Hi, I have setup some new email accounts in Virtualmin, which work using Usermin. When I setup email accounts in an email client, there are errors: Errors: mail.domain.com:admin@domain.com. SMTP. Trying to log in to this SMTP account failed. Verify that the username and password are correct.
domain.com. IMAP. Could not connect to thisSMTP server. Check your network connection and that you entered the correct information in the Account preferences. Also verify that the server supports SSL. If it does not, deselect the "Use SSL" checkbox in the Advanced tab of Account preferences.
smtp.domain.com:admin@domain.com. SMTP. Could not connect to thisSMTP server. Check your network connection and that you entered the correct information in the Account preferences. Also verify that the server supports SSL. If it does not, deselect the "Use SSL" checkbox in the Advanced tab of Account preferences.
I suspect there's a port setting or SSL setting needed in Virtualmin, however I cannot find any instructions to make it work yet.
Any suggestions welcome.
When I setup email accounts in an email client with the following settings:
Mail > Preferences > + > select radio button, Add Other Mail Account... > Continue > Full Name: admin@domain.com > Email Address: admin@domain.com > Password: > Create > Next > Account Type: IMAP > Mail Server: mail.domain.com > User Name: admin@domain.com > Password: > Next > Next > (Incoming Mail Server Info) Port: 993 > tick Use SSL > Authentication: Password > Next > (Outgoing Mail Server Info) SMTP Server: smtp.domain.com > User Name: admin@domain.com > Password: > Create.
So, tried all version of email client with Virtualmin/Usermin email. IMAP port 993 SSL IMAP port 143 SSL IMAP port 993 no SSL IMAP port 143 no SSL
Here's some of the /var/log/maillog data:
No other options left on email client as needs to be IMAP. Anyone know of a link on Virtualmin on how to setup the settings correctly so email works on Usermin and an email client?
I tried Virtualmin > Server Templates > Defaults Settings > Mail for Domain > Format for usernames that include domain > username@domain > Save and Next > Virtualmin > Edit Users > tick user to be deleted > Delete Selected Users > Yes, Delete Them > Add a user to this server., but same error.
Not quite sure if saslfinger will help. I installed and ran saslfinger with # saslfinger -c
saslfinger - postfix Cyrus sasl configuration Tue Dec 3 15:17:02 EST 2013 version: 1.0.2 mode: client-side SMTP AUTH -- basics -- Postfix: 2.6.6 System: CentOS release 6.4 (Final) -- smtp is linked to -- libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd4c7c7000) -- active SMTP AUTH and TLS parameters for smtp -- No active SMTP AUTH and TLS parameters for smtp in main.cf! SMTP AUTH can't work!Howdy,
You can verify what username to login as by going into Edit Users, and reviewing the "IMAP / POP3 / FTP login" field.
Also, to make sure that SMTPS and Submission are enabled, you can edit your /etc/postfix/master.cf file, and make sure the lines in there beginning with "Submission" and "SMTPS" are uncommented (along with all the lines following them that begin with "-o".
Then restart Postfix after making any changes to those.
-Eric
Thank you for the reply. Submission and SMTP are uncommented, so no changes needed there I think.
Not sure why but same error, so I'll keep researching, unless someone else has a suggestion?
Okay, so deleted all Virtualmin accounts, set format to user@domain.com and same error. Logs:
Are you still trying to use your home Internet connection for a server? Because in your first log excerpt I can see bounce messages from Hotmail: they rejected your mail because your IP is blacklisted.
I can't see any errors though in your last log, what's the problem there exactly?
Okay, so seems the consistent error is: Could not connect to this IMAP server. Check your network connection and that you entered the correct information in the Account preferences. Also verify that the server supports SSL. If it does not, deselect the "Use SSL" checkbox in the Advanced tab of Account preferences.
Try telnetting to the server's IP, port 143 (IMAP) or 993 (IMAPS), from the computer where you're doing these tests. If that fails, try a traceroute from that computer to the server. Check if Dovecot is listening on those ports on the server, and make sure no firewall is blocking access. If you're still doing your home-server thing, make sure ports are forwarded correctly and not blocked by your ISP.
And note that - as I said - your IP is on a blacklist. You won't be able to change that, so if you use this system as your server, you won't be able to send emails to a number of destinations, here Hotmail.
