Hi Robert, and all.
As I mentioned in a previous reply, everything started to work when I added "protocols = imap" to dovecot.conf.
However, following your advice, I have removed the service imap-login section from dovecot.conf, and checked again the permissions of the key file and its parent directory: the unexpected thing is that the file and the folder were (in the old server, I mean) owned by root, group ssl_cert. I guess this is because the same certificates were used by the website, which I also have to rebuild next week. So I will have to add dovecot and the httpd user to that group, I think. No?
Thanks, Marco
On Wed 22 Jan 2025 at 08:46 Robert Nowotny <rnowotny@rotek.at> wrote:
Marco,
Dovecot configurations are split across multiple files. If service imap-login is defined in both dovecot.conf and conf.d/10-master.conf, this can cause conflicts.

Fix:
Remove the service imap-login block from dovecot.conf (keep it only in 10-master.conf).
Ensure 10-master.conf contains:

    service imap-login {
      inet_listener imap {
        port = 0        # Disable plain IMAP
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }

- SSL Certificate Permissions
  Even if paths are correct, key permissions often cause silent failures.
  Verify:

    sudo ls -l /etc/letsencrypt/live/example.com/privkey.pem

  The key must be readable only by Dovecot:

    sudo chmod 0600 /etc/letsencrypt/live/example.com/privkey.pem
    sudo chown dovecot:dovecot /etc/letsencrypt/live/example.com/privkey.pem

  Ensure /etc/letsencrypt/live and /etc/letsencrypt/archive are owned by root:root (not world-writable).

- Check for Configuration Errors

    sudo doveconf -n

  Look for warnings (e.g., certificate path typos, deprecated settings).
  If you see ssl_dh_parameters_length, remove it (it's obsolete).

- Dovecot Service Status
  Check if Dovecot actually restarted:

    sudo systemctl status dovecot

  Look for errors like:

    Failed to listen on *:993             (port conflict)
    SSL_CTX_use_PrivateKey_file failed    (certificate issues)

- Port Binding
  If Dovecot is running but not binding to 993, check if another service (e.g., stunnel, nginx) is using port 993:

    sudo ss -tulpn | grep ':993'

  If yes, stop the conflicting service.

- Test with Minimal Configuration
  Create a minimal config to isolate the issue:

    sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup
    echo "ssl = required
    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
    protocols = imap
    service imap-login {
      inet_listener imaps {
        port = 993
      }
    }" | sudo tee /etc/dovecot/dovecot.conf
    sudo systemctl restart dovecot

  If this works, your original config has conflicting settings.

- Logs
  Key command:

    sudo journalctl -u dovecot --since "5 minutes ago" | grep -iE 'error|warning|imap-login'

  Look for lines like:

    Couldn't listen on *:993: Address already in use
    SSL_CTX_use_PrivateKey_file: error:0A080086...

- Reinstall Dovecot (Last Resort)
  If all else fails:

    sudo apt purge dovecot-core dovecot-imapd
    sudo rm -rf /etc/dovecot    # Backup first!
    sudo apt install dovecot-core dovecot-imapd

  Then rebuild your config from scratch.
Let me know what you find in the logs or after testing the minimal config.
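Added example (not from Robert's or Marco's mails, and not Dovecot project code): a POSIX shell script that runs the checks from the message above against captured text instead of a live host, so it works offline. It parses doveconf -n output for the imap-login listeners and the protocols setting, parses ss -tulpn output for whatever owns port 993, and applies a private-key permission policy. Both config samples are constructed: the first is the service imap-login fragment from Marco's doveconf -n paste, which only sets port = 0 on the plain imap listener (so "telnet localhost 143" being refused is expected), the second adds the imaps listener and protocols = imap as in the minimal config. Two points the script encodes that the mail does not state: Dovecot 2.3's built-in defaults are port 143 for the imap listener and 993 for imaps, so an imaps listener that is not mentioned is still enabled, and imap-login is only started when imap is listed in protocols, which matches Marco's report that adding protocols = imap fixed it; and per Dovecot's SSL documentation the key file is opened while Dovecot still runs as root, so it should be root-owned and not readable by the dovecot user, which makes root:root 0600 or root:ssl-cert 0640 (the old server's layout) the right shape and chown dovecot:dovecot unnecessary. The ss sample, its process names and the mode/owner specs are constructed.

```shell
#!/bin/sh
# Offline re-implementation of the diagnostic steps from the thread.
# All inputs below are constructed samples, not captured from a real host.

# Constructed: the service imap-login fragment from Marco's doveconf -n paste.
# Only the plain imap listener is mentioned, and it is disabled with port = 0.
CONF_AS_POSTED='service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = # hidden, use -P to show it'

# Constructed: the same fragment with the imaps listener spelled out and
# protocols restricted to imap, as in Robert's minimal config.
CONF_FIXED='protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem'

# Constructed: ss -tulpn output where another daemon already owns 993.
SS_AS_POSTED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      100          0.0.0.0:993       0.0.0.0:*     users:(("stunnel",pid=812,fd=5))'

# Print "<listener> <port>" for each inet_listener inside service imap-login,
# tracking brace depth so nesting does not depend on indentation.
list_listeners() {
  printf '%s\n' "$1" | awk '
    /^service imap-login[ \t]*\{/ { in_svc = 1; depth = 1; next }
    in_svc {
      if ($0 ~ /inet_listener/) name = $2
      if ($0 ~ /^[ \t]*port[ \t]*=/) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print name, v }
      depth += gsub(/\{/, "{")
      depth -= gsub(/\}/, "}")
      if (depth == 0) in_svc = 0
    }'
}

# Effective port of one listener: the configured value, or the Dovecot 2.3
# default passed as $3 (143 for imap, 993 for imaps) when it is not mentioned.
listener_port() {
  p=$(list_listeners "$1" | awk -v n="$2" '$1 == n { print $2; exit }')
  printf '%s\n' "${p:-$3}"
}

# The protocols setting as shown by doveconf -n, quoted, or a note that it is absent.
protocols_value() {
  printf '%s\n' "$1" | awk '
    /^protocols[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print "\"" $0 "\""; found = 1; exit }
    END { if (!found) print "unset (not in doveconf -n output)" }'
}

# Name of the process bound to TCP port $2 in ss -tulpn output $1, or "nobody".
who_listens() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $2 == "LISTEN" && $5 ~ (":" port "$") {
      if (match($0, /\(\("[^"]+"/)) { print substr($0, RSTART + 3, RLENGTH - 4); found = 1 }
    }
    END { if (!found) print "nobody" }'
}

# Private-key policy from Dovecot's SSL docs: Dovecot opens the key while still
# root, so it should be owned by root, with no access for "other" and no group
# write. Mode is as printed by stat -c %a (e.g. 600 or 0640).
key_perms_ok() {
  mode=${1#0}; owner=$2
  [ $(( mode % 10 )) -eq 0 ] || return 1               # other: no bits at all
  [ $(( (mode / 10) % 10 & 2 )) -eq 0 ] || return 1    # group: no write bit
  [ "$owner" = root ] || return 1                      # root, not the dovecot user
}

report() {
  printf 'protocols: %s\n' "$(protocols_value "$1")"
  printf 'imap  listener port: %s\n' "$(listener_port "$1" imap 143)"
  printf 'imaps listener port: %s\n' "$(listener_port "$1" imaps 993)"
}

printf '== config as posted ==\n'; report "$CONF_AS_POSTED"
printf '== config corrected ==\n'; report "$CONF_FIXED"
printf 'port 993 is held by: %s\n' "$(who_listens "$SS_AS_POSTED" 993)"
for spec in "600 root root" "0640 root ssl-cert" "600 dovecot dovecot" "644 root root"; do
  set -- $spec
  if key_perms_ok "$1" "$2"; then verdict=ok; else verdict=REJECT; fi
  printf 'key mode %s owner %s:%s -> %s\n' "$1" "$2" "$3" "$verdict"
done
```

On a real host the same functions take live input: report "$(doveconf -n)", who_listens "$(ss -tulpn)" 993, and key_perms_ok applied to the three fields of stat -c '%a %U %G' /etc/letsencrypt/live/example.com/privkey.pem. Note that /etc/letsencrypt/live/*/privkey.pem is a symlink into /etc/letsencrypt/archive, so stat the target (stat -L) and check both directories' permissions, as the message above says.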
*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Wednesday, 22 January 2025 at 00:32 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: Fwd: [OFFLIST] Re: connection refused, no error anywhere
Hi Robert, I corrected the service imap-login section of both dovecot.conf AND conf.d/10-master.conf as you suggested.
The files in ssl_cert and ssl_key exist and are readable by dovecot. I have even changed, for testing, the permissions of /etc/letsencrypt/live and /etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output of ss -tuln | grep 993 is still null.
What next? Thanks

---------- Forwarded message ---------
From: Robert Nowotny <rnowotny@rotek.at>
Date: Tue 21 Jan 2025 at 23:47
Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere
To: Marco Fioretti <marco.fioretti@gmail.com>
To resolve the connection refused error when accessing Dovecot on the new server, you need to adjust the Dovecot configuration to enable the appropriate IMAP service ports.
Enable IMAPS (Port 993) for Secure Connections:
- Modify the service imap-login section in your Dovecot configuration (likely in /etc/dovecot/conf.d/10-master.conf) to include an imaps listener:

    service imap-login {
      inet_listener imap {
        port = 0        # Disables plain IMAP (port 143)
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }

- This configuration disables plaintext IMAP on port 143 and enables IMAPS on port 993 with SSL.

Ensure SSL Certificates Are Correct:
- Verify the paths to your SSL certificate and key in /etc/dovecot/conf.d/10-ssl.conf:

    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

- Confirm the files exist and have proper permissions (readable by Dovecot).

Restart Dovecot:

    sudo systemctl restart dovecot

Verify Dovecot is Listening:

    sudo ss -tuln | grep 993

- You should see Dovecot listening on port 993.

Test the Connection Using SSL:

    openssl s_client -connect example.com:993

- This should establish a secure connection to the IMAPS port.
Additional Recommendations:
- Disable Plaintext IMAP: Keeping port = 0 for the imap listener ensures unencrypted IMAP is disabled, enhancing security.
- Firewall Configuration: Confirm UFW allows port 993:

    sudo ufw allow 993/tcp

By enabling IMAPS on port 993 and ensuring SSL is properly configured, secure email access will be restored. If you must use port 143 (not recommended), set port = 143 in the imap listener and enforce STARTTLS by adding ssl = required in your SSL configuration.

*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Tuesday, 21 January 2025 at 23:22 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: [OFFLIST] Re: connection refused, no error anywhere

---------- Forwarded message ---------
From: Marco Fioretti <marco.fioretti@gmail.com>
Date: Tue 21 Jan 2025 at 19:33
Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
To: Michael Peddemors <michael@linuxmagic.com>
Hi Michael,
I cannot say which NGO it is. What I know is that everything with that configuration was working fine, as far as they know, on the old server. So, any help to change the configuration to make it work with the current version of dovecot on Ubuntu 24.04LTS is very welcome...
On Tue 21 Jan 2025 at 19:11 Michael Peddemors <michael@linuxmagic.com> wrote:
Which NGO?
Don't listen on port 143 any more; make sure to only listen on 587/465/993/995 with TLS/SSL.
NGOs are often targeted.
On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:
Greetings,
I was just tasked with rebuilding from scratch the mail server of an NGO, on a brand new Ubuntu 24.04 LTS VPS.
I have copied the whole dovecot configuration to the new server, and now am stuck because:
dovecot IS running, dovecot service status shows no errors, but:
if I try to connect with mutt from my desktop I get "connection refused"
the ufw firewall does allow imap/imaps connections, and there are no errors in its log
even "telnet localhost 143" fails:

    Trying ::1...
    Connection failed: Connection refused
    Trying 127.0.0.1...
    telnet: Unable to connect to remote host: Connection refused

I see no related errors in /var/log/mail.log or /var/log/syslog.
output of dovecot -n is pasted below, I only changed the actual domain name to "example.com"
TIA for any pointer, I really need to get this server back online as soon as possible...
Marco
    # 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.21 (f6cd4b8e)
    doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
    doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
    # OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
    # Hostname: example.com
    auth_debug = yes
    auth_verbose = yes
    auth_verbose_passwords = plain
    mail_location = maildir:/var/mail/mymail_storage/base/
    mbox_write_locks = fcntl
    passdb {
      args = /etc/imap.v_users
      driver = passwd-file
    }
    passdb {
      driver = pam
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }
    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_cipher_list = ALL
    ssl_key = # hidden, use -P to show it
    ssl_prefer_server_ciphers = yes
    userdb {
      args = /etc/imap.v_users
      driver = passwd-file
    }
    userdb {
      driver = passwd
    }
    verbose_ssl = yes
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada