Hello,

since this morning I cannot receive any mail in my self-hosted mailcow. If I connect to port 25 I see only the line
220-mailcow.plant.systems ESMTP Postcow
which is postscreen if I remember correctly, but get no “220 mailcow….” after a while.

No changes were made on the system, no updates in the past few days.

Can anybody help me debug this?
Thanks

In the dovecot logs I found the following when someone tries to send me a message:

22.05.2024, 14:56:49 info managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=172.22.1.2, lip=172.22.1.250
22.05.2024, 14:56:49 info imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.2, lip=172.22.1.250
22.05.2024, 14:56:49 info imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.2, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
22.05.2024, 14:56:49 info lmtp(608): Disconnect from 172.22.1.2: Logged out (state=MAIL FROM)
22.05.2024, 14:56:49 info lmtp(608): Connect from 172.22.1.2



    tomspost In the dovecot logs I found the following when someone tries to send me a message:

    This is an attempt to sign in to Dovecot; Dovecot's purpose is to read email from the server, not to send or receive.

    You are connecting to port 25, which should be bound to Postfix (sending e-mails), so if you are not able to receive, you are on the correct port but you are reading the wrong logs. Go to the Postfix logs.

    Also, you are trying to manually debug the SMTP connection, so I suppose you are using telnet, like
    telnet mail.server 25

    The pause on 220-mailcow.plant.systems ESMTP Postcow is all right; the server is waiting for your next move. Try EHLO test.mailcow.com or something like this; the server should respond with multiple 250-* lines.


      Forgot to give essential information, panic is a bad advisor ;-)

      System version is 2024-04
      Watchdog says everything is ok.
      Running on Docker CE 26.1 on a Debian 12.5 Host

      One correction: in your Dovecot log there is LMTP. It’s a protocol to send emails and may be worth investigating, but its purpose is to substitute SMTP in cases when you do not have an SMTP server. Mailcow has an SMTP server, Postfix, so by your description I believe the problem is more likely in Postfix than in Dovecot.

      Server looks good so far, maybe under load


      Did you try to restart your mailcow?

      docker compose down
      docker compose up -d

      ETNyx Thanks for your answer.

      I see, only mails from Office365/Outlook.com do not arrive. I tested only with an O365 account from my job.
      Mail from a MariaDB-list entered this moment, although the Debian Users mailing list did not send a mail since this morning, which is strange. And a test with a Gmail account also succeeded.

      When a mail from O365 arrives postfix log tells the following:
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/postscreen[522]: CONNECT from [40.107.20.115]:62834 to [172.22.1.253]:25
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/postscreen[522]: WHITELISTED [40.107.20.115]:62834
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: connect from mail-db8eur05on2115.outbound.protection.outlook.com[40.107.20.115]
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: discarding EHLO keywords: CHUNKING
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: TLS SNI mailcow.plant.systems from mail-db8eur05on2115.outbound.protection.outlook.com[40.107.20.115] not matched, using default chain
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: Anonymous TLS connection established from mail-db8eur05on2115.outbound.protection.outlook.com[40.107.20.115]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: disconnect from mail-db8eur05on2115.outbound.protection.outlook.com[40.107.20.115] ehlo=1 starttls=1 quit=1 commands=3
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/postscreen[522]: CONNECT from [2a01:111:f400:7e1a::723]:30113 to [fd4d:6169:6c63:6f77::11]:25
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/postscreen[522]: WHITELISTED [2a01:111:f400:7e1a::723]:30113
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: connect from mail-db8eur05on20723.outbound.protection.outlook.com[2a01:111:f400:7e1a::723]
      postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: discarding EHLO keywords: CHUNKING
      postfix-mailcow-1 | May 22 15:47:21 cebdaaff7b0c postfix/smtpd[525]: Anonymous TLS connection established from mail-db8eur05on20723.outbound.protection.outlook.com[2a01:111:f400:7e1a::723]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
      postfix-mailcow-1 | May 22 15:47:21 cebdaaff7b0c postfix/smtpd[525]: disconnect from mail-db8eur05on20723.outbound.protection.outlook.com[2a01:111:f400:7e1a::723] ehlo=1 starttls=1 quit=1 commands=3

      This will be a huge guess. This:
      postfix-mailcow-1 | May 22 15:47:21 cebdaaff7b0c postfix/smtpd[525]: disconnect from mail-db8eur05on20723.outbound.protection.outlook.com[2a01:111:f400:7e1a::723] ehlo=1 starttls=1 quit=1 commands=3

      The connection from Outlook made 3 commands (you see them just before): ehlo -> starttls -> quit. I would read this as Outlook not liking your encryption. This can be for many reasons; in case you did not try @DocFraggle's suggestion to restart, now is the time.

      Yes, restarted the system a few minutes ago, uptime 8 minutes, but same behaviour.

      But it also says “postfix-mailcow-1 | May 22 16:17:52 cebdaaff7b0c postfix/smtpd[388]: Anonymous TLS connection established from mail-vi1eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2613::701]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)” which would suggest a successful connection, wouldn’t it?

        tomspost No, it doesn’t really restart the docker containers if you boot the system. Run

        docker compose down
        docker compose up -d

        inside the mailcow directory

          tomspost

          Well, not sure; like I wrote, it's a huge guess, and this is most likely over my head. I believe for negotiation both sides make a connection. Your server is OK with Outlook; that is the record you are referencing. (If that makes some sense?)

          Somehow your server takes more than 4 seconds until an EHLO is accepted… maybe that’s too long for Microsoft. You need to check all the logs to see what’s going on there…

          Connecting to 109.199.109.60
          
          220-mailcow.plant.systems ESMTP Postcow
          220 mailcow.plant.systems ESMTP Postcow [4291 ms]

            DocFraggle

            Hmm, interesting, but from that Postfix log, in the last connection, those 3 commands I wrote about are within 1 second from connection (May 22 15:47:20) to quit (May 22 15:47:21). Seems to be OK at that connection.

              ETNyx Yes, seems the IPs from outlook.com are whitelisted in Mailcow:

              postfix-mailcow-1 | May 22 17:09:06 01b560ffa376 postfix/postscreen[638]: CONNECT from [40.107.15.129]:55173 to [172.22.1.253]:25
              postfix-mailcow-1 | May 22 17:09:06 01b560ffa376 postfix/postscreen[638]: WHITELISTED [40.107.15.129]:55173
              postfix-mailcow-1 | May 22 17:09:06 01b560ffa376 postfix/smtpd[642]: connect from mail-db5eur01on2129.outbound.protection.outlook.com[40.107.15.129]

              Yes, this is in Postscreen and only true for Postscreen. It’s a relatively new daemon in Postfix, designed to pre-filter connections from bad actors (spammers) before they send any e-mail, connect to log in or so… Postscreen is relatively cheap on resources compared to an antispam like rspamd in mailcow. Google and Outlook are usually pre-whitelisted based on IP; both Google and Outlook publish their IPs.

              Does the sender get a bounce message in his outlook.com mailbox? If yes, what is the exact content?

                esackbauer Not until now, not even a delay message. Think we will have to wait another few hours.

                Maybe it has to do with TLSA. I get the following error if I send to bendel.debian.org:
                Sender address rejected: unverified address: TLSA lookup error for mailcow.plant.systems:25 (in reply to RCPT TO command)

                I do not have, and never had, a TLSA record in my DNS. However, I enabled DNSSEC on my domain a few weeks ago. I disabled it again. We will see if things go better in a few hours after the TTL expires.

                All mails which were deferred yesterday are coming in. It really was the DNSSEC; I must read more on the consequences of activating it.

                Thanks to everyone for your help.
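The log signature that pointed the thread in the right direction (`ehlo=1 starttls=1 quit=1 commands=3`: a sender completes STARTTLS and leaves without ever issuing MAIL FROM) can be searched for across a whole Postfix log and grouped by sending domain. This is an added example, not part of any post above; the function names are hypothetical, the first two sample lines are copied from the thread and the last two are constructed.

```python
import re
from collections import defaultdict

# First two lines are from the thread; the last two are constructed for contrast.
SAMPLE_LOG = """\
postfix-mailcow-1 | May 22 15:47:20 cebdaaff7b0c postfix/smtpd[525]: disconnect from mail-db8eur05on2115.outbound.protection.outlook.com[40.107.20.115] ehlo=1 starttls=1 quit=1 commands=3
postfix-mailcow-1 | May 22 15:47:21 cebdaaff7b0c postfix/smtpd[525]: disconnect from mail-db8eur05on20723.outbound.protection.outlook.com[2a01:111:f400:7e1a::723] ehlo=1 starttls=1 quit=1 commands=3
postfix-mailcow-1 | May 22 15:48:02 cebdaaff7b0c postfix/smtpd[530]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
postfix-mailcow-1 | May 22 15:49:10 cebdaaff7b0c postfix/smtpd[531]: disconnect from unknown[198.51.100.7] ehlo=1 quit=1 commands=2
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\] (?P<stats>.+)$"
)

def parse_counters(stats):
    """Turn 'ehlo=1 rcpt=0/1 commands=3' into {'ehlo': (1, 1), 'rcpt': (0, 1), ...}.

    Postfix writes 'ok/total' when some commands of that kind were rejected."""
    counters = {}
    for token in stats.split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        if ok.isdigit():
            counters[name] = (int(ok), int(total) if total.isdigit() else int(ok))
    return counters

def abandoned_after_starttls(log_text):
    """Return {sender_domain: {ips}} for sessions that did STARTTLS but never sent MAIL FROM."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue
        c = parse_counters(m["stats"])
        # A 'mail' counter (even 'mail=0/1') means the sender got as far as MAIL FROM.
        if c.get("starttls", (0, 0))[0] >= 1 and "mail" not in c:
            domain = ".".join(m["host"].split(".")[-2:])  # last two labels of the rDNS name
            hits[domain].add(m["ip"])
    return dict(hits)

if __name__ == "__main__":
    for domain, ips in abandoned_after_starttls(SAMPLE_LOG).items():
        print(domain, sorted(ips))
```

When one sending domain appears here while other senders deliver normally, the sender is giving up after the TLS handshake, which is the pattern seen in this thread before DNSSEC was disabled.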
