311 lines
20 KiB
HTML
311 lines
20 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Errors you may see while maintaining iRedMail server</title>
|
|
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="https://www.iredmail.org" target="_blank">
|
|
<img alt="iRedMail web site"
|
|
src="./images/logo-iredmail.png"
|
|
style="vertical-align: middle; height: 30px;"
|
|
/>
|
|
<span>iRedMail</span>
|
|
</a>
|
|
// <a href="./index.html">Document Index</a></div><h1 id="errors-you-may-see-while-maintaining-iredmail-server">Errors you may see while maintaining iRedMail server</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#errors-you-may-see-while-maintaining-iredmail-server">Errors you may see while maintaining iRedMail server</a><ul>
|
|
<li><a href="#postfix-smtp">Postfix (SMTP)</a><ul>
|
|
<li><a href="#intended-policy-rejection-please-try-again-later">Intended policy rejection, please try again later</a></li>
|
|
<li><a href="#sender-address-rejected-not-logged-in">Sender address rejected: not logged in</a></li>
|
|
<li><a href="#sender-address-rejected-not-owned-by-user-userdomainltd">Sender address rejected: not owned by user user@domain.ltd</a></li>
|
|
<li><a href="#recipient-address-rejected-smtp-auth-is-required-for-users-under-this-sender-domain">Recipient address rejected: SMTP AUTH is required for users under this sender domain</a></li>
|
|
<li><a href="#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username">Recipient address rejected: Sender is not same as SMTP authenticate username</a><ul>
|
|
<li><a href="#case-1">case #1</a></li>
|
|
<li><a href="#case-2">case #2</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#unreasonable-virtual_alias_maps-map-expansion-size-for-userdomaincom">unreasonable virtual_alias_maps map expansion size for user@domain.com</a></li>
|
|
<li><a href="#helo-command-rejected-need-fully-qualified-hostname">Helo command rejected: need fully-qualified hostname</a></li>
|
|
<li><a href="#helo-command-rejected-host-not-found">Helo command rejected: Host not found</a></li>
|
|
<li><a href="#helo-command-rejected-access-denied-your-email-was-rejected-because-the-sending-mail-server-does-not-identify-itself-correctly-local">Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (.local)</a></li>
|
|
<li><a href="#warning-do-not-list-domain-mydomaincom-in-both-mydestination-and-virtual_mailbox_domains">warning: do not list domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#dovecot-imap-pop3">Dovecot (IMAP / POP3)</a><ul>
|
|
<li><a href="#plaintext-authentication-not-allowed-without-ssltls">Plaintext authentication not allowed without SSL/TLS</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#amavisd">Amavisd</a><ul>
|
|
<li><a href="#connect-to-12700112700110024-connection-refused">connect to 127.0.0.1[127.0.0.1]:10024: Connection refused</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<h2 id="postfix-smtp">Postfix (SMTP)</h2>
|
|
<h3 id="intended-policy-rejection-please-try-again-later">Intended policy rejection, please try again later</h3>
|
|
<p>Sample error message in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Jul 24 06:43:08 mx0 postfix/smtpd[12719]: NOQUEUE: reject: RCPT from sender.com[xx.xx.xx.xx]: 451 4.7.1 <a href="mailto:recipient@my-domain.com">recipient@my-domain.com</a>: Recipient address rejected: <strong class="red">Intentional policy rejection, please try again later</strong>; from=<a href="mailto:sender@sender-domain.com">sender@sender-domain.com</a> to=<a href="mailto:recipient@my-domain.com">recipient@my-domain.com</a> proto=SMTP helo=<mx2.sender.com></p>
|
|
</blockquote>
|
|
<p>This error is caused by greylisting service, sender server will retry to
|
|
deliver the same email, and your server will accept it after few retries.</p>
|
|
<ul>
|
|
<li>For more technical details about Greylisting, please visit:<ul>
|
|
<li><a href="http://greylisting.org">Homepage: What is greylisting?</a></li>
|
|
<li><a href="http://greylisting.org/articles/">Articles about greylisting</a></li>
|
|
</ul>
|
|
</li>
|
|
<li>To manage greylisting service, please read iRedAPD tutorial: <a href="./manage.iredapd.html#greylisting">Manage iRedAPD: Greylisting</a></li>
|
|
</ul>
|
|
<h3 id="sender-address-rejected-not-logged-in">Sender address rejected: not logged in</h3>
|
|
<p>Sample error message in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Jun 24 11:57:13 mx1 postfix/smtpd[2667]: NOQUEUE: reject: RCPT from
|
|
mail.mydomain.com[1.2.3.4]: 553 5.7.1 <sombody@my-domain.com>: <strong class="red">Sender address
|
|
rejected: not logged in</strong>; from=<sombody@my-domain.com>
|
|
to=<receipent@receipentdomain.com> proto=ESMTP helo=<client_helo.com></p>
|
|
</blockquote>
|
|
<p>This error is caused by incorrectly configured mail client application, not a
|
|
server issue.</p>
|
|
<p>All mail users are forced to perform SMTP auth before sending email, so you
|
|
must configure your mail client applications (Outlook, Thunderbird, ...) to
|
|
enable SMTP authentication.</p>
|
|
<h3 id="sender-address-rejected-not-owned-by-user-userdomainltd">Sender address rejected: not owned by user user@domain.ltd</h3>
|
|
<p>This error is caused by restriction rule <code>reject_sender_login_mismatch</code> in
|
|
Postfix parameter <code>smtpd_recipient_restrictions</code>, in file <code>/etc/postfix/main.cf</code>:</p>
|
|
<pre><code>smtpd_recipient_restrictions =
|
|
...
|
|
reject_sender_login_mismatch,
|
|
...
|
|
</code></pre>
|
|
|
|
<p>It will reject the request when $smtpd_sender_login_maps specifies an owner
|
|
for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL
|
|
FROM address owner; or when the client is (SASL) logged in, but the client
|
|
login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
|
|
Check <a href="http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch">manual page of Postfix configuration file</a> for more details.</p>
|
|
<p>Removing <code>reject_sender_login_mismatch</code> and restarting Postfix service fixes
|
|
this issue.</p>
|
|
<div class="admonition note">
|
|
<p class="admonition-title">Note</p>
|
|
<p>If you want to allow some users to send as other users, or allow all users
|
|
to send as their alias addresses, or allow member of mail list/alias to send
|
|
as mail list/alias, you should try iRedAPD plugin <code>reject_sender_login_mismatch</code>
|
|
instead (requires iRedAPD-1.4.4 or later releases).</p>
|
|
<p>Read comments in file <code>/opt/iredapd/plugins/reject_sender_login_mismatch.py</code>,
|
|
then enable it in iRedAPD config file <code>/opt/iredapd/settings.py</code> (<code>plugins =</code>),
|
|
restart iRedAPD service. That's all.</p>
|
|
</div>
|
|
<h3 id="recipient-address-rejected-smtp-auth-is-required-for-users-under-this-sender-domain">Recipient address rejected: SMTP AUTH is required for users under this sender domain</h3>
|
|
<blockquote>
|
|
<p>With old iRedAPD releases, the error messages may be one of below:</p>
|
|
<ul>
|
|
<li><code>SMTP AUTH is required, or it is a spam with forged sender domain</code></li>
|
|
<li><code>Recipient address rejected: Policy rejection not logged in</code></li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>This error message means sender domain is hosted locally on your iRedMail
|
|
server, but sender doesn't perform SMTP AUTH to send email.</p>
|
|
<ol>
|
|
<li>If the email is not sent by a server or device under your control, most
|
|
likely this email is spam with forged sender address, it's safe to ignore it
|
|
in this case.</li>
|
|
<li>If the email is sent from your server, that means your MUA (Mail User Agent,
|
|
e.g. Outlook, Thunderbird, etc) is not configured to perform SMTP
|
|
authentication to send email. Enabling smtp auth will fix this automatically.</li>
|
|
<li>
|
|
<p>If the email is sent from a server or device <strong>NOT</strong> under your control,
|
|
you want to bypass the email sent from this sender address but not the whole
|
|
server, please list this sender address in iRedAPD config file
|
|
<code>/opt/iredapd/settings.py</code>, parameter <code>ALLOWED_FORGED_SENDERS</code> like below:</p>
|
|
<p><code>ALLOWED_FORGED_SENDERS = ['user@domain.com']</code></p>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Warning</p>
|
|
<p>With this setting, iRedAPD accepts all emails with this forged address
|
|
from <strong>ANY</strong> mail server.</p>
|
|
</div>
|
|
<p>Notes:</p>
|
|
<ul>
|
|
<li>This parameter doesn't exist in <code>/opt/iredapd/settings.py</code> by default,
|
|
feel free to add it manually. You can find detailed comments in file
|
|
<code>/opt/iredapd/libs/default_settings.py</code>, read the comments to understand
|
|
it better.</li>
|
|
<li>This parameter name must be in upper cases.</li>
|
|
</ul>
|
|
</li>
|
|
<li>
|
|
<p>If the email is sent by a server or device under your control and you want to
|
|
trust this server/device and bypass all emails, you can whitelist the IP
|
|
address of this server/device in iRedAPD config file <code>/opt/iredapd/settings.py</code> like below:</p>
|
|
<p><code>MYNETWORKS = ['192.168.0.10', '192.168.0.20', '192.168.0.30']</code></p>
|
|
<p>Notes:</p>
|
|
<ul>
|
|
<li>This parameter doesn't exist in <code>/opt/iredapd/settings.py</code> by default,
|
|
feel free to add it manually. You can find detailed comments in file
|
|
<code>/opt/iredapd/libs/default_settings.py</code>, read the comments to understand
|
|
it better.</li>
|
|
<li>This parameter name must be in upper cases.</li>
|
|
</ul>
|
|
</li>
|
|
</ol>
|
|
<h3 id="recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username">Recipient address rejected: Sender is not same as SMTP authenticate username</h3>
|
|
<h4 id="case-1">case #1</h4>
|
|
<p>If the smtp authenticate username is different than the address in mail header
|
|
<code>From:</code> field, you will get this rejection (by iRedAPD).</p>
|
|
<p>Solutions:</p>
|
|
<ul>
|
|
<li>If you don't need to send as different sender, please update your mail
|
|
composer (like Outlook, Thunderbird, webmail, your own script used to send
|
|
email, etc) to use same address as smtp authenticate username and sender
|
|
address in <code>From:</code>.</li>
|
|
<li>If you do need to send as different sender address (<code>From:</code>), please add one
|
|
setting in iRedAPD config file <code>/opt/iredapd/settings.py</code>, then restart
|
|
iRedAPD service:</li>
|
|
</ul>
|
|
<pre><code>ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@mydomain.com']
|
|
</code></pre>
|
|
|
|
<p>Notes: <code>user@mydomain.com</code> is the email address you used for smtp authentication.</p>
|
|
<h4 id="case-2">case #2</h4>
|
|
<p>If you're a member of mailing list or mail alias, and trying to send email with
|
|
the email address of mailing list/alias as sender address, you will get same
|
|
error. There's another setting you can try (either one is ok):</p>
|
|
<pre><code>ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True
|
|
</code></pre>
|
|
|
|
<p>It will allow all members of mailing list/alias to send email with the email
|
|
of mailing list/alias as the sender address.</p>
|
|
<h3 id="unreasonable-virtual_alias_maps-map-expansion-size-for-userdomaincom">unreasonable virtual_alias_maps map expansion size for user@domain.com</h3>
|
|
<p>Sample error message in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Feb 11 19:59:06 mail postfix/cleanup[30575]: warning: 23C334232FB3:
|
|
<strong class="red">unreasonable virtual_alias_maps map expansion size</strong> for
|
|
user@domain.com -- deferring delivery</p>
|
|
</blockquote>
|
|
