1

Topic: TLS is required, but was not offered by host 127.0.0.1

==== Required information ====
- iRedMail version:  0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue:
====

I have installed iRedMail on a virtual machine on Google Compute Engine.
Unfortunately Google blocks outgoing email ports (25 etc.). Instead they suggest
using SendGrid, which is their partner:
https://cloud.google.com/compute/docs/t … ixsendgrid

I followed these instructions, but when I try to send a mail, it doesn't work:

# tail -n 5 /var/log/syslog

Mar 26 16:36:07 m postfix/cleanup[21128]: 242883691: message-id=<d4ceb9f29aff3031dfdfdbdce56f153d@fs.al>
Mar 26 16:36:07 m postfix/qmgr[20993]: 242883691: from=<postmaster@fs.al>, size=508, nrcpt=1 (queue active)
Mar 26 16:36:07 m roundcube: User postmaster@fs.al [172.17.0.9]; Message for dashohoxha@gmail.com; 250: 2.0.0 Ok: queued as 242883691
Mar 26 16:36:07 m postfix/smtp[21135]: 242883691: to=<dashohoxha@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=1.5/0.01/0.01/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Mar 26 16:36:07 m postfix/smtpd[21118]: disconnect from localhost[127.0.0.1]

It says: (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Maybe this is not related to SendGrid, but I don't know how to fix it anyway.
Do you have any idea?
Thanks


2

Re: TLS is required, but was not offered by host 127.0.0.1

It mentions the port 10024 right before not having TLS, that is the AmavisD-New Port, any chance you could run

postconf -n

and paste the output here?

Edit: I think the TLS on security setting that their tutorial includes, makes Postfix try to TLS connect to AmavisD, which it seems not to support; Let's see what Zhang thinks of this.

3

Re: TLS is required, but was not offered by host 127.0.0.1

7t3chguy wrote:

It mentions the port 10024 right before not having TLS, that is the AmavisD-New Port, any chance you could run

postconf -n

and paste the output here?

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_size_limit = 4096000
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = example.org
myhostname = mail.example.org
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = mail.example.org
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [smtp.sendgrid.net]:2525
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

7t3chguy wrote:

Edit: I think the TLS on security setting that their tutorial includes, makes Postfix try to TLS connect to AmavisD, which it seems not to support; Let's see what Zhang thinks of this.

Most probably you are right (see: http://serverfault.com/questions/598343 … relayhost)
But I still don't understand how to fix it (I am not an expert on postfix, amavisd, etc.)

4

Re: TLS is required, but was not offered by host 127.0.0.1

The link you posted provides the fix, great:
open up your master.cf file in /etc/postfix
and find entries similar to the ones below in your file
and make yours match the ones below

amavis unix - - - - 2 smtp
  -o smtp_tls_security_level=none

127.0.0.1:10025 inet n - - - - smtpd
  -o smtp_tls_security_level=none

It basically says to disable TLS communication only for AmavisD-New Communications. Let me know if this works for you

5

Re: TLS is required, but was not offered by host 127.0.0.1

I have also disabled spam and virus checking:
https://github.com/docker-build/iRedMai … 45c3f687aa

But maybe this is not relevant.

6

Re: TLS is required, but was not offered by host 127.0.0.1

You still have to pass your mail through Amavis for DKIM and SpamAssassin [SPF] Support

7

Re: TLS is required, but was not offered by host 127.0.0.1

Thanks, it worked. I added "-o smtp_tls_security_level=none" on "/etc/postfix/master.cf":

smtp-amavis unix -  -   -   -   4  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_tls_security_level=none

Then I restarted 'postfix' and 'amavis' (I am not sure whether this is necessary though):

/etc/init.d/postfix restart
/etc/init.d/amavis restart

and then the mail was sent:

Mar 26 19:05:48 m postfix/smtpd[23007]: connect from localhost[127.0.0.1]
Mar 26 19:05:48 m postfix/smtpd[23007]: B90CF2884: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=postmaster@fs.al
Mar 26 19:05:49 m postfix/cleanup[23018]: B90CF2884: message-id=<54dfc8b09cb911cbe2294f3351bfdd53@fs.al>
Mar 26 19:05:49 m postfix/qmgr[22977]: B90CF2884: from=<postmaster@fs.al>, size=508, nrcpt=1 (queue active)
Mar 26 19:05:49 m roundcube: User postmaster@fs.al [172.17.0.9]; Message for dashohoxha@gmail.com; 250: 2.0.0 Ok: queued as B90CF2884
Mar 26 19:05:49 m postfix/smtpd[23030]: connect from localhost[127.0.0.1]
Mar 26 19:05:49 m postfix/smtpd[23030]: E7A5F3691: client=localhost[127.0.0.1]
Mar 26 19:05:49 m postfix/cleanup[23018]: E7A5F3691: message-id=<54dfc8b09cb911cbe2294f3351bfdd53@fs.al>
Mar 26 19:05:49 m postfix/qmgr[22977]: E7A5F3691: from=<postmaster@fs.al>, size=1517, nrcpt=1 (queue active)
Mar 26 19:05:49 m postfix/smtpd[23030]: disconnect from localhost[127.0.0.1]
Mar 26 19:05:49 m amavis[22842]: (22842-01) Passed CLEAN {RelayedInternal}, MYNETS/MYUSERS LOCAL [127.0.0.1]:59520 [127.0.0.1] <postmaster@fs.al> -> <dashohoxha@gmail.com>, Queue-ID: B90CF2884, Message-ID: <54dfc8b09cb911cbe2294f3351bfdd53@fs.al>, mail_id: 2mod7yNIQg3i, Hits: -, size: 508, queued_as: E7A5F3691, dkim_new=dkim:fs.al, 126 ms
Mar 26 19:05:49 m postfix/smtp[23025]: B90CF2884: to=<dashohoxha@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=1.4/0.01/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E7A5F3691)
Mar 26 19:05:49 m postfix/qmgr[22977]: B90CF2884: removed
Mar 26 19:05:50 m postfix/smtpd[23007]: disconnect from localhost[127.0.0.1]
Mar 26 19:05:50 m postfix/smtp[23031]: E7A5F3691: to=<dashohoxha@gmail.com>, relay=smtp.sendgrid.net[208.43.76.147]:2525, delay=0.73, delays=0.01/0.02/0.64/0.06, dsn=2.0.0, status=sent (250 Delivery in progress)
Mar 26 19:05:50 m postfix/qmgr[22977]: E7A5F3691: removed
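
Added example (not part of the original thread, and not iRedMail or Postfix code): a small check that reads `postconf -n` output and master.cf, finds the transport named in content_filter, and reports whether it inherits a mandatory smtp_tls_security_level from main.cf or overrides it per service. The function names are hypothetical, the sample input is constructed from settings quoted in the thread, and it assumes the filter on loopback does not advertise STARTTLS.

```python
import re

# Constructed sample input, reduced from the settings quoted in the thread.
POSTCONF_N = """\
content_filter = smtp-amavis:[127.0.0.1]:10024
relayhost = [smtp.sendgrid.net]:2525
smtp_tls_security_level = encrypt
"""
MASTER_BEFORE = """\
smtp-amavis unix -  -   -   -   4  smtp
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
"""
MASTER_AFTER = MASTER_BEFORE + "    -o smtp_tls_security_level=none\n"

# Levels at which the Postfix SMTP client defers mail if STARTTLS is not offered.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main(text):
    """Parse 'name = value' lines as printed by `postconf -n`."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """Map each unix-type service to its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new service entry starts in column 0
            f = line.split()
            is_unix = len(f) > 1 and f[1] == "unix"
            current = services.setdefault(f[0], {}) if is_unix else None
        if current is not None:  # indented lines continue the entry
            current.update(re.findall(r"-o\s+([\w-]+)=(\S+)", line))
    return services

def filter_tls_level(main_text, master_text):
    """Return (transport, nexthop, effective TLS level) for content_filter."""
    main = parse_main(main_text)
    transport, _, nexthop = main.get("content_filter", "").partition(":")
    overrides = parse_master(master_text).get(transport, {})
    level = overrides.get("smtp_tls_security_level",
                          main.get("smtp_tls_security_level", ""))
    return transport, nexthop, level

def will_defer(main_text, master_text):
    """True if the filter hop is loopback and inherits a mandatory TLS level.
    Assumes the filter does not advertise STARTTLS, as in this thread."""
    _, nexthop, level = filter_tls_level(main_text, master_text)
    return nexthop.startswith(("[127.", "127.", "[::1]")) and level in MANDATORY
```

The override is scoped to the smtp-amavis service only, so the hop to the relayhost keeps the `encrypt` level set in main.cf.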

8

Re: TLS is required, but was not offered by host 127.0.0.1

Is everything working good now then? Am I alright to close the Thread?

9

Re: TLS is required, but was not offered by host 127.0.0.1

7t3chguy wrote:

Is everything working good now then? Am I alright to close the Thread?

Yes, this problem is fixed. In case of any other problems I will open other threads :)

10

Re: TLS is required, but was not offered by host 127.0.0.1

dashohoxha wrote:

I have also disabled spam and virus checking:
https://github.com/docker-build/iRedMai … 45c3f687aa

But maybe this is not relevant.

It's recommended to enable spam/virus scanning to reduce virus/spam.

You're right that spam/virus scanning will take too much memory, but instead of disabling them, you should consider reducing the concurrent Amavisd processes or adding more memory to your server.