[Dovecot] Dovecot not accepting connections
Hi, new user here, trying to track down an issue. Sometimes, after
starting dovecot, I'll attempt to check mail and will not be able to
get a connection to my server. I'll kill dovecot, restart it, and
usually it will begin working. When I first ran into this, I first
tried auth_debug=yes, restarted dovecot, and had no problems. I'd
set auth_debug=no, restart dovecot, and would be unable to check
mail. After a time I determined that setting the debug wasn't really
affecting anything, it was just hit or miss if I'd be able to get a
connection. Once I was able to get a connection, things were fine
until dovecot started again.
Nothing unusual in the logs, if it works or not, I'll just see this at
startup:
Mar 25 21:34:48 mail-web-server dovecot[664]: dovecot v1.1.13 starting up (core dumps disabled)
Mar 25 21:34:48 mail-web-server dovecot[664]: auth-worker(default): mysql: Connected to localhost (postfix)
If debug is on and connections aren't being accepted, I never see
anything in the logs.
Below is my config. Running on OS X 10.5.6. Any info on
troubleshooting would be appreciated.
mail-web-server:~ wright$ sudo /usr/local/sbin/dovecot -n
Password:
# 1.1.13: /usr/local/etc/dovecot.conf
# OS: Darwin 9.6.0 i386 hfs
protocols: imap imaps pop3 pop3s
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_user: _dovecot
login_max_processes_count: 64
max_mail_processes: 128
first_valid_uid: 27
last_valid_uid: 27
first_valid_gid: 27
last_valid_gid: 27
mail_privileged_group: postfix
mail_uid: 27
mail_gid: 27
mail_location: maildir:/var/mail/vhosts/%d/%n
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
namespace:
  type: private
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  mechanisms: plain login cram-md5
  passdb:
    driver: sql
    args: /usr/local/etc/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /usr/local/etc/dovecot-mysql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
On Mar 25, 2009, at 10:47 PM, Jim wrote:
Nothing unusual in the logs, if it works or not, I'll just see this
at startup:
Mar 25 21:34:48 mail-web-server dovecot[664]: dovecot v1.1.13 starting up (core dumps disabled)
Mar 25 21:34:48 mail-web-server dovecot[664]: auth-worker(default): mysql: Connected to localhost (postfix)
If debug is on and connections aren't being accepted, I never see
anything in the logs.
Are you sure errors are also logged to that same log? They might be
logged elsewhere. See http://wiki.dovecot.org/Logging
And what does "not accepting connections" mean? Does the TCP handshake
finish? For example if you do:
telnet localhost 143
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
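
Added example (not part of the original thread, and not Dovecot code): a small Python probe that makes the a/b/c distinction above for every address a name resolves to, so loopback and the externally used address can be compared in one run. The function names, the port 143 default and the `localhost` default target are assumptions made for this sketch.

```python
import socket
import sys

def probe_addr(family, sockaddr, timeout=5.0):
    """Classify one TCP connection attempt using the thread's a/b/c outcomes."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(sockaddr)
        except ConnectionRefusedError:
            return "c) connection refused: nothing listening on this address"
        except socket.timeout:
            return "a) no TCP handshake: SYN unanswered (filtered or unreachable)"
        except OSError as exc:
            return "error: %s" % exc
        try:
            data = sock.recv(512)  # IMAP and POP3 servers greet first
        except socket.timeout:
            return "b) connected, no greeting: accepted but server is silent"
        except OSError as exc:
            return "error: %s" % exc
        if not data:
            return "closed: peer closed before sending a greeting"
        return "greeting: " + data.decode("ascii", "replace").strip()
    finally:
        sock.close()

def probe(host, port, timeout=5.0):
    """Probe every address `host` resolves to; return [(ip, outcome), ...]."""
    results, seen = [], set()
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    for family, _, _, _, sockaddr in infos:
        if sockaddr in seen:
            continue
        seen.add(sockaddr)
        results.append((sockaddr[0], probe_addr(family, sockaddr, timeout)))
    return results

if __name__ == "__main__":
    # Pass the names/IPs clients really use; "localhost" is only a default.
    for target in sys.argv[1:] or ["localhost"]:
        try:
            for ip, outcome in probe(target, 143):
                print("%s [%s]: %s" % (target, ip, outcome))
        except socket.gaierror as exc:
            print("%s: DNS resolution failed: %s" % (target, exc))
```

An a) result on the server's LAN or public address while 127.0.0.1 returns a greeting means the connection is being dropped before it reaches the login process, which is where a host packet filter sits.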
On Mar 26, 2009, at 6:01 PM, Timo Sirainen wrote:
Are you sure errors are also logged to that same log? They might be
logged elsewhere. See http://wiki.dovecot.org/Logging
Good to know. Everything here is going to /var/mail.log
And what does "not accepting connections" mean? Does the TCP
handshake finish? For example if you do:
telnet localhost 143
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
Naturally, now that I'm trying to duplicate the issue, I can't get it
to act up. If I can get into a mode where it stops working again,
I'll try that and report back.
Thanks!
On Mar 27, 2009, at 3:37 PM, Jim wrote:
On Mar 26, 2009, at 6:01 PM, Timo Sirainen wrote:
And what does "not accepting connections" mean? Does the TCP
handshake finish? For example if you do:
telnet localhost 143
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
Naturally, now that I'm trying to duplicate the issue, I can't get
it to act up. If I can get into a mode where it stops working
again, I'll try that and report back.
Finally had this happen again. Connecting via localhost worked just
fine, returned "OK Dovecot ready". Connecting via my domain name
resulted in a hung connection that eventually just timed out. Nothing
in my firewall that would be blocking this, port 143 redirects
straight to my mail server as does port 80 and a few others, which all
worked fine using my domain name for connections. The problem is
isolated to Dovecot.
The only odd thing that I noticed when I went to stop and restart the
Dovecot process is that only one dovecot-auth process was running,
normally I see two processes running. After quitting Dovecot and
starting it again, I saw two dovecot-auth processes start up, and then
I was able to get mail just fine.
No errors in my mail.log that might have shed additional light on
this. mail_debug = yes was set when I was having this problem,
nothing was logged during my failed connection attempt, Dovecot never
received the connection.
On Sun, 2009-04-12 at 15:03 -0500, Jim wrote:
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
Naturally, now that I'm trying to duplicate the issue, I can't get
it to act up. If I can get into a mode where it stops working
again, I'll try that and report back.
Finally had this happen again. Connecting via localhost worked just
fine, returned "OK Dovecot ready".
If Dovecot is answering on localhost, I can't think of any reasons why it wouldn't answer to non-localhost connections.
Connecting via my domain name
resulted in a hung connection that eventually just timed out.
So did it time out on a) or b)?
And you say "domain name", what about IP address? If the problem is with DNS resolving?
The only odd thing that I noticed when I went to stop and restart the
Dovecot process is that only one dovecot-auth process was running,
normally I see two processes running. After quitting Dovecot and
starting it again, I saw two dovecot-auth processes start up, and then
I was able to get mail just fine.
Was one of them "dovecot -w" process? Anyway the number of dovecot-auth processes shouldn't really make a difference.
On Apr 15, 2009, at 5:27 PM, Timo Sirainen wrote:
On Sun, 2009-04-12 at 15:03 -0500, Jim wrote:
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
So did it time out on a) or b)?
Timed out after a.
And you say "domain name", what about IP address? If the problem is
with DNS resolving?
Didn't try that, one more data point for next time.
The only odd thing that I noticed when I went to stop and restart the Dovecot process is that only one dovecot-auth process was running, normally I see two processes running. After quitting Dovecot and starting it again, I saw two dovecot-auth processes start up, and
then I was able to get mail just fine.
Was one of them "dovecot -w" process? Anyway the number of dovecot-auth processes shouldn't really make a difference.
May be unrelated then, just something I noticed. I just start Dovecot
with a '/usr/local/sbin/dovecot' at startup, I'm not sure what the -w
flag does? It doesn't seem to be an option in my version:
Usage: dovecot [-F] [-c <config file>] [-p] [-n] [-a] [--version] [--build-options] [--exec-mail <protocol> [<args>]]
Fatal: Unknown argument: -w
On Thu, 2009-04-16 at 20:32 -0500, Jim wrote:
The only odd thing that I noticed when I went to stop and restart the Dovecot process is that only one dovecot-auth process was running, normally I see two processes running. After quitting Dovecot and starting it again, I saw two dovecot-auth processes start up, and
then I was able to get mail just fine.
Was one of them "dovecot -w" process? Anyway the number of dovecot-auth processes shouldn't really make a difference.
May be unrelated then, just something I noticed. I just start Dovecot
with a '/usr/local/sbin/dovecot' at startup, I'm not sure what the -w
flag does? It doesn't seem to be an option in my version:
Sorry, I meant if the dovecot-auth processes were "dovecot-auth -w", i.e. auth worker processes. There's typically one dovecot-auth master and one dovecot-auth -w worker (if you're using passdbs/userdbs that use workers).
But anyway if you don't even get TCP accept reply, dovecot-auth processes shouldn't matter. Only imap-login processes matter, since they're the one accepting the connection.
On Mar 26, 2009, at 6:01 PM, Timo Sirainen wrote:
On Mar 25, 2009, at 10:47 PM, Jim wrote:
Nothing unusual in the logs, if it works or not, I'll just see this
at startup:
Mar 25 21:34:48 mail-web-server dovecot[664]: dovecot v1.1.13 starting up (core dumps disabled)
Mar 25 21:34:48 mail-web-server dovecot[664]: auth-worker(default): mysql: Connected to localhost (postfix)
If debug is on and connections aren't being accepted, I never see
anything in the logs.
And what does "not accepting connections" mean? Does the TCP
handshake finish? For example if you do:
telnet localhost 143
Does it
a) Hang after "Trying 127.0.0.1..."
b) Hang after "Escape character is '^]'."
c) Say connect to address 127.0.0.1: Connection refused
mail-web-server:~ wright$ telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
mail-web-server:~ wright$ telnet localhost 110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
My various attempts to quit both of these sessions showed the
following in the log:
Mar 28 20:48:03 mail-web-server dovecot[227]: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Mar 28 20:48:26 mail-web-server dovecot[227]: pop3-login: Aborted login (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
The above does seem like Dovecot is running properly. But when
checking mail via my mail client (OS X, Mail.app, POP account), the
connection attempts for about 30 seconds, then aborts. Likewise,
trying an IMAP login via webmail (RoundCube) fails after about 15
seconds. Nothing in the log from either of these attempts.
This was following a server reboot. Stopping dovecot, enabling debug,
and restarting dovecot restored normal operation. Rebooting again
with debug still enabled continued to work normally.
On 3/28/2009 10:07 PM, Jim wrote:
mail-web-server:~ wright$ telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
Firewall issue? Or maybe one of the 'secure' options like SELinux?
--
Best regards,
Charles
On Mar 29, 2009, at 8:29 AM, Charles Marcus wrote:
On 3/28/2009 10:07 PM, Jim wrote:
mail-web-server:~ wright$ telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
Firewall issue? Or maybe one of the 'secure' options like SELinux?
I was thinking that originally, but the mail server doesn't run a
firewall, and the firewall isn't filtering LAN connections only WAN.
But I realize now that I should have also tried telnetting to my DNS
name and not just localhost for a better idea on that. One more thing
to try the next time this happens.
On Mar 29, 2009, at 8:29 AM, Charles Marcus wrote:
On 3/28/2009 10:07 PM, Jim wrote:
mail-web-server:~ wright$ telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
Firewall issue? Or maybe one of the 'secure' options like SELinux?
Just wrapping up this thread, it was a firewall issue after all,
unbeknownst to me, the mail server box itself had a firewall running,
separate from the main firewall box protecting my LAN. For some
reason at boot time the local firewall was blocking connections to
dovecot, but after restarting dovecot, all was well. I've shut down
the firewall on the local box, which should prevent this from
happening again in the future.
Jim
On 5/10/2009, Jim (Jim@themailshack.com) wrote:
Just wrapping up this thread, it was a firewall issue after all, unbeknownst to me, the mail server box itself had a firewall running, separate from the main firewall box protecting my LAN. For some reason at boot time the local firewall was blocking connections to dovecot, but after restarting dovecot, all was well. I've shut down the firewall on the local box, which should prevent this from happening again in the future.
A basic firewall is not resource intensive, and I always set one up on any box I administer... especially since I always use fail2ban to lock out brute force attackers (requires a firewall)...
I'd recommend re-enabling it and configuring it properly... not much effort, and is just one more layer of protection...
--
Best regards,
Charles
participants (3)
- Charles Marcus
- Jim
- Timo Sirainen