Hello all. Thank you for your service.
Easy when you know how, but presently I do not. After literally months of research and experimentation we simply cannot log into our PAM / apache2 / postfix / dovecot pop3/imap STARTTLS email server with an ordinary email client, e.g., Evolution or Thunderbird.
We can connect to the host server in a host of different ways (no pun intended)—http, https, ssh, vnc, telnet, openssl -sclient
Similarly we can connect to postfix and dovecot in yet another number of ways—telnet, openssl -sclient—but cannot log in to the email server with a normal email client (either Evolution or Thunderbird) by either pop3 or imap.
SSL certificates are in place, verified, and tested.
Part of the problem is the many changes in all the involved operating systems and protocols (e.g., imaps and pop3s are deprecated, openSUSE has migrated to LEAP, etc.) so many of the docs from Google are no longer valid. Additionally, there simply are bugs: Leap 42.1 YAST does not work when it comes to setting up websites. Documented. But I digress.
I'm sure it's something really simple, but it evades me. Research details below. Any help would be more than appreciated.
Thanks in advance, Andy
======================= Configuration testing details =======================
System is: Linux openSUSE Leap 42.1 Dovecot --version 2.2.18, Postfix Version: 2.11.6-3.1 Apache2 Version: 2.4.16-9.1
Connections 1. Evolution or Thunderbird to pop3 or imap reports: The reported error was "Could not connect to mail.privustech.com: Connection refused". Both connect successfully to googlemail.com with the same protocol: Port 993 SSL on a dedicated port
I have also tried
Port 143 STARTTLS after connecting
without success
2. openssl s_client -connect mail.privustech.com:xxx
a. xxx=25, 110, 143 all return
error:140770FC
b. xxx=993, 995 return
socket: Connection refused
connect:errno=111
3.telnet to
a. smtp works.
b. pop3
andy@tm2t:~> telnet 70.186.159.22 110
...
+OK POP3 2007e.104 server ready <48fa.572a0769@privustech.com>
...
user andy
-ERR Unknown AUTHORIZATION state command
c. imap connects but does not allow login, and should not.
http://marc.info/?l=imap&m=118775891829506&w=2
The most simple answer is "you cannot TELNET to a modern, correctly-configured,
IMAP server and log in to it."
andy@tm2t:~> telnet 70.186.159.22 143
...
* OK [...] privustech.com IMAP4rev1 2007e.404 at Wed, 4 May 2016 10:26:28
-0400 (EDT)
... A NO Invalid login credentials
Modules
• Apache2 works just fine. The server is up and answering. ping works just fine. We have http and https to all vhost sites (privustech, mailprivustech, nptbeyond, gvhl, truthcourage, and their www. subsites).
• Postfix reports no errors. We can log in on localhost, send a message to ourselves and see the message.
• Dovecot:
a. Logging is enabled in 10-logging.conf to /var/log/dovecot.conf but no logging has occurred there.
b. doveconf -n throws no errors.
Checks and tests completed
1. /etc/hosts is just fine.
2. Firewall is open for telnet, postfix, dovecot.
3. Added andy to dovecot, postfix groups, in addition to mail, reset password to ANDYbbs14@.
4. We tried enabling imaps, pop3s, but this command returns errors about these protocols being obsolete.
https://tools.ietf.org/html/rfc2595
Use of these ports is discouraged in favor of the STARTTLS or STLS
commands.
5. Reviewed doveconf -n:
a. Note, there are no Dovecot users established other than
user postfix
group postfix
service auth {
unix_listener auth-userdb {
group = postfix
user = postfix
}
}
i. postfix has its own set of users, including andy, which works just fine within postfix.
We can send mail and read mail in the mailbox.
b. Authentication is performed by PAM:
passdb {
driver = pam
}
i. Examined PAM:
A. The files /etc/pam.d/xxx, where xxx = dovecot, pop, imap, are all the same
lavarre:~ # cat /etc/pam.d/xxx
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
B. They do not resemble at all the form presented in
http://wiki2.dovecot.org/PasswordDatabase/PAM
passdb {
driver = pam
args = %s
}
C. Add (B.) to see if that works: No change.
Comment out the original (A.): No change.
Restore it.
c. SSL is required and apparently configured correctly
(the less-than symbol '<'causes the succeeding file to be read into the variable):
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
i. dovecot.pem, both cert and key, are installed in /etc/ssl as above and verified as a pair with
openssl x509.
And we point to them in /etc/dovecot/conf.d/10-ssl.conf as seen in the above.
6. Checked listening as it does not appear in doveconf -n:
lavarre:~ # doveconf protocols listen
protocols = imap pop3 lmtp
listen = *, ::
a. conf.d/10-master.conf
ports for service xxx-login {inet_listener} are commented out.
In fact, the entire file is commented out.
Uncomment the listeners, restart. But no change. So undo.