Mailbox connection fails: Connection closed (No commands sent) Help please
I would greatly appreciate help with this.
VPS ubuntu 20.04 postfix 3.4.13 dovecot 2.3.7.2
I'm trying to set up postfix with dovecot for virtual mailboxes using mysql
I have a database mailserver with tables virtual_domains, virtual_users & virtual_aliases
Using postmap I've tested all connections and gotten correct responses (1, 1, smoker1@sizzelicks.com)
I have a domain: sizzelicks.com and an email address smoker1@sizzelicks.com
The password for the user is encrypted with sha512-CRYPT
My VPS IP is: 194.163.45.150
MX test from: https://mxtoolbox.com/SuperTool.aspx?action=mx%3asizzelicks.com&run=toolpage
I set up a mailbox for smoker1@sizzelicks.com in Thunderbird:
IMAP and SMTP server: mail.sizzelicks.com
IMAP port: 993 SMTP port: 587
IMAP connection security: SSL/TLS
SMTP connection security: STARTTLS
When I try to connect to the mailbox Thunderbird returns this: server mail.sizzelicks.com has disconnected.
The server may have gone down or there may be a network problem.
mail.log
Dec 7 21:16:02 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=63115, TLS, session=
Dec 7 21:16:02 softlinksys dovecot: imap(smoker1@sizzelicks.com)<63115>: Connection closed (No commands sent) in=0 out=388 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 7 21:16:04 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=63117, TLS, session=
Dec 7 21:16:04 softlinksys dovecot: imap(smoker1@sizzelicks.com)<63117>: Connection closed (No commands sent) in=0 out=388 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dovecot -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0 x86_64 Ubuntu 20.04.3 LTS ext4
# Hostname: softlinksys.com
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = postmaster at aecperformance.com
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert =
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
Kristy Atkins
ViviData SaaS
On 07.12.2021 at 22:45, postfix@aecperformance.com wrote:
My VPS IP is: 194.163.45.150
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
Alexander
On 12/7/21 2:49 PM, Alexander Dalloz wrote:
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
That error's happening because you (Alexander) are using an old openssl version that has the problem described on:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:
https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermed...
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-cert...
In any case, this works fine with OpenSSL 1.1 or later:
$ openssl s_client -connect mail.sizzelicks.com:993
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
-- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
Thanks for your help.
I was able to 'confirm' the certificate in Thunderbird.
I looked at the certificate in Thunderbird. As I knew, it is a chain of multiple domains, all set up on our VPS.
Under Issuer Name it says: Common Name R3
It appears that I'm able to connect to the mailbox now but I can’t receive or send email.
Thunderbird says: Wrong Site The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.
In Thunderbird I can Confirm Security Exception but I’d much rather fix the problem.
The certificate is for a 'chain' of domains, 5 as of now, with the primary domain being aecperformance.com (not sizzelicks.com).
The certificate as shown in Thunderbird says: Common Name aecperformance.com
The certificate does show a list of all the domains in the chain.
Our VPS hosts multiple domains (5 right now) all of which receive and send email.
The websites on the VPS all work fine under ssl using the same certificate chain set up in postfix/dovecot config.
When I install postfix and dovecot the configuration includes paths for 1 certificate.
The certificate files I have set in postfix & dovecot config are the letsencrypt files for the websites.
How should I set up the certificates for the domains that postfix/dovecot handles?
How can I fix the problem Thunderbird is having with the certificate chain of multiple domains?
On Wed, 8 Dec 2021, postfix@aecperformance.com wrote:
Thunderbird says: Wrong Site The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.
$ openssl s_client -connect aecperformance.com:993 < /dev/null 2>/dev/null | openssl x509 -noout -text | grep -F -A1 'X509v3 Subject Alternative Name:'
X509v3 Subject Alternative Name:
DNS:aecperformance.com, DNS:deanhh.com, DNS:dev.aecperformance.com, DNS:sizzelicks.com, DNS:softlinksys.com, DNS:www.aecperformance.com, DNS:www.deanhh.com, DNS:www.sizzelicks.com, DNS:www.softlinksys.com
Is your Thunderbird set up to use one of the above server names, and not, for example, imap.aecperformance.com? The server name has to match one of the above.
Joseph Tam jtam.home@gmail.com
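The name check described in the reply above, as an added example that is not part of any poster's message: it parses the Subject Alternative Name line from the quoted openssl output and tests candidate server names against it, including the `mail.sizzelicks.com` name from the Thunderbird settings at the top of the thread. The function names are hypothetical, and the wildcard rule (one whole left-most label) follows RFC 6125 and goes beyond the non-wildcard names this certificate carries.

```python
# Added example: match a client-configured server name against the
# Subject Alternative Name line printed by `openssl x509 -noout -text`.

# SAN line copied from the openssl output quoted in this thread.
SAN_LINE = ("DNS:aecperformance.com, DNS:deanhh.com, DNS:dev.aecperformance.com, "
            "DNS:sizzelicks.com, DNS:softlinksys.com, DNS:www.aecperformance.com, "
            "DNS:www.deanhh.com, DNS:www.sizzelicks.com, DNS:www.softlinksys.com")


def parse_dns_sans(san_line):
    """Return the lower-cased dNSName entries from an openssl SAN line."""
    names = []
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.strip().lower().rstrip("."))
    return names


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one non-empty label and needs at least
        # two labels after it, so "*.com" never matches anything.
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def check_host(host, san_line=SAN_LINE):
    """Return the SAN entry covering host, or None if the client would warn."""
    host = host.lower().rstrip(".")
    # An IP address never matches a dNSName entry (it needs an iPAddress SAN).
    if host.replace(".", "").isdigit():
        return None
    for pattern in parse_dns_sans(san_line):
        if name_matches(pattern, host):
            return pattern
    return None


if __name__ == "__main__":
    for candidate in ("mail.sizzelicks.com", "sizzelicks.com",
                      "imap.aecperformance.com", "194.163.45.150"):
        print(candidate, "->", check_host(candidate) or "NO MATCH (Wrong Site)")
```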
OK I'm confused. It looks like I'm connected to the mailbox but when I try to 'Get Messages' now it says that the server has disconnected.
In the mail.log file I see this (again):
Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67110, TLS, session=
Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67111, TLS, session=
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1@sizzelicks.com)<67110>: Connection closed (No commands sent) in=0 out=387 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1@sizzelicks.com)<67111>: Connection closed (No commands sent) in=0 out=388 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Please help me.
How can I fix this problem?
Try https://wiki.mozilla.org/Thunderbird:Debugging
Aki
On 08/12/2021 15:04 postfix@aecperformance.com wrote:
OK I'm confused. It looks like I'm connected to the mailbox but when I try to 'Get Messages' now it says that the server has disconnected.
In the mail.log file I see this (again):
Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67110, TLS, session=
Dec 8 12:55:43 softlinksys dovecot: imap-login: Login: user=, method=PLAIN, rip=67.8.3.170, lip=194.163.45.150, mpid=67111, TLS, session=
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1@sizzelicks.com)<67110>: Connection closed (No commands sent) in=0 out=387 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Dec 8 12:55:43 softlinksys dovecot: imap(smoker1@sizzelicks.com)<67111>: Connection closed (No commands sent) in=0 out=388 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Please help me. How can I fix this problem?
On 08.12.2021 at 01:46, Robert L Mathews wrote:
On 12/7/21 2:49 PM, Alexander Dalloz wrote:
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
That error's happening because you (Alexander) are using an old openssl version that has the problem described on:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:
https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermed...
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-cert...
In any case, this works fine with OpenSSL 1.1 or later:
$ openssl s_client -connect mail.sizzelicks.com:993
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
Confirmed, my fault.
# openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = aecperformance.com
verify return:1
Certificate chain
 0 s:CN = aecperformance.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
Alexander
I could really use some help here please.
VPS Ubuntu 20.04 postfix 3.4.13 and dovecot 2.3.7.2
I have an email address: smoker1@sizzelicks.com on the VPS.
When I try to log into the smoker1@sizzelicks.com mailbox from Thunderbird I see that it's connected but then get a message saying the server disconnected saying:
"The server may have gone down or there may have been an network problem"
When I look at syslog on the VPS I see this:
Dec 8 23:03:34 softlinksys dovecot: imap-login: Login: user=smoker1@sizzelicks.com,
Dec 8 23:03:34 softlinksys dovecot: imap(smoker1@sizzelicks.com)<4981><pvGof6rShPRDCAOq>: Connection closed (No commands sent)
When a spammer tried to log in (s.petersqwe@softlinksys.com, not our email address) the log shows this:
Dec 8 23:16:51 softlinksys dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=
So I see the difference: imap-login: Login: user=
Clearly, I'm successfully logging into the mailbox - yes?
BUT - immediately afterward the server disconnects with 'No commands sent'.
It looks to me like dovecot expects 'commands' that Thunderbird isn't sending. Is this correct?
Thunderbird queries for messages (or it's supposed to). The response & log is the same if I click ‘Get Messages’.
Also, I’ve sent numerous messages to smoker1@sizzelicks.com. They do not bounce and I don’t get an email saying it couldn’t be delivered.
However, nothing is added to the logs from postfix about it.
Why is dovecot disconnecting? How can I fix this problem?
-----Original Message----- From: dovecot dovecot-bounces@dovecot.org On Behalf Of Alexander Dalloz Sent: Wednesday, December 8, 2021 5:53 PM To: dovecot@dovecot.org Subject: Re: Mailbox connection fails: Connection closed (No commands sent) Help please
On 08.12.2021 at 01:46, Robert L Mathews wrote:
On 12/7/21 2:49 PM, Alexander Dalloz wrote:
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
That error's happening because you (Alexander) are using an old openssl version that has the problem described on:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:
https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/
In any case, this works fine with OpenSSL 1.1 or later:
$ openssl s_client -connect mail.sizzelicks.com:993
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
Confirmed, my fault.
# openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = aecperformance.com
verify return:1
Certificate chain
 0 s:CN = aecperformance.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
Alexander
participants (5)
- Aki Tuomi
- Alexander Dalloz
- Joseph Tam
- postfix@aecperformance.com
- Robert L Mathews