LinuxQuestions.org


priit 03-29-2019 03:41 AM

imap connection failed.
 
The server is CentOS 7 with postfix, dovecot, roundcube and mysql recently installed. Webmail works OK; I can send and receive messages.
The problem is that I cannot connect an IMAP client from outside, but inside it works OK.
For example, when configuring an account in Outlook, the test message is received OK but I cannot log in to the account. Testing with telnet commands to localhost port 143 seems OK.

Code:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

An IMAP check from outside gives a blank screen, and tcpdump shows the packet request at the same time, so the firewall is not blocking.

I would be grateful for any help.

dc.901 03-29-2019 05:50 AM

Without looking at your configuration, not much we can help.
And, how do you define outside; is it still same network or different?
Inside is on the same server I assume?
When you telnet to localhost port 143 that is bypassing localhost's firewall rules, so that is not a valid test.
Try to telnet from a different machine on network.

priit 03-29-2019 07:00 AM

Quote:

Originally Posted by dc.901 (Post 5979120)
Without looking at your configuration, not much we can help.
And, how do you define outside; is it still same network or different?
Inside is on the same server I assume?
When you telnet to localhost port 143 that is bypassing localhost's firewall rules, so that is not a valid test.
Try to telnet from a different machine on network.


outside -> it means different machine on same subnet

Code:

[root@xch2 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, localhost, $mydomain
mydomain = xch2.local
mynetworks = 192.168.102.0/23, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = minudomain.net
relayhost = [192.168.102.243]:25
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Code:

[root@xch2 ~]# dovecot -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: xch2.minudomain.local
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
first_valid_uid = 1000
listen = *
mail_debug = yes
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener auth-userdb {
    group = postfix
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}


tyler2016 03-29-2019 07:25 AM

Try using telnet from the host you are trying to connect from. Where did you run tcpdump from? I would assume you ran it from the server, filtering for the IMAP port and the outside machine's IP?

priit 03-29-2019 08:08 AM

Quote:

Originally Posted by tyler2016 (Post 5979150)
Try using telnet from the host you are trying to connect from. Where did you run tcpdump from? I would assume you ran it from the server, filtering for the IMAP port and the outside machine's IP?

Exactly. I try to connect with Outlook from another machine.

This is what the server sees at the same time:

Code:

[root@xch2 ~]# tcpdump -i ens192 -nn -s0 -v port imap
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:34.388847 IP (tos 0x0, ttl 128, id 21322, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], cksum 0x22ef (correct), seq 3680955590, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
15:03:37.397210 IP (tos 0x0, ttl 128, id 21329, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], cksum 0x22ef (correct), seq 3680955590, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
15:03:43.397001 IP (tos 0x0, ttl 128, id 21342, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], cksum 0x36f8 (correct), seq 3680955590, win 8192, options [mss 1460,nop,nop,sackOK], length 0
^


priit 03-30-2019 03:24 AM

IMAP is still not working from outside. Maybe I must start the whole installation over again. :~

tyler2016 03-30-2019 05:48 AM

Is there anything relevant in your logs? Since it seems your client can connect to it, I would assume there would be something there. Maybe it is a TLS issue? Are you using a self signed cert or private CA?

priit 03-30-2019 07:09 AM

Just to simplify the whole configuration process, I use only plaintext login until I get it done successfully.

If I connect with telnet to the mail server's IMAP from outside, is it normal that I only see a blank screen?
I expect a response something like this:

Code:

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

tyler2016 03-30-2019 02:32 PM

So when you use telnet from the client machine you get nothing back? I noticed in your tcpdump output that traffic was coming in, nothing was going out. I would check outbound firewall rules on the mail server:

Code:

iptables-save | egrep 'REJECT|DROP'
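
A way to read the capture posted earlier in the thread, as an added example that is not part of any post: the function lists flows whose SYNs were never answered with a SYN-ACK. The name `unanswered_syns`, the helper `sample_capture` and the 192.168.102.10 flow are assumptions made for the example; the three SYN lines are shortened from the capture above.

```shell
#!/bin/sh
# unanswered_syns: read tcpdump text on stdin and print every flow that sent
# a bare SYN but never received a SYN-ACK, followed by the SYN count.
unanswered_syns() {
    awk '
    /Flags \[S\.?\]/ {
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next                      # no "src > dst" on this line
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        if ($0 ~ /Flags \[S\]/) syn[src " > " dst]++      # client SYN
        else answered[dst " > " src] = 1                  # SYN-ACK, reversed key
    }
    END { for (f in syn) if (!(f in answered)) print f, syn[f] }
    '
}

# Constructed sample: the three SYN lines are shortened from the capture posted
# above; the 192.168.102.10 flow is made up to show an answered handshake.
sample_capture() {
    cat <<'EOF'
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], seq 3680955590, win 8192, length 0
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], seq 3680955590, win 8192, length 0
    192.168.103.152.5157 > 192.168.102.92.143: Flags [S], seq 3680955590, win 8192, length 0
    192.168.102.10.40000 > 192.168.102.92.143: Flags [S], seq 100, win 29200, length 0
    192.168.102.92.143 > 192.168.102.10.40000: Flags [S.], seq 200, ack 101, win 28960, length 0
EOF
}

sample_capture | unanswered_syns
```

Three SYNs with the same sequence number are retransmissions of one connection attempt; a flow listed here reached the interface but got no handshake reply.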

priit 03-31-2019 06:02 AM

Code:

[root@xch2 ~]# iptables-save | egrep 'REJECT|DROP'
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

tried to add
Code:

# iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
or
# iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
or
# iptables -F

I also tried to disable the firewall with systemctl stop firewalld.

Result: no change, and tcpdump still shows those "zero packets".

tyler2016 03-31-2019 06:16 AM

-A appends rules to the end of the chain, so in the case of your chains, you are adding the ACCEPT rule after it would already be rejected. I don't use firewalld, so I'm not sure if stopping it just turns off the daemon or actually flushes your rules. If you have console access to the machine try this instead:

Code:

# iptables -F
# iptables-save
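
The rule-ordering point in the post above, as an added example that is not part of the thread: a simplified first-match walk over `iptables-save` style rules, comparing an appended ACCEPT with one inserted ahead of the catch-all REJECT. The names `first_verdict`, `base_rules`, `rules_appended` and `rules_inserted` are hypothetical, and the rule sets are constructed around the DROP and REJECT lines posted earlier.

```shell
#!/bin/sh
# first_verdict PORT: read iptables-save style rules on stdin and print the
# position and target of the first INPUT rule that matches a new TCP
# connection to PORT. Simplified matcher (assumption): it understands only
# -p, --dport and --ctstate; a rule with any other condition is skipped.
first_verdict() {
    awk -v port="$1" '
    $1 == "-A" && $2 == "INPUT" {
        n++; target = proto = dport = state = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); break }  # rest is target options
            else if ($i == "-p") proto = $(++i)
            else if ($i == "--dport") dport = $(++i)
            else if ($i == "--ctstate") state = $(++i)
            else if ($i == "-m") i++                      # skip the module name
            else other = 1                                # -i, -s, ... not modelled
        }
        if (other || (proto != "" && proto != "tcp")) next
        if (dport != "" && dport != port) next
        if (state != "" && state !~ /(^|,)NEW(,|$)/) next
        print n, target; found = 1; exit
    }
    END { if (!found) print "0 chain-policy" }
    '
}

# Constructed rule sets. The DROP and REJECT lines are the ones posted above;
# the other lines are assumed for illustration.
base_rules() {
    printf '%s\n' "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate INVALID -j DROP"
}
imap="-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT"
reject="-A INPUT -j REJECT --reject-with icmp-host-prohibited"

rules_appended() { base_rules; printf '%s\n' "$reject" "$imap"; }  # iptables -A INPUT ...
rules_inserted() { base_rules; printf '%s\n' "$imap" "$reject"; }  # iptables -I INPUT 4 ...

echo "appended: $(rules_appended | first_verdict 143)"
echo "inserted: $(rules_inserted | first_verdict 143)"
```

On a live host, `iptables -L INPUT -n --line-numbers` shows the rule positions to use with `-I`.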


priit 03-31-2019 07:27 AM

Code:

# iptables -F
# iptables-save

tried, nothing changed. :~

priit 04-01-2019 06:40 AM

today tried same move:
Code:

iptables -F

And it works! :)

I wonder why it didn't work yesterday with the same moves?

Anyway, thanks to all responders who tried to help!

tyler2016 04-01-2019 06:42 AM

Maybe you accidentally grabbed the # from my post? I sometimes do things like that if I am tired. I wouldn't recommend leaving the firewall off. I would add the necessary rules and re-enable it.


All times are GMT -5.