Hey Marco,
this is what to do:

1. Group Membership for SSL Certificates
   - Add Users to `ssl-cert` Group:
     On Ubuntu, the default group for SSL certificates is `ssl-cert`, not `ssl_cert`. Confirm with:
     ```bash
     ls -l /etc/letsencrypt/live/example.com/privkey.pem
     ```
     If the group is `ssl-cert`, add Dovecot and the web server user (e.g., `www-data`) to it:
     ```bash
     sudo usermod -aG ssl-cert dovecot
     sudo usermod -aG ssl-cert www-data  # Replace with your HTTP server user
     ```
   - Verify Group Membership:
     ```bash
     groups dovecot  # Should show "ssl-cert"
     ```

2. Certificate Permissions
   - Private Key Permissions:
     Ensure strict permissions (readable only by `root` and `ssl-cert` group):
     ```bash
     sudo chmod 0640 /etc/letsencrypt/live/example.com/privkey.pem
     sudo chown root:ssl-cert /etc/letsencrypt/live/example.com/privkey.pem
     ```
   - Directory Permissions:
     Ensure parent directories are secure (e.g., `/etc/letsencrypt/live`):
     ```bash
     sudo chmod 0755 /etc/letsencrypt/{live,archive}
     sudo chown root:root /etc/letsencrypt/{live,archive}
     ```

3. Dovecot Configuration
   - Explicitly Enable IMAP Protocol:
     Adding `protocols = imap` ensures IMAP is enabled. Verify with:
     ```bash
     doveconf -n | grep protocols
     ```
   - Avoid Redundant Configurations


4. Restart Services
   ```bash
   sudo systemctl restart dovecot
   sudo systemctl restart apache2  # Or nginx, depending on your HTTP server
   ```

5. Final Verification
   - Check Port 993 Binding:
     ```bash
     sudo ss -tuln | grep 993
     ```
   - Test SSL Connection:
     ```bash
     openssl s_client -connect example.com:993
     ```
     Look for `SSL handshake` success and certificate details.


Key Issues:
Group Membership: Adding users to `ssl-cert` (not `ssl_cert`) allows shared certificate access securely.
Protocols Directive: Explicitly setting `protocols = imap` avoids relying on defaults, which may vary between versions of dovecot.
Permissions: Tight control over private keys prevents silent failures.
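Added example, not part of the thread and not Robert's or Marco's commands: a POSIX shell script that performs the permission and group checks in the steps above, with two details those steps gloss over. First, `/etc/letsencrypt/live/example.com/privkey.pem` is a symlink into `archive/`, so `ls -l` on it reports the link's own `lrwxrwxrwx`, not the key's mode; the script uses `stat -L` to look at the target. Second, a key that does not belong to the certificate it is paired with is another way to end up with a Dovecot that does not serve IMAPS, so the script also compares the two public keys with `openssl`. One caveat on what these checks are for: Dovecot's SSL documentation states that files given as `ssl_cert = <...` and `ssl_key = <...` are opened as root before privileges are dropped, so the dovecot user does not need read access to the key; what the mode and ownership checks buy you is that nobody else has it. Assumes Linux with GNU coreutils and OpenSSL; the paths, the `ssl-cert` group and the `dovecot`/`www-data` accounts are the thread's example values, and the demo at the end runs on a throwaway key it generates itself.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux (GNU stat) and OpenSSL.
# The real paths/group (/etc/letsencrypt/live/example.com/..., ssl-cert) are
# the thread's example values; the demo at the bottom uses a throwaway key.

# "<octal mode> <owner>:<group> <path>" for the file a key path resolves to.
# stat -L follows symlinks: certbot's live/*.pem are links into archive/, and
# plain ls -l on them shows the link's lrwxrwxrwx, not the key's own bits.
key_facts() {
    stat -L -c '%a %U:%G %n' "$1"
}

# 0 if the resolved key is 0640 or stricter: nothing for "other", group read-only at most.
key_mode_ok() {
    mode=$(stat -L -c '%a' "$1") || return 1
    mode=${mode#${mode%???}}            # last three octal digits (drops a leading sticky/setuid digit)
    group=${mode%?}; group=${group#?}   # middle digit
    other=${mode#??}                    # last digit
    [ "$other" -eq 0 ] && { [ "$group" -eq 0 ] || [ "$group" -eq 4 ]; }
}

# 0 if the resolved key is owned by root and by GROUP (root:ssl-cert in the steps above).
key_owner_ok() {   # key_owner_ok KEY GROUP
    [ "$(stat -L -c '%U:%G' "$1")" = "root:$2" ]
}

# 0 if USER is in GROUP, primary or supplementary (what usermod -aG adds).
user_in_group() {   # user_in_group USER GROUP
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# 0 if DIR is not world-writable (the check on live/ and archive/).
dir_not_world_writable() {
    mode=$(stat -L -c '%a' "$1") || return 1
    case ${mode#${mode%?}} in 2|3|6|7) return 1 ;; esac
}

# 0 if CERT's public key equals the one derived from KEY; a key that belongs
# to some other certificate is useless to Dovecot however its permissions look.
cert_matches_key() {   # cert_matches_key CERT KEY
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Run all checks and print one line each; USER... are the accounts that must be in GROUP.
audit_key() {   # audit_key KEY CERT GROUP USER...
    key=$1; cert=$2; group=$3; shift 3
    key_facts "$key"
    key_mode_ok "$key"              && echo "ok   mode is 0640 or stricter" || echo "FAIL mode too open (want 0640 or stricter)"
    key_owner_ok "$key" "$group"    && echo "ok   owner root:$group"        || echo "FAIL owner is not root:$group"
    cert_matches_key "$cert" "$key" && echo "ok   cert and key match"       || echo "FAIL cert and key do not match"
    for u in "$@"; do
        user_in_group "$u" "$group" && echo "ok   $u is in $group" || echo "FAIL $u is not in $group"
    done
    return 0
}

# Demo on a throwaway self-signed pair so the script runs anywhere. On the server:
#   audit_key /etc/letsencrypt/live/example.com/privkey.pem \
#             /etc/letsencrypt/live/example.com/fullchain.pem ssl-cert dovecot www-data
DEMO=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.com \
        -keyout "$DEMO/privkey.pem" -out "$DEMO/fullchain.pem" >/dev/null 2>&1
else
    : > "$DEMO/privkey.pem"; : > "$DEMO/fullchain.pem"
fi
chmod 0644 "$DEMO/privkey.pem"   # deliberately too open, so the mode check fails in the demo
audit_key "$DEMO/privkey.pem" "$DEMO/fullchain.pem" "$(id -gn)" "$(id -un)"
```

The demo reports FAIL for the mode line on purpose; on a real server every line should read `ok` before you restart Dovecot, and the `owner` line is the one that tells you whether the `chown root:ssl-cert` step actually landed on the file in `archive/` rather than on the symlink.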



*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Wednesday, 22 January 2025 at 17:37 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* RE: Fwd: Fwd: [OFFLIST] Re: connection refused, no error anywhere


Hi Robert, and all.

As I mentioned in a previous reply, everything started to work when I
added "protocols = imap" to dovecot.conf.

However, following your advice, I have removed the service imap-login
section from dovecot.conf, and checked again the permission of the key file
and its parent directory: the unexpected thing is that the file and the
folder were (in the old server, I mean) owned by root, group ssl_cert. I
guess this is because the same certificates were used by the website, which
I also have to rebuild next week. So I will have to add dovecot and the
httpd user to that group, I think. No?

Thanks,
Marco



On Wed, 22 Jan 2025 at 08:46, Robert Nowotny <rnowo...@rotek.at> wrote:

marco,

Dovecot configurations are split across multiple files. If service
imap-login is defined in both dovecot.conf and conf.d/10-master.conf, this
can cause conflicts.

Fix:

Remove the service imap-login block from dovecot.conf (keep it only in
10-master.conf).

Ensure 10-master.conf contains:

service imap-login {
   inet_listener imap {
     port = 0  # Disable plain IMAP
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}

2. SSL Certificate Permissions
Even if paths are correct, key permissions often cause silent failures.

Verify:

sudo ls -l /etc/letsencrypt/live/example.com/privkey.pem
the Key must be readable only by Dovecot

sudo chmod 0600 /etc/letsencrypt/live/example.com/privkey.pem
sudo chown dovecot:dovecot /etc/letsencrypt/live/example.com/privkey.pem

Ensure /etc/letsencrypt/live and /etc/letsencrypt/archive are owned by
root:root (not world-writable).

3. Check for Configuration Errors

sudo doveconf -n
Look for warnings (e.g., certificate path typos, deprecated settings).

If you see ssl_dh_parameters_length, remove it (it’s obsolete).

4. Dovecot Service Status
Check if Dovecot actually restarted:
sudo systemctl status dovecot

Look for errors like:

Failed to listen on *:993 (port conflict)
SSL_CTX_use_PrivateKey_file failed (certificate issues).

5. Port Binding
If Dovecot is running but not binding to 993:
Check if another service (e.g., stunnel, nginx) is using port 993:

sudo ss -tulpn | grep ':993'
If yes, stop the conflicting service.

6. Test with Minimal Configuration
Create a minimal config to isolate the issue:

sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup

echo "ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
protocols = imap
service imap-login {
   inet_listener imaps { port = 993 }
}" | sudo tee /etc/dovecot/dovecot.conf
sudo systemctl restart dovecot
If this works, your original config has conflicting settings.

7. Logs
Key command:
sudo journalctl -u dovecot --since "5 minutes ago" | grep -iE 'error|warning|imap-login'

Look for lines like:

Couldn't listen on *:993: Address already in use
SSL_CTX_use_PrivateKey_file: error:0A080086...

8. Reinstall Dovecot (Last Resort)
If all else fails:

sudo apt purge dovecot-core dovecot-imapd
sudo rm -rf /etc/dovecot  # Backup first!
sudo apt install dovecot-core dovecot-imapd
Then rebuild your config from scratch.

Let me know what you find in the logs or after testing the minimal config.



*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Wednesday, 22 January 2025 at 00:32 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: Fwd: [OFFLIST] Re: connection refused, no error anywhere

Hi Robert,
I corrected the service imap-login section of both dovecot.conf AND
conf.d/10-master.conf as you suggested.

The files in ssl_cert and ssl_key exist and are readable by dovecot. I have
even changed for testing the permission of /etc/letsencrypt/live
/etc/letsencrypt/archive to 0755 and restarted dovecot. However, the output
of ss -tuln | grep 993 is still null.

What next? Thanks

---------- Forwarded message ---------
From: Robert Nowotny <rnowo...@rotek.at>
Date: Tue, 21 Jan 2025 at 23:47
Subject: RE: Fwd: [OFFLIST] Re: connection refused, no error anywhere
To: Marco Fioretti <marco.fiore...@gmail.com>


To resolve the connection refused error when accessing Dovecot on the new
server, you need to adjust the Dovecot configuration to enable the
appropriate IMAP service ports.

1. Enable IMAPS (Port 993) for Secure Connections:
    - Modify the `service imap-login` section in your Dovecot configuration
(likely in `/etc/dovecot/conf.d/10-master.conf`) to include an `imaps`
listener:
      ```conf
      service imap-login {
        inet_listener imap {
          port = 0  # Disables plain IMAP (port 143)
        }
        inet_listener imaps {
          port = 993
          ssl = yes
        }
      }
      ```
    - This configuration disables plaintext IMAP on port 143 and enables
IMAPS on port 993 with SSL.

2. Ensure SSL Certificates Are Correct:
    - Verify the paths to your SSL certificate and key in
`/etc/dovecot/conf.d/10-ssl.conf`:
      ```conf
      ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
      ```
    - Confirm the files exist and have proper permissions (readable by
Dovecot).

3. Restart Dovecot:
    ```bash
    sudo systemctl restart dovecot
    ```

4. Verify Dovecot is Listening:
    ```bash
    sudo ss -tuln | grep 993
    ```
    - You should see Dovecot listening on port 993.

5. Test the Connection Using SSL:
    ```bash
    openssl s_client -connect example.com:993
    ```
    - This should establish a secure connection to the IMAPS port.

Additional Recommendations:
- Disable Plaintext IMAP: Keeping `port = 0` for the `imap` listener
ensures unencrypted IMAP is disabled, enhancing security.
- Firewall Configuration: Confirm UFW allows port 993:
   ```bash
   sudo ufw allow 993/tcp
   ```

By enabling IMAPS on port 993 and ensuring SSL is properly configured,
secure email access will be restored. If you must use port 143 (not
recommended), set `port = 143` in the `imap` listener and enforce STARTTLS
by adding `ssl = required` in your SSL configuration.
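Added example, not part of the thread: a shell/awk checker for the two settings the steps above touch, the `imap-login` listeners and `protocols`. It reads a full `doveconf` dump (`doveconf > /tmp/dovecot.dump`) rather than `doveconf -n`, because `-n` prints only values that differ from the defaults and therefore omits any listener still at its default port, which makes `-n` output a poor basis for deciding why `ss` shows nothing on 993. Assumptions: the two-space-indented `service name { inet_listener name { key = value } }` layout doveconf prints; the two dumps fed to it are constructed here, one to reproduce the symptom (no listener with a port, empty `protocols`) and one matching the `service imap-login` block above plus `protocols = imap`. `imaps_greeting` is the live version of the `openssl s_client` step and needs a reachable server, so the demo does not call it.

```shell
#!/bin/sh
# Added example, not from the thread. Input format assumed: a full `doveconf`
# dump (two-space indented blocks), e.g. `doveconf > /tmp/dovecot.dump`.

# Print "name port ssl=<yes|no>" for every imap-login inet_listener whose port is not 0.
active_listeners() {   # active_listeners DUMPFILE
    awk '
        $0 ~ /[{][[:space:]]*$/ {                     # a block opens on this line
            depth++
            if (depth == 1 && $1 == "service" && $2 == "imap-login") in_svc = 1
            else if (in_svc && depth == 2 && $1 == "inet_listener") { name = $2; port = ""; ssl = "no" }
            next
        }
        $1 == "}" {                                   # a block closes
            if (in_svc && depth == 2 && name != "") {
                if (port != "" && port != "0") print name, port, "ssl=" ssl
                name = ""
            }
            if (depth == 1) in_svc = 0
            depth--
            next
        }
        in_svc && depth == 2 && name != "" {          # "key = value" inside a listener
            if ($1 == "port") port = $3
            if ($1 == "ssl")  ssl  = $3
        }
    ' "$1"
}

# 0 if the top-level "protocols = ..." line lists PROTO (e.g. imap).
protocols_has() {   # protocols_has DUMPFILE PROTO
    awk -v want="$2" '
        $1 == "protocols" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 if a plaintext IMAP listener (the one named "imap") would bind, which the thread advises against.
plaintext_imap_enabled() {   # plaintext_imap_enabled DUMPFILE
    active_listeners "$1" | grep -q '^imap '
}

# Human-readable summary of both checks for one dump.
report() {   # report DUMPFILE
    echo "== $1"
    protocols_has "$1" imap && echo "ok   protocols includes imap" \
                            || echo "FAIL protocols does not include imap"
    listeners=$(active_listeners "$1")
    [ -n "$listeners" ] && printf 'ok   listeners that will bind:\n%s\n' "$listeners" \
                        || echo "FAIL no imap-login listener has a port (ss will show nothing on 143/993)"
    plaintext_imap_enabled "$1" && echo "WARN plaintext imap listener enabled; set port = 0 on it"
    return 0
}

# Live check for the openssl s_client step: send LOGOUT so the server closes the
# connection, keep only the greeting line. Needs a reachable server; not run by the demo.
imaps_greeting() {   # imaps_greeting HOST [PORT]
    printf 'a LOGOUT\r\n' | openssl s_client -connect "$1:${2:-993}" -servername "$1" -quiet 2>/dev/null | head -n 1
}

# Constructed dump reproducing the symptom: empty protocols, no listener with a port.
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
protocols =
service imap-login {
  executable = imap-login
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 0
    ssl = yes
  }
}
EOF

# Constructed dump after the suggested imap-login block plus protocols = imap.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
protocols = imap
service imap-login {
  executable = imap-login
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
EOF

report "$BROKEN"
report "$FIXED"
```

On a server, `doveconf > /tmp/dovecot.dump && report /tmp/dovecot.dump` runs the same checks against the live configuration, and `imaps_greeting example.com` should print Dovecot's `* OK [CAPABILITY ...]` greeting once port 993 is up.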



*From:* Marco Fioretti via dovecot <dovecot@dovecot.org>
*Sent:* Tuesday, 21 January 2025 at 23:22 CET
*To:* Dovecot <dovecot@dovecot.org>
*Subject:* FW: [OFFLIST] Re: connection refused, no error anywhere

---------- Forwarded message ---------
From: Marco Fioretti <marco.fiore...@gmail.com>
Date: Tue, 21 Jan 2025 at 19:33
Subject: Re: [OFFLIST] Re: connection refused, no error anywhere
To: Michael Peddemors <mich...@linuxmagic.com>


Hi Michael,

I cannot say which NGO it is. What I know is that everything with that
configuration was working fine, as far as they know, on the old server. So,
any help to change the configuration to make it work with the current
version of dovecot on Ubuntu 24.04LTS is very welcome...

On Tue, 21 Jan 2025 at 19:11, Michael Peddemors <mich...@linuxmagic.com> wrote:


Which NGO?

Don't listen on port 143 any more, make sure to only listen on
587/465/993/995 with TLS/SSL..

NGO's are often targeted..



On 2025-01-21 09:50, Marco Fioretti via dovecot wrote:

Greetings,

I was just tasked with rebuilding from scratch the mail server of an NGO,
on a brand new Ubuntu 24.04 LTS VPS.

I have copied the whole dovecot configuration to the new server, and now am
stuck because:

- dovecot IS running, dovecot service status shows no errors, but:

- if I try to connect with mutt from my desktop I get "connection refused"

- the ufw firewall does allow imap/imaps connections, and there are no
errors in its log

- even "telnet localhost 143" fails:
Trying ::1...
Connection failed: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

- I see no related errors in /var/log/mail.log or /var/log/syslog.


output of dovecot -n is pasted below, I only changed the actual domain name
to "example.com"

TIA for any pointer, I really need to get this server back online as soon
as possible...

Marco

# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9:
ssl_dh_parameters_length is no longer needed
# OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
# Hostname: example.com
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
mbox_write_locks = fcntl
passdb {
    args = /etc/imap.v_users
    driver = passwd-file
}
passdb {
    driver = pam
}
service auth {
    unix_listener /var/spool/postfix/private/auth {
      group = postfix
      mode = 0660
      user = postfix
    }
}
service imap-login {
    inet_listener imap {
      port = 0
    }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
    args = /etc/imap.v_users
    driver = passwd-file
}
userdb {
    driver = passwd
}
verbose_ssl = yes
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada


