Hi everyone,

I recently set up a mailcow server. It works well except that I can't receive email from external domains. I can send email to anyone, receive email from other mailboxes on mailcow, and use the mailboxes with a client like Thunderbird.

I followed the DNS recommendations in mailcow UI > Email > Configuration > domain > DNS. All required ports are open in my ISP firewall (pfSense) and in the server firewall (ufw). I tried to telnet to port 25 of my public IP and got the SMTP banner, so SMTP seems to work. I did the same on port 143 and it also works, as do 587 and the others.

Here is a copy of my DNS records (of course 8.8.8.8 and exemple are not my real IP/domain :-) )

$TTL 3600
@	IN SOA dns17.ovh.net. tech.ovh.net. (2023091040 86400 3600 3600000 300)
                          IN NS     dns17.ovh.net.
                          IN NS     ns17.ovh.net.
                          IN MX     10 mail
                          IN A      8.8.8.8
                      600 IN TXT    "v=spf1 mx ~all"

_autodiscover._tcp        IN SRV    0 1 443 mail
_caldavs._tcp             IN TXT    "path=/SOGo/dav/"
_carddavs._tcp            IN SRV    0 1 443 mail
_dmarc                    IN TXT    ( "v=DMARC1;p=reject;rua=mailto:mailauth-reports@exemple.ovh." )
_imap._tcp                IN SRV    0 1 143 mail
_imaps._tcp               IN SRV    0 1 993 mail
_submission._tcp          IN SRV    0 1 587 mail
autoconfig                IN CNAME  mail
autodiscover              IN CNAME  mail
bkp                    60 IN A      8.8.8.8
dkim._domainkey           IN TXT    ( "v=DKIM1;k=rsa;s=email;p=mysyperkeyhere;t=s;" )
dl                     60 IN A      8.8.8.8
mail                      IN A      8.8.8.8
omv                    60 IN A      8.8.8.8
pf                     60 IN A      8.8.8.8
stream                 60 IN A      8.8.8.8
stream                 60 IN TXT    "2|dynhost.exemple.ovh"
webmail                   IN A      8.8.8.8
wiki                   60 IN A      8.8.8.8
www                       IN A      8.8.8.8
www                       IN TXT    "l|fr"
www                       IN TXT    "3|welcome"

And here is a copy of my mailcow.conf


> # ------------------------------
> # mailcow web ui configuration
> # ------------------------------
> # example.org is _not_ a valid hostname, use a fqdn here.
> # Default admin user is "admin"
> # Default password is "moohoo"
> 
> MAILCOW_HOSTNAME=mail.exemple.ovh
> # Comma separated list without spaces (see the ADDITIONAL_SAN / ADDITIONAL_SERVER_NAMES comments further down)
> ADDITIONAL_SERVER_NAMES=webmail.exemple.ovh,exemple.ovh
> ADDITIONAL_SAN=webmail.exemple.ovh,exemple.ovh
> 
> # Password hash algorithm
> # Only certain password hash algorithm are supported. For a fully list of supported schemes,
> # see https://mailcow.github.io/mailcow-dockerized-docs/models/model-passwd/
> MAILCOW_PASS_SCHEME=BLF-CRYPT
> 
> # ------------------------------
> # SQL database configuration
> # ------------------------------
> 
> DBNAME=mailcow
> DBUSER=mailcow
> 
> # Please use long, random alphanumeric strings (A-Za-z0-9)
> 
> DBPASS=dd
> DBROOT=dd
> 
> # ------------------------------
> # HTTP/S Bindings
> # ------------------------------
> 
> # You should use HTTPS, but in case of SSL offloaded reverse proxies:
> # Might be important: This will also change the binding within the container.
> # If you use a proxy within Docker, point it to the ports you set below.
> # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
> # IMPORTANT: Do not use port 8081, 9081 or 65510!
> # Example: HTTP_BIND=1.2.3.4
> # For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
> # For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/post_installation/firststeps-ip_bindings/
> 
> HTTP_PORT=80
> HTTP_BIND=
> 
> HTTPS_PORT=443
> HTTPS_BIND=
> 
> # ------------------------------
> # Other bindings
> # ------------------------------
> # You should leave that alone
> # Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
> 
> SMTP_PORT=25
> SMTPS_PORT=465
> SUBMISSION_PORT=587
> IMAP_PORT=143
> IMAPS_PORT=993
> POP_PORT=110
> POPS_PORT=995
> SIEVE_PORT=4190
> DOVEADM_PORT=127.0.0.1:19991
> SQL_PORT=127.0.0.1:13306
> SOLR_PORT=127.0.0.1:18983
> REDIS_PORT=127.0.0.1:7654
> 
> # Your timezone
> # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
> # Use the row named 'TZ database name' + pay attention for 'Notes' row
> 
> TZ=Europe/Paris
> 
> # Fixed project name
> # Please use lowercase letters only
> 
> COMPOSE_PROJECT_NAME=mailcowdockerized
> 
> # Used Docker Compose version
> # Switch here between native (compose plugin) and standalone
> # For more information take a look at the mailcow docs regarding the configuration options.
> # Normally this should be untouched but if you decided to use either of those you can switch it manually here.
> # Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
> 
> DOCKER_COMPOSE_VERSION=native
> 
> # Set this to "allow" to enable the anyone pseudo user. Disabled by default.
> # When enabled, ACL can be created, that apply to "All authenticated users"
> # This should probably only be activated on mail hosts that are used exclusively by one organisation.
> # Otherwise a user might share data with too many other users.
> ACL_ANYONE=disallow
> 
> # Garbage collector cleanup
> # Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
> # How long should objects remain in the garbage until they are being deleted? (value in minutes)
> # Check interval is hourly
> 
> MAILDIR_GC_TIME=7200
> 
> # Additional SAN for the certificate
> #
> # You can use wildcard records to create specific names for every domain you add to mailcow.
> # Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
> #ADDITIONAL_SAN=imap.*,smtp.*
> # This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
> # plus every domain you add in the future.
> #
> # You can also just add static names...
> #ADDITIONAL_SAN=srv1.example.net
> # ...or combine wildcard and static names:
> #ADDITIONAL_SAN=imap.*,srv1.example.com
> #
> 
> # ADDITIONAL_SAN is already set near the top of this file. The last assignment wins, so an empty
> # value here would clear the earlier one; it is therefore commented out.
> #ADDITIONAL_SAN=
> 
> # Additional server names for mailcow UI
> #
> # Specify alternative addresses for the mailcow UI to respond to
> # This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
> # If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
> # You can understand this as server_name directive in Nginx.
> # Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
> 
> # ADDITIONAL_SERVER_NAMES is already set near the top of this file. The last assignment wins, so an
> # empty value here would clear the earlier one; it is therefore commented out.
> #ADDITIONAL_SERVER_NAMES=
> 
> # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
> 
> SKIP_LETS_ENCRYPT=n
> 
> # Create separate certificates for all domains - y/n
> # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
> # see https://wiki.dovecot.org/SSL/SNIClientSupport
> ENABLE_SSL_SNI=n
> 
> # Skip IPv4 check in ACME container - y/n
> 
> SKIP_IP_CHECK=n
> 
> # Skip HTTP verification in ACME container - y/n
> 
> SKIP_HTTP_VERIFICATION=n
> 
> # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
> 
> SKIP_CLAMD=n
> 
> # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
> 
> SKIP_SOGO=n
> 
> # Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
> 
> SKIP_SOLR=n
> 
> # Solr heap size in MB, there is no recommendation, please see Solr docs.
> # Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
> 
> SOLR_HEAP=1024
> 
> # Allow admins to log into SOGo as email user (without any password)
> 
> ALLOW_ADMIN_EMAIL_LOGIN=n
> 
> # Enable watchdog (watchdog-mailcow) to restart unhealthy containers
> 
> USE_WATCHDOG=y
> 
> # Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
> # CAUTION:
> # 1. You should use external recipients
> # 2. Mails are sent unsigned (no DKIM)
> # 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
> # Multiple rcpts allowed, NO quotation marks, NO spaces
> 
> #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
> #WATCHDOG_NOTIFY_EMAIL=
> 
> # Notify about banned IP (includes whois lookup)
> WATCHDOG_NOTIFY_BAN=n
> 
> # Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
> #WATCHDOG_SUBJECT=
> 
> # Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
> # https://www.servercow.de/mailcow?lang=en
> # https://www.servercow.de/mailcow?lang=de
> # No data is collected. Opt-in and anonymous.
> # Will only work with unmodified mailcow setups.
> WATCHDOG_EXTERNAL_CHECKS=n
> 
> # Enable watchdog verbose logging
> WATCHDOG_VERBOSE=n
> 
> # Max log lines per service to keep in Redis logs
> 
> LOG_LINES=9999
> 
> # Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
> # Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
> 
> IPV4_NETWORK=172.22.1
> 
> # Internal IPv6 subnet in fc00::/7
> # Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
> 
> IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
> 
> # Use this IPv4 for outgoing connections (SNAT)
> 
> #SNAT_TO_SOURCE=
> 
> # Use this IPv6 for outgoing connections (SNAT)
> 
> #SNAT6_TO_SOURCE=
> 
> # Create or override an API key for the web UI
> # You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
> # An API key defined as API_KEY has read-write access
> # An API key defined as API_KEY_READ_ONLY has read-only access
> # Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
> # You can define API_KEY and/or API_KEY_READ_ONLY
> 
> #API_KEY=
> #API_KEY_READ_ONLY=
> #API_ALLOW_FROM=172.22.1.1,127.0.0.1
> 
> # mail_home is ~/Maildir
> MAILDIR_SUB=Maildir
> 
> # SOGo session timeout in minutes
> SOGO_EXPIRE_SESSION=480
> 
> # DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
> # Empty by default to auto-generate master user and password on start.
> # User expands to DOVECOT_MASTER_USER@mailcow.local
> # LEAVE EMPTY IF UNSURE
> DOVECOT_MASTER_USER=
> # LEAVE EMPTY IF UNSURE
> DOVECOT_MASTER_PASS=
> 
> # Let's Encrypt registration contact information
> # Optional: Leave empty for none
> # This value is only used on first order!
> # Setting it at a later point will require the following steps:
> # https://mailcow.github.io/mailcow-dockerized-docs/troubleshooting/debug-reset_tls/
> ACME_CONTACT=
> 
> # WebAuthn device manufacturer verification
> # After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
> # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
> WEBAUTHN_ONLY_TRUSTED_VENDORS=n
> 
> # Spamhaus Data Query Service Key
> # Optional: Leave empty for none
> # Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.
> # If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
> # Otherwise it will work normally.
> SPAMHAUS_DQS_KEY=

I really don't know what could be wrong, so any help is welcome :-)

Kind regards

  • amisbievre

    Thanks everyone,

    I found the solution. It was the IDS …

    So the problem is solved :-) Many thanks for your help.

Not sure if this is the root cause of the issue. However, I noticed two things in your zone file…

  1. You're missing the $ORIGIN parameter / variable at the very beginning of the zone file, which should be:

    $ORIGIN example.com.

    Note that all records must be written out as Fully Qualified Domain Names (FQDNs) which adds a . to the domain name.

  2. You could try to append the FQDN (with a . at the end) to the MX, CNAME and SRV records instead of just mail.

    Example:

    @                       IN      MX      10 mail.example.tld.
    
    autoconfig              IN      CNAME   mail.example.tld.
    autodiscover            IN      CNAME   mail.example.tld.
    
    _autodiscover._tcp      IN      SRV     0 0 443 mail.example.tld.
    _imap._tcp              IN      SRV     0 0 143 mail.example.tld.
    _imaps._tcp             IN      SRV     0 0 993 mail.example.tld.
    _smtps._tcp             IN      SRV     0 0 465 mail.example.tld.
    _submission._tcp        IN      SRV     0 0 587 mail.example.tld.

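To make the $ORIGIN point above concrete, here is an added example in Python (not code from the thread or from mailcow): a parser for the subset of zone syntax used in this thread that applies $ORIGIN to every owner name and to the target name in MX, CNAME, NS, SRV and PTR rdata, and reports which records relied on a relative target. The zone text is constructed from the records quoted above; exemple.ovh and 8.8.8.8 are the poster's placeholders, and parenthesised multi-line records are deliberately not handled.

```python
"""Apply $ORIGIN to a BIND-style zone fragment and flag relative targets.

Added example, not code from the thread or from mailcow. It handles the
subset of zone syntax seen in the thread: $ORIGIN, $TTL, owner names ('@',
relative, absolute, or inherited from the previous line), optional TTL and
class, and quoted TXT strings. Parenthesised continuation is not handled.
"""

# Types whose last rdata field is a domain name that $ORIGIN applies to.
NAME_TARGET_TYPES = {"MX", "CNAME", "NS", "SRV", "PTR"}

# Constructed from the records quoted in the thread (placeholders kept).
ZONE = """\
$ORIGIN exemple.ovh.
$TTL 3600
@                         IN MX     10 mail
                          IN A      8.8.8.8
                      600 IN TXT    "v=spf1 mx ~all"   ; a ';' outside quotes starts a comment
_imap._tcp                IN SRV    0 1 143 mail
_submission._tcp          IN SRV    0 1 587 mail.exemple.ovh.
autoconfig                IN CNAME  mail
mail                      IN A      8.8.8.8
_dmarc                    IN TXT    "v=DMARC1;p=reject;rua=mailto:mailauth-reports@exemple.ovh."
"""


def strip_comment(line):
    """Drop a ';' comment, but keep a ';' inside a quoted string (DMARC/DKIM TXT)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def qualify(name, origin):
    """Return an absolute name (trailing dot): '@' is the origin itself, a name
    already ending in '.' is left alone, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return one dict per record: owner, type, rdata (all names absolute) and
    target_was_relative, True when the target was written without a trailing
    dot and therefore depended on $ORIGIN being correct."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                raise ValueError("$ORIGIN must be an absolute name")
            continue
        if line.startswith("$TTL"):
            continue
        if origin is None:
            raise ValueError("record seen before any $ORIGIN")
        fields = line.split()
        if line[0].isspace():            # no owner column: inherit the previous owner
            owner = last_owner
        else:
            owner = fields.pop(0)
            last_owner = owner
        if fields and fields[0].isdigit():                      # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        relative = False
        if rtype in NAME_TARGET_TYPES:
            relative = fields[-1] != "@" and not fields[-1].endswith(".")
            fields[-1] = qualify(fields[-1], origin)
        records.append({
            "owner": qualify(owner, origin),
            "type": rtype,
            "rdata": " ".join(fields),
            "target_was_relative": relative,
        })
    return records


def relative_targets(text, origin=None):
    """(owner, type) of every record whose target relied on $ORIGIN: the ones the
    reply above suggests writing out as FQDNs to rule out an origin mistake."""
    return [(r["owner"], r["type"]) for r in parse_zone(text, origin)
            if r["target_was_relative"]]


if __name__ == "__main__":
    for r in parse_zone(ZONE):
        print(f'{r["owner"]:32} {r["type"]:6} {r["rdata"]}')
```

The output shows `mail` and `mail.exemple.ovh.` ending up identical once the origin is `exemple.ovh.`, which is why trailing dots only matter when $ORIGIN is wrong or missing. Against the live zone the same check is `dig +short MX exemple.ovh @dns17.ovh.net`: if the answer is not `10 mail.exemple.ovh.`, the problem is in the zone; if it is, the zone is not the cause.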

    mlcwuser

    Hi,
    Everything ends with a dot. When I edited it as text to copy everything, the dots disappeared to simplify editing, but the dot is present. So it is not that, sadly.

    esackbauer

    Hi,

    Yes, I have only one domain (exemple.com) and one host (mail.exemple.com).

    Here are the return logs from an external source, and attachments with the mailcow logs:

    This is the mail system at host host1
    
    ####################################################################
    # THIS IS A WARNING ONLY.  YOU DO NOT NEED TO RESEND YOUR MESSAGE. #
    ####################################################################
    
    Your message could not be delivered for more than 8 hour(s).
    It will be retried until it is 1 day(s) old.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <info@exemple.com>: connect to mail.exemple.com[8.8.8.8]:25: Connection
        timed out
    
    
    Reporting-MTA: dns; some.external.com
    X-Postfix-Queue-ID: E02D81A00EB
    X-Postfix-Sender: rfc822; some@external.com
    Arrival-Date: Sun, 10 Sep 2023 11:52:41 +0200 (CEST)
    
    Final-Recipient: rfc822; info@exemple.com
    Original-Recipient: rfc822;info@exemple.com
    Action: delayed
    Status: 4.4.1
    Diagnostic-Code: X-Postfix; connect to mail.exemple.com[8.8.8.8]:25:
        Connection timed out
    Will-Retry-Until: Mon, 11 Sep 2023 11:52:41 +0200 (CEST)
    
    
    Return-Path: <some@external.com>
    Received: from some.external.com (unknown [10.0.0.65])
    	by some.external.com (Postfix) with ESMTPS id E02D81A00EB
    	for <info@exemple.com>; Sun, 10 Sep 2023 11:52:41 +0200 (CEST)
    Received: from submission-encrypt01.external.com (unknown [10.0.0.75])
    	by some.external.com (Postfix) with ESMTPS id BDF2D240027
    	for <info@exemple.com>; Sun, 10 Sep 2023 11:52:41 +0200 (CEST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=external.com; s=2017;
    	t=1694339561; bh=aZobTwiQM4K9VKzNzBmQFj8gLwaaoZ/ZylwIEEOHXhg=;
    	h=Message-ID:Date:MIME-Version:Subject:To:From:
    	 Content-Transfer-Encoding:From;
    	b=IHKsUFh0n9vWwOuKdDD79dNjfBvfbIk48e6IyoM4SQCYQdF+AaCqmBRh/ieY7bsjt
    	 RigZb345AC4biKcz+Z9FzbNPDK92r8SoY73LDOnjp/3u2BvE7TfpfNYSKMAibeKYme
    	 AkG9cxmu6ndtBpXpAg1em0EobQV8vHiYgze21LUZXFlj0im1EMG9h5CXUuZBflfTdX
    	 LHWvPoOR2fRYMbcM/87lQkoGh2q3z5h2z0bRpwohoClUj1wWTxOt5sczNTipIvBEny
    	 RxAwv90i+CTaSOaRQEYi2sOvsPe2GDgsbar6s0WDOjcKXPaaSwSpqdOubxDTQVgrQI
    	 nlJixwguad7Ig==
    Received: from customer (localhost [127.0.0.1])
    	by submission (external.com) with ESMTPSA id 4Rk4s53nG7z6tvn
    	for <info@exemple.com>; Sun, 10 Sep 2023 11:52:41 +0200 (CEST)
    Message-ID: <c79f7caf-785b-0034-49cc-e2b778bc3fec@external.com>
    Date: Sun, 10 Sep 2023 09:52:42 +0000
    MIME-Version: 1.0
    Subject: Re: tes
    Content-Language: fr
    To: Info Exemple <info@exemple.com>
    References: <2a09b196-8872-809c-e15f-67ca459fd4d0@exemple.com>
    From:  <some@external.com>
    In-Reply-To: <2a09b196-8872-809c-e15f-67ca459fd4d0@exemple.com>
    Content-Type: text/plain; charset=UTF-8; format=flowed
    Content-Transfer-Encoding: 8bit
    external-User: some@external.com
    external-Dkim: ok
    Attachments: logs.txt (2MB), logsp2.txt (2MB)
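The warning above is a Postfix delivery status notification (RFC 3464), and its per-recipient block already pins the failure down: status 4.4.1 with "connect to mail.exemple.com[8.8.8.8]:25: Connection timed out" means the sending MTA resolved the MX to the right address and then never got a TCP connection, which points at the network path (firewall, IDS/IPS, ISP) rather than at DNS or at Postfix itself. The following is an added example in Python (not code from the thread or from mailcow) that parses such a DSN and classifies each recipient's failure as a DNS, transport or SMTP-level problem; the sample DSN is constructed from the one quoted above with the poster's placeholders kept.

```python
"""Parse and classify a Postfix delivery status notification (RFC 3464).

Added example, not from the thread or from mailcow. The sample is constructed
from the DSN quoted in the thread (placeholders kept). Each recipient block is
unfolded into fields and then classified as a DNS lookup failure, a transport
failure (TCP never established or dropped) or an SMTP-level reply.
"""
import re

SAMPLE_DSN = """\
Reporting-MTA: dns; some.external.com
X-Postfix-Queue-ID: E02D81A00EB
X-Postfix-Sender: rfc822; some@external.com
Arrival-Date: Sun, 10 Sep 2023 11:52:41 +0200 (CEST)

Final-Recipient: rfc822; info@exemple.com
Original-Recipient: rfc822;info@exemple.com
Action: delayed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to mail.exemple.com[8.8.8.8]:25:
    Connection timed out
Will-Retry-Until: Mon, 11 Sep 2023 11:52:41 +0200 (CEST)
"""

# Postfix's "connect to host[ip]:port: reason" phrasing.
CONNECT_RE = re.compile(
    r"connect to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):\s*(?P<reason>.*)")


def parse_dsn(text):
    """Split the delivery-status part into the per-message block and one dict
    per recipient. Folded lines (leading whitespace) are joined to their field."""
    blocks = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        fields, key = {}, None
        for line in chunk.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
                continue
            key, _, value = line.partition(":")
            key = key.strip().lower()
            fields[key] = value.strip()
        blocks.append(fields)
    return blocks[0], blocks[1:]


def classify(rcpt):
    """Return (category, detail) for one recipient block.
    'dns': the name did not resolve; 'transport': a TCP connection to the
    resolved address failed or dropped; 'smtp': the remote MTA answered with
    a reply code; 'other'. The enhanced status class X.4.x (network/routing,
    RFC 3463) is used as a fallback when the text does not match."""
    status = rcpt.get("status", "")
    diag = rcpt.get("diagnostic-code", "")
    low = diag.lower()
    if "name service error" in low or "host or domain name not found" in low:
        return "dns", diag
    m = CONNECT_RE.search(diag)
    if m:
        return "transport", (f"TCP connect to {m['ip']}:{m['port']} "
                             f"({m['host']}) failed: {m['reason']}")
    if low.startswith("smtp;") and re.search(r"\b[245]\d\d\b", diag):
        return "smtp", diag
    if re.match(r"[245]\.4\.\d+", status):
        return "transport", diag or status
    return "other", diag or status


def diagnose(text):
    """One tuple per recipient: (address, action, status, category, detail)."""
    _, rcpts = parse_dsn(text)
    out = []
    for r in rcpts:
        cat, detail = classify(r)
        addr = r.get("final-recipient", "").split(";")[-1].strip()
        out.append((addr, r.get("action", ""), r.get("status", ""), cat, detail))
    return out


if __name__ == "__main__":
    for row in diagnose(SAMPLE_DSN):
        print(row)
```

A 'transport' verdict with the correct IP is the case where testing the banner from inside the LAN proves nothing, because the inside path never crosses the perimeter device; the check that matters is a connection from outside, and the poster's later finding that the IDS was responsible is consistent with that reading.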