<p>It means the maximal number of addresses that virtual alias expansion produces
|
|
from each original recipient exceeds hard limit, please either increase the
|
|
hard limit (default is 1000), or reduce alias members.</p>
|
|
<p>To increase the limit to, for example, 1500, please add below setting in
|
|
Postfix config file <code>/etc/postfix/main.cf</code>:</p>
|
|
<pre><code>virtual_alias_expansion_limit = 1500
|
|
</code></pre>
|
|
|
|
<p>Reference: <a href="http://www.postfix.org/postconf.5.html#virtual_alias_expansion_limit">Postfix Configuration Parameters</a></p>
|
|
<h3 id="helo-command-rejected-need-fully-qualified-hostname">Helo command rejected: need fully-qualified hostname</h3>
|
|
<p>Sample error message in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Sep 22 08:51:03 mail postfix/smtpd[22067]: NOQUEUE: reject: RCPT from
|
|
dslb-092-074-062-133.092.074.pools.vodafone-ip.de[92.74.62.133]: 504 5.5.2
|
|
<EHSGmbHLUCASPC>: <strong>Helo command rejected: need fully-qualified hostname</strong>;
|
|
from=<a href="mailto:user@domain-a.com">user@domain-a.com</a> to=<a href="mailto:user@domain-b.com">user@domain-b.com</a> proto=ESMTP helo=<EHSGmbHLUCASPC></p>
|
|
</blockquote>
|
|
<p>According to RFC document, HELO identity must be a FQDN (fully-qualified
|
|
hostname). Sender sends <code>EHSGmbHLUCASPC</code> as HELO hostname, but it's not a FQDN.
|
|
It's sender's fault, not your mistake.</p>
|
|
<p>As a temporary solution, you can whitelist this HELO hostname
|
|
by adding a line like below at the top of file <code>/etc/postfix/helo_access.pcre</code>
|
|
(Linux/OpenBSD) or <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD):</p>
|
|
<pre><code>/^EHSGmbHLUCASPC$/ OK
|
|
</code></pre>
|
|
|
|
<h3 id="helo-command-rejected-host-not-found">Helo command rejected: Host not found</h3>
|
|
<p>Sample error message in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Aug 13 08:07:14 mail postfix/smtpd[8606]: NOQUEUE: reject: RCPT from mta02.globetel.com.ph[120.28.49.114]: 450 4.7.1 <mta02.globetel.com>: Helo command rejected: Host not found; from=<a href="mailto:tcadd01@globetel.com.ph">tcadd01@globetel.com.ph</a> to=<a href="mailto:user@example.com">user@example.com</a> proto=ESMTP helo=<mta02.globetel.com></p>
|
|
</blockquote>
|
|
<p>Postfix does DNS query to verify whether A type of DNS record of HELO domain
|
|
name <code>mta02.globetel.com</code> exists, if not, Postfix rejects the email.</p>
|
|
<p>As a temporary solution, you can whitelist this HELO hostname
|
|
by adding a line like below at the top of file <code>/etc/postfix/helo_access.pcre</code>
|
|
(Linux/OpenBSD) or <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD):</p>
|
|
<pre><code>/^mta02\.globetel\.com$/ OK
|
|
</code></pre>
|
|
|
|
<h3 id="helo-command-rejected-access-denied-your-email-was-rejected-because-the-sending-mail-server-does-not-identify-itself-correctly-local">Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (.local)</h3>
|
|
<p>It means sender mail server uses a FQDN hostname which ends with <code>.local</code> as
|
|
HELO identity. <code>.local</code> is not a valid top level domain name, and all mail
|
|
servers should use a valid domain name which is resolvable from DNS query.</p>
|
|
<p>Two solutions:</p>
|
|
<ol>
|
|
<li>Temporarily remove this HELO check rule on YOUR server, in file
|
|
<code>/etc/postfix/helo_access.pcre</code> (Linux/OpenBSD) or
|
|
<code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD), then reload Postfix
|
|
service.</li>
|
|
<li>Ask sender server system administrator to correct their HELO identity, they
|
|
will experience same issue while sending email to others.</li>
|
|
</ol>
|
|
<h3 id="warning-do-not-list-domain-mydomaincom-in-both-mydestination-and-virtual_mailbox_domains">warning: do not list domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</h3>
|
|
