
Resolved dovecot imap ssl - not working

Oliver_Strixner

New Pleskian
Hi,

I had a crash after maintenance by Strato. After fixing my Plesk Obsidian installation, I have no IMAP running, but pop2 over SSL is working fine.

I see there are no open ports 993, 143.

Dovecot is running.

plesk repair all -n shows no errors.

Any ideas?
 
OK, I hope I have the interesting information.

Code:
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/dovecot.service.d
           └─respawn.conf
   Active: active (running) since Mo 2020-05-04 15:25:49 CEST; 3h 38min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 32149 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
 Main PID: 32153 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─ 8508 dovecot/auth
           ├─32153 /usr/sbin/dovecot -F
           ├─32159 dovecot/anvil
           ├─32160 dovecot/log
           ├─32161 dovecot/config
           └─32750 dovecot/stats

In /var/log/maillog
I have no IMAP entries and no errors.
The email clients get a connection refused message. Ports 993 and 143 are closed.

openssl s_client -showcerts -connect xxxxx.de:993 -servername xxxxx.de
connect: Connection refused
connect:errno=111

POP3 with SSL is working fine, but it seems that IMAP is missing.
Mail client connection attempts leave no message in the log files (syslog, auth, mail.err).

I had a problem and then I tried to remove and install Dovecot with
plesk installer --select-product-id plesk --select-release-current --remove-component dovecot
but it removed all dependent Plesk packages (plesk-core) and crashed the installation.
I've got Plesk working now, but the IMAP thing will not start. Maybe a missing package?

I don't know how to verify the Dovecot IMAP installation. In the panel and in plesk repair all -n everything seems OK.
The bad thing: no error messages on the server, and the IMAP ports are closed. Maybe a package is missing?
 
iptables? iptables -L / iptables -F
 
OK, I've got it. It was no firewall thing. It's an automatic installation of the kolab-premium-mail extension, which I don't want, but it's automatically activated - strange.

This article is the solution:
Unable to log in to webmail with enabled Plesk Premium Email: Could not connect to localhost:143: Connection refused

To check this, the netstat command gives the right information:
Code:
netstat -plutn | grep 143
tcp        0      0 127.0.0.1:9143          0.0.0.0:*               LISTEN      6263/dovecot
Code:
netstat -plutn | grep 993
tcp        0      0 127.0.0.1:9993          0.0.0.0:*               LISTEN      6263/dovecot

After removing the "Plesk Premium Email, powered by Kolab" extension via the panel, Dovecot works on the normal ports:

Code:
netstat -plutn | grep 993
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      14523/dovecot
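
Added example (not part of the original post): the netstat check above as a bash function that reports, per expected mail port, whether Dovecot listens publicly, only on loopback, or on a shifted port such as 9143/9993. The sample lines are constructed from the two states shown in the post; the function name and the "same trailing digits" heuristic for spotting a moved port are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: classify Dovecot listeners per mail port.

# Constructed samples modelled on the netstat output quoted in the post.
sample_with_extension='tcp        0      0 127.0.0.1:9143          0.0.0.0:*               LISTEN      6263/dovecot
tcp        0      0 127.0.0.1:9993          0.0.0.0:*               LISTEN      6263/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      6263/dovecot'
sample_after_removal='tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      14523/dovecot'

# Usage: netstat -plutn | check_mail_listeners "143 993"
# Prints "<port> <verdict> <address:port or ->" for every expected port.
check_mail_listeners() {
  awk -v ports="${1:-143 993 110 995}" '
    # Keep only TCP listeners owned by dovecot; remember bind address per port.
    $6 == "LISTEN" && $NF ~ /\/dovecot$/ {
      n = split($4, part, ":")
      port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      seen[port] = addr
    }
    END {
      m = split(ports, want, " ")
      for (i = 1; i <= m; i++) {
        p = want[i]; verdict = "MISSING"; detail = "-"
        if (p in seen) {
          loop = (seen[p] ~ /^127\./ || seen[p] == "::1")
          verdict = loop ? "LOOPBACK_ONLY" : "OK"
          detail = seen[p] ":" p
        } else {
          # Heuristic (assumption): a listener on e.g. 9143 is the moved 143.
          for (k in seen)
            if (length(k) > length(p) && substr(k, length(k) - length(p) + 1) == p) {
              verdict = "MOVED"; detail = seen[k] ":" k; break
            }
        }
        print p, verdict, detail
      }
    }'
}

printf '%s\n' "$sample_with_extension" | check_mail_listeners "143 993 995"
printf '%s\n' "$sample_after_removal"  | check_mail_listeners "993"
```

A MOVED or LOOPBACK_ONLY verdict means remote clients get "connection refused" on the standard port even though the Dovecot service itself is active and logs nothing.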
 
I've just encountered a similar issue. Can receive email over POP3 no problems but not over IMAP. This is happening on a VPS that hosts a few other websites/email so I have so people are starting to get upset.

Mail over IMAP was working fine last week but stopped on Friday (3 days ago). Really need to get this going quickly, can anybody offer advice?
 
It's happening again!!

Started when my security certificate self-renewed. Was unable to send email on one POP3 machine or via IMAP from one email account. Others were working fine. Fiddled about with server, enabled sending on Pop3 machine but could not send or receive on IMAP. Webmail (Roundcube) also down.

Anybody else had this problem?
 
Thanks @Peter Debik -- that looks really interesting... although MacMail and Thunderbird are now working OK over POP with Dovecot. So it looks as if we're past the certificate issue... ?

What's the deal with IMAP? Thinking about removing Dovecot and reinstalling it via command line. Is there a way to verify if IMAP is loaded?
 
Oh -- and further to this, SMTP is working on my wife's iPhone. I duplicated her settings on my phone (ports, etc.) but it's not working on mine. Phones are the same... same OS ???
 
You only need three correct values: servername, username, password. If these are correct, connection will work. If username or password are incorrect, Fail2Ban on your server will block the IP by which your phone connects to the server. In that case, look up the IP on the phone, e.g. by opening a site like Whats My IP Address - IP Address, Whois & IP Tracing, then check occurrences in /var/log/fail2ban.log or remove it from the fail2ban bans.
 
Hi again @Peter Debik -- if my servername is OK (same as my wife's settings), and I'm using MY correct username and MY correct password, can't see why the connection isn't working. Can try tracing the IP (don't know anything about fail2ban or if it's even running -- if it's a standard Plesk thing I suppose it is...)

Webmail (which also uses IMAP) got to login screen the other day but couldn't access directories. Now it's having a security certificate issue and not working at all...

One way or another, something is very wrong with my mail services. I suppose at least I haven't been fielding messages from frustrated clients that I co-host email for on the VPS. The whole thing is bloody weird:
  • 25 May security certificate for my domain auto renews. my services continue to operate as normal, my wife loses POP and SMTP on computer (Thunderbird) and SMTP on iPhone (Mac Mail)
  • 3 June I discover problem when my wife tries to use webmail. Server goes down completely. I manually renew security certificates -- which doesn't change anything. Server re-sets itself and websites are live but email situation persists. During shutdown period my email continues to work as normal.
  • Last Thursday I do some investigation. Not sure what I achieved on server but suddenly my wife has POP and SMTP restored on computer. Still has issues with phone. My phone can't download new email and neither can my wife's.
  • Delete mail account on my phone and set up again. IMAP and SMTP don't work. My wife has no IMAP on phone but can send via SMTP
Getting bloody frustrated now. I'm wondering if I just get my ISP to set up a fresh VPS with a new copy of Plesk and just move everything across to there??
 
Checked my IP address. Normally I'm on WIFI so IP is the same as computers. It's not blocked by fail2ban...
 
I see you are frustrated, but repeating that something does not work does not lead to a solution. Instead, please try to systematically check all the points you mention that do not work. For example you mention that you experience issues with the SSL certificate.
- What issues exactly? For example is it expired? Is it missing? From where? Is it the domain certificate or the server certificate? If it is the domain certificate, does it have the SNI checkbox checked (for protection of email)?
- Is this about the host email certificate? Is that selected as default and is it selected to protect the mail hostname in Tools & Settings > Security > SSL/TLS certificates?
- What errors are logged in /var/log/maillog when you try to connect to the server? Are there any errors logged at all? Or is no connection logged?
- If no connection is logged, is the IP address from where you attempt a connect listed in /var/log/fail2ban.log? If not, then your device is not sending a connect attempt at all and it has nothing to do with the server configuration, but the device only. If errors are logged what are these errors exactly (wording)?
- Are you using the correct ports in your IMAP configuration? It would be port 993 for incoming mail and IMAP with SSL or 143 for incoming and IMAP without SSL. 465 for outgoing with SSL, 25 for outgoing without SSL. Are these ports open on your router through which you connect? Do you connect through your router at all or are you going directly through a cell (wifi turned off)?
- Did you verify that your same username (=mailbox name) and password for that mailbox work when you are using webmail (like Roundcube, Horde)? Can you send and receive mails with Roundcube or Horde? I am asking, because these login/logout exactly like remote email clients as they are nothing else but email clients, just like the one on your phone. They use the same ports, the same algorithms etc.
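
Added example (not part of the original post): the fail2ban.log lookup suggested above, as a bash function that matches the client IP exactly (a plain grep for 203.0.113.7 would also hit 203.0.113.70) and reports the most recent Ban/Unban action per jail. The log lines are constructed in fail2ban's usual `fail2ban.actions` layout; the function name, IP addresses and jail names in the sample are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: is this client IP banned, and by which jail?

# Constructed sample log (documentation IP ranges, illustrative jail names).
sample_f2b_log='2020-06-08 09:12:44,101 fail2ban.filter  [1021]: INFO   [plesk-dovecot] Found 203.0.113.7 - 2020-06-08 09:12:44
2020-06-08 09:12:50,330 fail2ban.actions [1021]: NOTICE [plesk-dovecot] Ban 203.0.113.7
2020-06-08 09:22:50,512 fail2ban.actions [1021]: NOTICE [plesk-dovecot] Unban 203.0.113.7
2020-06-08 10:01:02,004 fail2ban.actions [1021]: NOTICE [plesk-postfix] Ban 203.0.113.7
2020-06-08 10:05:00,000 fail2ban.actions [1021]: NOTICE [plesk-dovecot] Restore Ban 203.0.113.70'

# Usage: ban_state IP < /var/log/fail2ban.log
# Prints "<jail> BANNED|UNBANNED <date> <time>" for the last action per jail,
# or NOT_LISTED when no Ban/Unban action ever named exactly this IP.
ban_state() {
  awk -v ip="$1" '
    $3 == "fail2ban.actions" && $NF == ip &&
    ($(NF-1) == "Ban" || $(NF-1) == "Unban") {
      jail = ""
      # The jail is the first field of the form [name]; "[1021]:" does not match.
      for (i = 4; i < NF - 1; i++)
        if (substr($i, 1, 1) == "[" && substr($i, length($i)) == "]") {
          jail = substr($i, 2, length($i) - 2); break
        }
      if (jail == "") next
      if (!(jail in state)) order[++n] = jail
      state[jail] = ($(NF-1) == "Ban" ? "BANNED" : "UNBANNED") " " $1 " " $2
    }
    END {
      if (n == 0) { print "NOT_LISTED"; exit }
      for (i = 1; i <= n; i++) print order[i], state[order[i]]
    }'
}

printf '%s\n' "$sample_f2b_log" | ban_state 203.0.113.7
printf '%s\n' "$sample_f2b_log" | ban_state 192.0.2.1
```

NOT_LISTED together with no entry in /var/log/maillog points away from the server and towards the device or network path, which is the distinction the checklist draws.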
 
I see you are frustrated, but repeating that something does not work does not lead to a solution. Instead, please try to systematically check all the points you mention that do not work. For example you mention that you experience issues with the SSL certificate.
- What issues exactly? For example is it expired? Is it missing? From where? Is it the domain certificate or the server certificate? If it is the domain certificate, does it have the SNI checkbox checked (for protection of email)?

Thanks for your feedback @Peter Debik . It’s great to have a list of steps that I can work through. I’m trying to set out what happened/is still happening here. As far as I can see, this problem started after something changed on the server (Security Certificate validation??). I had no problems before this and have used the same settings for many years.

Domain certificate expired on 25 May and auto-renewed. When I discovered the problem I renewed it manually. I made sure all checkboxes were ticked, including the SNI checkbox.

- Is this about the host email certificate? Is that selected as default and is it selected to protect the mail hostname in Tools & Settings > Security > SSL/TLS certificates?

Looking at the Host Certificate (didn’t know where this was) I see there is no CSR Certificate or -CA.CRT certificate (The component is missing.) I’m not sure if this is the default setting or if something was there and now is not as I’ve never been in this screen before.

What I do have in place is a Private Key (*.key) and a Certificate (*.crt)

- What errors are logged in /var/log/maillog when you try to connect to the server? Are there any errors logged at all? Or is no connection logged?

I can see log entries (not errors) for POP3 connections and SMTP from my computer. Cannot see any activity (IMAP or SMTP) from my phone. I can see SMTP from my wife’s phone but no IMAP activity.

- If no connection is logged, is the IP address from where you attempt a connect listed in /var/log/fail2ban.log? If not, then your device is not sending a connect attempt at all and it has nothing to do with the server configuration, but the device only. If errors are logged what are these errors exactly (wording)?

All these connections are over the same IP address. This address is not showing in fail2ban.

- Are you using the correct ports in your IMAP configuration? It would be port 993 for incoming mail and IMAP with SSL or 143 for incoming and IMAP without SSL. 465 for outgoing with SSL, 25 for outgoing without SSL. Are these ports open on your router through which you connect? Do you connect through your router at all or are you going directly through a cell (wifi turned off)?

As I mentioned before, I normally connect through router. I’ve just turned WIFI off so phone is using Cellular Data. Phone is unable to send or receive.

Looking at IMAP end on phone. Was on Port 143 (no SSL). I turned on SSL and Port 993. Phone is unable to receive mail. (unable to verify). Error message spake thus: “The IMAP server ‘mail.mysite.co.nz’ is not responding. Check your network connection and that you entered the correct information in the ‘Incoming Mail Server’ field”. Which I have. Changed to Port 143. Phone is unable to verify.

Looking at the SMTP end on phone. Added new password. No SSL. Basic Server Port 25. Phone is unable to verify. Tells me server is not responding. I need to set to correct information in the ‘Outgoing Mail’ field. Which is correct.

Added username and password and turned on SSL. Phone verified address.

- Did you verify that your same username (=mailbox name) and password for that mailbox work when you are using webmail (like Roundcube, Horde)? Can you send and receive mails with Roundcube or Horde? I am asking, because these login/logout exactly like remote email clients as they are nothing else but email clients, just like the one on your phone. They use the same ports, the same algorithms etc.

I’m using Roundcube for webmail. It’s not working (security certificate issue apparently).



TODAY’S DEVELOPMENTS

I received this morning’s emails on my computer (POP3). I am unable to send.

Just tried IMAP on my phone again. Cannot receive email. Tried SMTP again. Error message (presumably generic) tells me ‘The sender address is invalid’.

Just tried SMTP on my computer. Server is telling me ‘Unable to verify account name or password’ (I just changed password via Plesk after it asked me PW+SWD — it normally doesn’t as PSWD is saved).

Just tried to log in to Webmail. Where I was informed thus:


Did Not Connect: Potential Security Issue


Firefox detected a potential security threat and did not continue to webmail.mhdesign.co.nz because this website requires a secure connection.

What can you do about it?

webmail.mydomain.co.nz has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.



Meanwhile my wife’s copy of Thunderbird is functioning normally. Her phone can send email but cannot receive them.
 
Thought I'd check out what Chrome made of the webmail situation:

Your connection is not private

Attackers might be trying to steal your information from webmail.mysite.co.nz (for example, passwords, messages or credit cards).


NET::ERR_CERT_COMMON_NAME_INVALID
Still pointing to a server certificate thing...
 
@Peter Debik –– thinking out loud here:

When I first had this problem (February) I resolved it by switching from Dovecot to Courier. At the time it restored ALL mail service to all hosted email accounts on my VPS (on various domains).

After recent problems I switched back to Dovecot.

I believe Plesk has a preference (recommends) Dovecot?
 
Quite simple: You are using the wrong hostname. From your error messages shown above it is clear that you are using the wrong hostname (actually, you are not using the hostname at all, nor your domain name, but a fantasy server name like "mail.mysite.co.nz": " ... ’The IMAP server ‘mail.mysite.co.nz’ is not responding. ..."). There will never be a certificate for mail.mysite.co.nz. The max you can do is to have a certificate for mysite.co.nz, but only if you have activated "Assign the certificate to the mail domain" in the individual domain subscription's SSL. Normally you'd simply address the server by using the hostname so that the connection uses the general SSL certificate from Tools & Settings > Security > SSL/TLS.

For a Let's Encrypt certificate you do not need any entries in the crt and -ca.crt fields.

For the webmail SSL issue again a wrong SSL certificate is used. There you'll need to check the "Webmail" checkbox when issuing or re-issuing the Let's Encrypt SSL certificate of your domain.

So from your description above it all boils down to the fact that SSL is not properly configured and the wrong names are used on the device. It may have worked before, because the end user might have tapped a dialog like "Confirm certificate mismatch" or similar, but once the certs renewed, this won't work any longer.

Please go back to your Plesk SSL configuration and make sure that you have up-to-date certificates in place for
a) the domainname
b) the hostname

Then go back to the device email configuration and make sure that you are using the hostname for incoming and outgoing mail server.
 
Sorry @Peter Debik -- not quite as simple as that. I was attempting to 'obfuscate' my domain name (call me paranoid but this is a public forum). So I made up 'mail.mysite.co.nz' which is, of course, completely fictitious... it was just there as a placeholder/example. In fact yes, I am using my real domain and there is an SSL certificate for this domain in place.

If it were only that easy... at the current time I DO have SMTP and POP3 back but no IMAP. Which is why, in February, I changed from Dovecot to Courier. Which was working until May 25th... and then stopped working on SMTP for my wife.

I lost these services when I renewed the mail account on my phone, but today got SMTP back...

Lost POP3 today on my computer, then got it back again... along with SMTP ??!
 
Hi again @Peter Debik -- thanks heaps for your support so far, back with a few questions:

As a Plesk staff member, can you tell me the 'official' Plesk position on Courier IMAP/POP3/SMTP service. From what I've read I believe that Dovecot is preferred. I'm not wanting to lose the service I have but I'm wondering if moving back to Courier will fix the problem?

-- Would it be better to remove/reinstall Dovecot?
-- Is this 'cleaner' when done in Command Line?
-- Is there a way to check if ports are blocked?

Looking at logs for Dovecot it would seem that there's no IMAP activity at all... no attempted logins etc are showing.

And what's with the Certificate issue in Webmail?
 