Fwd: Fwd: [OFFLIST] Re: connection refused, no error anywhere
Hi Robert, I corrected the service imap-login section of both dovecot.conf AND conf.d/10-master.conf as you suggested.
The files in ssl_cert and ssl_key exist and are readable by dovecot. I have even changed, for testing, the permissions of /etc/letsencrypt/live and /etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output of ss -tuln | grep 993 is still null.
What next? Thanks
---------- Forwarded message ---------
From: Robert Nowotny <rnowotny@rotek.at>
Date: Tue 21 Jan 2025 at 23:47
Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere
To: Marco Fioretti <marco.fioretti@gmail.com>
To resolve the connection refused error when accessing Dovecot on the new server, you need to adjust the Dovecot configuration to enable the appropriate IMAP service ports.

Enable IMAPS (Port 993) for Secure Connections:
- Modify the service imap-login section in your Dovecot configuration (likely in /etc/dovecot/conf.d/10-master.conf) to include an imaps listener:

service imap-login {
  inet_listener imap {
    # Disables plain IMAP (port 143)
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

- This configuration disables plaintext IMAP on port 143 and enables IMAPS on port 993 with SSL.

Ensure SSL Certificates Are Correct:
- Verify the paths to your SSL certificate and key in /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

- Confirm the files exist and have proper permissions (readable by Dovecot).

Restart Dovecot:
sudo systemctl restart dovecot

Verify Dovecot is Listening:
sudo ss -tuln | grep 993
- You should see Dovecot listening on port 993.

Test the Connection Using SSL:
openssl s_client -connect example.com:993
- This should establish a secure connection to the IMAPS port.

Additional Recommendations:
- Disable Plaintext IMAP: Keeping port = 0 for the imap listener ensures unencrypted IMAP is disabled, enhancing security.
- Firewall Configuration: Confirm UFW allows port 993:
sudo ufw allow 993/tcp

By enabling IMAPS on port 993 and ensuring SSL is properly configured, secure email access will be restored. If you must use port 143 (not recommended), set port = 143 in the imap listener and enforce STARTTLS by adding ssl = required in your SSL configuration.
*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Tuesday, 21 January 2025 at 23:22 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: [OFFLIST] Re: connection refused, no error anywhere
---------- Forwarded message ---------
From: Marco Fioretti <marco.fioretti@gmail.com>
Date: Tue 21 Jan 2025 at 19:33
Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
To: Michael Peddemors <michael@linuxmagic.com>
Hi Michael,
I cannot say which NGO it is. What I know is that everything with that configuration was working fine, as far as they know, on the old server. So, any help to change the configuration to make it work with the current version of dovecot on Ubuntu 24.04 LTS is very welcome...
On Tue 21 Jan 2025 at 19:11, Michael Peddemors <michael@linuxmagic.com> wrote:
Which NGO?
Don't listen on port 143 any more; make sure to only listen on 587/465/993/995 with TLS/SSL.
NGOs are often targeted.
On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:
Greetings,
I was just tasked with rebuilding from scratch the mail server of an NGO, on a brand new Ubuntu 24.04 LTS VPS.
I have copied the whole dovecot configuration to the new server, and now am stuck because:
dovecot IS running, dovecot service status shows no errors, but:
- if I try to connect with mutt from my desktop I get "connection refused"
- the ufw firewall does allow imap/imaps connections, and there are no errors in its log
- even "telnet localhost 143" fails:
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
I see no related errors in /var/log/mail.log or /var/log/syslog.
output of dovecot -n is pasted below, I only changed the actual domain name to "example.com"
TIA for any pointer, I really need to get this server back online as soon as possible...
Marco

# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
# OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
# Hostname: example.com
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
mbox_write_locks = fcntl
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
userdb {
  driver = passwd
}
verbose_ssl = yes
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Marco,

Dovecot configurations are split across multiple files. If service imap-login is defined in both dovecot.conf and conf.d/10-master.conf, this can cause conflicts.

Fix:
Remove the service imap-login block from dovecot.conf (keep it only in 10-master.conf).
Ensure 10-master.conf contains:

service imap-login {
  inet_listener imap {
    # Disable plain IMAP
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

- SSL Certificate Permissions
Even if paths are correct, key permissions often cause silent failures.
Verify:
sudo ls -l /etc/letsencrypt/live/example.com/privkey.pem
The key must be readable only by Dovecot:
sudo chmod 0600 /etc/letsencrypt/live/example.com/privkey.pem
sudo chown dovecot:dovecot /etc/letsencrypt/live/example.com/privkey.pem
Ensure /etc/letsencrypt/live and /etc/letsencrypt/archive are owned by root:root (not world-writable).

- Check for Configuration Errors
sudo doveconf -n
Look for warnings (e.g., certificate path typos, deprecated settings).
If you see ssl_dh_parameters_length, remove it (it's obsolete).

- Dovecot Service Status
Check if Dovecot actually restarted:
sudo systemctl status dovecot
Look for errors like:
Failed to listen on *:993 (port conflict)
SSL_CTX_use_PrivateKey_file failed (certificate issues)

- Port Binding
If Dovecot is running but not binding to 993, check if another service (e.g., stunnel, nginx) is using port 993:
sudo ss -tulpn | grep ':993'
If yes, stop the conflicting service.

- Test with Minimal Configuration
Create a minimal config to isolate the issue:
sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup
echo "ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
protocols = imap
service imap-login {
  inet_listener imaps {
    port = 993
  }
}" | sudo tee /etc/dovecot/dovecot.conf
sudo systemctl restart dovecot
If this works, your original config has conflicting settings.

- Logs
Key command:
sudo journalctl -u dovecot --since "5 minutes ago" | grep -iE 'error|warning|imap-login'
Look for lines like:
Couldn't listen on *:993: Address already in use
SSL_CTX_use_PrivateKey_file: error:0A080086...

- Reinstall Dovecot (Last Resort)
If all else fails:
sudo apt purge dovecot-core dovecot-imapd
sudo rm -rf /etc/dovecot   # Backup first!
sudo apt install dovecot-core dovecot-imapd
Then rebuild your config from scratch.

Let me know what you find in the logs or after testing the minimal config.
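Added example, not code from any of the posts above: a small Python audit of a `doveconf -n` dump that flags the conditions raised in Robert's two replies and visible in Marco's original dump (no `protocols` line, which Marco later reports was the actual fix; a listener forced to port 0; the obsolete ssl_dh_parameters_length warning), plus two settings in the posted dump that deserve a second look from a security angle (auth_verbose_passwords = plain logs attempted passwords, ssl_cipher_list = ALL re-admits ciphers Dovecot's default list excludes). The two dumps inside are constructed to mirror the thread's, so nothing here touches a live server.

```python
"""Audit a `doveconf -n` dump for the listener and TLS problems raised in this
thread. Added example, not code from the original posts; the two dumps below
are constructed to mirror the one Marco posted and the configuration Robert
recommends, so no running Dovecot is needed."""

# Constructed sample modelled on Marco's `dovecot -n` output: no `protocols`
# line, plain IMAP disabled, and nothing explicitly listening on 993.
BROKEN_DOVECONF = """\
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
# Hostname: example.com
auth_verbose_passwords = plain
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
passdb {
  driver = pam
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key = # hidden, use -P to show it
"""

# Constructed sample after the thread's fixes (protocols = imap, explicit imaps listener).
FIXED_DOVECONF = """\
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = # hidden, use -P to show it
"""


def parse_doveconf(text):
    """Parse doveconf -n output into nested dicts. Every block (`passdb {`,
    `service imap-login {`) is stored as a list under its header so repeated
    blocks survive. Returns (settings, warnings); warnings are the
    `doveconf: Warning:` lines, which the real tool prints on stderr."""
    root = {}
    warnings, stack = [], [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("doveconf: Warning:"):
            warnings.append(line)
        elif not line or line.startswith("#"):
            continue
        elif line.endswith("{"):
            block = {}
            stack[-1].setdefault(line[:-1].strip(), []).append(block)
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root, warnings


def listener_ports(conf):
    """{listener: port} for inet_listeners explicitly set under service
    imap-login; listeners absent from -n output keep their built-in defaults."""
    ports = {}
    for svc in conf.get("service imap-login", []):
        for key, blocks in svc.items():
            if key.startswith("inet_listener ") and isinstance(blocks, list):
                ports[key.split(" ", 1)[1]] = blocks[-1].get("port")
    return ports


def audit(text):
    """Return finding codes, in a fixed order, for one doveconf dump."""
    conf, warnings = parse_doveconf(text)
    findings = []
    if not conf.get("protocols"):
        findings.append("NO_PROTOCOLS")        # Marco's actual fix: protocols = imap
    ports = listener_ports(conf)
    if ports.get("imap") == "0":
        findings.append("IMAP_143_DISABLED")   # intended, per Michael's advice
    if ports.get("imaps") == "0":
        findings.append("IMAPS_993_DISABLED")  # would explain an empty `ss | grep 993`
    if any("Obsolete setting" in w for w in warnings):
        findings.append("OBSOLETE_SETTING")    # e.g. ssl_dh_parameters_length
    if conf.get("auth_verbose_passwords", "no") != "no":
        findings.append("PASSWORDS_LOGGED")    # failed-login passwords go to the log
    if conf.get("ssl_cipher_list") == "ALL":
        findings.append("WEAK_CIPHER_LIST")    # re-admits what Dovecot's default excludes
    if conf.get("ssl", "yes") != "required":
        findings.append("TLS_NOT_REQUIRED")    # ssl = required, as Robert suggests
    return findings
```

To run it against a real server, feed it `doveconf -n 2>&1` captured as text; the warnings are only seen if stderr is included.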
*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Wednesday, 22 January 2025 at 00:32 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: Fwd: [OFFLIST] Re: connection refused, no error anywhere
Hi Robert, and all.
As I mentioned in a previous reply, everything started to work when I added "protocols = imap" to dovecot.conf.
However, following your advice, I have removed the service imap-login section from dovecot.conf, and checked again the permissions of the key file and its parent directory: the unexpected thing is that the file and the folder were (in the old server, I mean) owned by root, group ssl_cert. I guess this is because the same certificates were used by the website, which I also have to rebuild next week. So I will have to add dovecot and the httpd user to that group, I think. No?
Thanks, Marco
On Wed 22 Jan 2025 at 08:46, Robert Nowotny <rnowotny@rotek.at> wrote:
On Wed 22 Jan 2025 at 17:51, Marc <Marc@f1-outsourcing.eu> wrote:
guess this is because the same certificates were used by the website, which I also have to rebuild next week. So I will have to add dovecot and the httpd user to that group, I think. No?
No the other way around. Add dovecot to the acme group, the certs are the least important.
Excuse me Marc, but I don't understand exactly what you mean by "the certs are the least important".
Also, there is no acme group in this server, and there was none in the old one, which hosted both email and websites with the same certs. My understanding from looking at the backups of the old server is that it had an ssl_cert group that included root, dovecot and the apache user. Why wouldn't that be OK?
Thanks, Marco
On 22/01/2025 17:04, Marco Fioretti via dovecot wrote:
The group is ssl-cert in Debian and Ubuntu.
Hey Marco, this is what to do:

Group Membership for SSL Certificates
- Add Users to ssl-cert Group: On Ubuntu, the default group for SSL certificates is ssl-cert, not ssl_cert. Confirm with:
ls -l /etc/letsencrypt/live/example.com/privkey.pem
If the group is ssl-cert, add Dovecot and the web server user (e.g., www-data) to it:
sudo usermod -aG ssl-cert dovecot
sudo usermod -aG ssl-cert www-data   # Replace with your HTTP server user
- Verify Group Membership:
groups dovecot   # Should show "ssl-cert"

Certificate Permissions
- Private Key Permissions: Ensure strict permissions (readable only by root and the ssl-cert group):
sudo chmod 0640 /etc/letsencrypt/live/example.com/privkey.pem
sudo chown root:ssl-cert /etc/letsencrypt/live/example.com/privkey.pem
- Directory Permissions: Ensure parent directories are secure (e.g., /etc/letsencrypt/live):
sudo chmod 0755 /etc/letsencrypt/{live,archive}
sudo chown root:root /etc/letsencrypt/{live,archive}

Dovecot Configuration
- Explicitly Enable IMAP Protocol: Adding protocols = imap ensures IMAP is enabled. Verify with:
doveconf -n | grep protocols
- Avoid Redundant Configurations

Restart Services
sudo systemctl restart dovecot
sudo systemctl restart apache2   # Or nginx, depending on your HTTP server

Final Verification
- Check Port 993 Binding:
sudo ss -tuln | grep 993
- Test SSL Connection:
openssl s_client -connect example.com:993
Look for SSL handshake success and certificate details.

Key Issues:
- Group Membership: Adding users to ssl-cert (not ssl_cert) allows shared certificate access securely.
- Protocols Directive: Explicitly setting protocols = imap avoids relying on defaults, which may vary between versions of dovecot.
- Permissions: Tight control over private keys prevents silent failures.
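Added example, not part of the thread: once the key is root:ssl-cert 0640 and the accounts have been added with usermod, this works out from an `ls -l` line and the account tables exactly which users end up able to read it, which is the check to run before calling the permissions tight. The `ls -l` line and the group tables are constructed here to mirror the commands above.

```python
"""Who can read the private key after the group and permission steps above?
Added example, not code from the thread; the `ls -l` line and the account
tables are constructed to mirror Robert's chmod/chown/usermod commands."""
import re

# Constructed `ls -l` output for the key as those commands leave it.
KEY_LS_LINE = ("-rw-r----- 1 root ssl-cert 1704 Jan 22 17:30 "
               "/etc/letsencrypt/live/example.com/privkey.pem")

# Constructed account data: primary group per user (as in /etc/passwd) and
# supplementary members per group (as in /etc/group after usermod -aG).
PRIMARY_GROUP = {"root": "root", "dovecot": "dovecot",
                 "www-data": "www-data", "postfix": "postfix"}
GROUP_MEMBERS = {"ssl-cert": {"dovecot", "www-data"}}

# Fields: mode, link count, owner, group, size, month, day, time-or-year, path.
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(.+)$")


def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, path)."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: " + line)
    return m.groups()


def readers(line, primary_group=PRIMARY_GROUP, group_members=GROUP_MEMBERS):
    """Accounts whose permission bits allow reading the file. root is always
    included (it bypasses discretionary access control); '*' marks a
    world-readable key."""
    mode, owner, group, _path = parse_ls_line(line)
    who = {"root"}
    if mode[1] == "r":                      # owner read bit
        who.add(owner)
    if mode[4] == "r":                      # group read bit
        who |= {u for u, g in primary_group.items()
                if g == group or u in group_members.get(group, set())}
    if mode[7] == "r":                      # world read bit
        who.add("*")
    return who


def key_is_tight(line, allowed=frozenset({"root", "dovecot", "www-data"})):
    """True when nobody outside the intended set of accounts can read the key."""
    return readers(line) <= allowed
```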
*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Wednesday, 22 January 2025 at 17:37 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* RE: Fwd: Fwd: [OFFLIST] Re: connection refused, no error anywhere
Hi Robert, and all.
As I mentioned in a previous replay, everything started to work when I added "protocols = imap" to dovecot.conf.
However, following your advice, I have removed the service imap-login section from dovecot.conf, and checked again the permission of the key file and its parent directory: the unexpected thing is that the file and the folder where (in the old server, I mean) owned by root, group ssl_cert. I guess this is because the same certificates were used by the website, which I also have to rebuild next week. So I will have to add dovecot and the httpd user to that group, I think. No?
Thanks, Marco
Il giorno mer 22 gen 2025 alle ore 08:46 Robert Nowotny<rnowotny@rotek.at> ha scritto:
marco,
Dovecot configurations are split across multiple files. If service imap-login is defined in both dovecot.conf and conf.d/10-master.conf, this can cause conflicts.
Fix:
Remove the service imap-login block from dovecot.conf (keep it only in 10-master.conf).
Ensure 10-master.conf contains:
service imap-login { inet_listener imap { port = 0 # Disable plain IMAP } inet_listener imaps { port = 993 ssl = yes } }
- SSL Certificate Permissions Even if paths are correct, key permissions often cause silent failures.
Verify:
sudo ls -l /etc/letsencrypt/live/example.com/privkey.pem the Key must be readable only by Dovecot
sudo chmod 0600 /etc/letsencrypt/live/example.com/privkey.pem sudo chown dovecot:dovecot /etc/letsencrypt/live/example.com/privkey.pem
Ensure /etc/letsencrypt/live and /etc/letsencrypt/archive are owned by root:root (not world-writable).
- Check for Configuration Errors
sudo doveconf -n Look for warnings (e.g., certificate path typos, deprecated settings).
If you see ssl_dh_parameters_length, remove it (it’s obsolete).
- Dovecot Service Status Check if Dovecot actually restarted: sudo systemctl status dovecot
Look for errors like:
Failed to listen on *:993 (port conflict) SSL_CTX_use_PrivateKey_file failed (certificate issues).
- Port Binding If Dovecot is running but not binding to 993: Check if another service (e.g., stunnel, nginx) is using port 993:
sudo ss -tulpn | grep ':993' If yes, stop the conflicting service.
- Test with Minimal Configuration Create a minimal config to isolate the issue:
sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup
echo "ssl = required ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/example.com/privkey.pem protocols = imap service imap-login { inet_listener imaps { port = 993 } }" | sudo tee /etc/dovecot/dovecot.conf sudo systemctl restart dovecot If this works, your original config has conflicting settings.
- Logs Key command: sudo journalctl -u dovecot --since "5 minutes ago" | grep -iE 'error|warning|imap-login'
Look for lines like:
Couldn't listen on *:993: Address already in use SSL_CTX_use_PrivateKey_file: error:0A080086...
- Reinstall Dovecot (Last Resort) If all else fails:
sudo apt purge dovecot-core dovecot-imapd sudo rm -rf /etc/dovecot # Backup first! sudo apt install dovecot-core dovecot-imapd Then rebuild your config from scratch.
Let me know what you find in the logs or after testing the minimal config.
*Von:* Marco Fioretti via dovecot<dovecot@dovecot.org> <dovecot@dovecot.org>
*Gesendet:* Mittwoch, 22. Januar 2025 um 00:32 MEZ
*An:* Dovecot<dovecot@dovecot.org> <dovecot@dovecot.org>
*Betreff:* FW: Fwd: [OFFLIST] Re: connection refused, no error anywhere
Hi Robert, I corrected the service imap-login section of both dovecot.conf AND conf.d/10-master.conf as you suggested,
The files in ssl_cert and ssl_key exist and are readable by dovecot. I have even changed for testing the permission of /etc/letsencrypt/live /etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output of ss -tuln | grep 993 is still null.
What next? Thanks
---------- Forwarded message --------- Da: Robert Nowotny<rnowotny@rotek.at> <rnowotny@rotek.at> Date: mar 21 gen 2025 alle ore 23:47 Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere To: Marco Fioretti<marco.fioretti@gmail.com> <marco.fioretti@gmail.com>
To resolve the connection refused error when accessing Dovecot on the new server, you need to adjust the Dovecot configuration to enable the appropriate IMAP service ports.
Enable IMAPS (Port 993) for Secure Connections:
- Modify the service imap-login section in your Dovecot configuration (likely in /etc/dovecot/conf.d/10-master.conf) to include an imaps listener:
service imap-login {
  inet_listener imap {
    port = 0 # Disables plain IMAP (port 143)
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
- This configuration disables plaintext IMAP on port 143 and enables IMAPS on port 993 with SSL.
Ensure SSL Certificates Are Correct:
- Verify the paths to your SSL certificate and key in /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
- Confirm the files exist and have proper permissions (readable by Dovecot).
Restart Dovecot:
sudo systemctl restart dovecot
Verify Dovecot is Listening:
sudo ss -tuln | grep 993
- You should see Dovecot listening on port 993.
Test the Connection Using SSL:
openssl s_client -connect example.com:993
- This should establish a secure connection to the IMAPS port.
Additional Recommendations:
- Disable Plaintext IMAP: Keeping port = 0 for the imap listener ensures unencrypted IMAP is disabled, enhancing security.
- Firewall Configuration: Confirm UFW allows port 993:
sudo ufw allow 993/tcp
By enabling IMAPS on port 993 and ensuring SSL is properly configured, secure email access will be restored. If you must use port 143 (not recommended), set port = 143 in the imap listener and enforce STARTTLS by adding ssl = required in your SSL configuration.
From: Marco Fioretti via dovecot <dovecot@dovecot.org>
Sent: Tuesday, 21 January 2025 at 23:22 CET
To: Dovecot <dovecot@dovecot.org>
Subject: FW: [OFFLIST] Re: connection refused, no error anywhere
---------- Forwarded message ---------
From: Marco Fioretti <marco.fioretti@gmail.com>
Date: Tue 21 Jan 2025 at 19:33
Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
To: Michael Peddemors <michael@linuxmagic.com>
Hi Michael,
I cannot say which NGO it is. What I know is that everything with that configuration was working fine, as far as they know, on the old server. So, any help to change the configuration to make it work with the current version of dovecot on Ubuntu 24.04 LTS is very welcome...
On Tue 21 Jan 2025 at 19:11, Michael Peddemors <michael@linuxmagic.com> wrote:
Which NGO?
Don't listen on port 143 any more, make sure to only listen on 587/465/993/995 with TLS/SSL..
NGO's are often targeted..
On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:
Greetings,
I was just tasked with rebuilding from scratch the mail server of an NGO, on a brand new Ubuntu 24.04 LTS VPS.
I have copied the whole dovecot configuration to the new server, and now am stuck because:
dovecot IS running, dovecot service status shows no errors, but:
if I try to connect with mutt from my desktop I get "connection refused"
the ufw firewall does allow imap/imaps connections, and there are no errors in its log
even "telnet localhost 143" fails:
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
I see no related errors in /var/log/mail.log or /var/log/syslog.
output of dovecot -n is pasted below, I only changed the actual domain name to "example.com"
TIA for any pointer, I really need to get this server back online as soon as possible...
Marco
# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
# OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
# Hostname: example.com
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
mbox_write_locks = fcntl
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
userdb {
  driver = passwd
}
verbose_ssl = yes
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
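A small checker, added here as an example and not code from anyone in this thread: it parses doveconf -n output in the brace format pasted above and reports which imap-login listeners would actually bind. It assumes Dovecot 2.3's built-in defaults (imap on 143, imaps on 993) are not overridden by another include and treats ssl = no as disabling the imaps listener; the sample config is constructed from the one Marco posted.

```python
import re

# Constructed sample modelled on the dovecot -n output posted in the thread:
# plain IMAP disabled with port = 0 and no explicit imaps block.
CONF_THREAD = """\
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_key =  # hidden, use -P to show it
"""
# Dovecot 2.3 built-in defaults for imap-login; assumed not overridden elsewhere.
DEFAULT_PORTS = {"imap": 143, "imaps": 993}


def parse_doveconf(text):
    """Parse doveconf's brace syntax into nested dicts; repeated blocks
    (e.g. two passdb sections) get the keys passdb, passdb#2, ..."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # strip comments
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            key, n = name, 1
            while key in cur:  # disambiguate repeated blocks
                n += 1
                key = f"{name}#{n}"
            cur[key] = {}
            stack.append(cur)
            cur = cur[key]
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
    return root


def enabled_listeners(conf):
    """Return {listener: port} for imap-login listeners that will actually bind:
    port = 0 disables a listener and ssl = no disables imaps whatever its port."""
    ports = dict(DEFAULT_PORTS)
    for key, block in conf.get("service imap-login", {}).items():
        if key.startswith("inet_listener "):
            name = key.split(None, 1)[1]
            ports[name] = int(block.get("port", ports.get(name, 0)))
    if conf.get("ssl") == "no":
        ports["imaps"] = 0
    return {name: port for name, port in ports.items() if port}
```

Run it against the real dump (doveconf -n) on the host: if it still reports imaps on 993 while ss shows nothing bound, the listener block is not the cause and the logs are the next place to look.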
Robert Nowotny via dovecot skrev den 2025-01-22 20:16:
Hey Marco, this is what to do:
dovecot starts as root, and drops privileges later, so grouping it non-root is a security problem on its own :)
certbot creates letsencrypt pem files owned by root and grouped root, only the private key can't be read by other users than root
don't make it more complicated
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ls -lr /etc/letsencrypt/live/
dovecot starts as root, and drops privileges later, so grouping it non-root is a security problem on its own :)
certbot creates letsencrypt pem files owned by root and grouped root, only the private key can't be read by other users than root
wtf letsencrypt still requires root?? What an amateur club there. I am using this, without root, then you can easily switch to zerossl. https://github.com/acmesh-official/acme.sh
Marc via dovecot skrev den 2025-01-23 09:21:
1k issues ?, how is this better ?
I have had 0 issues in 2-3 years. Besides, what can the issues be with some shell scripting? Better than having some code running as root.
I guess you see issues here, because if you ask at letsencrypt who can you sue if they issue a false certificate, why they are not hosting in Europe, why they run as root, you get blocked.
Oh, forgot: letsencrypt also does not like it when you ask about their IP ranges and when you redirect DNS of the Amazon cloud to different zone files. So basically, when you use letsencrypt, you automatically have to open up your webserver (unless you alter your environment on renewals) to Amazon abuse. I told these guys from zerossl about this and that they should use a dedicated range to fall back on, and I think they did, because I don't have timeouts any more because of blocked ranges. These people at zerossl have brains: if you tell them about something, how they can make it better, they consider it and apply these changes.
If you put all that into Docker you can mitigate the privilege issue - you only need to chown the letsencrypt files as needed while copying them to the directories for the dovecot certificates.
On 23 January 2025 at 09:34, "Marc via dovecot" <dovecot@dovecot.org> wrote:
I have 0 issues 2-3 years. Besides what can be the issues with some shell scripting. Better than having some code running as root.
I guess you see issues here, because if you ask at letsencrypt who can you sue if they issue a false certificate, why they are not hosting in Europe, why they run as root, you get blocked. (...)
For a 200kb task that runs once a day/week? I think you can just run this certbot stuff under a different user, people are probably just too 'lazy' to adapt this.
participants (6): Benny Pedersen, Marc, Marco Fioretti, Nick Howitt, Robert Nowotny, Schulz