follow up to my mail issues I posted about
Christy S
christys1075 at gmail.com
Thu Dec 3 05:22:22 EET 2020
Okay. A few days late, but I've gone through the replies I received from
several of you and consolidated responses into one mail. Of course life
gets crazy when I need to sit down and work on things.
"It seems to me Thunderbird is struggling to write to the Sent mailbox,
so disk space, and file permissions are the obvious ones to check. And
yes, on the server rather than your local machine, as you're using IMAP"
It's definitely not disc space. I wouldn't think an upgrade would change
permissions, but it's a place to check. I'm showing my newbieness here
but, I'm not even sure what account should have access to those files. I
know, it's a miracle I got all this working in the first place. I should
have taken notes, but I did so much fiddling with this and that to make
it behave that I didn't know what to write down.
"Anything interesting in the dovecot logs at the time when you check?"
So I looked up dovecot logs on google, and what I'm seeing is that
dovecot generally writes to mail logs under /var/log. The stuff I sent
in my first email came from mail.err in that folder. The only other file
I could find was mail.log. Using tail on that file, I see entries like
these.
Dec 2 20:53:07 kylesmith-music postfix/smtpd[396853]: warning:
unknown[212.70.149.37]: SASL LOGIN authentication failed:
UGFzc3dvcmQ6 Dec 2
20:53:07 kylesmith-music postfix/smtpd[396853]: disconnect from
unknown[212.70.149.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
There are similar entries from a different ip address, but interestingly
neither match the ip address of our fiber modem so I have no idea what's
going on there.
"First, do you have a backup prior to upgrading the server? You may want
to refer to that to get a clean idea of how the configuration was set up
initially. Sometimes the upgrade process can reset configuration files
and its usually easier to work from a known working configuration. "
I really wish I did, but I'm not sure how to effectively back up a VPS.
"Second, can you describe how you set the mail stack you are using up?"
I can tell you it's postfix and dovecot. That's what a lot of articles
recommended, so I went with that. We use different devices so I chose to
use imap as it interfaces directly with the stored mail on the server.
Usually this is good, except now when it breaks.
"Its possible the issue is SSL related but its difficult to say. There
have been a number of breaks with SSL encryption in recent years which
is why the cipher list has been adjusted,"
SSL is definitely my weakest point of knowledge. I know I had it working
smoothly but it was basically following how to stuff. The reason we're
using it even for mail has to do with someone in my husband's life who
would get in and mess things up if he had the chance, so I'm trying to
make sure he doesn't have that chance by locking things down tight.
"google can also be out of date I'd recommend using a date filter when
using it for checking configurations and limit it only to the last 1-2
years as you will get more relevant information typically."
Oh my gosh, that alone would be extremely helpful. The number of
seriously outdated articles I had to filter through when I set this up
in the first place is just unreal. Mind telling me how to do a date
filter? Otherwise, I'll google how to use google, hahaha.
"The configuration parameter for the cipher list uses HIGH as a default
profile and if I recall correctly that disables lower TLS versions that
are susceptible to certain types of attacks. (SSL3,TLS1,TLS1.1,1.2 I
think) The dovecot documentation explains what the defaults are for
HIGH. The ! prevents using specifica protocols and configuration is
usually a chain (processed from left to right until a match is found).
DH is the diffie-helman exchange. Usually this file is recalculated on a
per server basis to prevent pre-calculation attacks on SSL and usually
it must meet a certain key length. DH Groups 1 and 2 are known to be
insecure."
Okay, that went way over my head, but it sounds like good information to
have and study up more on, hopefully after I get the immediate issue
solved. If I'm following you correctly at all though I could see that
potentially being my issue, hmm. I will for sure see if I can get my
hands on that book.
"Some quick thoughts here — if the changes you mentioned did not solve
the issue, I would definitely comment those back out so you are only
troubleshooting one thing at a time."
Fair point. I commented out the one about dh high, then hopefully
reloaded the configuration, dovecot reload? That done, I tried sending
an email from the domain to my gmail using thunderbird. I got the same
message, but it did actually send this time. However, when I replied to
the test message with my gmail account, it wasn't received by
thunderbird. I do see it using the mail app on the server, though.
"Next, are you able to send email using any other client?"
I can send mail locally on the server from one account to another for
sure. I managed it once, at least. Those mail clients seem clunky though
so I may not be doing things correctly to test.
"Third, try disabling all SSL and see if you are able to send via
Thunderbird or really, any client at all…"
Is there an easy way to disable ssl for now and then reenable it? That
would definitely help narrow this down.
"Your DH parameters are too weak. You should generate at least 2048 byte
parameters."
To be honest, I don't even recall setting up DH parameters. I would
guess that probably happened when I was setting up ssl?
Again, thank you to each of you for helping with this. I really try not
to send stuff like this to mailing lists that are technical in nature,
but this is important business mail he's potentially missing and I'm a
bit out of my league. First project once this gets fixed will be
learning how to back up the server.
Christy
More information about the dovecot
mailing list