1

Topic: Can not connect to IMAP Server using Outlook and android Gmail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version:  Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi, ZhangHuangbin

I have a problem with the connection to IMAP. I tried to connect my email to the server using Outlook but an error occurred; the error that appears is
"We couldn't connect to the incoming IMAP server using the specified encryption method."
It's also the same when I'm using the Gmail MUA on Android.
Now I'm using 1 certificate with multiple SANs, and the certificate was created using certbot. I have used this certificate for 2 months and previously had no problems with Outlook, but when I tried to use Thunderbird or Roundcube no errors appeared.


2

Re: Can not connect to IMAP Server using Outlook and android Gmail

- Is your client / device IP address blocked in Fail2ban? Maybe stop fail2ban service temporarily and try again?
- Any related error in Dovecot log files (/var/log/dovecot/*.log)?

3

Re: Can not connect to IMAP Server using Outlook and android Gmail

Sorry for the late update. After I tried using Comodo SSL with 2 SANs, I can log in normally to Outlook for Windows and Gmail for Android, but when I use Outlook for Android the problem still occurs. I got no log related to my problem with Outlook for Android. What should I do?

4

Re: Can not connect to IMAP Server using Outlook and android Gmail

Cannot help much without related log.
Did you stop fail2ban and try again? We need log lines.

5

Re: Can not connect to IMAP Server using Outlook and android Gmail

Hi, I have an update. I just bought a new SSL certificate with OV verification, and I have put all the SSL files in the Let's Encrypt folder (because before I bought the SSL certificate, I was using certbot to get SSL) and the ssl folders with the key, and I restarted all the services and rebooted my server, but I still get an invalid certificate on Outlook mobile. Then I tried to check my SSL with the command "openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.co" and I got this:

openssl output wrote:

CONNECTED(00000005)
depth=0 C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify return:1
---
Certificate chain
0 s:C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
   i:C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com
---
Server certificate
subject=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com

issuer=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = info@plesk.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1423 bytes and written 404 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 85660462B13AF8B4987C647D163845696A9EF8731EC5F6EC82FF2C6419D0E132
    Session-ID-ctx:
    Resumption PSK: 5344EAC7E13F9073E998BA3A42C8BFB0908733625AFC52EFC0CD17F94A086F758D5F53CBCE2EC67C2866F5BE18A431EC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1624234516
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BA1C9236AB8FC4BD7FA491BE7F7695DD1C77F1CC5F90CAA16D994375D404BF65
    Session-ID-ctx:
    Resumption PSK: 9D39463FE6911C29BF73E805AE3D157EFD723C698F97DDBEAB019CE555384B2E874405194E687FAAD8B51586C714C12B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1624234516
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.

Is my SSL not active on Dovecot?

6

Re: Can not connect to IMAP Server using Outlook and android Gmail

Fajar_Hardianto wrote:

verify error:num=18:self signed certificate

You're using a self-signed certificate.

7

Re: Can not connect to IMAP Server using Outlook and android Gmail

But I checked on ssllabs.com, my SSL is active.

https://i.ibb.co/5Wp86JQ/screencapture-ssllabs-ssltest-analyze-html-2021-06-21-08-37-45.png

And this is my Dovecot and Postfix config.

dovecot.conf wrote:

# More details about Dovecot settings:
#   - http://wiki2.dovecot.org/
#   - http://wiki2.dovecot.org/Variables

# Listen addresses.
#   - '*' means all available IPv4 addresses.
#   - '[::]' means all available IPv6 addresses.
# Listen on all available addresses by default
listen = * [::]

#base_dir = /var/run/dovecot
mail_plugins = quota mailbox_alias acl mail_log notify stats

# Enabled mail protocols.
protocols = pop3 imap sieve lmtp

# User/group who owns the message files:
mail_uid = 2000
mail_gid = 2000

# Assign uid to virtual users.
first_valid_uid = 2000
last_valid_uid = 2000

# Logging. Reference: http://wiki2.dovecot.org/Logging
#
# Use syslog
syslog_facility = local5
# Log file path if we use internal log system
#log_path = /var/log/dovecot/dovecot.log

# Debug
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
# Possible values: no, plain, sha1.
#auth_verbose_passwords = no

# SSL: Global settings.
# Refer to wiki site for per protocol, ip, server name SSL settings:
# http://wiki2.dovecot.org/SSL/DovecotConfiguration
ssl_protocols =  !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_ca = </etc/SectigoSSL/21062021/chain.pem
ssl_cert = </etc/SectigoSSL/21062021/fullchain.pem
ssl_key = </etc/SectigoSSL/21062021/privkey.pem

# Fix 'The Logjam Attack'
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
ssl_prefer_server_ciphers = yes

# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.
# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted
# insecurely.
disable_plaintext_auth = yes

# Allow plain text password per IP address/net
#remote 192.168.0.0/24 {
#   disable_plaintext_auth = no
#}

# Mail location and mailbox format.
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/

# Authentication related settings.
# Append this domain name if client gives empty realm.
#auth_default_realm = domain.com (example)

# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN

# Limits the number of users that can be logging in at the same time.
# Default is 100. This can be overridden by `process_limit =` in
# `service [protocol]` block.
# e.g.
#       protocol imap-login {
#           ...
#           process_limit = 500
#       }
#default_process_limit = 100

# Mail delivery log format
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$

service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}

# LMTP server (Local Mail Transfer Protocol).
# Reference: http://wiki2.dovecot.org/LMTP
service lmtp {
    user = vmail

    # For higher volume sites, it may be desirable to increase the number of
    # active listener processes. A range of 5 to 20 is probably good for most
    # sites.
    process_min_avail = 5

    # Logging.
    # Require 'log_path =' in 'protocol lmtp {}' block.
    executable = lmtp -L

    # Listening on socket file and TCP
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        user = postfix
        group = postfix
        mode = 0600
    }

    inet_listener lmtp {
        # Listen on localhost (ipv4)
        address = 127.0.0.1
        port = 24
    }
}

# Virtual mail accounts.
userdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}
passdb {
    args = /etc/dovecot/dovecot-mysql.conf
    driver = sql
}

# Master user.
# Master users are able to log in as other users. It's also possible to
# directly log in as any user using a master password, although this isn't
# recommended.
# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users
    master = yes
}

plugin {
    # Quota configuration.
    # Reference: http://wiki2.dovecot.org/Quota/Configuration
    quota = dict:user::proxy::quotadict

    # Set default quota rule if no quota returned from SQL/LDAP query.
    #quota_rule = *:storage=1G
    #quota_rule2 = *:messages=0
    #quota_rule3 = Trash:storage=1G
    #quota_rule4 = Junk:ignore

    # Quota warning.
    #
    # If user suddenly receives a huge mail and the quota jumps from
    # 85% to 95%, only the 95% script is executed.
    #
    # Only the command for the first exceeded limit is executed, so configure
    # the highest limit first.
    quota_warning = storage=100%% quota-warning 100 %u
    quota_warning2 = storage=95%% quota-warning 95 %u
    quota_warning3 = storage=90%% quota-warning 90 %u
    quota_warning4 = storage=85%% quota-warning 85 %u

    # allow user to become max 10% (or 50 MB) over quota
    quota_grace = 10%%
    #quota_grace = 50 M

    # Custom Quota Exceeded Message.
    # You can specify the message directly or read the message from a file.
    #quota_exceeded_message = Quota exceeded, please try again later.
    #quota_exceeded_message = </path/to/quota_exceeded_message.txt

    # Plugin: expire.
    #expire = Trash 7 Trash/* 7 Junk 30
    #expire_dict = proxy::expire

    # ACL and share folder
    acl = vfile
    acl_shared_dict = proxy::acl

    # By default Dovecot doesn't allow using the IMAP "anyone" or
    # "authenticated" identifier, because it would be an easy way to spam
    # other users in the system. If you wish to allow it,
    #acl_anyone = allow

    # Pigeonhole managesieve service.
    # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
    # Per-user sieve settings.
    sieve_dir = ~/sieve
    sieve = ~/sieve/dovecot.sieve

    # Global sieve settings.
    sieve_global_dir = /hdd/vmail/sieve
    # Note: if user has personal sieve script, global sieve rules defined in
    #       sieve_default will be ignored. Please use sieve_before or
    #       sieve_after instead.
    #sieve_default =

    sieve_before = /hdd/vmail/sieve/dovecot.sieve
    #sieve_after =

    # The maximum number of redirect actions that can be performed during a
    # single script execution.
    # The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and
    # beyond this means that redirect is prohibited. For older versions,
    # however, this means that the number of redirects is unlimited.
    sieve_max_redirects = 30

    # Use recipient as vacation message sender instead of null sender (<>).
    sieve_vacation_send_from_recipient = yes

    # Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias
    mailbox_alias_old = Sent
    mailbox_alias_new = Sent Messages
    mailbox_alias_old2 = Sent
    mailbox_alias_new2 = Sent Items

    # Events to log. `autoexpunge` is included in `expunge`
    # Defined in https://github.com/dovecot/core/blob/ma … g-plugin.c
    mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
    mail_log_fields = uid box msgid size from subject

    # stats
    #
    # how often to session statistics (must be set)
    stats_refresh = 30 secs
    # track per-IMAP command statistics (optional)
    stats_track_cmds = yes
    # Last Login Plugin
    last_login_dict = proxy::lastlogin
    last_login_key = last-login/%s/%u/%d
}

service stats {
    fifo_listener stats-mail {
        user = vmail
        mode = 0644
    }

    inet_listener {
        address = 127.0.0.1
        port = 24242
    }
}

service quota-warning {
    executable = script /usr/local/bin/dovecot-quota-warning.sh
    unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
    }
}

service dict {
    unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
    }
}

dict {
    #expire = db:/var/lib/dovecot/expire/expire.db
    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
    acl = mysql:/etc/dovecot/dovecot-share-folder.conf
    lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf
}

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = $mail_plugins sieve
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes

    # Log file path if we use internal log system
    #log_path = /var/log/dovecot/sieve.log
}

protocol lmtp {
    # Log file path if we use internal log system
    #log_path = /var/log/dovecot/lmtp.log

    # Plugins
    mail_plugins = quota sieve

    # Address extension delivery
    lmtp_save_to_detail_mailbox = yes
    recipient_delimiter = +
}

protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_acl imap_stats last_login
    imap_client_workarounds = tb-extra-mailbox-sep

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    # Increase it to avoid issue like below:
    # "Maximum number of concurrent IMAP connections exceeded"
    mail_max_userip_connections = 30
}

protocol pop3 {
    mail_plugins = $mail_plugins last_login
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv

    # Maximum number of IMAP connections allowed for a user from each IP address.
    # NOTE: The username is compared case-sensitively.
    # Default is 10.
    mail_max_userip_connections = 30

    # POP3 logout format string:
    #  %i - total number of bytes read from client
    #  %o - total number of bytes sent to client
    #  %t - number of TOP commands
    #  %p - number of bytes sent to client as a result of TOP command
    #  %r - number of RETR commands
    #  %b - number of bytes sent to client as a result of RETR command
    #  %d - number of deleted messages
    #  %m - number of messages (before deletion)
    #  %s - mailbox size in bytes (before deletion)
    # Default format doesn't have 'in=%i, out=%o'.
    #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o
}

# Login processes. Refer to Dovecot wiki for more details:
# http://wiki2.dovecot.org/LoginProcess
service imap-login {
    #inet_listener imap {
    #    port = 143
    #}
    #inet_listener imaps {
    #    port = 993
    #    ssl = yes
    #}

    service_count = 1

    # To avoid startup latency for new client connections, set process_min_avail
    # to higher than zero. That many idling processes are always kept around
    # waiting for new connections.
    #process_min_avail = 0

    # number of simultaneous IMAP connections
    process_limit = 500

    # vsz_limit should be fine at its default 64MB value
    #vsz_limit = 64M
}

service pop3-login {
    #inet_listener pop3 {
    #    port = 110
    #}
    #inet_listener pop3s {
    #    port = 995
    #    ssl = yes
    #}

    service_count = 1

    # number of simultaneous POP3 connections
    #process_limit = 500
}

service managesieve-login {
    inet_listener sieve {
        # Listen on localhost (ipv4)
        address = 127.0.0.1
        port = 4190
    }
}

namespace {
    type = private
    separator = /
    prefix =
    inbox = yes

    # Refer to document for more details about alias mailbox:
    # http://wiki2.dovecot.org/MailboxSettings
    #
    # Sent
    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }
    mailbox "Sent Items" {
        auto = no
        special_use = \Sent
    }

    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }

    # Trash
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }

    mailbox "Deleted Messages" {
        auto = no
        special_use = \Trash
    }

    # Junk
    mailbox Junk {
        auto = subscribe
        special_use = \Junk
    }
    mailbox Spam {
        auto = no
        special_use = \Junk
    }
    mailbox "Junk E-mail" {
        auto = no
        special_use = \Junk
    }

    # Archive
    mailbox Archive {
        auto = no
        special_use = \Archive
    }
    mailbox Archives {
        auto = no
        special_use = \Archive
    }
}

namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln

    # this namespace should handle its own subscriptions or not.
    subscriptions = yes
    list = children
}

# Public mailboxes.
# Refer to Dovecot wiki page for more details:
# http://wiki2.dovecot.org/SharedMailboxes/Public
#namespace {
#    type = public
#    separator = /
#    prefix = Public/
#    location = maildir:/hdd/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public
#
#    # Allow users to subscribe to the public folders.
#    subscriptions = yes
#}

!include_try /etc/dovecot/iredmail/*.conf


And this is my Postfix config.

main.cf wrote:

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/SectigoSSL/21062021/privkey.pem
smtpd_tls_cert_file = /etc/SectigoSSL/21062021/fullchain.pem
smtpd_tls_CAfile = /etc/SectigoSSL/21062021/chain.pem
smtpd_tls_CApath = /etc/ssl/certs

#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html# … rity_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_sender_domain
# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

# SRS (Sender Rewriting Scheme) support
sender_canonical_maps = tcp:127.0.0.1:7778
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:7779
recipient_canonical_classes= envelope_recipient,header_recipient

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /hdd/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes

# hostname
myhostname = mail.domain.com (example)
myorigin = mail.domain.com (example)
mydomain = mail.domain.com (example)

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 31457280

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 2

# Attention:
#   - zen.spamhaus.org free tier has 3 limits
#     (https://www.spamhaus.org/organization/dnsblusage/):
#
#     1) Your use of the Spamhaus DNSBLs is non-commercial*, and
#     2) Your email traffic is less than 100,000 SMTP connections per day, and
#     3) Your DNSBL query volume is less than 300,000 queries per day.
#
#   - FAQ: "Your DNSBL blocks nothing at all!"
#     https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
# It's strongly recommended to use a local DNS server for cache.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1

8

Re: Can not connect to IMAP Server using Outlook and android Gmail

Do you use the same SSL cert in Nginx?

9

Re: Can not connect to IMAP Server using Outlook and android Gmail

Yeah, I'm using the same SSL cert in my Nginx, Postfix, and Dovecot.

This is my SSL template file for Nginx.

ssl.tmp wrote:

ssl on;
ssl_protocols TLSv1.2 TLSv1.3;

# Fix 'The Logjam Attack'.
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;

# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
ssl_certificate /etc/SectigoSSL/21062021/fullchain.pem;
ssl_certificate_key /etc/SectigoSSL/21062021/privkey.pem;

10

Re: Can not connect to IMAP Server using Outlook and android Gmail

Did you restart Dovecot/Postfix services to load new ssl cert?

11

Re: Can not connect to IMAP Server using Outlook and android Gmail

Yeah, I have restarted the service, but when I check using openssl I still get a self-signed certificate.

https://i.ibb.co/19sx09J/running.png


And, btw, I sent you some coffee. Thank you for creating such great apps.

https://i.ibb.co/2ZXhkVm/iredmail.png

12

Re: Can not connect to IMAP Server using Outlook and android Gmail

I have another update. Right now I'm using iRedMail with a multiple-domain SSL cert. When I check with the openssl client on "Domain1.com", I still get a self-signed certificate, but when I check on "domain2.com" I get my real certificate. So Dovecot and Postfix have loaded my SSL cert, but somehow it is only active on my "domain2.com". Can anybody tell me how to fix it?
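The per-hostname openssl check described in the two posts above can be scripted as below. This is an added example, not part of the original posts or of iRedMail. The function names, hostnames and sample certificate fields are constructed, and it assumes OpenSSL 1.1.1 or later for `openssl x509 -ext`.

```shell
#!/bin/sh
# Added example. Hostnames and certificate fields below are constructed samples.

# Fetch subject, issuer and SAN of the cert served at host:port for SNI name $3.
# $4 is optional: a protocol for -starttls (imap, pop3, smtp) on plaintext ports.
fetch_cert_fields() {
    openssl s_client -connect "$1:$2" -servername "$3" \
        ${4:+-starttls "$4"} </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -ext subjectAltName 2>/dev/null
}

# Classify the fields in $2 for the name in $1:
#   no-cert | self-signed | san-mismatch | ok
# "self-signed" here is the usual heuristic: subject equals issuer.
classify_cert() {
    local name subject issuer sans san
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    subject=$(printf '%s\n' "$2" | sed -n 's/^subject= *//p')
    issuer=$(printf '%s\n' "$2" | sed -n 's/^issuer= *//p')
    if [ -z "$subject" ]; then echo no-cert; return 0; fi
    if [ "$subject" = "$issuer" ]; then echo self-signed; return 0; fi
    sans=$(printf '%s\n' "$2" | grep -o 'DNS:[^, ]*' | cut -d: -f2 | tr 'A-Z' 'a-z')
    while IFS= read -r san; do
        case $san in
            "$name") echo ok; return 0 ;;
            \*.*)   # a wildcard covers exactly one left-most label
                if [ "$name" != "${name#*.}" ] && [ "${name#*.}" = "${san#\*.}" ]; then
                    echo ok; return 0
                fi ;;
        esac
    done <<EOF
$sans
EOF
    echo san-mismatch
}

# Constructed samples in the layout printed by `openssl x509 -subject -issuer -ext`.
SAMPLE_SELF_SIGNED='subject=CN = mail.domain1.example
issuer=CN = mail.domain1.example'
SAMPLE_CA_ISSUED='subject=CN = domain2.example
issuer=C = XX, O = Example CA, CN = Example CA R1
X509v3 Subject Alternative Name: 
    DNS:domain2.example, DNS:*.domain2.example'

# Usage: sh check.sh HOST PORT NAME [STARTTLS_PROTO], e.g. 993 for IMAPS.
if [ "$#" -ge 3 ]; then
    printf '%s:%s as %s -> %s\n' "$1" "$2" "$3" \
        "$(classify_cert "$3" "$(fetch_cert_fields "$@")")"
fi
```

Running it once per hostname and per port (993, 995, 465, and 143 or 587 with the STARTTLS argument) shows which service and which name is still handing out the self-signed certificate.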

13

Re: Can not connect to IMAP Server using Outlook and android Gmail

Do you use only one cert/key for all domains, or one cert/key for each domain?

14

Re: Can not connect to IMAP Server using Outlook and android Gmail

Now I'm using one cert/key for all domains, using SSL with SAN.

15

Re: Can not connect to IMAP Server using Outlook and android Gmail

Hello Everyone. I'm really excited to post my topic here.

I had a problem connecting to the iRedMail server via IMAP/POP3 in the Thunderbird mail client app, but Roundcube webmail is working fine. Can you give me any suggestions for my issue?

I would appreciate it if you could answer me soon.
Thanks.

16

Re: Can not connect to IMAP Server using Outlook and android Gmail

You were so excited that you just posted in someone else's thread, and also ignored all the needed information?

If you want help, don't do such things. Open your own new thread and provide the significant information.