Hello everyone,
I recently migrated our email from Gandi to OVH.
The servers, Ubuntu 22.04 VMs on a Proxmox v7 hypervisor, send fail2ban logs to it@domain.com; since the migration, we no longer receive any email.
I can connect to my email account via Thunderbird, Webmail and Apple Mail.
I can also connect via openssl:
===============================
openssl s_client -connect pro3.mail.ovh.net:587 -starttls smtp -crlf
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = pro3.mail.ovh.net
verify return:1
---
Certificate chain
0 s:CN = pro3.mail.ovh.net
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = pro3.mail.ovh.net
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4531 bytes and written 500 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [xxx]
Session-ID-ctx:
Master-Key: [yyyyyyyy]
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1698886360
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
250 SMTPUTF8
EHLO
250-pro3.mail.ovh.net Hello [1.2.3.4]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN
334 VXNlcm5hbWU6
[login in base64]
334 UGFzc3dvcmQ6
[password in base64]
235 2.7.0 Authentication successful
==========================================
I updated:
/etc/postfix/sasl/sasl_passwd
-> contains domain:port login:password
-> I run postmap
/etc/postfix/main.cf
-> replacing mail.gandi.net:587 with pro3.mail.ovh.net:587 or ssl0.ovh.net:465
All my attempts failed.
I observe that if I put [domain]:port I get the message below:
=======================
Nov 2 01:41:47 nextcloud postfix/smtp[1139908]: 7D84E2EE03DE: to=, relay=pro3.mail.ovh.net[145.239.216.210]:587, delay=5.2, delays=0.04/0/0.17/5, dsn=5.7.57, status=bounced (host pro3.mail.ovh.net[145.239.216.210] said: 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM (in reply to MAIL FROM command))
=======================
If I put domain:port, I get this message:
=======================
Nov 2 01:57:31 nextcloud postfix/smtp[1140650]: D0AD32EE01CB: to=, relay=pro3.mail.ovh.net[145.239.216.210]:587, delay=1060, delays=1055/0.02/5.2/0, dsn=4.7.3, status=deferred (SASL authentication failed; server pro3.mail.ovh.net[145.239.216.210] said: 535 5.7.3 Authentication unsuccessful)
=======================
Here is the output of postconf -n:
=======================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination =
mydomain = nextcloud.domain.com
myhostname = nextcloud.domain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = ssl0.ovh.net:465
sender_canonical_maps = hash:/etc/postfix/canonical
smtp_enforce_tls = yes
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
=======================
I tested with the various options (enabled or commented out):
=======================
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login
fallback_transport = relay
smtp_pix_workarounds = disable_esmtp
smtp_tls_protocols = !SSLv2
smtp_pix_workarounds =
smtp_always_send_ehlo = yes
smtp_sasl_mechanism_filter=!gssapi, !login,static:rest
smtp_always_send_ehlo=yes
smtpd_sasl_local_domain=$mydomain
broken_sasl_auth_clients=yes
smtp_send_dummy_mail_auth=no
smtpd_recipient_restrictions= permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_path=smtpd
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
=======================
Which options work for you? I'm getting to the point where I would almost miss Gandi…
By adding:
smtp_sasl_mechanism_filter = login
The emails go through…
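Added example, not part of the original posts: a small offline check of the three settings this thread turns on, namely the mechanisms the relay advertises versus `smtp_sasl_mechanism_filter`, the `sasl_passwd` lookup key versus `relayhost`, and `smtp_tls_wrappermode` versus the port. The function names are hypothetical, the filter matching is a simplified subset of Postfix's match-list syntax, and the sample EHLO reply is constructed from the values quoted above.

```python
import re

# Constructed sample input, modelled on the EHLO reply quoted in the thread.
EHLO_REPLY = """250-pro3.mail.ovh.net Hello [1.2.3.4]
250-SIZE 104857600
250-AUTH GSSAPI NTLM LOGIN
250 SMTPUTF8"""

def advertised_mechanisms(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH line of an EHLO reply."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            return m.group(1).upper().split()
    return []

def allowed_mechanisms(advertised, mech_filter):
    """Apply a simplified smtp_sasl_mechanism_filter: first matching pattern
    wins, '!name' excludes, 'static:...' matches anything, and once a filter
    is set, names that match no pattern are dropped. Empty filter keeps all."""
    patterns = [p for p in re.split(r"[,\s]+", mech_filter.strip()) if p]
    if not patterns:
        return list(advertised)
    kept = []
    for mech in advertised:
        for p in patterns:
            negate, name = p.startswith("!"), p.lstrip("!")
            if name.lower().startswith("static:") or name.upper() == mech:
                if not negate:
                    kept.append(mech)
                break
    return kept

def lint_relay(conf, passwd_keys):
    """Return findings for a relay setup; conf maps main.cf names to values."""
    findings = []
    relay = conf.get("relayhost", "")
    host, _, port = relay.replace("[", "").replace("]", "").partition(":")
    # Credentials are looked up under the relayhost exactly as written
    # (brackets and port included) or under the bare server hostname.
    # Without a matching entry Postfix does not attempt AUTH at all.
    if relay not in passwd_keys and host not in passwd_keys:
        findings.append("no sasl_passwd entry for " + relay)
    # Port 465 is implicit TLS (wrappermode yes); 587 uses STARTTLS (no).
    wrapper = conf.get("smtp_tls_wrappermode", "no") == "yes"
    if wrapper != (port == "465"):
        findings.append("smtp_tls_wrappermode does not fit port " + port)
    return findings
```
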
Hello @MatthieuO1,
Thank you for posting the answer to your own topic.
Have an excellent day and enjoy browsing the Community.
^FabL