
I'm having an issue with Postfix+Dovecot configuration in Ubuntu 16.04. I could configure my mailboxes and I can correctly send and receive emails and now I wanted to set up POP3+IMAP.
The problem I'm having is that, when connecting, I always get the wrong certificate:

root@server:~# openssl s_client -connect server:993 #with or without servername parameter
CONNECTED(00000003)
depth=0 CN = localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/CN=localhost.localdomain
   i:/CN=localhost.localdomain

Then it does not return the certificate configured in /etc/dovecot/conf.d/10-ssl.conf. In this file I specify ssl, ssl_cert, ssl_key, ssl_key_password and verbose_ssl. To build the certificate file I concatenated the "example.com" crt, the CA bundle and the key, all in the same file.
The certificate used was issued for "example.com" (no subdomain), and I configured my server's /etc/postfix/main.cf to include "example.com" in the myhostname and mydestination fields. My MX record also points to "example.com".
The hostname of the machine is "server".

The only weird messages in the log are:

May 20 01:33:47 server dovecot: lda(root): Error: chdir(/root/) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
May 20 01:33:47 server dovecot: lda(root): Error: chdir(/root) failed: Permission denied
May 20 01:33:47 server dovecot: lda(root): Error: User initialization failed: Namespace '': stat(/root/Maildir) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
May 20 10:58:47 server dovecot: lda: Fatal: Invalid user settings. Refer to server log for more information.
May 20 01:33:47 server dovecot: lda: Fatal: Invalid user settings. Refer to server log for more information.
May 20 09:26:07 server postfix/smtpd[23663]: warning: cannot get RSA certificate from file "/etc/ssl/certs/mail_with_key_creationbyte_com.crt": disabling TLS support
May 20 09:26:07 server postfix/smtpd[23663]: warning: TLS library problem: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:708:

The root folder already has root:root 0700 permission.
Any ideas on which commands to use to debug this? I'm blind as to how dovecot decides which certificate to serve.

neoocm
    What other configuration changes did you make to dovecot? And did you restart it? – Michael Hampton May 20 '18 at 06:19
  • Yes, I have restarted it many times after applying the changes. Other changes to the dovecot server are the ones instructed to configure an imap/pop3 server here: https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server – neoocm May 20 '18 at 15:28

1 Answer


There were several problems here:

The 10-ssl.conf file was being replaced by this one with a higher number: /etc/dovecot/conf.d/99-mail-stack-delivery.conf

So no matter what I entered in 10-ssl.conf, it always returned the default configured in 99-mail-stack-delivery.conf (the default certificate was the localhost.localdomain one).

I was also pointing to the wrong port. I needed to use port 143.

The error I was getting about the certificate was because the cat command had malformed it like this: ----- END CERTIFICATE ---------- BEGIN CERTIFICATE ----- (missing a newline between the two).

Then there was a difference between the SMTP certificate in the postfix config file and the certificate specified in 99-mail-stack-delivery.conf. The one in postfix I had configured using an encrypted key file, but SMTP does not allow encrypted keys. So I had to point to the unencrypted key in the postfix config.

Hope all this information helps a newbie like me to install the email server.

The most useful tools I used were:

# summary and validation of all config
dovecot -n

# errors and verbose output
tail -f /var/log/dovecot.log

openssl s_client -connect example.com:143 -servername example.com -starttls imap
openssl s_client -connect example.com:143 -servername example.com -starttls imap

With these 2 you can check your certificates and whether the service works.

Check the email queue: mailq command

Check that the ~/Maildir{cur,new,tmp} folders exist and have the right permissions (youruser:youruser 0700)

Turn on logging for Outlook: File -> Options -> Advanced -> Other -> Enable troubleshooting logging. Logs will be in AppData\Local\Temp\Outlook Logging

pufferfish
neoocm
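Two of the failures in the question and the answer above (the "PEM lib" error from Postfix after concatenating the crt, CA bundle and key, and the encrypted key that Postfix will not load) can be caught before restarting any daemon by linting the combined PEM file. The following is an added example, not code from the question or the answer: a small Python checker that finds END/BEGIN markers glued together by cat (a source file without a trailing newline), repairs that specific defect, splits the file into blocks, and flags a passphrase-protected key. The sample bundle is constructed; its certificate and key bodies are placeholders, not real material.

```python
import re
import sys

# Constructed sample bundle reproducing the two defects described above:
# the server cert and the CA cert are glued on one line (missing newline
# after "-----END CERTIFICATE-----"), and the key is passphrase-protected.
BAD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleSERVERCERTBODY\n"          # placeholder, not a real cert
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
    "MIIBexampleCACERTBODY\n"              # placeholder, not a real cert
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "exampleENCRYPTEDKEYBODY\n"            # placeholder, not a real key
    "-----END RSA PRIVATE KEY-----\n"
)

# Constructed well-formed bundle: one newline per marker, unencrypted key.
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleSERVERCERTBODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleCACERTBODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "examplePLAINKEYBODY\n"
    "-----END RSA PRIVATE KEY-----\n"
)

PEM_BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")
GLUED = re.compile(r"(-----END [A-Z ]+-----)(-----BEGIN )")


def find_glued_boundaries(pem):
    """Return (line_no, text) for every line where an END marker runs into a BEGIN marker."""
    return [(no, line.strip()) for no, line in enumerate(pem.splitlines(), 1)
            if GLUED.search(line)]


def repair_glued_boundaries(pem):
    """Insert the newline that was missing between END and BEGIN markers."""
    return GLUED.sub(r"\1\n\2", pem)


def parse_pem_blocks(pem):
    """Split PEM text into (label, body_lines) blocks; raise on mismatched markers."""
    blocks, current = [], None
    for no, line in enumerate(pem.splitlines(), 1):
        m = PEM_BOUNDARY.fullmatch(line.strip())
        if m and m.group(1) == "BEGIN":
            if current is not None:
                raise ValueError(f"line {no}: BEGIN {m.group(2)} inside open {current[0]} block")
            current = (m.group(2), [])
        elif m:
            if current is None or current[0] != m.group(2):
                raise ValueError(f"line {no}: unexpected END {m.group(2)}")
            blocks.append(current)
            current = None
        elif current is not None:
            current[1].append(line)
    if current is not None:
        raise ValueError(f"unterminated {current[0]} block")
    return blocks


def key_is_encrypted(label, body):
    """PKCS#8 'ENCRYPTED PRIVATE KEY' or a legacy 'Proc-Type: 4,ENCRYPTED' header."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)


def lint_bundle(pem):
    """Return a list of findings; an empty list means the bundle looks loadable."""
    findings = [f"line {no}: END and BEGIN markers glued together (missing newline): {text}"
                for no, text in find_glued_boundaries(pem)]
    try:
        blocks = parse_pem_blocks(repair_glued_boundaries(pem))
    except ValueError as e:
        return findings + [str(e)]
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no CERTIFICATE block found")
    for label, body in blocks:
        if label.endswith("PRIVATE KEY") and key_is_encrypted(label, body):
            findings.append(f"{label} is passphrase-protected; Postfix needs an unencrypted key file")
    return findings


if __name__ == "__main__":
    # Usage: python pem_lint.py /path/to/bundle.pem  (no argument lints the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_BUNDLE
    for finding in lint_bundle(text) or ["no problems found"]:
        print(finding)
```

Note what the glued marker does to a naive parser: without the repair, the file still splits into "valid" blocks, but the CA certificate body is swallowed into the first CERTIFICATE block, which is exactly the kind of input the PEM routines in the Postfix warning reject. The checker reports the glued line first so that a repaired file can then be compared with the output of openssl s_client as in the answer.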