Mailcow Slew of Authentication Problems

grg

I use Thunderbird on my desktop and a few internal tools that are meant for sending out emails to users. I keep getting issues where its either constantly failing to connect to my mail server or its having some type of auth issue.

From my application.
Checklist:

I used dig and dmarc, spf and dkim settings came back fine!
IP is not blacklisted.
UFW ports are open because sometimes it works.
Passwords are fine

I might have thought it could have been an SSL/TSL thing? I did find port 587 has no cert. I don’t know what mailcow settings are I couldnt find any documentation. Does it need to be pushed to users? And its not doing it.

sudo openssl s_client -connect localhost:587 -starttls smtp

CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 23 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

3: Connection: opening to mail.mydomain.com:587, timeout=300, options=array()
3: Connection: opened
2: SERVER -> CLIENT: 220 mail.mydomain.com ESMTP Postcow

1: CLIENT -> SERVER: EHLO hbt.mydomain.com

2: SERVER -> CLIENT: 250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

1: CLIENT -> SERVER: STARTTLS

2: SERVER -> CLIENT: 220 2.0.0 Ready to start TLS

1: CLIENT -> SERVER: EHLO hbt.mydomain.com

2: SERVER -> CLIENT: 250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

1: CLIENT -> SERVER: AUTH LOGIN

2: SERVER -> CLIENT: 334 VXNlcm5hhWS5

1: CLIENT -> SERVER: ---obfuscated---
2: SERVER -> CLIENT: 334 UGFzc3dvfbnT

1: CLIENT -> SERVER: ---obfuscated---
2: SERVER -> CLIENT: 535 5.7.8 Error: authentication failed: (reason unavailable)

1: SMTP ERROR: Password command failed: 535 5.7.8 Error: authentication failed: (reason unavailable)

3: SMTP Error: Could not authenticate.
1: CLIENT -> SERVER: QUIT

2: SERVER -> CLIENT: 221 2.0.0 Bye

3: Connection: closed
3: SMTP Error: Could not authenticate.

esackbauer

grg Passwords are fine

If you are using 2FA, you cannot use your UI password for services like IMAP, SMTP etc.
You must use app passwords.

Ganzjahresgriller

Did you read the Docs? Mailcow and a Firewall is not the best Idea

grg

esackbauer For the main admin account?? Thats the only thing I have 2FA on

esackbauer

The main admin account is not mail enabled by default (for security reasons). So it doesnt matter.
Did you enable this? Then yes probably you also need to use app passwords for the clients.
Never tried this, because its security worst practice to do daily tasks like email with an administration account.

grg

esackbauer None of my email clients (IMAP) are using 2FA.

I have 2FA on the admin default account. So, is that why its asking me for login credentials of my main account??

Message: “mailserver.mydomain.com is requesting your username and password.” That can’t possibly be my main admin account lol. Makes no sense. I don’t know what account it would be.

esackbauer

What is your “main account”? Are you on a supported OS?
Is there a reverse proxy inbetween? Are you on cloudflare tunnels?

grg

esackbauer

Default admin account, the one that ships with Mailcow. Thats the only account that has 2FA enabled.

I have a mail.domain.com A record that is proxied. However, I use imap.domain.com for my mail server (grey cloud) not proxied. Same with autoconfig and autodiscover they are both grey cloud on Cloudflare and point to imap.domain.com.

No proxy yet as I plan to reverse proxy the imap.domain.com so it does not lead to the mail server login.