6

* TLDR ; if you have connection problems, not only make sure you have added the required rules to your firewall, but also make sure ($ iptables -L -v) that the rules are in the correct order! *


It's been a few days now, and I can't figure out why my IMAP set up (on port 993) refuses to work (with Dovecot, version 2.2.22). The connection does not succeed, for some reason I don't see.

Troubleshooting the connection with openssl: Connecting on port 993 does not work:

$ openssl s_client -connect my-domain.com:993

returns:

connect: Connection timed out
connect:errno=110

But the port used (993) seems open:

$ ufw status

returns:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
25/tcp                     ALLOW       Anywhere                  
587/tcp                    ALLOW       Anywhere                  
993/tcp                    ALLOW       Anywhere                  
143/tcp                    ALLOW       Anywhere                  
465/tcp                    ALLOW       Anywhere                  
110/tcp                    ALLOW       Anywhere                  
995/tcp                    ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
25/tcp (v6)                ALLOW       Anywhere (v6)             
587/tcp (v6)               ALLOW       Anywhere (v6)             
993/tcp (v6)               ALLOW       Anywhere (v6)             
143/tcp (v6)               ALLOW       Anywhere (v6)             
465/tcp (v6)               ALLOW       Anywhere (v6)             
110/tcp (v6)               ALLOW       Anywhere (v6)             
995/tcp (v6)               ALLOW       Anywhere (v6)            

My dovecot config is:

$ dovecot -n

# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-38-generic x86_64 Ubuntu 16.04.1 LTS ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/www.my-domain.com.chained.crt
ssl_key = </etc/ssl/localcerts/www.my-domain.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes

EDIT 1:

Key and certificate do match:

$ (openssl x509 -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.crt | openssl md5 ;\
openssl rsa -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.key | openssl md5) | uniq

returns only 1 identifier:

(stdin)= cfcbed2e4061910c47c5008d8732e522

EDIT 2:

Enabling maximum logging for Dovecot, with:

auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
verbose_ssl=yes
auth_verbose_passwords=sha1

returns:

$ tail -f /var/log/mail.log

dovecot: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3, lmtp (core dumps disabled)
[...]
dovecot: lmtp(5491): Connect from local
dovecot: lmtp(info@my-domain.com): +rg7LUpw6ldzFQAAxWOCog: msgid=<57ea704a99e89_b638aedb491d2@chbh.mail>: saved mail to INBOX
dovecot: lmtp(5491): Disconnect from local: Successful quit

EDIT 3:

Connecting via SSL to the webserver (Nginx) which uses the same certificate and key on port 443 works totally fine:

$ openssl s_client -connect my-domain.com:443

EDIT 4:

I used the same version of Dovecot, the same Dovecot configuration and the same certificate+key on the old server, where the IMAP connection with Dovecot worked totally fine.

EDIT 5:

Trying to establish the connection on the IMAP port 993 (via openssl s_client) with the parameter -dtls1 seems to do something:

$ openssl s_client -connect my-domain.com:993 -dtls1 -debug

returns (very slowly) something like this:

CONNECTED(00000003)
write to 0x1425de0 [0x142f970] (202 bytes => 202 (0xCA))
0000 - 16 fe ff 00 00 00 00 00-00 00 00 00 bd 01 00 00   ................
0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........y.n}%
0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...K.N.p....r...
0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
[...]
0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
read from 0x1425de0 [0x142b413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write to 0x1425de0 [0x1434ed0] (202 bytes => 202 (0xCA))
0000 - 16 fe ff 00 00 00 00 00-00 00 01 00 bd 01 00 00   ................
0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........y.n}%
0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...K.N.p....r...
0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
[...]
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
[...]
0070 - 45 00 44 00 43 00 42 c0-0e c0 04 00 2f 00 96 00   E.D.C.B...../...
0080 - 41 c0 12 c0 08 00 16 00-13 00 10 00 0d c0 0d c0   A...............
0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
read from 0x1e8dde0 [0x1e93413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
139876009338520:error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired:d1_lib.c:495:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 2424 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : DTLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1474892601
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

...and then the connection is closed.

However, using the parameters -tls1 (TLSv1) or -tls1_1 (TLSv1.1) or -tls1_2 (TLSv1.2) returns the time out message: connect: Connection timed out and connect:errno=110

EDIT 6:

If I enable the secure POP port 995 in Dovecot, restart it, open this port in the firewall, and then try:

openssl s_client -connect my-domain.com:995

...I also get the time-out error connect: Connection timed out and connect:errno=110, apparently indicating that the source of the problem applies for both IMAP and POP.

EDIT 7:

The right processes seem to listen on the right ports:

$ netstat -tulpn

returns:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2597/master     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2827/nginx      
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      2327/opendkim   
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      1918/monit      
tcp        0      0 127.0.0.1:34305         0.0.0.0:*               LISTEN      2915/public     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2306/dovecot    
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2306/dovecot    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2269/mysqld     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2597/master     
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2306/dovecot    
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2306/dovecot    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2827/nginx      
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2597/master     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2249/sshd       
tcp6       0      0 :::25                   :::*                    LISTEN      2597/master     
tcp6       0      0 :::993                  :::*                    LISTEN      2306/dovecot    
tcp6       0      0 :::995                  :::*                    LISTEN      2306/dovecot    
tcp6       0      0 :::587                  :::*                    LISTEN      2597/master     
tcp6       0      0 :::110                  :::*                    LISTEN      2306/dovecot    
tcp6       0      0 :::143                  :::*                    LISTEN      2306/dovecot    
tcp6       0      0 :::465                  :::*                    LISTEN      2597/master   

EDIT 8:

Telnet works only on ports 80 and 443 (used by Nginx), all other ports don't seem to respond (time-out).

EDIT 9:

I just did a port scan using nmap 12.34.56.78 and it showed only 22/tcp | open | ssh and 80/tcp | open | http and 443/tcp | open | https. If you look at the result from ufw status posted above, you can see that I allowed a whole list of ports that are not "found" by nmap. What is the reason of and the solution for that? (I know it's not my network or provider - I can connect to my old/"identical" server and the nmap scan shows the required IMAPs port as "open").

EDIT 10:

$ iptables -L -v

returns:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 118K 7235K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7228K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 118K 7226K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7226K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere            
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 53 packets, 3160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1575K  531M ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
1575K  531M ufw-before-output  all  --  any    any     anywhere             anywhere            
  537 97799 ufw-after-output  all  --  any    any     anywhere             anywhere            
  537 97799 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  537 97799 ufw-reject-output  all  --  any    any     anywhere             anywhere            
  537 97799 ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain f2b-HTTPS (4 references)
 pkts bytes target     prot opt in     out     source               destination         
1547K  228M RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-SSH (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 235K   14M RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-nginx-http-auth (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 975K  128M RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     62-210-106-228.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
 235K   14M RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1381K  214M ACCEPT     all  --  any    lo      anywhere             anywhere            
 194K  317M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  537 97799 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  112 10791 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  300 22604 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination   
TomDogg
  • 113
  • 1
  • 8
  • So, you're only testing it with `openssl s_client`? Have you tried an actual email client like Thunderbird? – coladict Sep 27 '16 at 11:50
  • Yes, I also use Thunderbird (and it can't connect), but I fear it may introduce additional potential error sources, making the situation even more complex. Which is why I then used `openssl s_client`. – TomDogg Sep 27 '16 at 12:18
  • Comparing the configuration with the one on our server, the `inet_listener` definitions for imap, imaps, pop3, pop3s are empty on our end. I'm assuming it just takes some default values. Also a long list added to `ssl_cipher_list` from some security site that recommended which to enable/disable, but it doesn't look as if your connection reaches that far. – coladict Sep 27 '16 at 12:58
  • Yes, commented out `inet_listener` values mean default values (I have used this tutorial: https://www.linode.com/docs/email/email-with-postfix-dovecot-and-mysql). – TomDogg Sep 27 '16 at 13:29
  • 2
    I think is the firewall. Can you please post the output of iptables -L -v? I can't be sure but I think you have a drop before ufw rules. – Laurentiu Roescu Sep 28 '16 at 14:47
  • @LaurentiuRoescu - Done, please see: EDIT 10 – TomDogg Sep 28 '16 at 14:53
  • Just for testing and to verify a problem in the firewall, if you turn off the firewall can you make connections? – Joe Sep 28 '16 at 15:05
  • 2
    It looks like @LaurentiuRoescu is correct. The accept imaps rule is in the ufw-user-input chain which is in the ufw-before-input chain which is in the INPUT chain after the DROP all from anywhere line. So packets get dropped before any chance to match the imaps rule. – Joe Sep 28 '16 at 15:10
  • Thank you, this actually is it; would you mind adding an answer that I can accept (bounty pending)? And: How did this line get in the wrong place, why would this not be handled intelligently by the software, as it seems to me that this line should (logically) always be at the very bottom (as the "fallback" rule)? – TomDogg Sep 28 '16 at 17:21

