
I have a Debian VPS with a Postfix server on it and I want to deliver local mails sent by connected cameras. Here is my Postfix main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = yes
append_dot_mydomain = no

readme_directory = no

compatibility_level = 3.6

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/geolithe.duckdns.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/geolithe.duckdns.org/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_cache

smtp_tls_security_level=may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_reverse_client_hostname

myhostname = vps-aab534d9

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = /etc/mailname

mydestination = vps-aab534d9.vps.ovh.net, localhost.vps.ovh.net, localhost, $myhostname, localhost.$myhostname

relayhost =

relay_domains = $mydestination

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

mailbox_size_limit = 0
recipient_delimiter = +

inet_interfaces = all

inet_protocols = all

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 100
virtual_mailbox_limit = 0
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

smtp_generic_maps = hash:/etc/postfix/generic

local_recipient_maps =
message_size_limit = 52428800

I made a script to test my server configuration and I can send emails through port 587 with it. However, when I try to send a picture with my camera, it doesn't work. Here are the logs I obtain:

2024-06-10T13:57:32.021209+00:00 geolithe postfix/submission/smtpd[123209]: warning: hostname 81.128.252.185.rev.airmob.eu does not resolve to address 185.252.128.81: Name or service not known
2024-06-10T13:57:32.021506+00:00 geolithe postfix/submission/smtpd[123209]: connect from unknown[185.252.128.81]
2024-06-10T13:57:32.021707+00:00 geolithe postfix/submission/smtpd[123209]: improper command pipelining after CONNECT from unknown[185.252.128.81]: \026\003\003\001u\001\000\001q\003\003S\221\310\312T\027\262h\003\234`\241\331\330\201m2\325\207\232\001\222\360?S\240\255\211\214\374\277\312\000\001\000\314\250\314\251\314\252\300,\3000\000\237\300\255\300\237\300$\300(\000k\300\n\300\024\0009\300\257\300\243\300\207\300\213\300}\300s\300w\000\304\000\210\300+\300/\000\236\300\254
2024-06-10T13:57:32.070553+00:00 geolithe postfix/submission/smtpd[123209]: lost connection after CONNECT from unknown[185.252.128.81]
2024-06-10T13:57:32.070682+00:00 geolithe postfix/submission/smtpd[123209]: disconnect from unknown[185.252.128.81] commands=0/0

I read on this forum that this could be due to the code sending the email. The problem is that I can't control it: the cameras are sold with private source code. There is no problem sending emails from my cameras with Google SMTP or other SMTP servers. Does anyone have any idea how to configure Postfix to accept these mails?

Paul

2 Answers

2

\026\003\003\001u\001\000\001q\003\003S\221\310\312T\027\262h\003\234... this doesn't look like SMTP at all. It's not actual pipelining, and the whole "improper command pipelining after CONNECT..." error message seems to be very misleading. What this does look like is TLS session initiation.

Probably your client is instructed to use static TLS, but the Postfix submission service running on port 587 expects the client to start with an "ordinary" ESMTP EHLO command; it can then be switched to TLS by the client issuing STARTTLS (if the server announces support for this command in its reply).

Either you need to set up the clients to use STARTTLS on port 587, or set up and use a static TLS instance, for which port 465 is typically used. Postfix's master.cf usually has it under the smtps name, commented out.

Currently static TLS is typically considered more secure; however, if the client can be set to refuse to talk to the server when STARTTLS isn't offered, and smtpd_tls_security_level is set to encrypt (requiring the client to issue STARTTLS), they're the same. However, it's strongly advisable to set smtpd_tls_security_level=encrypt only for the submission service in master.cf, so that it is not enforced on the default port 25 smtp instance.
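Added example (not part of the original answer, and not Postfix code): a Python script that decodes the escaped payload Postfix printed in the question's log line and checks it for a TLS ClientHello record header, which is what separates an implicit-TLS client from one that simply talks before the greeting. The function names and the second sample line are constructed for illustration.

```python
import re

# Matches the smtpd warning from the question; the escaped payload follows the client.
LOG_RE = re.compile(
    r"postfix/(?P<service>[\w-]+)/smtpd\[\d+\]: improper command pipelining "
    r"after CONNECT from (?P<client>\S+): (?P<data>.*)$"
)
# The log above shows non-printable bytes as \ooo octal or C-style escapes such as \n.
TOKEN_RE = re.compile(r"\\([0-3][0-7]{2})|\\([abtnvfr\\])|(.)", re.S)
C_ESCAPES = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92}

def unescape(text):
    """Turn the escaped payload from the log back into raw bytes."""
    out = bytearray()
    for octal, c_esc, literal in TOKEN_RE.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif c_esc:
            out.append(C_ESCAPES[c_esc])
        else:
            out += literal.encode("latin-1", "replace")
    return bytes(out)

def diagnose(line):
    """Return a verdict for one log line, or None if it is not the pipelining warning."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    raw = unescape(m["data"])
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, then 0x01 (ClientHello).
    hello = len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01
    return {
        "service": m["service"],
        "client": m["client"],
        "tls_client_hello": hello,
        "record_length": int.from_bytes(raw[3:5], "big") if hello else None,
        "verdict": ("implicit TLS sent to a STARTTLS listener" if hello
                    else "plaintext sent before the server greeting"),
    }

SAMPLE_LINES = [
    # From the question, payload shortened to the prefix quoted in the answer above.
    r"2024-06-10T13:57:32.021707+00:00 geolithe postfix/submission/smtpd[123209]: improper command pipelining after CONNECT from unknown[185.252.128.81]: \026\003\003\001u\001\000\001q\003\003S\221\310\312T\027\262h\003\234",
    # Constructed: a client that sends EHLO without waiting for the banner.
    r"2024-06-10T14:00:00.000000+00:00 geolithe postfix/submission/smtpd[123300]: improper command pipelining after CONNECT from unknown[192.0.2.10]: EHLO camera\r\n",
]

if __name__ == "__main__":
    print(*map(diagnose, SAMPLE_LINES), sep="\n")
```

Run over a real mail log, a verdict of implicit TLS on the submission service points at the client's port and encryption setting rather than at a broken SMTP implementation.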

1

As Nikita said, the improper command pipelining was a misconfiguration of the port and SSL type. I use mobile communication between the cameras and the server. The clients' IPs are dynamic, on the same network. If you want to debug these, you must find the network in the logs by doing some tests. After that, you can add it to debug_peer_list in main.cf, adding the length of the network. For example, in my case:

debug_peer_level = 4
debug_peer_list = 185.252.128.0/24

It gives me some information about where the error is. In my case, the IMAP connection wasn't complete. The problem was that I used an AUTH PLAIN connection instead of AUTH LOGIN. To put things right, add login to auth_mechanisms in /etc/dovecot/conf.d/10-auth.conf and it should work.