Testin new installation
The first place I went to for test advice and planning recommendations was http://wiki2.dovecot.org/TestInstallation - The very first test failed. Doc says:
Next check that Dovecot is listening for connections:
telnet localhost 143
Trying 127.0.0.1... Connected to localhost. Escape character is '^]'.
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready.
If you got "connection refused", make sure that Dovecot is configured to serve the imap protocol and listening on the expected interfaces/addresses. The simplest way to do that would be using doveconf(1):
doveconf protocols listen
protocols = imap pop3 lmtp sieve listen = *, ::
If the protocols setting shouldn't contain imap so add it. Also make sure, that relevant !include or !try_include configuration lines are not commented.
*** End doc extract ***
All of the above specified settings are correct. Yet, when I telnet localhost 143, I get:
Trying ::1... # this is certainly suspect Escape character is '^['. Connection closed by foreign host.
On Sat, 13 Jun 2015 14:16:30 +0200, you wrote:
It doesn't look good.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 <my-system's-address>:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN
tcp6 0 0 :::995 :::* LISTEN
tcp6 0 0 :::110 :::* LISTEN
tcp6 0 0 :::143 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
tcp6 0 0 :::993 :::* LISTEN
dovecot process should appear with :143
Am Samstag, den 13.06.2015, 13:40 -0400 schrieb Steve Matzura:
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
dovecot process should appear with :143
Did you specify the p option? Then dovecot process name should appear. Try telnet 127.0.0.1 143 instead of localhost telnet localhost seems to use the IPv6 localhost adress which isn't used on dovecot side. I assume you don't use much IPv6 on this system, so this is no problem at all.
On Sat, 13 Jun 2015 20:41:01 +0200, you wrote:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
25239/dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
25239/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
25239/dovecot
tcp 0 0 <my-system's-ip-address>:53 0.0.0.0:*
LISTEN 1111/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
1111/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
11686/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
1111/named
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
31857/icecast
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
25239/dovecot
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN
31857/icecast
I eliminated the IPv6 lines for brevity.
Try telnet 127.0.0.1 143 instead of localhost
When I telnet 127.0.0.1 143 from a non-root account, I get "Connection closed by foreign host." When I do it from root, it connects but I get no other response and have to ^] to disconnect.
That's right. IN fact, the only v6 used at all is for our audio streaming services.
On Sat, 13 Jun 2015 21:57:06 +0200, you wrote:
Oh yes! Sorry for not having checked this before.
Jun 13 18:50:56 <my-node> dovecot: master: Error: service(pop3-login): command startup failed, throttling for 2 secs Jun 13 19:30:26 <my-node> dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key Jun 13 19:30:26 <my-node> dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line Jun 13 19:30:26 <my-node> dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs Jun 13 19:31:27 <my-node> dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key Jun 13 19:31:27 <my-node> dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line Jun 13 19:31:27 <my-node> dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs Jun 13 19:33:04 <my-node> dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key Jun 13 19:33:04 <my-node> dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line Jun 13 19:33:04 <my-node> dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs
I thought this was a possibility. It probably means I have concatenated incorrect elements to form the certificate files.
Am 13.06.2015 um 22:11 schrieb Steve Matzura:
Looks like there is something wrong with the format of your certificates. Do your files contain the start and end lines?
The private key file should look like this: -----BEGIN RSA PRIVATE KEY----- cWgpJPyTE7yxI7cqREE8ULqn4eVJ85YckBNooOXGiumSkoTske7XIGNvRQWkpFUN [...] 4LMADvl806xkVkoWDGqJvN2MrN4qeRWuiTQ4tqmi0xp8wfoKWD0q4A== -----END RSA PRIVATE KEY-----
The public certificates file should look like this: -----BEGIN CERTIFICATE----- DwAwggEKAoIBAQCxpX2YsLeMT3GIMDtdJIoVkT+qe5PrpPL3omglJ+sKXnulM8JP [... more stuff from your domains cert ...] VmXZvW8oF1yaSQ/lSXZZ5Cg7mFZqqGrO5Sr15ZrduPlgdQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i [... more stuff from your intermediate cert ...] AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOg== -----END CERTIFICATE-----
-- Alex JOST
Gere's the command I used to generate the CSR. It is really one line, even though your message display program may cause it to wrap midway:
openssl req -nodes -newkey rsa:2048 -sha1 -keyout myserver.key -out server.csr
Am Sonntag, den 14.06.2015, 13:10 -0400 schrieb Steve Matzura:
The public cert part is good, but the private one begins with "Begin private key", not "RSA key."
I generated my own dovecot CSR with certtool from gnutls-bin which indeed adds 'RSA Private Key' But that openssl command you used does it without the RSA
If the Key and Certificate has been correctly generated can be checked with the gnutls certtool: 1 certtool -k < myserver.key | less certtool -i < cert.pem | less (or whatever you called the signed certificate)
It outputs the key with the RSA line added. Maybe just try that out
On Sat, 13 Jun 2015, Steve Matzura wrote:
On Sat, 13 Jun 2015 14:16:30 +0200, you wrote:
Am Samstag, den 13.06.2015, 08:00 -0400 schrieb Steve Matzura:
This is normal.
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp6 0 0 :::143 :::* LISTEN
tcp6 0 0 :::993 :::* LISTEN
This is also normal.
If you want to do a complete check of a service on a dual-stack host you really do need to explicitly specify the host by every IP address you intend it to be listening on since the client's ultimate choice of which address to choose, if you simply leave it up to DNS and the client, is variable.
Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com
On Sat, 13 Jun 2015 13:28:53 -0500, you wrote:
Apologies for not posting that.
2.2.18: /etc/dovecot/dovecot.conf
OS: Linux 3.2.65-xenU-19-0e6777a-x86_64 x86_64 Fedora release 20
(Heisenbug) mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } service lmtp { unix_listener lmtp { group = postfix mode = 0600 user = postfix } } ssl = required ssl_cert = /etc/pki/dovecot/certs/tbv2015.crt ssl_key = </etc/pki/dovecot/private/tgv2015-private.crt userdb { driver = passwd }
Urban:
On Sun, 14 Jun 2015 11:58:57 +0200, you wrote:
That one was my fault. That's what it is inside 10-ssl.conf, but because I typed the mail message manually, I forgot the `<'.
It appears, however, that I may have solved the problem with the certificates. I happened to look at the file size of tgv2015.crt and noticed it was incorrect, which meant I created it incorrectly. I recreated it, restarted DOvecot, and have not seen the file open errors. I'll continue with testing.
Alex, et al.,
I spoke too soon. Upon close examination of /var/log/maillog, the errors previously reported via the maillog extracts only happen when I attempt to test the imap connection. Everything appears correctly set up, defined, etc. It's now down to the certificates themselves I think. I have the following files:
. A file containing the certificate as issued by the certifying uthority that sold it to me. This file has a .CRT extension.
. The certifying authority's standard (or intermediate) certificate. This file has a .PEM extension.
. The private key file I generated when I created the CSR which was submitted to the certifying authority to create the signed certificate for my domain. This file has a .KEY extension.
I created the certificate file by opening a new text buffer in the editor of my choice and reading in the first and second of the above three files, then saving the concatenated buffer as /etc/pki/dovecot/certs/tgv2015.crt
participants (7)
-
Alex JOST
-
Antonio Querubin
-
b-dovecot.org@grmbl.net
-
Edgar Pettijohn III
-
Felix Zielcke
-
Steve Matzura
-
Urban Loesch