1 (edited by lesz.mar 2019-09-05 03:49:07)

Topic: [SOLVED] imap, smtp TLS problem

- iRedMail version (check /etc/iredmail-release):
0.9.9 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer?
downloadable installer
- Linux/BSD distribution name and version:
Debian9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
mariaDB
- Web server (Apache or Nginx):
Nginx

I installed iRedMail 0.9.9 on a clean Debian 9, then, as instructed at https://docs.iredmail.org/letsencrypt.html, I installed Let's Encrypt for my hostname -f.
IMAP works correctly with Roundcube; in Thunderbird, when I set port 993 and SSL/TLS with normal password, it is also OK,
but when I set port 143, STARTTLS and normal password, I get the message -> timed out,
and for mail delivery by SMTP on port 587, STARTTLS, normal password, I get the message -> time out.
dovecot/imap.log is clean, there is no entry in it.
I stopped fail2ban.

Any idea what I did wrong?

2

Re: [SOLVED] imap, smtp TLS problem

From a different client -> Evolution
I received a message: dovecot: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=x.x.x.x, lip=x.x.x.x, TLS handshaking: SSL_accept() syscall failed: Success, session=<NHxP9raRYnpN/C+W>

3

Re: [SOLVED] imap, smtp TLS problem

When I test IMAP from an external host:
  $ openssl s_client -starttls imap -showcerts -connect s1.itcoma.pl:143
  140140668699840:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
  140140668699840:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
  connect:errno=110

root@s1:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@s1:~# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:7778          0.0.0.0:*               LISTEN      999/python2         
tcp        0      0 127.0.0.1:7779          0.0.0.0:*               LISTEN      999/python2         
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      1588/amavisd-new (m
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      2208/master         
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      1588/amavisd-new (m
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1090/mysqld         
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2208/master         
tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      1588/amavisd-new (m
tcp        0      0 127.0.0.1:10028         0.0.0.0:*               LISTEN      2208/master         
tcp        0      0 127.0.0.1:9998          0.0.0.0:*               LISTEN      1588/amavisd-new (m
tcp        0      0 127.0.0.1:7790          0.0.0.0:*               LISTEN      844/uwsgi           
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      6048/dovecot       
tcp        0      0 127.0.0.1:7791          0.0.0.0:*               LISTEN      852/uwsgi           
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      756/php-fpm: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      847/nginx: master p
tcp        0      0 127.0.0.1:24242         0.0.0.0:*               LISTEN      6048/dovecot       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      850/sshd           
tcp        0      0 127.0.0.1:24            0.0.0.0:*               LISTEN      6048/dovecot       
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2208/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      847/nginx: master p
tcp        0      0 127.0.0.1:8125          0.0.0.0:*               LISTEN      2245/netdata       
tcp        0      0 127.0.0.1:4190          0.0.0.0:*               LISTEN      6048/dovecot       
tcp        0      0 127.0.0.1:19999         0.0.0.0:*               LISTEN      2245/netdata       
tcp        0      0 127.0.0.1:20000         0.0.0.0:*               LISTEN      1151/sogod         
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      6048/dovecot       
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      999/python2         
tcp6       0      0 :::143                  :::*                    LISTEN      6048/dovecot       
tcp6       0      0 :::22                   :::*                    LISTEN      850/sshd           
tcp6       0      0 :::993                  :::*                    LISTEN      6048/dovecot 

When I test IMAP locally on the server:

root@s1:~# openssl s_client -starttls imap -showcerts -connect localhost:143
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = s1.itcoma.pl
verify return:1
---
Certificate chain
0 s:CN = s1.itcoma.pl
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = s1.itcoma.pl

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3586 bytes and written 757 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
. OK Pre-login capabilities listed, post-login capabilities have more.
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7390585B5CF7CE8A26029EA7D314C47B6DE37C454C769D86D48A87E0378F9A4B
    Session-ID-ctx:
    Resumption PSK: 73A7AD3048054A9D5387CE9B744821B975441D380CD609B1CB7FF4DF4CB2B090BF78BF7DAEEFFC0B53D6944EDD831F1A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1567602868
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4C3BEA8F2E5D748585669C340CA7A51689D16B176426ABEDB9B1A686AB11F24D
    Session-ID-ctx:
    Resumption PSK: 05B1E92AE39B0F194D7253063C8CFB0165736A5A9ACA5BD524491A70840B9BE4EFE533227EDFA1CDF5B8B435936F0940
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1567602869
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

4

Re: [SOLVED] imap, smtp TLS problem

It turned out that, for unknown reasons, the internet provider blocks TLS on the router; the same happens with Google's SMTP TLS:

$ openssl s_client -starttls smtp -showcerts -connect smtp.gmail.com:587
140698890945728:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
140698890945728:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
140698890945728:error:02002065:system library:connect:Network is unreachable:crypto/bio/b_sock2.c:110:
140698890945728:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=101

iRedMail is not guilty :)
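One way to tell the failure layers apart from the client side, as an added example that is not part of this thread or of iRedMail: a small Python probe that, like the openssl s_client -starttls imap runs above, connects to the IMAP port, requests STARTTLS and attempts the handshake, but reports separately whether the TCP connect timed out (the errno=110 seen above), the network was unreachable (errno=101), the server declined STARTTLS, or the TLS handshake itself failed. The fake_server peer, its replies and the host/port values are constructed for an offline run; against a real server the default context also verifies the certificate chain.

```python
import socket, ssl, threading

def classify_error(exc):
    """Map an exception raised while probing to the layer where it failed."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp-timeout: no SYN/ACK, path blocked (firewall, ISP or router)"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused: host reachable but nothing listens on that port"
    if isinstance(exc, ssl.SSLError):  # also an OSError, so test it first
        return "tls-failed: TCP and STARTTLS fine, handshake rejected: %s" % exc.reason
    if isinstance(exc, OSError) and exc.errno == 101:
        return "net-unreachable: no route from this client (errno 101)"
    return "other: %r" % (exc,)

def _line(sock):
    """Read one CRLF line byte by byte so no TLS bytes get buffered away."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection before TLS")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip()

def probe(host, port, timeout=5.0):
    """Connect, request IMAP STARTTLS, do the TLS handshake; return a verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            _line(sock)  # server greeting ("* OK ...")
            sock.sendall(b"a STARTTLS\r\n")
            if not _line(sock).startswith("a OK"):
                return "starttls-declined: server reachable but refused STARTTLS"
            tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            return "ok: %s with %s" % (tls.version(), tls.cipher()[0])
    except OSError as exc:
        return classify_error(exc)

def fake_server(reply, junk=b""):
    """Constructed local peer for offline runs: plaintext IMAP greeting, the
    given STARTTLS reply, then `junk` where TLS records should start."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        with srv, srv.accept()[0] as conn:
            conn.sendall(b"* OK IMAP ready\r\n")
            _line(conn)  # the client's "a STARTTLS"
            conn.sendall(reply + junk)
            conn.recv(4096)  # wait for the client's ClientHello or its FIN
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]  # port to probe
```

Run probe("s1.example.invalid", 143) from the client network and from the server itself: a tcp-timeout verdict from outside with ok from localhost points at the path, not at Dovecot's TLS setup.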