zintis@zintis.ops>, size=631, nrcpt=1 (queue active)
Aug  7 16:20:19 vm2 postfix/smtpd[2912]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  7 16:20:19 vm2 postfix/smtp[2916]: 848B54592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.22, delays=0.03/0.01/0.13/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8163FCA2147)
Aug  7 16:20:19 vm2 postfix/qmgr[2855]: 848B54592B1: removed
Aug  7 16:22:14 vm2 postfix/smtpd[2918]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 16:22:14 vm2 postfix/smtpd[2918]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug  7 16:22:14 vm2 postfix/smtpd[2918]: 9EB0B4592B1: client=c8host.zintis.ops[192.168.111.1]
Aug  7 16:22:14 vm2 postfix/cleanup[2921]: 9EB0B4592B1: message-id=<104d827e-f548-9987-5833-9e311c7a2826@zintis.ops>
Aug  7 16:22:14 vm2 postfix/qmgr[2855]: 9EB0B4592B1: from=<zintis@zintis.ops>, size=660, nrcpt=1 (queue active)
Aug  7 16:22:14 vm2 postfix/smtpd[2918]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  7 16:22:14 vm2 postfix/smtp[2922]: 9EB0B4592B1: to=<zintis@zintis.ops>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.17, delays=0.04/0.01/0.1/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 948C6CA2147)
Aug  7 16:22:14 vm2 postfix/qmgr[2855]: 9EB0B4592B1: removed
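
An added example (not from the page or from Postfix): a small audit of the postfix/smtpd lines in a maillog like the one above, so the before and after of the TLS setup can be checked mechanically rather than by eye. The sample lines are constructed, modelled on that log, with an invented unknown[192.0.2.10] client that never tries STARTTLS.

```python
# Added example, not from the page or from Postfix. Sample log lines are constructed.
import re
from collections import Counter

SAMPLE_MAILLOG = """\
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 15:36:13 vm2 postfix/smtpd[2633]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: SSL_accept error from c8host.zintis.ops[192.168.111.1]: -1
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Aug  7 15:52:13 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 commands=1/2
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: Anonymous TLS connection established from c8host.zintis.ops[192.168.111.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Aug  7 15:52:59 vm2 postfix/smtpd[2856]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  7 16:30:00 vm2 postfix/smtpd[2950]: connect from unknown[192.0.2.10]
Aug  7 16:30:01 vm2 postfix/smtpd[2950]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=4/5
"""

RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (.*)$")
RE_KEY_FAIL = re.compile(r'warning: cannot get RSA private key from file "([^"]+)"')
RE_SSL_ERR = re.compile(r"SSL_accept error from (\S+):")
RE_TLS_UP = re.compile(r"(Anonymous|Untrusted|Trusted|Verified) TLS connection established "
                       r"from (\S+): (\S+) with cipher (\S+)")
RE_DISCONNECT = re.compile(r"disconnect from (\S+) (.*)")
RE_STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")


def audit_smtpd(lines):
    """Classify every inbound session and collect the TLS trouble signs."""
    rep = {"key_load_failures": [], "handshake_failures": Counter(),
           "sessions": Counter(), "tls": Counter()}
    for line in lines:
        m = RE_SMTPD.search(line)
        if not m:
            continue                       # qmgr/cleanup/smtp lines: not inbound
        msg = m.group(1)
        if (k := RE_KEY_FAIL.search(msg)):
            rep["key_load_failures"].append(k.group(1))
        elif (e := RE_SSL_ERR.search(msg)):
            rep["handshake_failures"][e.group(1)] += 1
        elif (t := RE_TLS_UP.search(msg)):
            # 'Anonymous' means the peer presented no certificate: the session
            # is encrypted but the client is not authenticated by TLS
            rep["tls"][(t.group(3), t.group(4), t.group(1))] += 1
        elif (d := RE_DISCONNECT.search(msg)):
            client, stats = d.groups()
            s = RE_STARTTLS.search(stats)
            if s is None:
                status = "plaintext"        # client never tried STARTTLS
            elif s.group(2) and int(s.group(1)) < int(s.group(2)):
                status = "starttls_failed"  # e.g. starttls=0/1: tried, fell back
            else:
                status = "encrypted"
            rep["sessions"][(client, status)] += 1
    return rep


def findings(rep):
    """The one-line conclusions an admin wants from the counters."""
    out = [f"TLS disabled: smtpd could not read private key {p} (passphrase or permissions?)"
           for p in sorted(set(rep["key_load_failures"]))]
    out += [f"{n} TLS handshake failure(s) from {c}: check certificate and CA on both ends"
            for c, n in rep["handshake_failures"].items()]
    out += [f"{c}: {n} session(s) {status}" for (c, status), n in sorted(rep["sessions"].items())]
    out += [f"{n} session(s) {ver} {cipher}, peer certificate: {trust}"
            for (ver, cipher, trust), n in rep["tls"].items()]
    return out
```

Run it over the real file with audit_smtpd(open("/var/log/maillog").read().splitlines()); a starttls_failed count that stays above zero after the fix means clients are still falling back to plaintext.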

In setting up SSL for dovecot I got this message in /var/log/messages:

Aug 7 17:32:49 vm3 dovecot[1588]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Aug 7 17:32:49 vm3 dovecot[1588]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

18 Mail related ports:

Protocol     Usage           Plain text   Encrypted session only   Message store
POP3         incoming mail   110          995                      messages deleted from server
IMAP         incoming mail   143          993                      message stays on server
SMTP         outgoing mail   25           465
Submission   outgoing mail   587

19 dovecot debugging:

From iredmail.org : Turn on debug mode in Dovecot

Don't know where Dovecot config files are? check this tutorial: Locations of configuration and log files of major components.

To turn on debug mode in Dovecot, update the parameter below in the Dovecot config file dovecot.conf:

mail_debug = yes

Restart Dovecot service.

If you need authentication and password related debug message, turn on related settings and restart dovecot service.

auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes

If Dovecot service cannot start, please run it manually, it will print the error message on console:

dovecot -c /etc/dovecot/dovecot.conf
