
Unable to connect to mail server (SMTP/IMAP), SASL trouble

Hi Superkikim,

please post your file "smtpd.conf" as well.

... and double-check the locations on your server with, for example, "locate smtpd.conf".
 
I found two: in /usr/lib64/sasl and in /usr/lib64/sasl2
 

Attachments

  • sasl_smtpd.conf.txt (70 bytes)
  • sasl2_smtpd.conf.txt (206 bytes)
Suggestions to main.cf:

Consider changing:

mydestination = localhost.$mydomain, localhost, localhost.localdomain

to

mydestination = localhost.paasone.com, localhost, localhost.localdomain


Please post your files "/etc/hostname" and "/etc/hosts" as well.
 
Hi Superkikim,

please check your "smtpd.conf" files: they differ, and they should look like this:

Code:
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
sql_engine: intentionally disabled
log_level: 9
 
No luck with previous master.cf and main.cf.

What I don't get is that as soon as I try an auth login, I'm ejected from the server:

Code:
Connected to mail.domain.ltd.
Escape character is '^]'.
220 plesk.mydomain.ltd ESMTP Postfix
starttls
220 2.0.0 Ready to start TLS
auth login
Connection closed by foreign host.

This is smtp, on port 587.

However, I seem to be looking in the wrong place !!! In fact, I can connect to SMTP, but I can't connect to IMAP ! Connections to ports 143 and 993 are refused, even locally. I didn't try this before, because I had disabled fail2ban and iptables for the tests and the issue was the same, therefore I assumed it was not a connection issue. But the error is indeed that I can't connect to the server !

And when digging into this, the following command gives no postfix result:

Code:
lsof -Pnl +M -i4

However I get this:

Code:
portreser  1196        0    5u  IPv4    8640      0t0  UDP *:143
portreser  1196        0    7u  IPv4    8642      0t0  UDP *:993
portreser  1196        0    9u  IPv4    8644      0t0  UDP *:110
portreser  1196        0   11u  IPv4    8646      0t0  UDP *:995

Therefore ports are listening.

ps aux | grep postfix

Code:
root     20936  0.0  0.0  57820  2768 ?        Ss   22:22   0:00 /usr/libexec/postfix/master
postfix  20938  0.0  0.0  57900  2760 ?        S    22:22   0:00 pickup -l -t fifo -u
postfix  20939  0.0  0.0  58100  2896 ?        S    22:22   0:00 qmgr -l -t fifo -u
postfix  21007  0.0  0.0 402308  3584 ?        Ssl  22:22   0:00 /usr/lib64/plesk-9.0/psa-pc-remote -p inet:[email protected]
postfix  21119  0.0  0.0  57900  2792 ?        S    22:22   0:00 tlsmgr -l -t unix -u
postfix  21596  0.0  0.0  57892  2696 ?        S    22:32   0:00 anvil -l -t unix -u

Note that sending mail works as I was able to configure redirection for the existing mailboxes.
 
hosts

Code:
127.0.0.1    localhost.localdomain localhost
92.222.8.6    vps66298.ovh.net vps66298
127.0.0.1    plesk.paasone.com    plesk

no /etc/hostname file.


For reference:

CentOS release 6.7 (Final)
2.6.32-431.17.1.el6.x86_64

Product version: 12.0.18 Update #80
Update date: 2016/04/04 02:12
Build date: 2015/10/14 14:00
Build target: CentOS 6
Revision: 333059
Architecture: 64-bit
Wrapper version: 1.1
 
ah... we are getting closer (apart from the fact that you didn't state whether you already changed your smtpd.conf !!!).

You have in your main.cf:
Code:
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext

Please be aware that SSLv3 is insecure and outdated. The correct usage should be:

Code:
smtpd_tls_protocols=!SSLv2,!SSLv3

smtp_tls_protocols=!SSLv2,!SSLv3

Code:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Code:
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

... and restart postfix after your changes, please.


To check, please post the output of:

openssl s_client -connect localhost:465 -ssl3


If you still experience issues, please consider reading and following:

[Plesk] CVE-2014-3566: POODLE Attack Exploiting SSL 3.0 Fallback

and please use the forum search for other possible discussions, suggestions and solutions about TLS usage.
 
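The reply above lists the weak main.cf values (SSLv3 allowed, noplaintext) and the corrected ones. As an added example for this thread (not Plesk's or Postfix's own code), the script below parses main.cf-style "key = value" lines, flags those settings, and rewrites them to the values the reply recommends. The sample main.cf is constructed from the lines quoted in the post; the hostname in it is a placeholder.

```python
"""Audit and harden the TLS/SASL settings of a Postfix main.cf (added example)."""
import re

# Constructed sample: the weak lines quoted from the user's main.cf, plus a placeholder host.
SAMPLE_MAIN_CF = """\
# constructed excerpt of a Plesk-generated main.cf
myhostname = plesk.example.invalid
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
"""

PROTOCOL_KEYS = ("smtpd_tls_protocols", "smtp_tls_protocols",
                 "smtpd_tls_mandatory_protocols")
SASL_KEYS = ("smtp_sasl_security_options", "smtp_sasl_tls_security_options",
             "smtpd_sasl_security_options", "smtpd_sasl_tls_security_options")
# Target values taken from the reply above.
HARDENED = {k: "!SSLv2,!SSLv3" for k in PROTOCOL_KEYS}
HARDENED.update({k: "noanonymous" for k in SASL_KEYS})

SETTING = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Return {key: value}; later definitions win, as in Postfix. Comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def _tokens(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit(text):
    """Return a list of (key, problem) tuples for weak TLS/SASL settings."""
    findings = []
    settings = parse_main_cf(text)
    for key in PROTOCOL_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set; reply sets it to !SSLv2,!SSLv3"))
            continue
        tokens = _tokens(value)
        # An inclusion list that names SSLv2/SSLv3 enables them; an exclusion list
        # must exclude both.
        enabled = [t for t in tokens if t in ("SSLv2", "SSLv3")]
        if enabled:
            findings.append((key, "enables " + ", ".join(enabled)))
        elif not {"!SSLv2", "!SSLv3"} <= set(tokens):
            findings.append((key, "does not exclude both SSLv2 and SSLv3"))
    for key in SASL_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set; reply sets it to noanonymous"))
            continue
        opts = _tokens(value)
        # noplaintext disallows the PLAIN and LOGIN mechanisms outright.
        if "noplaintext" in opts:
            findings.append((key, "noplaintext blocks PLAIN/LOGIN; reply sets noanonymous"))
        elif "noanonymous" not in opts:
            findings.append((key, "does not set noanonymous"))
    return findings


def harden(text):
    """Rewrite main.cf text with the recommended values; append keys that are absent."""
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=", line)
        key = m.group(1) if m else None
        if key in HARDENED:
            out.append(f"{key} = {HARDENED[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key in HARDENED:
        if key not in seen:
            out.append(f"{key} = {HARDENED[key]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, problem in audit(SAMPLE_MAIN_CF):
        print(f"{key}: {problem}")
    print(harden(SAMPLE_MAIN_CF))
```

Run it against a copy of the real file (`audit(open("/etc/postfix/main.cf").read())`) and apply the hardened output with `postfix reload` afterwards; the reply's `openssl s_client -ssl3` check then confirms that the SSLv3 handshake is refused.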
Hi Superkikim,

Ports 143 and 993 are blocked on your vps:

Code:
C:\Users\Dave>telnet 92.222.8.6 143
Connecting To 92.222.8.6...Could not open connection to the host, on port 143: C
onnect failed

C:\Users\Dave>telnet 92.222.8.6 993
Connecting To 92.222.8.6...Could not open connection to the host, on port 993: C
onnect failed

what's the output of

Code:
 ss -lnp|grep -E '143|993'

and

Code:
iptables -L -n
 
ss -lnp|grep -E '143|993'
No result

Attached iptables output. Note that the huge droplist is due to the fact I use spamhaus drop.

Note that even if I stop iptables service, it still does not work.
 

Attachments

  • iptables_output.txt (208.7 KB)
ss -lnp|grep -E '143|993'
No result

means you don't have anything listening on those ports, hence you can't connect. Depending on which one you are using, Courier or Dovecot should be listening on those ports.
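The distinction made here, "refused even with iptables stopped" meaning no listener rather than a firewall, can be checked from the client side. As an added example for this thread (not Plesk's own tooling), the function below classifies a TCP connect result: an active refusal (RST) means nothing is bound to the port, a timeout means packets are being dropped somewhere on the path. The demo listener is constructed on loopback so the example runs offline.

```python
"""Tell 'nothing listening' apart from 'blocked by a packet filter' (added example)."""
import errno
import socket

HINTS = {
    "open": "listener present; look at authentication/TLS next",
    "refused": "no daemon bound to this port; check the IMAP/POP service, not the firewall",
    "filtered": "no answer; check iptables/fail2ban or a provider-side firewall",
}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused' (no listener) or 'filtered' (no reply within timeout)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # Some platforms surface the refusal as a generic OSError.
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        raise
    finally:
        s.close()


def diagnose(host, ports):
    """Map each port to (verdict, hint) so the next troubleshooting step is obvious."""
    result = {}
    for port in ports:
        verdict = probe_tcp(host, port)
        result[port] = (verdict, HINTS[verdict])
    return result


def run_demo():
    """Constructed demo: probe a loopback port with a listener, then without one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port)
    srv.close()                     # nothing bound any more: connect is refused
    without_listener = probe_tcp("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(run_demo())
    # Against a real server: diagnose("mail.example.invalid", [143, 993, 110, 995])
```

On the VPS in this thread, `diagnose("127.0.0.1", [143, 993])` returning "refused" for both ports with iptables stopped points straight at the IMAP daemon, which is what `ss -lnp` confirmed.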
 
Well, that's something new. Just tell me something. What is postfix in this ? I'm not familiar with the mail architecture. I thought Postfix was the IMAP/POP server.

Anyway. Seems that courier is not running.

Code:
[~]$ sudo ps aux | grep courier
akim       599  0.0  0.0 103304   860 pts/0    S+   23:13   0:00 grep courier
root     20987  0.0  0.0   4068   484 ?        S    Apr05   0:00 /usr/sbin/courierlogger -name=courier-authdaemon -pid=/var/run/courier-authdaemon.pid -lockfile=/var/lock/subsys/courier-authdaemon -start /usr/lib64/courier-authlib/authdaemond
root     20988  0.0  0.0  29848  1384 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond
root     20990  0.0  0.0  29848   480 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond
root     20991  0.0  0.0  29848   480 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond
root     20992  0.0  0.0  29848   480 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond
root     20993  0.0  0.0  29848   480 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond
root     20994  0.0  0.0  29848   480 ?        S    Apr05   0:00 /usr/lib64/courier-authlib/authdaemond

chkconfig returns:

courier-imapd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
courier-imaps 0:off 1:off 2:on 3:on 4:on 5:on 6:off
courier-pop3d 0:off 1:off 2:on 3:on 4:on 5:on 6:off
courier-pop3s 0:off 1:off 2:on 3:on 4:on 5:on 6:off

When I check all four services status, the returned message is "courierlogger dead but pid file exists".

When I stop or start, it says "Ok"...

Any idea ?

Note that I tried changing to Dovecot from the Plesk installer earlier (as proposed in some posts), and I had the same problems. I didn't dig much. Seeing it was not working, I reverted to Courier.
 
I installed Dovecot again. After a reboot I get:

Code:
$ sudo ss -lnp|grep -E '143|993'
LISTEN     0      128               127.0.0.1:783                      *:*      users:(("spamd",1430,5),("spamd",1431,5),("spamd",1432,5))
LISTEN     0      100                      :::143                     :::*      users:(("dovecot",1411,40))
LISTEN     0      100                       *:143                      *:*      users:(("dovecot",1411,39))
LISTEN     0      100                      :::993                     :::*      users:(("dovecot",1411,42))
LISTEN     0      100                       *:993                      *:*      users:(("dovecot",1411,41))

However, I'm still unable to connect with Horde, nor can Thunderbird successfully test the connection. But at least now I have a "login failure" message, not a "connection error".

Login attempts from Horde give:

Code:
Apr  6 23:37:44 plesk dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
Apr  6 23:37:44 plesk dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
Apr  6 23:37:44 plesk dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

This would confirm my first idea that something is wrong with the certificate. I'm just not sure where to look as this is most probably not the same certificate as the plesk default certificate...
 
I checked dovecot.conf, and the certs are shown like this... Is the "<" sign on purpose ??? Don't see why it would be there ....

Code:
ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
ssl_key =  </etc/dovecot/private/ssl-cert-and-key.pem
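Two things from the last two posts can be checked mechanically: in dovecot.conf a leading "<" means "read this setting's value from the named file", so the "<" above is intentional; and "PEM routines:PEM_read_bio:no start line" is what OpenSSL reports when the file it was handed contains no "-----BEGIN ...-----" line at all (empty file, wrong path, or the wrong kind of content). As an added example for this thread (not Dovecot's or Plesk's code), the script below resolves the `<file` references and verifies that each file holds the PEM block type dovecot expects. The sample PEM files are constructed in a temporary directory; their base64 bodies are placeholders, not real keys or certificates.

```python
"""Resolve dovecot 'ssl_cert = <file' references and check the PEM blocks (added example)."""
import os
import re
import tempfile

# Constructed placeholder: real PEM headers around dummy base64 (not a usable key).
GOOD_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIJAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCPLACEHOLDER
-----END PRIVATE KEY-----
"""

PEM_LINE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
SSL_SETTING = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*(.*?)\s*$")
# Block label each setting must contain ('PRIVATE KEY' also matches 'RSA PRIVATE KEY').
WANTED = {"ssl_cert": "CERTIFICATE", "ssl_key": "PRIVATE KEY"}


def pem_labels(path):
    """Return labels of well-formed PEM blocks in `path`, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    labels, open_label = [], None
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        for line in fh:
            m = PEM_LINE.match(line.strip())
            if not m:
                continue
            kind, label = m.groups()
            if kind == "BEGIN" and open_label is None:
                open_label = label
            elif kind == "END" and label == open_label:
                labels.append(label)
                open_label = None
    return labels


def parse_ssl_settings(conf_text):
    """Return {'ssl_cert': ('file', path) | ('literal', text), ...} from dovecot.conf text."""
    out = {}
    for line in conf_text.splitlines():
        m = SSL_SETTING.match(line)
        if not m:
            continue
        key, value = m.groups()
        # '<' prefix: dovecot reads the value from the file; otherwise the value is literal.
        out[key] = ("file", value[1:].strip()) if value.startswith("<") else ("literal", value)
    return out


def check_ssl(conf_text):
    """Return a list of human-readable problems with ssl_cert / ssl_key; empty means OK."""
    problems = []
    settings = parse_ssl_settings(conf_text)
    for key, needed in WANTED.items():
        if key not in settings:
            problems.append(f"{key}: not set")
            continue
        kind, ref = settings[key]
        if kind != "file":
            problems.append(f"{key}: no '<' prefix, value is used as literal PEM text, not a path")
            continue
        if not os.path.isfile(ref):
            problems.append(f"{key}: {ref} does not exist")
        elif os.path.getsize(ref) == 0:
            problems.append(f"{key}: {ref} is empty (OpenSSL reports 'no start line')")
        else:
            labels = pem_labels(ref)
            if not labels:
                problems.append(f"{key}: {ref} has no PEM block (OpenSSL reports 'no start line')")
            elif not any(lbl.endswith(needed) for lbl in labels):
                problems.append(f"{key}: {ref} has {labels} but no {needed} block")
    return problems


def run_demo():
    """Constructed fixture: a correct combined cert+key file and an empty one."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ssl-cert-and-key.pem")
        empty = os.path.join(d, "empty.pem")
        with open(good, "w") as fh:
            fh.write(GOOD_PEM)
        open(empty, "w").close()
        good_conf = f"ssl_cert = <{good}\nssl_key = <{good}\n"
        bad_conf = f"ssl_cert = <{empty}\nssl_key = <{empty}\n"
        return check_ssl(good_conf), check_ssl(bad_conf), pem_labels(good)


if __name__ == "__main__":
    print(run_demo())
    # On a Plesk host: check_ssl(open("/etc/dovecot/dovecot.conf").read())
```

Pointing `check_ssl` at the real dovecot.conf tells you whether /etc/dovecot/private/ssl-cert-and-key.pem is missing, empty, or holds the wrong block types, which narrows the "no start line" error to the file rather than to the Plesk default certificate.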
 
In Plesk, Postfix forces encryption on SMTP using ports 587 / 465.
You must set the SMTP setting on the client to use SSL/TLS; if not, you will receive the typical: authentication failed: encryption needed to use mechanism

The best solution (but insecure) is to allow plain login on these ports. To enable it, just edit
/etc/postfix/master.cf
find this near the end lines: smtpd_tls_security_level=encrypt
and replace it with: smtpd_tls_security_level=may

It solves your problems.

Best regards,
Horacio Stolovitzky


Hi all,

For two days now, my users can't access their mailbox nor send emails with authentication.

I've been troubleshooting this for some hours now and here are my findings:

When I try to test the auth login, I get an error message:

Code:
535 5.7.8 Error: authentication failed: encryption needed to use mechanism

Therefore I specify:

AUTH CRAM-MD5

and try again AUTH LOGIN

Code:
535 5.7.8 Error: authentication failed: bad protocol / cancel

So. Seems that SASL is dead. I've been checking all configuration files, all articles from the KB, all forum exchanges about postfix and SASL...

I ended up trying to run manually /var/spool/postfix/private/plesk_saslauthd --h

and TADAAAAAA .....

Code:
-bash: /var/spool/postfix/private/plesk_saslauthd: Permission denied

So, I checked the file. And TADAAAA again:

Code:
srw-rw-rw- 1 postfix postfix 0 Apr  2 20:42 /var/spool/postfix/private/plesk_saslauthd

Well... "TADAAAA" does not fix issues. It needs help....

So question: Am I right in assuming that this file should not be 0 bytes, and should not have srw-rw-rw- as permissions ?

Am I right in assuming this is why it does not work ?
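The `s` at the start of `srw-rw-rw-` is the file type: a UNIX-domain socket. A socket inode has no data, so 0 bytes is normal, and it cannot be executed, which is why running the path gives "Permission denied" regardless of the SASL problem. As an added example for this thread (not Plesk's code), the script below classifies such a path with `os.lstat` and then tests whether anything is actually accepting connections on it, which is the question that matters for SASL. The socket is constructed in a temporary directory so the example runs anywhere.

```python
"""Classify a path such as plesk_saslauthd and test for a live listener (added example)."""
import os
import socket
import stat
import tempfile


def classify(path):
    """Return (kind, ls-style mode string, size in bytes) for `path` without following symlinks."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISSOCK(mode):
        kind = "unix socket"
    elif stat.S_ISFIFO(mode):
        kind = "fifo"
    elif stat.S_ISREG(mode):
        kind = "executable" if mode & stat.S_IXUSR else "regular file"
    else:
        kind = "other"
    return kind, stat.filemode(mode), st.st_size


def socket_has_listener(path, timeout=1.0):
    """True if a process is accepting connections on the UNIX socket at `path`."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return True
    except (ConnectionRefusedError, FileNotFoundError, PermissionError):
        # Refused: socket file exists but no daemon is bound to it.
        return False
    finally:
        s.close()


def run_demo():
    """Constructed demo: a bound socket named like the Plesk one, then the stale file it leaves."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "plesk_saslauthd")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        os.chmod(sock_path, 0o666)      # same srw-rw-rw- mode as in the post
        srv.listen(1)
        live = (classify(sock_path), socket_has_listener(sock_path))
        srv.close()                     # the socket file stays on disk, but nobody answers
        stale = (classify(sock_path), socket_has_listener(sock_path))
        return live, stale


if __name__ == "__main__":
    print(run_demo())
    # On a Plesk host: classify("/var/spool/postfix/private/plesk_saslauthd")
    #                  socket_has_listener("/var/spool/postfix/private/plesk_saslauthd")
```

Both calls return the same mode string and size; only the listener check changes. On the server in question, `socket_has_listener` returning False while the socket file looks normal means the daemon that should be bound to it is not running, and that is where to look next.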
 