charlie5720

Q: Users are unable to set up email accounts on their mobile devices.

This is happening with Android, Windows and iOS devices. I've walked them through the steps and when it attempts to verify the information it errors. What I've found is that by adding their remote IP to mynetworks in main.cf it verifies. Once verified I can remove the remote IP and they are able to receive and send email fine. What setting or resource is preventing the verification?

 

Mac Mini, Yosemite 10.10.5, server 5.0.15

Mac mini, OS X Yosemite (10.10.5)

Posted on May 12, 2016 3:27 PM


  • by Markus Griesslehner,

    May 13, 2016 3:49 AM in response to charlie5720

    Your mail service is up and running, and your users are not able to connect to see their received mails (IMAP) or are not able to send mails (SMTP)? Please post some further details about what you have configured on your iOS device.

  • by charlie5720,

    May 13, 2016 9:50 AM in response to Markus Griesslehner

    I'm not sure which details you need? This happens with all remote setup of a mobile device. It MAY also affect desktops but that is more difficult to test, had one recent issue with a desktop that I ended up putting their IP into mynetworks which allowed them to verify.

    I'm having them set their account up as IMAP, using SSL for incoming (993), TLS for outgoing (587). The incoming and outgoing are the same FQDN and then their username and password.

    I found commas in the 'smtpd_recipient_restrictions' yesterday and took those out. I was getting spam injected into our server a couple of months ago. They configured headers to appear from our server but with bogus email accounts, I made a change that prevented this, and think this may be part of the problem. One of the suggestions I had followed was entering restrictions in a certain order. In the case of 'smtpd_recipient_restrictions' this put the permits for mynetwork or authenticated after some restriction checks. So, if the suggestion was wrong I may have my restrictions in the wrong order.

     

    mydomain_fallback = localhost

    message_size_limit = 104857600

    biff = no

    mynetworks = 10.0.0.0/8, mail.i6live.us, 174.136.6.72/32, 127.0.0.0/8, [::1]/128

    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org permit

    recipient_delimiter = +

    smtpd_tls_ciphers = medium

    inet_protocols = all

    inet_interfaces = all

    smtpd_enforce_tls = no

    smtpd_use_pw_server = yes

    relayhost =

    mydomain = i6win.us

    smtpd_pw_server_security_options = cram-md5,gssapi,login,plain

    smtpd_sasl_auth_enable = yes

    disable_vrfy_command = yes

    smtpd_helo_required = yes

    smtpd_delay_reject = no

    content_filter = smtp-amavis:[127.0.0.1]:10024

    smtpd_reject_unlisted_sender = yes

    smtpd_data_restrictions = reject_unauth_pipelining

    smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, permit

    header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks

    myhostname = mail.i6win.us

    smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_invalid_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit

    smtpd_use_tls = yes

    enable_server_options = yes

    recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps

    virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users hash:/Library/Server/Mail/Data/listserver/aliases/list_server_virtual

    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

    myorigin = $mydomain

    relay_domains = $mydestination

    mailbox_transport = dovecot

    postscreen_dnsbl_sites = zen.spamhaus.org*2

    maps_rbl_domains =

    virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains

    smtp_tls_loglevel = 1

    smtp_tls_security_level = may

    smtpd_require_virtual_map = yes

    alias_maps = hash:/Library/Server/Mail/Config/postfix/aliases hash:/Library/Server/Mail/Data/listserver/aliases/list_server_aliases

    smtpd_tls_cert_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.cert.pem

    smtpd_tls_CAfile = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.chain.pem

    smtpd_tls_key_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.key.pem

    smtp_tls_cert_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.cert.pem

    smtp_tls_CAfile = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.chain.pem

    smtp_tls_key_file = /etc/certificates/i6win.us.7B4F4C0D1F6C22C7228299CB07DA4890D6781494.key.pem

  • by Markus Griesslehner,

    May 13, 2016 11:12 AM in response to charlie5720

    For me the parameters in the smtpd_client_restrictions and smtpd_recipient_restrictions lines are not in the wrong order. If you have the connection problem with both protocols (SMTP and IMAP), I think the problem is not in the main.cf file, because different configuration files are used (smtp = postfix | imap = dovecot).

  • by charlie5720,

    May 13, 2016 12:28 PM in response to Markus Griesslehner

    Which protocol is active or used when verifying a new account? After the initial creation of a new account on a device, subsequent connections to send or retrieve email work. It's just during the initial verification that it fails.

  • by Markus Griesslehner,

    May 14, 2016 12:10 AM in response to charlie5720

    To verify an account both protocols are used. You can check the log-files to see if all went fine.

     

    In my case I entered a wrong password and started the verification process. In Terminal I entered:

     

    tail -f /Library/Logs/Mail/mail-err.log

    ...

    May 14 08:50:32 auth: Error: od(markus,127.0.0.1,<2yy4zscyCwDAqH4a>): Credentials could not be verified, username or password is invalid.

    May 14 08:50:32 auth: Error: od(markus,127.0.0.1,<2yy4zscyCwDAqH4a>): authentication failed for user=markus, method=DIGEST-MD5

    ...

     

    The mail-err.log is used by dovecot.

     

    Now we look what happened in postfix:

     

    tail -f /var/log/mail.log

    ...

    May 14 08:50:32 server postfix/smtpd[52280]: warning: unknown[127.0.0.1]: SASL DIGEST-MD5 authentication failed

    May 14 08:50:32 server postfix/smtpd[52280]: error: validate response: error: Credentials could not be verified, username or password is invalid.

    May 14 08:50:32 server postfix/smtpd[52280]: fatal: too many errors - program terminated

    ...

     

    Have a look at both log files to find a hint about what goes wrong while the verification process is running.

     

    Best regards,

    Markus

  • by charlie5720,

    May 14, 2016 11:06 AM in response to Markus Griesslehner

    I was getting this error in the mail.log

     

    May 13 20:23:16 i6win.us postfix/smtpd[9214]: warning: hostname mobile-166-177-122-248.mycingular.net does not resolve to address 166.177.122.248: nodename nor servname provided, or not known

     

    and this error in mail-err.log

     

    May 13 20:15:44 auth: Error: od(budee,166.177.122.248,<ROcsIcMyAwCmsXr4>): Credentials could not be verified, username or password is invalid.

    May 13 20:15:44 auth: Error: od(budee,166.177.122.248,<ROcsIcMyAwCmsXr4>): authentication failed for user=budee, method=CRAM-MD5

     

    Username and password were correct; I could log in locally to the server or via the web email using the same credentials.

  • by Markus Griesslehner,

    May 14, 2016 11:52 AM in response to charlie5720

    The message in the mail.log tells us that the client is not properly registered in the DNS. Do you manage the DNS service too? If yes, please register the client in your DNS zone with a matching A and PTR record.

     

    In case you cannot change your DNS records, remove the reject_unknown_client_hostname from your main.cf (parameter smtpd_client_restrictions). After you have changed the file, restart your mail service and try again.

     

    In the mail-error.log I can see only the CRAM-MD5 method was used. Please check which auth mechanisms are allowed by your mail service:

     

    [Screenshot attachment: Bildschirmfoto 2016-05-14 um 20.48.30.png]

     

    Best regards!

  • by charlie5720,

    May 16, 2016 9:00 AM in response to Markus Griesslehner

    I am running DNS for my local internet. Did open it up to everyone as I thought maybe the remote users were unable to find the server. Removed the reject_unknown_client_hostname and am able to create an account remotely and send and retrieve email. All authentication methods are allowed except Digest-MD5. Have been testing this all weekend, no issues since that change.

     

    I originally added the hostname and helo restrictions to reduce spam. I was expecting remote users who are sending through my server would not have issues with these parameters. Was also expecting the permits for authenticated users to fall through without the other client restrictions being applied. Any suggestions for improving my config to reduce spammers while allowing authenticated users to freely use our available services would be much appreciated.
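On the closing question about permits for authenticated users not falling through, a small main.cf check (an added example, not part of the thread and not Apple's or Postfix's code) that lists which reject_* rules run with no SASL exemption in effect. It assumes Postfix's documented behaviour that `smtpd_delay_reject = no` evaluates the client and HELO restriction lists at connect and HELO time, before AUTH can happen, and that a restriction list stops at its first match; the function names are hypothetical and the model ignores access maps and any bare `permit` placed early in a list.

```python
import re

# Constructed sample: the restriction-related lines from the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
smtpd_delay_reject = no
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org permit
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_invalid_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, permit
"""

PRE_AUTH_STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions")
POST_AUTH_STAGES = ("smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def parse_main_cf(text):
    """Return {name: value}, joining continuation lines and skipping comments."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:      # indented line continues the previous parameter
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def rejects_not_exempted_by_sasl(text):
    """Map each restriction list to the reject_* rules a remote authenticated user still meets."""
    params = parse_main_cf(text)
    delayed = params.get("smtpd_delay_reject", "yes").lower() != "no"  # Postfix default is yes
    findings = {}
    for stage in PRE_AUTH_STAGES + POST_AUTH_STAGES:
        rules = re.split(r"[,\s]+", params.get(stage, "").strip())
        rejects = [r for r in rules if r.startswith("reject_")]
        if stage in PRE_AUTH_STAGES and not delayed:
            hit = rejects                    # list runs before AUTH, so the SASL permit cannot match
        elif "permit_sasl_authenticated" in rules:
            cut = rules.index("permit_sasl_authenticated")
            hit = [r for r in rules[:cut] if r.startswith("reject_")]
        else:
            hit = rejects                    # no SASL permit in this list at all
        if hit:
            findings[stage] = hit
    return findings

if __name__ == "__main__":
    for stage, rules in rejects_not_exempted_by_sasl(SAMPLE_MAIN_CF).items():
        print(f"{stage}: {', '.join(rules)}")
```

On the posted configuration this flags `reject_unknown_client_hostname` in the client list, the rule whose removal restored remote account setup in the thread. A common alternative is to leave `smtpd_delay_reject` at its default and move the two permits to the front of `smtpd_recipient_restrictions`.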