<p>Sample log in Postfix log file:</p>
|
|
<blockquote>
|
|
<p>Feb 20 03:31:54 mail postfix/trivial-rewrite[2216]: warning: do not list
|
|
domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</p>
|
|
</blockquote>
|
|
<p>This error message means mail domain name <code>mydomain.com</code> is:</p>
|
|
<ul>
|
|
<li>listed in Postfix parameter <code>mydestination</code>. Most probably, this domain name
|
|
is value of Postfix parameter <code>myhostname</code>, and <code>myhostname</code> is value of
|
|
<code>mydestination</code>.</li>
|
|
<li>a virtual mail domain name. Most probably, you added this domain with
|
|
iRedAdmin.</li>
|
|
</ul>
|
|
<p>To solve this, please either use a different <code>myhostname</code> or don't use this
|
|
domain name as mail domain (remove it with iRedAdmin). To use a different value
|
|
for Postfix parameter <code>myhostname</code>, you must also
|
|
<a href="./change.server.hostname.html">change server hostname</a>.</p>
|
|
<h2 id="dovecot-imap-pop3">Dovecot (IMAP / POP3)</h2>
|
|
<h3 id="plaintext-authentication-not-allowed-without-ssltls">Plaintext authentication not allowed without SSL/TLS</h3>
|
|
<p>Error message in Dovecot log file:</p>
|
|
<blockquote>
|
|
<p>[ALERT] Plaintext authentication not allowed without SSL/TLS, but your client
|
|
did it anyway. If anyone was listening, the password was exposed.</p>
|
|
</blockquote>
|
|
<p>Dovecot is configured to force clients to use secure IMAP/POP3 connections,
|
|
but your client is trying to use plain and insecure connection without TLS or
|
|
SSL.</p>
|
|
<p>The <strong>BEST</strong> solution is updating IMAP/POP3 settings in the mail client
|
|
application (e.g. Outlook, Thunderbird) to enable secure connection. Please
|
|
check <a href="./index.html#mua">this link</a> to see network port numbers and secure
|
|
connection types.</p>
|
|
<p>The <strong>NOT RECOMMENDED</strong> solution is updating Dovecot config file to allow
|
|
insecure connection, this is dangerous because your password is sent in plain
|
|
text, if someone can trace the network traffic with network gateway / firewall,
|
|
your password is explosed. if you clearly understand the risk and still want
|
|
to enable insecure connections, please check <a href="./allow.insecure.pop3.imap.smtp.connections.html">this document</a>.</p>
|
|
<h2 id="amavisd">Amavisd</h2>
|
|
<h3 id="connect-to-12700112700110024-connection-refused">connect to 127.0.0.1[127.0.0.1]:10024: Connection refused</h3>
|
|
<p>This error means Amavisd service is not running, please try to start it first.</p>
|
|
<ul>
|
|
<li>RHEL/CentOS/FreeBSD: <code># service amavisd restart</code></li>
|
|
<li>Debian/Ubuntu: <code># service amavis restart</code></li>
|
|
<li>OpenBSD: <code># /etc/rc.d/amavisd restart</code> or <code># rcctl restart amavisd</code></li>
|
|
</ul>
|
|
<p>After restarted amavisd service, please check its
|
|
<a href="./file.locations.html#amavisd">log file</a> to make sure it's running.</p>
|
|
<p>Notes:</p>
|
|
<ul>
|
|
<li>4 GB memory is recommended for a low traffic production mail server. If your
|
|
server doesn't have enough memory, Amavisd and ClamAV may be not able to
|
|
start, or stop running automatically after running for a while. If it's just
|
|
a testing server, you can follow
|
|
<a href="./completely.disable.amavisd.clamav.spamassassin.html">our tutorial</a> to
|
|
disable some features of Amavisd to keep it running, or disable it completely.</li>
|
|
</ul><div class="footer">
|
|
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
|
</div>
|
|
<!-- Global site tag (gtag.js) - Google Analytics -->
|
|
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
|
<script>
|
|
window.dataLayer = window.dataLayer || [];
|
|
function gtag(){dataLayer.push(arguments);}
|
|
gtag('js', new Date());
|
|
|
|
gtag('config', 'UA-3293801-21');
|
|
</script>
|
|
</body></html> |