Concept configuration of Postfix with Smarthosts

Hi,

With verbose I receive this:

fetchmail@svgwma-kopa-02:~$ fetchmail -f fetchmail-accounts
Sat Jun  2 07:43:32 2018: [info   ] Coredump status left at system default.
Sat Jun  2 07:43:32 2018: [11417] [debug  ] StatsClient binding socket
Sat Jun  2 07:43:32 2018: [11417] [debug  ] StatsClient bound socket to /tmp/.32877d08a35722c.sock
Sat Jun  2 07:43:32 2018: [11417] [debug  ] Submit thread started
Sat Jun  2 07:43:32 2018: [11417] [debug  ] StatsClient thread started
Sat Jun  2 07:43:32 2018: [11417] [debug  ] PYTHONPATH = /usr/share/kopano-dagent/python
Sat Jun  2 07:43:32 2018: [11417] [error  ]   Python type: (null)
Sat Jun  2 07:43:32 2018: [11417] [error  ]   Python error: No module named MAPI
Sat Jun  2 07:43:32 2018: [11417] [crit   ] K-1732: Unable to initialize the dagent plugin manager: Unknown error code (1).
Sat Jun  2 07:43:32 2018: [11417] [debug  ] StatsClient terminating
Sat Jun  2 07:43:32 2018: [11417] [debug  ] StatsClient terminated

I will check if I can update Kopano and test again…

EDIT 1:

I downloaded the newest kopano-core via wget, then built the package and installed it.
This worked fine so far. After the installation the system user on Ubuntu 18.04 had a new Password <- why?

Now when I want to log in via Webapp I receive this error:

Unknown MAPI Error: MAPI_E_NOT_FOUND

When I make this: kopano-admin --create-store hispeed

Then I receive:

kopano-admin: relocation error: kopano-admin: symbol _ZN2KC21GetAutoAcceptSettingsEP9IMsgStorePbS2_S2_S2_ version KC_8.6.80 not defined in file libmapi.so.1 with link time reference

It’s getting worse from day to day ;=)…

Yes yes yes…

I don’t believe it, I can now receive. I updated the whole Ubuntu and restarted. Then I had to change something in the config from Kopano. Attachment stored as File (I made there a change earlier). I’m sure I can switch that to database later.
Restarting everything and now I can receive e-mails.

Thanks so far for everyone. There are still a few questions open like: why the kopano user gets a new password after update?

Now I have to figure out how I can send E-mails… For this I’m going to use postfix.

Postfix: I’m back in trouble :D! Yes, something is wrong in my postfix configuration.

Jun  3 16:20:58 svgwma-kopa-02 kopano-server[2270]: message repeated 9 times: [ Error while connecting to search on "file:///var/run/kopano/search.sock"]
Jun  3 16:21:01 svgwma-kopa-02 postfix/pickup[10947]: A6A46320DFE: uid=0 from=<root>
Jun  3 16:21:01 svgwma-kopa-02 postfix/cleanup[10957]: A6A46320DFE: message-id=<20180603162101.A6A46320DFE@svgwma-kopa-02.mydomain.me>
Jun  3 16:21:01 svgwma-kopa-02 postfix/qmgr[10948]: A6A46320DFE: from=<root@mydomain.me>, size=727, nrcpt=1 (queue active)
Jun  3 16:21:01 svgwma-kopa-02 postfix/lmtp[10959]: host localhost[::1] offers SMTPUTF8 support, but not 8BITMIME
Jun  3 16:21:01 svgwma-kopa-02 postfix/lmtp[10959]: A6A46320DFE: to=<root@mydomain.me>, orig_to=<root>, relay=localhost[::1]:2003, delay=0.18, delays=0.03/0.01/0.06/0.07, dsn=5.1.1, status=bounced (host localhost[::1] said: 503 5.1.1 User does not exist (in reply to RCPT TO command))
Jun  3 16:21:01 svgwma-kopa-02 postfix/cleanup[10957]: CE28C320DFF: message-id=<20180603162101.CE28C320DFF@svgwma-kopa-02.mydomain.me>
Jun  3 16:21:01 svgwma-kopa-02 postfix/bounce[10962]: A6A46320DFE: sender non-delivery notification: CE28C320DFF
Jun  3 16:21:01 svgwma-kopa-02 postfix/qmgr[10948]: CE28C320DFF: from=<>, size=2791, nrcpt=1 (queue active)
Jun  3 16:21:01 svgwma-kopa-02 postfix/qmgr[10948]: A6A46320DFE: removed
Jun  3 16:21:01 svgwma-kopa-02 postfix/lmtp[10959]: host localhost[::1] offers SMTPUTF8 support, but not 8BITMIME
Jun  3 16:21:01 svgwma-kopa-02 postfix/lmtp[10959]: CE28C320DFF: to=<root@mydomain.me>, relay=localhost[::1]:2003, delay=0.11, delays=0.01/0/0.06/0.05, dsn=5.1.1, status=bounced (host localhost[::1] said: 503 5.1.1 User does not exist (in reply to RCPT TO command))
Jun  3 16:21:01 svgwma-kopa-02 postfix/qmgr[10948]: CE28C320DFF: removed

EDIT: 3
Gerald or someone else:

Do you have a sample of the postfix configuration?

@hispeed let me know when you need advice

Postfix offers SMTPUTF8 support, Kopano LMTP does not.
Set smtputf8_enable = no in postfix, restart postfix and it’s fixed. ;-)

Hi martimcfly,

Yes I need help. My configuration looks like that at the moment:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

compatibility_level = 2

mydomain = mydomain.me
myorigin = $mydomain
mynetworks = 127.0.0.0/8, [::1]/128
smtp_host_lookup = dns, native

mailbox_size_limit = 0
message_size_limit = 52428800

delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# header_checks = regexp:/etc/kopano/postfix/header_checks
# body_checks = regexp:/etc/kopano/postfix/body_checks

alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/kopano/postfix/valiases

virtual_mailbox_domains = /etc/kopano/postfix/vdomains
virtual_transport = lmtp:localhost:2003

smtpd_banner = $myorigin ESMTP
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks reject_invalid_hostname reject_unauth_destination reject_unknown_recipient_domain
smtpd_sender_restrictions = reject_unknown_address
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12

smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/kopano/postfix/sasl_passwd
sender_dependent_relayhost_maps = hash:/etc/kopano/postfix/sender_relay
smtp_use_tls = yes
smtp_tls_enforce_peername = no
smtp_sasl_security_options = noanonymous
smtp_helo_timeout = 120s

# Korrekturen
smtputf8_autodetect_classes = verify

I need to use these two lines or something similar:

smtp_sasl_password_maps = hash:/etc/kopano/postfix/sasl_passwd
sender_dependent_relayhost_maps = hash:/etc/kopano/postfix/sender_relay

With this config it doesn’t work. Postfix keeps telling me that the user doesn’t exist in Kopano. But I have created a user with this e-mail.

Thanks for your ideas…
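
For the two map parameters in the post above (`sender_dependent_relayhost_maps` and `smtp_sasl_password_maps`), here is an added example that is not part of the original posts: a lint that checks every sender routed to a smarthost has a login, and that the password file is readable by its owner only. The addresses, hosts, secrets and the function names `make_demo_maps`, `lookup` and `check_relay_maps` are constructed for illustration; the real files are the ones named in main.cf, and `postmap` must be run on each after editing.

```shell
#!/bin/sh
# Added example: lint per-sender smarthost maps before running postmap on them.
# All addresses, hosts and secrets below are constructed sample values.

# make_demo_maps DIR: write a sample sender_relay and sasl_passwd into DIR
make_demo_maps() {
    cat > "$1/sender_relay" <<'EOF'
# sender address      smarthost ([] suppresses MX lookups)
alice@example.org     [smtp.provider-a.example]:587
bob@example.net       [smtp.provider-b.example]:587
carol@example.com     [smtp.provider-c.example]:587
EOF
    cat > "$1/sasl_passwd" <<'EOF'
# lookup key                    login:password
alice@example.org               alice-login:constructed-secret-1
[smtp.provider-b.example]:587   shared-login:constructed-secret-2
EOF
    chmod 644 "$1/sasl_passwd"   # deliberately too open, to trigger PERM
}

# lookup KEY FILE: print the value stored under KEY, if any
lookup() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

# check_relay_maps SENDER_RELAY SASL_PASSWD: print findings, return their count
check_relay_maps() {
    problems=0
    # Credentials are stored in clear text: owner-only access is expected.
    perms=$(ls -ld "$2" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERM  $2 is accessible to group/others ($perms)"
        problems=$((problems + 1))
    fi
    while read -r sender relay rest; do
        case $sender in ''|'#'*) continue ;; esac
        # smtp_sender_dependent_authentication = yes: Postfix searches the
        # password map by sender address first, then by the relay host.
        cred=$(lookup "$sender" "$2")
        [ -n "$cred" ] || cred=$(lookup "$relay" "$2")
        case $cred in
            ?*:?*) ;;   # looks like login:password
            *) echo "CRED  no usable login for $sender via $relay"
               problems=$((problems + 1)) ;;
        esac
    done < "$1"
    return "$problems"
}

demo=$(mktemp -d)
make_demo_maps "$demo"
check_relay_maps "$demo/sender_relay" "$demo/sasl_passwd" || echo "$? finding(s)"
rm -rf "$demo"
```

With `smtp_tls_security_level = may`, as in the configuration above, these logins can be sent unencrypted when a smarthost does not offer STARTTLS; `encrypt` makes Postfix defer the mail instead.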

Have you even tried what I did say… :-/

Your logs show:
host localhost[::1] offers SMTPUTF8 support, but not 8BITMIME

kopano-lmtp does NOT support SMTPUTF8 and your mail is rejected.

What you see in your logs is correct.

https://forum.kopano.io/topic/1262/kopano-smtputf8-support
Already reported this some time ago.

And about your postfix config: this part needs serious fixing, this is not OK.

smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks reject_invalid_hostname reject_unauth_destination reject_unknown_recipient_domain
smtpd_sender_restrictions = reject_unknown_address

I suggest this, and it is a config verified by the postfix list.
I have more, but this is a working setup.

smtpd_delay_reject = yes

# Obey the RFCs. Any hostname should have an A and/or MX and/or PTR (or resolvable CNAME).
# See RFC https://tools.ietf.org/html/rfc2821#section-2.3.4 and 2.3.5
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    reject_unknown_recipient_domain,
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient

smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    defer_unauth_destination
##
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
##
smtpd_etrn_restrictions =
    permit_mynetworks,
    reject

Now you’re internet ready.

@thctlo yes this does fix this error if I add this line. But still there are some other issues.

@martimcfly I have copied now your configuration. How do I now create the check_recipient_access-allow.map?
Where do I define the passwords and login data for my different mail accounts?

At the moment I get this error:

Jun  4 17:52:35 svgwma-kopa-02 kopano-server[12291]: Error while connecting to search on "file:///var/run/kopano/search.sock"
Jun  4 17:53:25 svgwma-kopa-02 kopano-server[12291]: message repeated 5 times: [ Error while connecting to search on "file:///var/run/kopano/search.sock"]
Jun  4 17:54:01 svgwma-kopa-02 postfix/pickup[26277]: D3277320E04: uid=0 from=<root>
Jun  4 17:54:01 svgwma-kopa-02 postfix/cleanup[26505]: D3277320E04: message-id=<20180604175401.D3277320E04@svgwma-kopa-02.localdomain>
Jun  4 17:54:01 svgwma-kopa-02 postfix/qmgr[26278]: D3277320E04: from=<root@svgwma-kopa-02.localdomain>, size=757, nrcpt=1 (queue active)
Jun  4 17:54:01 svgwma-kopa-02 postfix/local[26507]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jun  4 17:54:01 svgwma-kopa-02 postfix/local[26507]: D3277320E04: to=<root@svgwma-kopa-02.localdomain>, orig_to=<root>, relay=local, delay=0.06, delays=0.02/0/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
Jun  4 17:54:01 svgwma-kopa-02 postfix/qmgr[26278]: D3277320E04: removed

EDIT:
@fbartels Can you help me with this: Jun 4 17:52:35 svgwma-kopa-02 kopano-server[12291]: Error while connecting to search on “file:///var/run/kopano/search.sock” ?
-> This is solved with: Search Socket Error

On the images you see my old Zarafa config, which is running right now. This works fine for me. Maybe there’s a security risk somewhere I don’t know. First I need to create that on Kopano and then I can add security.


Update:
SSL self-signed = Is working
Z-Push 2.4.2 = Is working with Ubuntu 18.04 (No official build I took: 16.04 version)
Deskapp = Is working
Cron Job for Fetchmail = Is working

To do:
Send E-Mails ;=)

Sorry to disturb everyone again…

I’m still working on my postfix configuration. I can’t send e-mails; at the moment I get this error:

Jun  6 19:30:01 svgwma-kopa-02 postfix/cleanup[3494]: 9A8FD320E71: message-id=<20180606193001.9A8FD320E71@svgwma-kopa-02.mydomain.me>
Jun  6 19:30:01 svgwma-kopa-02 postfix/qmgr[3482]: 9A8FD320E71: from=<root@mydomain.me>, size=727, nrcpt=1 (queue active)
Jun  6 19:30:01 svgwma-kopa-02 postfix/lmtp[3496]: connect to 127.0.0.1[127.0.0.1]:2003: Connection refused
Jun  6 19:30:01 svgwma-kopa-02 postfix/lmtp[3496]: 9A8FD320E71: to=<root@mydomain.me>, orig_to=<root>, relay=none, delay=0.03, delays=0.02/0.01/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:2003: Connection refused)

Maybe I have to configure something in the master.cf? I have added there some lines which I have in my Synology set-up. Unfortunately it doesn’t help.

nano /etc/postfix/master.cf

# From Synology / Zarafa4h Docker Image Configuration
smtp-amavis     unix    -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining

Postfix config:

# Set compatibility level 2 because we don't want to use old configurations
compatibility_level = 2

# Domain and network settings
mydomain = mydomain.me
myorigin = $mydomain
mynetworks = 127.0.0.0/8, [::1]/128

# Mailbox limits
mailbox_size_limit = 0
message_size_limit = 52428800

# Various settings
delay_warning_time = 3h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 5d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# Header and Body Checks
# header_checks = regexp:/etc/kopano/postfix/header_checks
# body_checks = regexp:/etc/kopano/postfix/body_checks

# Alias maps and virtual aliases
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/kopano/postfix/valiases
virtual_mailbox_domains = /etc/kopano/postfix/vdomains
virtual_transport = lmtp:localhost:2003

# smtp settings
smtpd_banner = $myorigin ESMTP
smtpd_delay_reject = yes
smtputf8_enable = no 
smtp_host_lookup = dns, native
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/kopano/postfix/sasl_passwd
sender_dependent_relayhost_maps = hash:/etc/kopano/postfix/sender_relay
smtp_use_tls = yes
smtp_tls_enforce_peername = no
smtp_sasl_security_options = noanonymous
smtp_helo_timeout = 120s

smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    reject_unknown_recipient_domain,
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient

smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    defer_unauth_destination

smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce

smtpd_etrn_restrictions =
    permit_mynetworks,
    reject

@hispeed

Hey Highspeed,

I’m sorry for my absence. I was much too busy with construction work.

Passwords are checked against Kopano’s IMAP service. For this I use the saslauthd service. Postfix does its login checks via saslauthd. You can find the configuration on GitHub, too.

# /etc/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

https://github.com/pietmacom/com-pietma-zarafa-postfixadmin/blob/kopano/doc/pietma/configs/postfix/main.cf

# /etc/postfix/main.cf

# kopano gateway authentication before accepting relay
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
broken_sasl_auth_clients = yes

The e-mail addresses (mailboxes, aliases) are checked against postfixadmin. Changes to mailbox accounts are transferred to Kopano by a service which polls the postfixadmin changelog.

Postfix is configured to check all e-mail addresses against the postfixadmin database. It executes predefined SQL statements…
https://github.com/pietmacom/com-pietma-zarafa-postfixadmin/tree/kopano/doc/example-config/postfix

# /etc/postfix/main.cf

virtual_mailbox_domains = 
    proxy:mysql:/etc/webapps/kopano-postfixadmin/postfix/domain_domain_to_domain.mysql

virtual_mailbox_maps = 
    proxy:mysql:/etc/webapps/kopano-postfixadmin/postfix/mailbox_username_to_username.mysql

virtual_alias_maps = 
    proxy:mysql:/etc/webapps/kopano-postfixadmin/postfix/alias_address_to_goto.mysql,
    proxy:mysql:/etc/webapps/kopano-postfixadmin/postfix/aliasdomain_at-aliasdomain_to_at-targetdomain.mysql

If you like, you could do the address checks directly against the kopano database.

I hope to find the setting for notifications here.

Marti