Hi Robert, and all.

As I mentioned in a previous reply, everything started to work when I added "protocols = imap" to dovecot.conf.

However, following your advice, I have removed the service imap-login section from dovecot.conf, and checked again the permission of the key file and its parent directory: the unexpected thing is that the file and the folder were (in the old server, I mean) owned by root, group ssl_cert. I guess this is because the same certificates were used by the website, which I also have to rebuild next week. So I will have to add dovecot and the httpd user to that group, I think. No?

Thanks,
Marco

On Wed, 22 Jan 2025 at 08:46, Robert Nowotny <rnowo...@rotek.at> wrote:

> marco,
>
> Dovecot configurations are split across multiple files. If service imap-login is defined in both dovecot.conf and conf.d/10-master.conf, this can cause conflicts.
>
> Fix:
>
> Remove the service imap-login block from dovecot.conf (keep it only in 10-master.conf).
>
> Ensure 10-master.conf contains:
>
> service imap-login {
>   inet_listener imap {
>     port = 0 # Disable plain IMAP
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
>
> 2. SSL Certificate Permissions
> Even if paths are correct, key permissions often cause silent failures.
>
> Verify:
>
> sudo ls -l /etc/letsencrypt/live/example.com/privkey.pem
>
> The key must be readable only by Dovecot:
>
> sudo chmod 0600 /etc/letsencrypt/live/example.com/privkey.pem
> sudo chown dovecot:dovecot /etc/letsencrypt/live/example.com/privkey.pem
>
> Ensure /etc/letsencrypt/live and /etc/letsencrypt/archive are owned by root:root (not world-writable).
>
> 3. Check for Configuration Errors
>
> sudo doveconf -n
>
> Look for warnings (e.g., certificate path typos, deprecated settings). If you see ssl_dh_parameters_length, remove it (it's obsolete).
>
> 4. Dovecot Service Status
> Check if Dovecot actually restarted:
>
> sudo systemctl status dovecot
>
> Look for errors like:
>
> Failed to listen on *:993 (port conflict)
> SSL_CTX_use_PrivateKey_file failed (certificate issues).
>
> 5. Port Binding
> If Dovecot is running but not binding to 993, check if another service (e.g., stunnel, nginx) is using port 993:
>
> sudo ss -tulpn | grep ':993'
>
> If yes, stop the conflicting service.
>
> 6. Test with Minimal Configuration
> Create a minimal config to isolate the issue:
>
> sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup
>
> echo "ssl = required
> ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
> protocols = imap
> service imap-login {
>   inet_listener imaps { port = 993 }
> }" | sudo tee /etc/dovecot/dovecot.conf
> sudo systemctl restart dovecot
>
> If this works, your original config has conflicting settings.
>
> 7. Logs
> Key command:
>
> sudo journalctl -u dovecot --since "5 minutes ago" | grep -iE 'error|warning|imap-login'
>
> Look for lines like:
>
> Couldn't listen on *:993: Address already in use
> SSL_CTX_use_PrivateKey_file: error:0A080086...
>
> 8. Reinstall Dovecot (Last Resort)
> If all else fails:
>
> sudo apt purge dovecot-core dovecot-imapd
> sudo rm -rf /etc/dovecot # Backup first!
> sudo apt install dovecot-core dovecot-imapd
>
> Then rebuild your config from scratch.
>
> Let me know what you find in the logs or after testing the minimal config.
>
>
> From: Marco Fioretti via dovecot <dovecot@dovecot.org>
> Sent: Wednesday, 22 January 2025 at 00:32 CET
> To: Dovecot <dovecot@dovecot.org>
> Subject: FW: Fwd: [OFFLIST] Re: connection refused, no error anywhere
>
> Hi Robert,
> I corrected the service imap-login section of both dovecot.conf AND conf.d/10-master.conf as you suggested.
>
> The files in ssl_cert and ssl_key exist and are readable by dovecot. I have even changed for testing the permission of /etc/letsencrypt/live /etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output of ss -tuln | grep 993 is still null.
>
> What next?
> Thanks
>
> ---------- Forwarded message ---------
> From: Robert Nowotny <rnowo...@rotek.at>
> Date: Tue, 21 Jan 2025 at 23:47
> Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere
> To: Marco Fioretti <marco.fiore...@gmail.com>
>
> To resolve the connection refused error when accessing Dovecot on the new server, you need to adjust the Dovecot configuration to enable the appropriate IMAP service ports.
>
> 1. Enable IMAPS (Port 993) for Secure Connections:
> - Modify the `service imap-login` section in your Dovecot configuration (likely in `/etc/dovecot/conf.d/10-master.conf`) to include an `imaps` listener:
> ```conf
> service imap-login {
>   inet_listener imap {
>     port = 0 # Disables plain IMAP (port 143)
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> ```
> - This configuration disables plaintext IMAP on port 143 and enables IMAPS on port 993 with SSL.
>
> 2. Ensure SSL Certificates Are Correct:
> - Verify the paths to your SSL certificate and key in `/etc/dovecot/conf.d/10-ssl.conf`:
> ```conf
> ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
> ```
> - Confirm the files exist and have proper permissions (readable by Dovecot).
>
> 3. Restart Dovecot:
> ```bash
> sudo systemctl restart dovecot
> ```
>
> 4. Verify Dovecot is Listening:
> ```bash
> sudo ss -tuln | grep 993
> ```
> - You should see Dovecot listening on port 993.
>
> 5. Test the Connection Using SSL:
> ```bash
> openssl s_client -connect example.com:993
> ```
> - This should establish a secure connection to the IMAPS port.
>
> Additional Recommendations:
> - Disable Plaintext IMAP: Keeping `port = 0` for the `imap` listener ensures unencrypted IMAP is disabled, enhancing security.
> - Firewall Configuration: Confirm UFW allows port 993:
> ```bash
> sudo ufw allow 993/tcp
> ```
>
> By enabling IMAPS on port 993 and ensuring SSL is properly configured, secure email access will be restored. If you must use port 143 (not recommended), set `port = 143` in the `imap` listener and enforce STARTTLS by adding `ssl = required` in your SSL configuration.
>
>
> From: Marco Fioretti via dovecot <dovecot@dovecot.org>
> Sent: Tuesday, 21 January 2025 at 23:22 CET
> To: Dovecot <dovecot@dovecot.org>
> Subject: FW: [OFFLIST] Re: connection refused, no error anywhere
>
> ---------- Forwarded message ---------
> From: Marco Fioretti <marco.fiore...@gmail.com>
> Date: Tue, 21 Jan 2025 at 19:33
> Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
> To: Michael Peddemors <mich...@linuxmagic.com>
>
> Hi Michael,
>
> I cannot say which NGO it is. What I know is that everything with that configuration was working fine, as far as they know, on the old server. So, any help to change the configuration to make it work with the current version of dovecot on Ubuntu 24.04 LTS is very welcome...
>
> On Tue, 21 Jan 2025 at 19:11, Michael Peddemors <mich...@linuxmagic.com> wrote:
>
> > Which NGO?
> >
> > Don't listen on port 143 any more, make sure to only listen on 587/465/993/995 with TLS/SSL..
> >
> > NGO's are often targeted..
> >
> > On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:
> > > Greetings,
> > >
> > > I was just tasked with rebuilding from scratch the mail server of an NGO, on a brand new Ubuntu 24.04 LTS VPS.
> > >
> > > I have copied the whole dovecot configuration to the new server, and now am stuck because:
> > >
> > > - dovecot IS running, dovecot service status shows no errors, but:
> > > - if I try to connect with mutt from my desktop I get "connection refused"
> > > - the ufw firewall does allow imap/imaps connections, and there are no errors in its log
> > > - even "telnet localhost 143" fails:
> > >   Trying ::1...
> > >   Connection failed: Connection refused
> > >   Trying 127.0.0.1...
> > >   telnet: Unable to connect to remote host: Connection refused
> > > - I see no related errors in /var/log/mail.log or /var/log/syslog.
> > >
> > > output of dovecot -n is pasted below, I only changed the actual domain name to "example.com"
> > >
> > > TIA for any pointer, I really need to get this server back online as soon as possible...
> > >
> > > Marco
> > >
> > > # 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
> > > # Pigeonhole version 0.5.21 (f6cd4b8e)
> > > doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
> > > doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
> > > # OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
> > > # Hostname: example.com
> > > auth_debug = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > mail_location = maildir:/var/mail/mymail_storage/base/
> > > mbox_write_locks = fcntl
> > > passdb {
> > >   args = /etc/imap.v_users
> > >   driver = passwd-file
> > > }
> > > passdb {
> > >   driver = pam
> > > }
> > > service auth {
> > >   unix_listener /var/spool/postfix/private/auth {
> > >     group = postfix
> > >     mode = 0660
> > >     user = postfix
> > >   }
> > > }
> > > service imap-login {
> > >   inet_listener imap {
> > >     port = 0
> > >   }
> > > }
> > > ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
> > > ssl_cipher_list = ALL
> > > ssl_key = # hidden, use -P to show it
> > > ssl_prefer_server_ciphers = yes
> > > userdb {
> > >   args = /etc/imap.v_users
> > >   driver = passwd-file
> > > }
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > > _______________________________________________
> > > dovecot mailing list -- dovecot@dovecot.org
> > > To unsubscribe send an email to dovecot-le...@dovecot.org
> >
> > --
> > "Catch the Magic of Linux..."
> > ------------------------------------------------------------------------
> > Michael Peddemors, President/CEO LinuxMagic Inc.
> > Visit us at http://www.linuxmagic.com @linuxmagic
> > A Wizard IT Company - For More Info http://www.wizard.ca
> > "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
> > ------------------------------------------------------------------------
> > 604-682-0300 Beautiful British Columbia, Canada
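The thread narrows the "connection refused" down to two things worth checking mechanically on any rebuilt server: whether the `service imap-login` block actually defines an `imaps` listener on a real port (the posted `doveconf -n` dump only had `inet_listener imap { port = 0 }`), and whether the TLS private key carries group or world read bits. The script below is an added example, not code from any message in this thread or from Dovecot. It assumes only POSIX sh, awk, ls, cut and mktemp, so it runs offline without Dovecot installed; the two configuration excerpts it examines are constructed from the dump and the fix quoted above, and the key file is a constructed temporary stand-in for `privkey.pem`. On a real host you would point `imaps_port` at the saved output of `doveconf -n` and `key_mode_ok` at the actual key path.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread or from Dovecot):
# checks a saved "doveconf -n" dump and a TLS key file for the two causes
# discussed above. Needs only POSIX sh, awk, ls, cut and mktemp.

# Print the port of the "inet_listener imaps" block inside "service imap-login"
# in the doveconf -n dump $1, or "none" if that listener is not defined at all.
# doveconf -n prints one setting per line, so a brace-depth counter suffices.
imaps_port() {
  awk '
    /[{][ \t]*$/ {                                 # a block opens
      depth++
      if ($0 ~ /^service imap-login/)        svc = depth
      if (svc && $0 ~ /inet_listener imaps/) imaps = depth
      next
    }
    /^[ \t]*[}][ \t]*$/ {                          # a block closes
      if (imaps == depth) imaps = 0
      if (svc == depth)   svc = 0
      depth--
      next
    }
    svc && imaps && /^[ \t]*port[ \t]*=/ {
      sub(/^[ \t]*port[ \t]*=[ \t]*/, "")          # keep only the value ...
      sub(/[ \t]*#.*$/, "")                        # ... minus a trailing comment
      port = $0
    }
    END { print (port == "" ? "none" : port) }
  ' "$1"
}

# Print the value of "protocols" from the dump $1, or "unset" when absent
# (doveconf -n only prints settings that differ from the compiled-in defaults).
protocols_value() {
  awk '
    /^protocols[ \t]*=/ { sub(/^protocols[ \t]*=[ \t]*/, ""); val = $0 }
    END { print (val == "" ? "unset" : val) }
  ' "$1"
}

# Succeed only if $1 carries no group or world read bit (mode 0600 or 0400),
# which is what the chmod 0600 step in the thread enforces.
key_mode_ok() {
  perms=$(ls -ld "$1" | cut -c1-10)
  case "$perms" in
    -r??------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print "owner:group" of $1, to spot a key shared with a web-server group
# (root:ssl_cert on the old server in the thread) rather than a single owner.
key_owner() {
  ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# ---- demonstration on constructed input -----------------------------------
# Constructed excerpt modelled on the doveconf -n dump quoted in the thread:
# the plain imap listener is on port 0 and no imaps listener exists.
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
service imap-login {
inet_listener imap {
port = 0
}
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = # hidden, use -P to show it
EOF

# Constructed excerpt with the fix proposed in the thread applied.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
protocols = imap
service imap-login {
inet_listener imap {
port = 0 # Disable plain IMAP
}
inet_listener imaps {
port = 993
ssl = yes
}
}
EOF

report() {
  printf '%s: imaps port=%s protocols=%s\n' "$1" "$(imaps_port "$2")" "$(protocols_value "$2")"
}
report broken "$BROKEN"   # broken: imaps port=none protocols=unset
report fixed  "$FIXED"    # fixed: imaps port=993 protocols=imap

# Constructed stand-in for privkey.pem: 0644 fails the check, 0600 passes.
KEY=$(mktemp)
chmod 0644 "$KEY"
key_mode_ok "$KEY" || echo "key $(key_owner "$KEY") is group/world readable"
chmod 0600 "$KEY"
key_mode_ok "$KEY" && echo "key mode ok"
rm -f "$BROKEN" "$FIXED" "$KEY"
```

The depth counter matters because `doveconf -n` nests `inet_listener` blocks inside `service imap-login` and a naive `grep 993` would also match an `imaps` listener sitting in an unrelated block, or miss a listener whose port line carries a trailing comment. `key_mode_ok` deliberately reports only the mode; who should own the key is the question Marco raises above and is left to the operator.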