Okay. A few days late, but I've gone through the replies I received from several of you and consolidated responses into one mail. Of course life gets crazy when I need to sit down and work on things.
"It seems to me Thunderbird is struggling to write to the Sent mailbox, so disk space, and file permissions are the obvious ones to check. And yes, on the server rather than your local machine, as you're using IMAP"
It's definitely not disc space. I wouldn't think an upgrade would change permissions, but it's a place to check. I'm showing my newbieness here but, I'm not even sure what account should have access to those files. I know, it's a miracle I got all this working in the first place. I should have taken notes, but I did so much fiddling with this and that to make it behave that I didn't know what to write down.
"Anything interesting in the dovecot logs at the time when you check?"
So I looked up dovecot logs on google, and what I'm seeing is that dovecot generally writes to mail logs under /var/log. The stuff I sent in my first email came from mail.err in that folder. The only other file I could find was mail.log. Using tail on that file, I see entries like these.
    Dec 2 20:53:07 kylesmith-music postfix/smtpd[396853]: warning: unknown[212.70.149.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 2 20:53:07 kylesmith-music postfix/smtpd[396853]: disconnect from unknown[212.70.149.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
There are similar entries from a different IP address, but interestingly neither matches the IP address of our fiber modem so I have no idea what's going on there.
"First, do you have a backup prior to upgrading the server? You may want to refer to that to get a clean idea of how the configuration was set up initially. Sometimes the upgrade process can reset configuration files and it's usually easier to work from a known working configuration."
I really wish I did, but I'm not sure how to effectively back up a VPS.
"Second, can you describe how you set the mail stack you are using up?"
I can tell you it's postfix and dovecot. That's what a lot of articles recommended, so I went with that. We use different devices so I chose to use imap as it interfaces directly with the stored mail on the server. Usually this is good, except now when it breaks.
"It's possible the issue is SSL related but it's difficult to say. There have been a number of breaks with SSL encryption in recent years which is why the cipher list has been adjusted,"
SSL is definitely my weakest point of knowledge. I know I had it working smoothly but it was basically following how-to stuff. The reason we're using it even for mail has to do with someone in my husband's life who would get in and mess things up if he had the chance, so I'm trying to make sure he doesn't have that chance by locking things down tight.
"google can also be out of date I'd recommend using a date filter when using it for checking configurations and limit it only to the last 1-2 years as you will get more relevant information typically."
Oh my gosh, that alone would be extremely helpful. The number of seriously outdated articles I had to filter through when I set this up in the first place is just unreal. Mind telling me how to do a date filter? Otherwise, I'll google how to use google, hahaha.
"The configuration parameter for the cipher list uses HIGH as a default profile and if I recall correctly that disables lower TLS versions that are susceptible to certain types of attacks. (SSL3,TLS1,TLS1.1,1.2 I think) The dovecot documentation explains what the defaults are for HIGH. The ! prevents using specific protocols and configuration is usually a chain (processed from left to right until a match is found). DH is the Diffie-Hellman exchange. Usually this file is recalculated on a per server basis to prevent pre-calculation attacks on SSL and usually it must meet a certain key length. DH Groups 1 and 2 are known to be insecure."
Okay, that went way over my head, but it sounds like good information to have and study up more on, hopefully after I get the immediate issue solved. If I'm following you correctly at all though I could see that potentially being my issue, hmm. I will for sure see if I can get my hands on that book.
"Some quick thoughts here — if the changes you mentioned did not solve the issue, I would definitely comment those back out so you are only troubleshooting one thing at a time."
Fair point. I commented out the one about dh high, then hopefully reloaded the configuration, dovecot reload? That done, I tried sending an email from the domain to my gmail using thunderbird. I got the same message, but it did actually send this time. However, when I replied to the test message with my gmail account, it wasn't received by thunderbird. I do see it using the mail app on the server, though.
"Next, are you able to send email using any other client?"
I can send mail locally on the server from one account to another for sure. I managed it once, at least. Those mail clients seem clunky though so I may not be doing things correctly to test.
"Third, try disabling all SSL and see if you are able to send via Thunderbird or really, any client at all…"
Is there an easy way to disable ssl for now and then reenable it? That would definitely help narrow this down.
"Your DH parameters are too weak. You should generate at least 2048 byte parameters."
To be honest, I don't even recall setting up DH parameters. I would guess that probably happened when I was setting up ssl?
Again, thank you to each of you for helping with this. I really try not to send stuff like this to mailing lists that are technical in nature, but this is important business mail he's potentially missing and I'm a bit out of my league. First project once this gets fixed will be learning how to back up the server.
Christy
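The mail.log lines quoted in the message above record failed SMTP AUTH attempts against Postfix from a remote client, and the trailing UGFzc3dvcmQ6 is base64 text. As an added example (not part of the original message), the following Python counts such failures per source address and decodes that field; the regular expression is an assumption based on the two lines shown, and the extra sample lines are constructed.

```python
import base64
import re
from collections import Counter

# Sample input: the first two lines are the ones quoted in the message; the
# remaining lines are constructed and use documentation-range addresses.
SAMPLE_LOG = """\
Dec 2 20:53:07 kylesmith-music postfix/smtpd[396853]: warning: unknown[212.70.149.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 2 20:53:07 kylesmith-music postfix/smtpd[396853]: disconnect from unknown[212.70.149.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Dec 2 20:53:41 kylesmith-music postfix/smtpd[396853]: warning: unknown[212.70.149.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 2 20:54:02 kylesmith-music postfix/smtpd[396860]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Dec 2 20:55:10 kylesmith-music postfix/smtpd[396871]: connect from mail.example.org[198.51.100.4]
"""

# Assumed line shape: "... postfix/smtpd[pid]: warning: host[ip]: SASL <mech>
# authentication failed: <optional detail>"
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<detail>\S*)"
)


def decode_detail(detail):
    """Return the base64-decoded detail if it decodes cleanly, else the raw text."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return detail


def failed_logins(log_text):
    """Count SASL authentication failures per client IP and keep the last detail seen."""
    counts = Counter()
    details = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
            details[m["ip"]] = decode_detail(m["detail"])
    return counts, details


if __name__ == "__main__":
    counts, details = failed_logins(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed SASL login(s), detail={details[ip]!r}")
```

The decoded detail is the server's own prompt text rather than anything the client sent, so these entries show login attempts that failed at the password step, not a fault in local mail delivery.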
On 03/12/2020 11.22, Christy S wrote:
"Anything interesting in the dovecot logs at the time when you check?"
So I looked up dovecot logs on google, and what I'm seeing is that dovecot generally writes to mail logs under /var/log. The stuff I sent in my first email came from mail.err in that folder. The only other file I could find was mail.log.
Unusual. You can find out the location of the log file with
    doveconf log_path
Mine is /var/log/dovecot.log, but this will vary with OS.
Incidentally you can also use doveconf to see the current values of all config items, which means that
    doveconf -a > 201203_backup.conf
will give you a reference backup, and
    doveconf -a | grep search_term
will let you look for the current value of likely items, try "dh" or "ssl"
But the definitive way to backup config would be to take a copy of /etc/dovecot/ to make sure you get everything in the same layout.
"google can also be out of date I'd recommend using a date filter when using it for checking configurations and limit it only to the last 1-2 years as you will get more relevant information typically."
Once you've done a search: Tools > Any Time > Past Year
P.
<snip/>
"Your DH parameters are too weak. You should generate at least 2048 byte parameters."
To be honest, I don't even recall setting up DH parameters. I would guess that probably happened when I was setting up ssl?
openssl dhparam 4096 > /path/to/dh.pem
Alternatively, update to latest dovecot from https://repo.dovecot.org and disable DH support completely. See https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/#diffie...
Again, thank you to each of you for helping with this. I really try not to send stuff like this to mailing lists that are technical in nature, but this is important business mail he's potentially missing and I'm a bit out of my league. First project once this gets fixed will be learning how to back up the server.
Christy
Aki
participants (3)
- Aki Tuomi
- Christy S
- Plutocrat