5 Answers5

1

You have a DROP rule before ufw rules which deny imaps connections. And this is not the only rule which can create problems. You should check how they got there, maybe you used -I instead of -A in before.rules or after.rules.

1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere            
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere 

All above rules are inserted before ufw rules and can make problems. For example, if you configure ufw to deny http or https, these rules will allow these ports anyway.

Laurentiu Roescu
  • 2,246
  • 16
  • 17
  • So is it safe to say that all "CAPITAL rules" (such as ACCEPT, REJECT, DROP, RETURN, LOG, ...) should always be at the very bottom of a "block"? – TomDogg Sep 29 '16 at 10:56
0

Try setting:

disable_plaintext_auth=no
ssl=yes
Henry
  • 910
  • 1
  • 5
  • 17
  • Thank you; unfortunately, this did not change the situation. I interpreted your comment like this: In `/etc/dovecot/conf.d/10-auth.conf` change `disable_plaintext_auth = yes` to `disable_plaintext_auth = no` and in `/etc/dovecot/conf.d/10-ssl.conf` change `ssl = required` to `ssl = yes`, then restart Dovecot. (The log file entries posted above also say `SSL negotiation finished successfully [127.0.0.1]`, which makes me doubt that the problem lies with the SSL set up, but I'm no expert.) – TomDogg Sep 26 '16 at 08:39
0

What about reverse DNS resolution ? Dovecot may check it whereas NGinx don't.

Try to add

127.0.0.1 my-domain.com

to your host file.

Leahkim
  • 175
  • 6
  • Thank you; unfortunately, adding this entry in the file `/etc/hosts` and rebooting doesn't solve the problem - the Dovecot log entries posted above stay the same and the command `openssl s_client -connect my-domain.com:993` still results in the above mentioned time-out error message. – TomDogg Sep 27 '16 at 08:34
  • You talk about firewall, what do you get by connecting to nginx by port 993 or 995 (dovecot stopped) ? – Leahkim Sep 28 '16 at 13:04
  • Thanks; the server is currently running in production, so I'd first like to say something else that clearly *is* fishy: (please see EDIT 9) – TomDogg Sep 28 '16 at 14:15
0

I ran into the same problem that you are describing. You probably figured it out by now but I only got dovecot to send a response when connecting to the 993 port by adding "imaps" to the list of protocols that it should support. Adding "imap" and setting the "ssl" property in the configuration to "yes" or "required" was not enough. Hope that helps.

0

I ran into the same problem. Check your logs once (/var/log/mail.log) I was having certificate issue [warning: cannot get RSA private key from file "/etc/dovecot/dovecot.pem": disabling TLS support ] though it was a warning I tried solving it by using my own server certificate with the following documentation [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html] and made changes accordingly. It worked for me.

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47