Working email server suddenly broken

Question

Alright, so the background on this server is: I installed postfix/dovecot/spamassassin/opendkim on an Ubuntu 14.04 server running on AWS. After a bit of pulling my hair out, everything worked. Why, oh why, I didn't just leave the damn thing alone -- well, we'll never know the answer to that. I upgraded it to Ubuntu 16.04, and everything actually worked after the upgrade! I had made a backup image just in case, but to get things up and running required only a single change in one config file.

And then, for some inexplicable reason, my residential IP changed (it's supposed to be static, I've had the same IP for over a year and a half now).

Now, when I try and send an email from Thunderbird, I get this in /var/log/mail.log:

Sep  4 14:03:19 ip-x-x-59-35 postfix/master[2746]: reload -- version 3.1.0, configuration /etc/postfix
Sep  4 14:03:30 ip-x-x-59-35 postfix/smtpd[2933]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Sep  4 14:03:30 ip-x-x-59-35 postfix/smtpd[2933]: connect from unknown[x.x.x.61]
Sep  4 14:03:30 ip-x-x-59-35 postfix/smtpd[2933]: warning: connect to Milter service unix:/opendkim/opendkim.sock: Connection refused
Sep  4 14:03:30 ip-x-x-59-35 postfix/smtpd[2933]: Anonymous TLS connection established from unknown[x.x.x.61]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  4 14:03:30 ip-x-x-59-35 postfix/smtpd[2933]: NOQUEUE: reject: RCPT from unknown[x.x.x.61]: 550 5.7.25 Client host rejected: cannot find your hostname, [x.x.x.61]; from=<blanked> to=<blanked> proto=ESMTP helo=<[192.168.0.10]>
Sep  4 14:03:32 ip-x-x-59-35 postfix/smtpd[2933]: disconnect from unknown[x.x.x.61] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

The only place my IP is even in a config file was in /etc/postfix/main.cf, so I went in there and updated it (to x.x.x.0/24, as it was before). Restarted postfix, still not working. I'm also extremely confused as to why opendkim is refusing the connection over the socket...

If anyone can provide some insight, it would be extremely appreciated. I can provide more info as needed. I initially followed this four-part tutorial on setting up an email server. My config files are almost identical to those in part 2 of the tutorial.

EDIT: I started looking back through the logs for the last week (before this problem started). The opendkim socket has been refusing connections for a while now, but the mail server was still working while that was happening. I noticed a major difference in the logs when my laptop connects to the server to send mail. Here's what it looked like before the IP change:

Aug 29 17:03:43 ip-35 postfix/smtpd[22986]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Aug 29 17:03:43 ip-35 postfix/smtpd[22986]: connect from CPE00fc8d374753-CM00fc8d374750.cpe.net.cable.rogers.com[old.ip.138.5]
Aug 29 17:03:43 ip-35 postfix/smtpd[22986]: warning: connect to Milter service unix:/opendkim/opendkim.sock: Connection refused
Aug 29 17:03:43 ip-35 postfix/smtpd[22986]: Anonymous TLS connection established from **cpe00fc8d374753-cm00fc8d374750.cpe.net.cable.rogers.com**[old.ip.138.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 29 17:03:43 ip-35 postfix/smtpd[22986]: 8931F80078: client=CPE00fc8d374753-CM00fc8d374750.cpe.net.cable.rogers.com[old.ip.138.5], sasl_method=PLAIN, sasl_username=username@website.com

Notice how there's a hostname before the IP? That is missing now, and the error that it sends to Thunderbird is that it cannot find my hostname. I believe in setting up the server this was one of the security options that I turned on. I'm really stumped on how to fix it without compromising the security of the mail server.

Also, the opendkim thing is very strange. OpenDkim was the one thing I had to change after the switch to 16.04 -- because of the switch to systemctl (systemd), it had created a new file for the opendkim service. For some reason, opendkim was looking in a different place for its configuration file, so I just added an argument to that .service file to point it at the config file /etc/opendkim.conf ... and it worked fine. I specifically checked to make sure that it started and worked properly. So I'm really scratching my head.

Your email client should be connecting to port 587, not port 25. — Michael Hampton, Sep 04 '16 at 18:22
Your opendkim is dead too "unix:/opendkim/opendkim.sock: Connection refused" — Dom, Sep 04 '16 at 18:27

score 1 · Accepted Answer · answered Sep 04 '16 at 22:01

The problem was indeed that my ISP, for some strange reason, does not send a hostname along with my IP to my mail server when I send an email. So, because of the smtpd_sender_restrictions and smtpd_recipient_restictions in /etc/postfix/main.cf, it was denying unknown hostnames.

It looked like this:

smtpd_recipient_restrictions = reject_unknown_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch

You'll notice that permit_mynetworks comes after reject_unknown_client_hostname. To fix this, I just had to move permit_mynetworks to the front of the list, and also added it to the sender_restrictions list. In the variable mynetworks, I put in my specific IP instead of ending it in .0 to avoid others being able to send (although they would still need my password). I'm not sure if moving that has any big security reprecussions, and if anyone can find a better way to solve it, I would greatly appreciate it!

The opendkim thing is still not working, but that's a separate problem.

Working email server suddenly broken

1 Answers1