Topic: iRedMail 1.6.8 cannot send/receive emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.8
- Deployed with iRedMail Easy or the downloadable installer? iRedMail.sh
- Linux/BSD distribution name and version: FreeBSD 13.2-RELEASE
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

My old server with 1.6.2 works fine, but I thought it was time to upgrade to 1.6.8. I did a fresh 1.6.8 install and I cannot send/receive emails outside the host. Though from the command line on the same server, I can send emails.

When I receive email the logs look like this:

Jan 15 23:29:21 mx2 postfix/postscreen[76450]: CONNECT from [199.16.156.139]:20293 to [XXX.XXX.XXX.XXX]:25
Jan 15 23:29:21 mx2 postfix/postscreen[76450]: PASS OLD [199.16.156.139]:20293
Jan 15 23:29:21 mx2 postfix/smtpd[25831]: connect from spring-chicken-ce.twitter.com[199.16.156.139]
Jan 15 23:29:21 mx2 postfix/smtpd[25831]: discarding EHLO keywords: CHUNKING
Jan 15 23:29:21 mx2 postfix/pipe[80131]: 4TDSyn5YkRz1y14: to=<info@mydomain.com>, orig_to=<postmaster>, relay=dovecot, delay=0.19, delays=0/0.01/0/0.18, dsn=2.0.0, status=sent (delivered via dovecot service)
Jan 15 23:29:21 mx2 postfix/qmgr[64270]: 4TDSyn5YkRz1y14: removed
Jan 15 23:29:22 mx2 postfix/smtpd[25831]: NOQUEUE: reject: RCPT from spring-chicken-ce.twitter.com[199.16.156.139]: 450 4.7.1 <spring-chicken-ce.x.com>: Helo command rejected: Host not found; from=<b07371e9fcdmailbox=mydomain.com@bounce.x.com> to=<mailbox@mydomain.com> proto=ESMTP helo=<spring-chicken-ce.x.com>
Jan 15 23:29:27 mx2 postfix/smtpd[25831]: disconnect from spring-chicken-ce.twitter.com[199.16.156.139] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Then when I try to send from SOGo, on the UI I get:

not allowed in state 1

Logs show:

2024-01-15 18:33:48.940 sogod[61741:100200] SMTP: unexpected response from STARTTLS command (454)
Jan 15 18:33:48 sogod [61741]: [ERROR] <0x0x230bad44d8c8[SOGoMailer]> Could not connect to the SMTP server smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost
Jan 15 18:33:48 sogod [61741]: XXX.XXX.XXX.XXX "POST /SOGo/so/mailbox@mydomain.com/Mail/0/folderDrafts/newDraft1705358163-1/send HTTP/1.0" 405 55/171 0.099 - - -

In the sogo.conf file I have:

    // SMTP server
    SOGoSMTPServer = "smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoMailingMechanism = smtp;
    SOGoSMTPAuthenticationType = PLAIN;

And finally, from another server, I have sSMTP configured and no configuration has changed. It was working with the old server but not the new server. I get:

SSL_connect: No error: 0
sendmail: Cannot open smtp.mydomain:465

The firewall ports are also open:

ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
56000 allow tcp from any to me 1317
56010 allow tcp from any to me 80
56020 allow tcp from any to me 443
56030 allow tcp from any to me 143
56040 allow tcp from any to me 993
56050 allow tcp from any to me 110
56060 allow tcp from any to me 995
56070 allow tcp from any to me 25
56080 allow tcp from any to me 465
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any

This is the openssl command trying to connect:

$ openssl s_client -connect smtp.mydomain.com:25 -tls1_2 -cipher 'AES256-SHA256' 
                                              
CONNECTED(00000003)
4017DA25147F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../openssl-3.1.4/ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 136 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1705361953
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---



$ openssl s_client -connect smtp.mydomain.com:465 -tls1_2 -cipher 'AES256-SHA256'
                                                                               
CONNECTED(00000003)
40A764A8137F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.1.4/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 143 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1705361880
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---



$ openssl s_client -connect smtp.mydomain.com:587 -tls1_2 -cipher 'AES256-SHA256' 
                                               
CONNECTED(00000003)
4017993B937F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../openssl-3.1.4/ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 136 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1705362245
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

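An added example, not part of the original post or of iRedMail: a shell function that reads `ipfw list` output and reports which of the given TCP ports have no explicit `allow tcp from any to me <port>` rule before the final deny. The function name `ports_without_allow` is hypothetical, only that one rule shape is parsed, and the sample rules are the inbound service rules copied from the listing in the post.

```shell
#!/bin/sh
# Added example (not from the post): audit `ipfw list` output for mail ports.
# Live use (assumption): ipfw list | ports_without_allow 25 465 587

ports_without_allow() {
    # $@ = TCP ports to check; stdin = `ipfw list` output.
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        # Only rules shaped like: 56070 allow tcp from any to me 25
        $2 == "allow" && $3 == "tcp" && $4 == "from" && $5 == "any" &&
        $6 == "to" && $7 == "me" && NF >= 8 {
            # Port field may be a comma list and/or ranges: 25,465 or 500-600
            m = split($8, parts, ",")
            for (i = 1; i <= m; i++) {
                lo = hi = parts[i]
                if (split(parts[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                for (j = 1; j <= n; j++)
                    if (w[j] + 0 >= lo + 0 && w[j] + 0 <= hi + 0)
                        ok[w[j]] = 1
            }
        }
        END {
            # Print the requested ports that no allow rule covered.
            out = ""
            for (j = 1; j <= n; j++)
                if (!(w[j] in ok)) out = out (out == "" ? "" : " ") w[j]
            print out
        }'
}

# Inbound service rules and final denies, copied from the post.
SAMPLE_RULES='56000 allow tcp from any to me 1317
56010 allow tcp from any to me 80
56020 allow tcp from any to me 443
56030 allow tcp from any to me 143
56040 allow tcp from any to me 993
56050 allow tcp from any to me 110
56060 allow tcp from any to me 995
56070 allow tcp from any to me 25
56080 allow tcp from any to me 465
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any'

# Stand-alone run: list the mail ports that fall through to the deny rules.
printf '%s\n' "$SAMPLE_RULES" | ports_without_allow 25 465 587 143 993
```

On the rules shown, 587 is the only one of these ports without its own inbound rule; loopback traffic such as SOGo's connection to 127.0.0.1:587 is still matched by rule 00100.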