Hi Robert, I corrected the service imap-login section of both dovecot.conf AND conf.d/10-master.conf as you suggested.
The files in ssl_cert and ssl_key exist and are readable by dovecot. For testing, I have even changed the permissions of /etc/letsencrypt/live and /etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output of ss -tuln | grep 993 is still null.
What next? Thanks
---------- Forwarded message ---------
From: Robert Nowotny <rnowotny@rotek.at>
Date: Tue, 21 Jan 2025 at 23:47
Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere
To: Marco Fioretti <marco.fioretti@gmail.com>
To resolve the connection refused error when accessing Dovecot on the new server, you need to adjust the Dovecot configuration to enable the appropriate IMAP service ports.

Enable IMAPS (Port 993) for Secure Connections:
- Modify the service imap-login section in your Dovecot configuration (likely in /etc/dovecot/conf.d/10-master.conf) to include an imaps listener:

    service imap-login {
      inet_listener imap {
        port = 0  # Disables plain IMAP (port 143)
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }

- This configuration disables plaintext IMAP on port 143 and enables IMAPS on port 993 with SSL.
Ensure SSL Certificates Are Correct:
- Verify the paths to your SSL certificate and key in /etc/dovecot/conf.d/10-ssl.conf:

    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

- Confirm the files exist and have proper permissions (readable by Dovecot).
Restart Dovecot:
sudo systemctl restart dovecot
Verify Dovecot is Listening:
sudo ss -tuln | grep 993
- You should see Dovecot listening on port 993.
Test the Connection Using SSL:
openssl s_client -connect example.com:993
- This should establish a secure connection to the IMAPS port.
Additional Recommendations:
- Disable Plaintext IMAP: Keeping port = 0 for the imap listener ensures unencrypted IMAP is disabled, enhancing security.
- Firewall Configuration: Confirm UFW allows port 993:
sudo ufw allow 993/tcp
By enabling IMAPS on port 993 and ensuring SSL is properly configured, secure email access will be restored. If you must use port 143 (not recommended), set port = 143 in the imap listener and enforce STARTTLS by adding ssl = required in your SSL configuration.
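Added example, not part of Robert's message and not code from the Dovecot project: a shell check for the "Verify Dovecot is Listening" step that compares the inet_listener ports in a service imap-login block with ss output, so that a listener which is configured but has no bound socket is told apart from one disabled with port = 0. The function names and the CONF and SS_OUT samples are constructed for illustration.

```sh
#!/bin/sh
# Added example. CONF mirrors the listener block from the reply above;
# SS_OUT is constructed `ss -tuln` output, not captured from a real host.
CONF='service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}'
SS_OUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      100    [::]:25            [::]:*'

# Print "name port" for each inet_listener inside `service $1 { ... }` (stdin).
listeners() {
  awk -v svc="$1" '
    $1 == "service" && $2 == svc && $NF == "{" { depth = 1; next }
    depth == 0 { next }
    $1 == "inet_listener" && $NF == "{" { name = $2; depth++; next }
    $1 == "port" && $2 == "=" && name != "" { print name, $3; next }
    $NF == "{" { depth++; next }
    $1 == "}" { depth--; if (depth == 1) name = "" }
  '
}

# Exit 0 if the ss output on stdin has a TCP LISTEN socket on port $1.
# Works with or without the leading Netid column (ss -tuln vs ss -tln).
is_listening() {
  awk -v p="$1" '
    { for (i = 1; i <= 2; i++) if ($i == "LISTEN") {
        n = split($(i + 3), a, ":"); if (a[n] == p) found = 1 } }
    END { exit !found }'
}

# Compare configuration with bound sockets: $1 = config text, $2 = ss text.
audit() {
  printf '%s\n' "$1" | listeners imap-login | while read -r name port; do
    if [ "$port" = 0 ]; then echo "$name: disabled in config"
    elif printf '%s\n' "$2" | is_listening "$port"; then echo "$name: port $port bound"
    else echo "$name: port $port configured but NOT bound"
    fi
  done
}

audit "$CONF" "$SS_OUT"
```

On a live host the two arguments would be the server's own configuration text and the output of the ss command from the step above.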
*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Tuesday, 21 January 2025 at 23:22 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: [OFFLIST] Re: connection refused, no error anywhere
---------- Forwarded message ---------
From: Marco Fioretti <marco.fioretti@gmail.com>
Date: Tue, 21 Jan 2025 at 19:33
Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
To: Michael Peddemors <michael@linuxmagic.com>
Hi Michael,
I cannot say which NGO it is. What I know is that everything with that configuration was working fine, as far as they know, on the old server. So, any help to change the configuration to make it work with the current version of dovecot on Ubuntu 24.04LTS is very welcome...
On Tue, 21 Jan 2025 at 19:11, Michael Peddemors <michael@linuxmagic.com> wrote:
Which NGO?
Don't listen on port 143 any more, make sure to only listen on 587/465/993/995 with TLS/SSL..
NGOs are often targeted..
On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:
Greetings,
I was just tasked with rebuilding from scratch the mail server of an NGO, on a brand new Ubuntu 24.04 LTS VPS.
I have copied the whole dovecot configuration to the new server, and now am stuck because:
dovecot IS running, dovecot service status shows no errors, but:
if I try to connect with mutt from my desktop I get "connection refused"
the ufw firewall does allow imap/imaps connections, and there are no errors in its log
even "telnet localhost 143" fails:
    Trying ::1...
    Connection failed: Connection refused
    Trying 127.0.0.1...
    telnet: Unable to connect to remote host: Connection refused
I see no related errors in /var/log/mail.log or /var/log/syslog.
output of dovecot -n is pasted below, I only changed the actual domain name to "example.com"
TIA for any pointer, I really need to get this server back online as soon as possible...
Marco
    # 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.21 (f6cd4b8e)
    doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
    doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
    # OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
    # Hostname: example.com
    auth_debug = yes
    auth_verbose = yes
    auth_verbose_passwords = plain
    mail_location = maildir:/var/mail/mymail_storage/base/
    mbox_write_locks = fcntl
    passdb {
      args = /etc/imap.v_users
      driver = passwd-file
    }
    passdb {
      driver = pam
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }
    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_cipher_list = ALL
    ssl_key = # hidden, use -P to show it
    ssl_prefer_server_ciphers = yes
    userdb {
      args = /etc/imap.v_users
      driver = passwd-file
    }
    userdb {
      driver = passwd
    }
    verbose_ssl = yes
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada