For some reason my mail client cannot connect to newly built FreeBSD mail server to send emails - connection refused. Originally I was intending to build secure connection using SASL2 and TLS/SSL but like I said I experience difficulties connecting to SMTP server.


My observations:

1. Receiving of emails works fine via Courier IMAP (993)

2. Squirrelmail installed on the system DOES allow to send with SMTP Authentication set to 'none' and TLS set to 'false'. So far this is the only way of responding to emails.

3. Posffix was compiled with SASL2 (see below):
one# make showconfig
===> The following configuration options are available for postfix-2.6.1,1:
PCRE=on "Perl Compatible Regular Expressions"
SASL2=on "Cyrus SASLv2 (Simple Auth. and Sec. Layer)"
DOVECOT=off "Dovecot SASL authentication method"
SASLKRB=off "If your SASL req. Kerberos select this option"
SASLKRB5=off "If your SASL req. Kerberos5 select this option"
SASLKMIT=off "If your SASL req. MIT Kerberos5 select this option"
TLS=on "Enable SSL and TLS support"
BDB=off "Berkeley DB (choose version with WITH_BDB_VER)"
MYSQL=off "MySQL maps (choose version with WITH_MYSQL_VER)"
PGSQL=off "PostgreSQL maps (choose with DEFAULT_PGSQL_VER)"
OPENLDAP=off "OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)"
CDB=off "CDB maps lookups"
NIS=off "NIS maps lookups"
VDA=off "VDA (Virtual Delivery Agent)"
TEST=off "SMTP/LMTP test server and generator"
===> Use 'make config' to modify these settings


4. SMTP is set to listen to the outside world:
one# netstat -a | grep 'smtp'
tcp4 0 0 *.smtp *.* LISTEN
ffffff0001b348b8 stream 0 0 ffffff0001ceb3f0 0 0 0 private/smtp


5. I can telnet localhost 25 and openssl localhost:25 during my ssh session.

6. Here's the output of postconf -n

broken_sasl_auth_clients = yes
canonical_maps = hash:/usr/local/etc/postfix/canonical
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/share/examples/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/sasldb2
smtp_tls_CAfile = /usr/local/openssl/certs/mailexpeditor.com-CAcert.pem
smtp_tls_cert_file = /usr/local/openssl/certs/one.mailexpeditor.com-cert.pem
smtp_tls_key_file = /usr/local/openssl/certs/one.mailexpeditor.com-unencrypted-key.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/openssl/certs/mailexpeditor.com-CAcert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/openssl/certs/one.mailexpeditor.com-cert.pem
smtpd_tls_key_file = /usr/local/openssl/certs/one.mailexpeditor.com-unencrypted-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain1.co.uk, domain2.com
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

7. I tried connecting to SMTP with "no authentication" and "no SSL" set in mail client (as in case with Squirrelmail) but all I get is email back with "Relay access denied" in tail -f /var/log/maillog:
Jun 30 16:41:41 one postfix/smtpd[23319]: NOQUEUE: reject: RCPT from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]: 554 5.7.1 <sometestaccount@gmail.com>: Relay access denied; from=<myemail@domain1.co.uk> to=<sometestaccount@gmail.com> proto=ESMTP helo=<gnrPC>


8. If I set mail client to authenticate and use SSL result in log is as follows:
Jun 30 16:47:16 one postfix/smtpd[23346]: connect from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]
Jun 30 16:47:16 one postfix/smtpd[23346]: lost connection after UNKNOWN from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]
Jun 30 16:47:16 one postfix/smtpd[23346]: disconnect from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]



Not sure why this is happening. Help please!

You still need to allow the 127.0.0.0/8 localnet.
Add the following to /usr/local/etc/postfix/main.cf and see if it works
mynetworks = 127.0.0.0/8

What about master.cf? Is it configured properly?

You still need to allow the 127.0.0.0/8 localnet.
Add the following to /usr/local/etc/postfix/main.cf and see if it works
mynetworks = 127.0.0.0/8

Thanks for your reply rbelk. Server is in remote office with no local network. All clients are remote on dynamic IPs. Not to question your experience but given the circumstances will it change anything?

What about master.cf? Is it configured properly?

Hi Vivek,


Can you pls have a look and say if you see anything misconfigured?

here goes:



smtp inet n - n - - smtpd
-o content_filter=spamd:
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticate d,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticate d,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ================================================== ==================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ================================================== ==================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ================================================== ==================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ================================================== ==================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ================================================== ==================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient
#
# ================================================== ==================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipien
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

spamd unix - n n - - pipe
flags=Rq user=spamd argv=/usr/local/bin/spamd.sh -f ${sender} -- ${recipient}