Thanks. Telnet failed on 143 and 993, but worked on 25.
telnet domain.com 25 Trying WANIP... Connected to domain.com. Excape character is '^]'. 220 centos.com ESMTP Postfix 421 4.4.2 centos.com Error: timeout exceeded Connection closed by foreign host.
telnet domain.com 143 Trying WANIP... telnet: connect to address WANIP: Operation timed out telnet: Unable to connect to remote host
telnet domain.com 993 Trying WANIP... telnet: connect to address WANIP: Operation timed out telnet: Unable to connect to remote host
Checked iptables in Terminal > localhost > iptables -L -n
service iptables stop
telnet domain.com 143 Trying WANIP... telnet: connect to address WANIP: Operation timed out telnet: Unable to connect to remote host
telnet domain.com 993 Trying WANIP... telnet: connect to address WANIP: Operation timed out telnet: Unable to connect to remote host
traceroute localhost
I port forwarded IMAPS 993 to localhost, telnet domain.com 993 now works. Email client still has same error, so deleted email accounts, restarted email and added back again. 1 of 2 email accounts seems to register, but unable to send or receive emails.
You left your domain in your last post, I checked the IP and it is classified as a residential connection. You can run your own mail server, but to 99% of the internet, the mail you send out will end up either blocked or flagged as SPAM.
Your hostname on your server also seems to be incorrect as well. Your server claims to be "centos.com" which is incorrect and invalid.
Also a lot of residential ISPs block traceroute, it can be used maliciously. So don't take too much heart in what you see.
I use IntoVPS, they have worldwide locations, and their basic VPS is $10/month. No email problems, and no changing things around when DHCP gives you a new IP. Depends on how much this is worth to you.
Thanks. What do you mean by residential? Do you mean DHCP rather than static, as I can fix that? Not sure why centos.com is wrong as this is what Virtualmin setup and works in Usermin. Forwarded ports 993 and 143 which help the email client remove some errors, but still not sending or receiving email.
Here's the latest /var/log/maillog
With "residential" he meant using your home DSL to operate a server. Like I myself noted multiple times, a lot of issues you're seeing is stemming from that. So here's once more and a final time my suggestion to NOT use your home connection for a server! If you insist on doing that, I wish, you good luck, because I can't really help any further.
I see a number of DNS lookup failures in your logs.
You may want to verify that the DNS server listed in /etc/resolv.conf is correct, and that the BIND service is running.
Also, I see you have a firewall setup on your server.
With all the problems you seem to be having, I'd suggest keeping that turned off, until you've gotten everything working.
-Eric
Okay, so I have setup a dynamic dns which is running. Researching Virtualmin forum for how to configure Virtualmin with the dyndns.
Is anyone able to help with setting up Virtualmin now with the dyndns I have setup? Research says this should fix the email issue and future Virtualmin use.
Having a dyndns hostname will not help you when your IP is blacklisted due to being a dialup. Also, operating nameservers on a dynamic DHCP-assigned home IP is a no-go. You'll run into a lot of trouble with your setup.
Thank you for the replies. Well, my ISP is setting my IP as a business account. Internet connection is not a dialup connection. Look forward to some positive feedback and help how to get the email going on Virtualmin, as I now have my regular email not getting through ports 143 and 993.
Still working on finalising the ddns setup which seems to be needed according to research. Any help welcome.
Okay, so testing Virtualmin/Usermin works internally between email@domain1.com to email@domain2.com and email@domain3.com. email@domain3.com receives external email okay on Virtualmin/Usermin.
Mac and iPhone give similar errors of: The IMAP server "mail.domain3.com" is not responding. Check your network connection and that you entered the correct information in the "Incoming Mail Server" field.
Mac and iPhone have similar settings: Advanced Incoming Settings Use SSL: ON Authentication: Password IMAP Path Prefix: INBOX Server Port: 993
Are you able to telnet into port 143 and 993?
If not -- then you're still seeing some sort of NAT, firewall, or routing issue.
You'd need to make sure your firewall on your server isn't preventing access to those ports, and verify that your router is forwarding those ports to your server.
-Eric
Yes, telnet results are same as several weeks ago with connection.
Port 143.
Port 993.
iptables -L -n shows all ports are open
/etc/postfix/master.cf file has details below:
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes #submission inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # #maildrop unix - n n - - pipe # flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # # ==================================================================== # # The Cyrus deliver program has changed incompatibly, multiple times. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # #uucp unix - n n - - pipe # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # ==================================================================== # # Other external delivery methods. # #ifmail unix - n n - - pipe # flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) # #bsmtp unix - n n - - pipe # flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient # #scalemail-backend unix - n n - 2 pipe # flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store # ${nexthop} ${user} ${extension} # #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yesThe maillog gives 12000 lines of similar looking errors like this sample: (also, I don't know who those email addresses are as I don't know any of them? Seem to have been automatically generated).
You did your telnet test in your LAN apparently. To be meaningful for a connectivity test, you need to do them over the internet. What's the external IP in question?
The error messages in your log indicate two things: you still have DNS issues, and a spammer/hacker possibly already got a hold of your server and is trying to use it to send out spam. I don't see why else your system would be trying to send 12000 mails to random Hotmail addresses.
You should immediately disconnect it from the internet until you get this issue fixed. This is no joke anymore! Your experimental server is beginning to constitute a danger for the internet.
