follow up to my mail issues I posted about

Thu Dec 3 05:22:22 EET 2020

Okay. A few days late, but I've gone through the replies I received from 
several of you and consolidated responses into one mail. Of course life 
gets crazy when I need to sit down and work on things.

"It seems to me Thunderbird is struggling to write to the Sent mailbox, 
so disk space, and file permissions are the obvious ones to check. And 
yes, on the server rather than your local machine, as you're using IMAP"

It's definitely not disc space. I wouldn't think an upgrade would change 
permissions, but it's a place to check. I'm showing my newbieness here 
but, I'm not even sure what account should have access to those files. I 
know, it's a miracle I got all this working in the first place. I should 
have taken notes, but I did so much fiddling with this and that to make 
it behave that I didn't know what to write down.

"Anything interesting in the dovecot logs at the time when you check?"

So I looked up dovecot logs on google, and what I'm seeing is that 
dovecot generally writes to mail logs under /var/log. The stuff I sent 
in my first email came from mail.err in that folder. The only other file 
I could find was mail.log. Using tail on that file, I see entries like 
these.
Dec  2 20:53:07 kylesmith-music postfix/smtpd[396853]: warning: 
unknown[212.70.149.37]: SASL LOGIN authentication failed: 
UGFzc3dvcmQ6                                              Dec  2 
20:53:07 kylesmith-music postfix/smtpd[396853]: disconnect from 
unknown[212.70.149.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
There are similar entries from a different ip address, but interestingly 
neither match the ip address of our fiber modem so I have no idea what's 
going on there.

"First, do you have a backup prior to upgrading the server? You may want 
to refer to that to get a clean idea of how the configuration was set up 
initially. Sometimes the upgrade process can reset configuration files 
and its usually easier to work from a known working configuration. "

I really wish I did, but I'm not sure how to effectively back up a VPS.

"Second, can you describe how you set the mail stack you are using up?"

I can tell you it's postfix and dovecot. That's what a lot of articles 
recommended, so I went with that. We use different devices so I chose to 
use imap as it interfaces directly with the stored mail on the server. 
Usually this is good, except now when it breaks.

"Its possible the issue is SSL related but its difficult to say. There 
have been a number of breaks with SSL encryption in recent years which 
is why the cipher list has been adjusted,"

SSL is definitely my weakest point of knowledge. I know I had it working 
smoothly but it was basically following how to stuff. The reason we're 
using it even for mail has to do with someone in my husband's life who 
would get in and mess things up if he had the chance, so I'm trying to 
make sure he doesn't have that chance by locking things down tight.

"google can also be out of date I'd recommend using a date filter when 
using it for checking configurations and limit it only to the last 1-2 
years as you will get more relevant information typically."

Oh my gosh, that alone would be extremely helpful. The number of 
seriously outdated articles I had to filter through when I set this up 
in the first place is just unreal. Mind telling me how to do a date 
filter? Otherwise, I'll google how to use google, hahaha.

"The configuration parameter for the cipher list uses HIGH as a default 
profile and if I recall correctly that disables lower TLS versions that 
are susceptible to certain types of attacks. (SSL3,TLS1,TLS1.1,1.2 I 
think) The dovecot documentation explains what the defaults are for 
HIGH. The ! prevents using specifica protocols and configuration is 
usually a chain (processed from left to right until a match is found). 
DH is the diffie-helman exchange. Usually this file is recalculated on a 
per server basis to prevent pre-calculation attacks on SSL and usually 
it must meet a certain key length. DH Groups 1 and 2 are known to be 
insecure."

Okay, that went way over my head, but it sounds like good information to 
have and study up more on, hopefully after I get the immediate issue 
solved. If I'm following you correctly at all though I could see that 
potentially being my issue, hmm. I will for sure see if I can get my 
hands on that book.

"Some quick thoughts here — if the changes you mentioned did not solve 
the issue, I would definitely comment those back out so you are only 
troubleshooting one thing at a time."

Fair point. I commented out the one about dh high, then hopefully 
reloaded the configuration, dovecot reload? That done, I tried sending 
an email from the domain to my gmail using thunderbird. I got the same 
message, but it did actually send this time. However, when I replied to 
the test message with my gmail account, it wasn't received by 
thunderbird. I do see it using the mail app on the server, though.

"Next, are you able to send email using any other client?"
I can send mail locally on the server from one account to another for 
sure. I managed it once, at least. Those mail clients seem clunky though 
so I may not be doing things correctly to test.

"Third, try disabling all SSL and see if you are able to send via 
Thunderbird or really, any client at all…"

Is there an easy way to disable ssl for now and then reenable it? That 
would definitely help narrow this down.

"Your DH parameters are too weak. You should generate at least 2048 byte 
parameters."

To be honest, I don't even recall setting up DH parameters. I would 
guess that probably happened when I was setting up ssl?

Again, thank you to each of you for helping with this. I really try not 
to send stuff like this to mailing lists that are technical in nature, 
but this is important business mail he's potentially missing and I'm a 
bit out of my league. First project once this gets fixed will be 
learning how to back up the server.

Christy