Thank you for the reply.
12000 lines of code I mentioned aren't 12000 emails/hackers, so please don't jump to conclusions too hastily. The setup of Virtualmin is not a joke, so please post serious posts to assist in addressing the setup of Virtualmin. If you have any constructive suggestions re possible hackers, please post some info on that, as turning off Virtualmin is not a viable solution.
Tested WAN and error: telnet WAN_IP 143 Connecting To WAN_IP...Could not open connection to the host, on port 143: Connect failed
telnet WAN_IP 993 Connecting To WAN_IP...Could not open connection to the host, on port 993: Connect failed
Router has ports 23, 143 and 993 forwarded to the server's LAN IP.
Please read my posts closely. I did not say "12000 hackers". I said SOME hacker potentially found a security issue and is abusing your server to send out spam.
Your log clearly indicates - since you said you don't know these addresses and there's 12000 of those lines - that your server is trying to send thousands of email to random Hotmail addresses. No server or software is doing that just like that! So my post was very serious!
You're most likely going to be blocked by DNSBL lists, and your ISP is going to receive complaints about your server if you don't resolve this issue. So disconnecting your server from the net until this is resolved is not only viable, but necessary! As long as you keep it connected with the possible security hole present, even more hackers are going to find their way into it. In addition to it contributing to the threat that hacked servers on the net constitute.
As for "constructive suggestions": My apologies. Normally I'd gladly help you out, but with the myriads of problems you've been having since you started setting up this server, in this and other forum threads, my main suggestion would be doing a clean reinstall. Since you're not able to get paid support, anything else would probably be too time consuming to try and debug from my end.
Port 23? I suppose you mean port 25?
If you can't connect to those ports from the outside, and you are 100% sure you forwarded them correctly in your router, they are blocked along the way. It's possible your ISP is blocking them; potentially (and especially port 25) they are blocking them due to the possible hacker issue. So before you do further debugging, you might want to contact them and ask them if any blocks are in place or complaints have been received.
I've seen ISPs that block some specific ports that are prone to abuse by hackers by default for their users. So if you want to operate a server on your home connection, you might want to ask them if such generic blocks are in place and if they can be lifted. Of course, before you do that, you need to make sure that your server is clean.
Hi, I did mean port 23, to ensure Telnet packets can be sent and received. Port 25 is also another port that's forwarded.
So, does anyone know how to fix this Virtualmin security flaw if my server is having hackers send random emails from my email?
Would paid support fix it or is it impossible?
Working on clean up now and testing port again to get emails working.
It's unlikely that you're experiencing a Virtualmin security issue.
The issue you're seeing normally happens either when a web app installed in one of your domains is compromised, or when the passwords to one of your accounts is guessed.
You would need to review the headers of the emails in your mail queue in order to determine where they are coming from.
-Eric
Thank you, I updated all email passwords and will monitor this. I checked the maillogs which seems to determine which email account the hacker is using, so I should be able to notice any difference shortly.
Having thought about this, it could also be occurring from the website's forum, which has Captcha security, however spam accounts still seem to be generated.
I have checked the ISP who has the ports open and the router has the ports forwarded, so all I can think of is setting a static IP address. I have a static WAN IP setup, however if there are any suggestion how to configure, this would be helpful.
What would you need telnet for? It's unencrypted and sends everything in clear text including passwords, you should definitely use SSH instead.
Okay, after much ado, the ISP says cable won't be given a static IP. I have setup a DDNS, however some German sites have still blacklisted the email server. Still can't get the email working on email clients, but the email does work on the local server?
Any suggestions on how to setup the static IP? or get the DDNS working?
If your ISP does not give you a static IP, there's nothing you can do. If your dynamic IPs are on blacklists, there's also nothing you can do.
You simply can NOT (reliably) use your home-hosted machine as an outgoing email server, you should accept that fact. All you can use it for is incoming email, provided the MX records are set properly, since that direction is not affected by blacklists.
Make sure you get a DynDNS service with a very low TTL (time to live) for its dynamic host entries. Otherwise, when your IP changes, mail to your server can get delivered to the wrong machine while the dynamic host is updated. That means, if the user who gets your old IP after you happens to also be running a mail server, he'll receive the mail that's meant to go to you. Also take note that there are DNS servers/relays that don't accept very short TTLs and still cache entries for a while, so receiving email using that method on your home-hosted machine can be unreliable.
For outgoing mail, your best bet is using a smarthost, which means getting an email account on some external service and instruct your local Postfix to send all outgoing email via that service, and authenticate itself with your credentials.
That has some implications of course. For one, the service you choose must allow you using it for a local server as opposed for "private use". And, you are potentially personally responsible for the email your users send, since it all goes through your email account.
All fixed. All fixed, doesn't work through email client, only webmail, but good enough for now until the ISP allow a static IP.