LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 12-13-2009, 12:05 PM   #1
volga629
Member
 
Registered: Dec 2009
Posts: 67

Rep: Reputation: 21
DOVECOT SSL/TLS connection problem on port 993 or 995


I installed Postfix with Dovecot and SASL authentication. My external DNS used for the MX record is godaddy.com, and I have my DNS internally.
Postfix is working well; here is the output of a connection on port 465:
Connected to mail.skillsearch.ca (XXX.XXX.XXX.XXX).
Escape character is '^]'.
220 mail.skillsearch.ca ESMTP Postfix
ehlo skillsearch.ca
250-mail.skillsearch.ca
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
#######################################

But with Dovecot no luck: POP3 110 and IMAP 143 are working well without SSL/TLS, but only on the server machine.
If I issue the command:
openssl s_client -starttls imap -crlf -connect mail.skillsearch.ca:143
CONNECTED(00000003)
depth=0 /C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
i:/C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC1TCCAj4CCQDEDVd3h41kuDANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMC
Q0ExEDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEeMBwGA1UEChMV
U2tpbGxzZWFyY2ggUmVjcnV0aW5nMRowGAYDVQQLExFNYWlsIFNlcnZlciBsaW51
eDEXMBUGA1UEAxMOc2tpbGxzZWFyY2guY2ExJzAlBgkqhkiG9w0BCQEWGHdlYm1h
c3RlckBza2lsbHNlYXJjaC5jYTAeFw0wOTEyMTIyMjAwMTdaFw0xMDEyMTIyMjAw
MTdaMIGuMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMG
T3R0YXdhMR4wHAYDVQQKExVTa2lsbHNlYXJjaCBSZWNydXRpbmcxGjAYBgNVBAsT
EU1haWwgU2VydmVyIGxpbnV4MRcwFQYDVQQDEw5za2lsbHNlYXJjaC5jYTEnMCUG
CSqGSIb3DQEJARYYd2VibWFzdGVyQHNraWxsc2VhcmNoLmNhMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDN2Jhqo8iFqLZWS6tns1gJv1Tgfsr4DIiBbyvF9jGu
lwI6ncvabDs/+6BqFzKsmsDCE0G1ac4Q5L6gM4Rb6wVYjPDkdipR+hkF/i1zdTou
zvOV59rUra3Qsy1eZJJ7kqHFpUsv3/te2zGNmTbIvjleO8C1OW/sAspz5MQ6XKKa
/wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIOcYlIN82I6KFL2GDrR0nwPeCCyrwBB
sRm8xNgkC9J1QUyKDQkq8NKPMUwOTZn9wftl3cJ1ENfbchfVHbkdFenU93ddkpVp
HDmMeidu5HtgIOPFIm6c0dcG8JRW2QS33RHtc/AoalQAcwVHCE0tzxU7IQXUI3s3
tO0v+ghnykDm
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
issuer=/C=CA/ST=Ontario/L=Ottawa/O=Skillsearch Recruting/OU=Mail Server linux/CN=skillsearch.ca/emailAddress=webmaster@skillsearch.ca
---
No client certificate CA names sent
---
SSL handshake has read 1531 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8D7CE11BF5E60C54E5EC35EA49103FBBE8B43E8BB52043501C3704FB733DF361
Session-ID-ctx:
Master-Key: B741F0769A2877066C5FCBE7196D721DDE7DC17CE6AEB6B076A212973F1F825561BDB784EDEE7EA528269E8CB2291FB9
Key-Arg : None
Krb5 Principal: None
Start Time: 1260722460
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
. OK Capability completed.
This is how I connected with SSL/TLS through 143, and it is the same if I use openssl through 995 or 993.

##############################################

But when I connect to mail.skillsearch.ca via telnet on port 995 or 993 it just hangs with this error:
telnet mail.skillsearch.ca 995
Trying XXX.XXX.XXX.XXX...
Connected to mail.skillsearch.ca (XXX.XXX.XXX.XXX).
Escape character is '^]'.
And the error message from the log is:
dovecot: Dec 13 02:28:29 Warning: pop3-login: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [XXX.XXX.XXX.XXX]
And here is the output of dovecot -n:
# 1.0.7: /etc/dovecot.conf
log_path: /var/log/dovecot
info_log_path: /var/log/dovecot_info
listen: mail.skillsearch.ca
ssl_listen: mail.skillsearch.ca
ssl_cert_file: /etc/pki/dovecot/private/dovecot_ca.pem
ssl_cipher_list: ALL:!LOW:!SSLv2
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3): outlook-idle
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix


Any answer or idea will be welcome, and I would like to say thank you ahead to everybody.
 
Old 12-13-2009, 02:25 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
What's the error?? Looks fine to me. Running on port 993 / 995 will be pure SSL connections, so as soon as you telnet to them it'll expect to negotiate SSL, which you can't. To test it, why are you not still using s_client? Just remove the -starttls option and parameters and you should be away.
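To make the point above concrete, here is an added example (not code from the thread, from Dovecot or from OpenSSL) that does two things: it sorts Dovecot SSL_accept() warnings like the one quoted in the first post, so that "unknown protocol" on a pop3-login/imap-login listener is recognised as a plaintext client hitting an SSL-only port, and it performs the same handshake `openssl s_client` does with Python's standard `ssl` module, implicit TLS for 993/995 and STARTTLS/STLS for 143/110. The log lines and addresses in it are constructed; the `probe` function, its `starttls` parameter and the hint tables are this example's own names.

```python
"""Added example (not from the thread, Dovecot or OpenSSL): sort Dovecot
SSL_accept() warnings, and probe a mailbox server the way `openssl s_client`
does: implicit TLS on 993/995 versus STARTTLS on 143/110."""
import re
import socket
import ssl
from collections import Counter

# Constructed sample log lines in the dovecot 1.x format shown in the thread;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
dovecot: Dec 13 02:28:29 Warning: pop3-login: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [203.0.113.7]
dovecot: Dec 13 02:29:01 Warning: imap-login: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [203.0.113.7]
dovecot: Dec 13 02:30:12 Info: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS
dovecot: Dec 13 02:31:40 Warning: imap-login: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown [198.51.100.9]
"""

SSL_FAIL = re.compile(
    r"(?P<service>imap|pop3)-login: SSL_accept\(\) failed: "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+?) "
    r"\[(?P<ip>[^\]]+)\]$"
)

# What each OpenSSL reason string means when it comes from a Dovecot listener.
REASON_HINTS = {
    "unknown protocol": "client spoke plaintext (telnet, or a MUA set to STARTTLS) to an SSL-only port",
    "sslv3 alert certificate unknown": "client rejected the server certificate (self-signed or CN mismatch)",
}

def classify_ssl_failures(log_text):
    """One dict per SSL_accept() failure: service, OpenSSL code/function/reason, client IP, hint."""
    events = []
    for line in log_text.splitlines():
        m = SSL_FAIL.search(line)
        if m:
            ev = m.groupdict()
            ev["hint"] = REASON_HINTS.get(ev["reason"], "unclassified OpenSSL error")
            events.append(ev)
    return events

def plaintext_on_ssl_port_by_ip(log_text):
    """Count 'unknown protocol' failures per client: a burst from one address is
    usually a misconfigured mail client retrying, and worth a look either way."""
    return Counter(ev["ip"] for ev in classify_ssl_failures(log_text)
                   if ev["reason"] == "unknown protocol")

def _readline(sock):
    """Read one CRLF-terminated protocol line (works on plain and TLS sockets)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def probe(host, port, starttls=None, timeout=10):
    """Open a TLS session the way `openssl s_client` would and return what was negotiated.

    starttls=None    implicit TLS: handshake first, then read the greeting (993/995)
    starttls="imap"  read greeting, send STARTTLS, then handshake (143)
    starttls="pop3"  read greeting, send STLS, then handshake (110)
    Verification is off because the server in the thread is self-signed; the DER
    certificate is returned so the caller can pin or inspect it instead.
    """
    if starttls not in (None, "imap", "pop3"):
        raise ValueError("starttls must be None, 'imap' or 'pop3'")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    greeting = None
    if starttls is not None:
        greeting = _readline(raw)                        # server talks first, in plaintext
        raw.sendall(b"a STARTTLS\r\n" if starttls == "imap" else b"STLS\r\n")
        reply = _readline(raw)
        if not reply.startswith("a OK" if starttls == "imap" else "+OK"):
            raw.close()
            raise RuntimeError("server refused to upgrade: " + reply)
    tls = ctx.wrap_socket(raw, server_hostname=host)    # the handshake telnet cannot do
    if starttls is None:
        greeting = _readline(tls)                        # banner only arrives inside TLS
    result = {
        "greeting": greeting,
        "protocol": tls.version(),
        "cipher": tls.cipher()[0],
        "peer_cert_der": tls.getpeercert(binary_form=True),
    }
    tls.close()
    return result
```

`probe("mail.example.com", 993)` is the equivalent of the s_client command without `-starttls`; `probe("mail.example.com", 143, starttls="imap")` mirrors the `-starttls imap` command from the first post. One caveat for a server as old as the one in the thread (TLSv1 only): `ssl.create_default_context()` on current Python refuses anything below TLS 1.2, so the handshake would fail unless `ctx.minimum_version` is lowered for the test, which is itself a finding worth recording.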
 
Old 12-14-2009, 06:17 AM   #3
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
Thank you for the quick response; yes, I tested with KMail and it looks fine: 995 and 993, and 143 and 110 with TLS.
 
Old 12-14-2009, 05:38 PM   #4
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
Postfix error time out !!!!!

warning: 64.20.227.133: address not listed for hostname recover.mxtoolbox.com
Dec 14 17:10:06 mail postfix/smtpd[29071]: connect from unknown[64.20.227.133]
Dec 14 17:10:17 mail postfix/smtpd[29071]: lost connection after CONNECT from unknown[64.20.227.133]

And here is the postfix -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 192.168.20.4, 127.0.0.1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, skillsearch.ca
mydomain = skillsearch.ca
myhostname = mail.skillsearch.ca
mynetworks = 192.168.20.0/24, 208.124.197.0/29 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 208.124.197.3
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/postfix/private/CA_Mail.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/postfix/private/postfix_ca.pem
smtpd_tls_key_file = /etc/pki/postfix/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Any help WELCOME !!!!
 
Old 12-14-2009, 05:43 PM   #5
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
Postfix error time out !!!!!

Quote:
Originally Posted by volga629
warning: 64.20.227.133: address not listed for hostname recover.mxtoolbox.com
Dec 14 17:10:06 mail postfix/smtpd[29071]: connect from unknown[64.20.227.133]
Dec 14 17:10:17 mail postfix/smtpd[29071]: lost connection after CONNECT from unknown[64.20.227.133]

And here is the postfix -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 192.168.20.4, 127.0.0.1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, skillsearch.ca
mydomain = skillsearch.ca
myhostname = mail.skillsearch.ca
mynetworks = 192.168.20.0/24, 208.124.197.0/29 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 208.124.197.3
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/postfix/private/CA_Mail.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/postfix/private/postfix_ca.pem
smtpd_tls_key_file = /etc/pki/postfix/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Any help WELCOME !!!!
I believe it is just a small misconfiguration.
 
Old 12-15-2009, 02:06 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
What's the error?? Things are allowed to lose connection, it happens...
 
Old 12-15-2009, 07:04 AM   #7
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
Here is the problem: I checked all the configuration twice and couldn't find any problems. In my mind it could only be a timing option or a limit on the number of connections, but I cannot find any configuration related to that.
 
Old 12-15-2009, 07:08 AM   #8
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
The server is not receiving any connection when I check from outside; it just times out. It says connected to the host, yes, then hangs for a few minutes when I send a request and times out, and as I said before this is the error from maillog:
warning: 64.20.227.133: address not listed for hostname recover.mxtoolbox.com
Dec 14 17:10:06 mail postfix/smtpd[29071]: connect from unknown[64.20.227.133]
Dec 14 17:10:17 mail postfix/smtpd[29071]: lost connection after CONNECT from unknown[64.20.227.133]
Thank you.
 
Old 12-15-2009, 08:26 PM   #9
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
OK, I researched and found a last page on the internet: the main problem with all this mess is DNS. For some reason Postfix doesn't know how to respond right to the names; an unknown name means it can't get the query for names from DNS. I read about a suggestion to copy hosts or resolv.conf into /var/spool/postfix/etc, but in my installation I don't have this folder.
I need assistance with this problem, please, and thank you.
 
Old 12-16-2009, 09:30 PM   #10
volga629
Member
 
Registered: Dec 2009
Posts: 67

Original Poster
Rep: Reputation: 21
Here is my log output:
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostname: unknown ~? 208.124.197.0/29
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 208.124.197.0/29
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostname: unknown ~? 192.168.20.0/24
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 192.168.20.0/24
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostname: unknown ~? 192.168.10.64/26
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 192.168.10.64/26
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostname: unknown ~? 127.0.0.0/8
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 127.0.0.0/8
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_list_match: unknown: no match
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_list_match: 67.222.132.194: no match
Dec 16 21:25:20 mail postfix/smtpd[16207]: send attr request = disconnect
Dec 16 21:25:20 mail postfix/smtpd[16207]: send attr ident = smtp:67.222.132.194
Dec 16 21:25:20 mail postfix/smtpd[16207]: private/anvil: wanted attribute: status
Dec 16 21:25:20 mail postfix/smtpd[16207]: input attribute name: status
Dec 16 21:25:20 mail postfix/smtpd[16207]: input attribute value: 0
Dec 16 21:25:20 mail postfix/smtpd[16207]: private/anvil: wanted attribute: (list terminator)
Dec 16 21:25:20 mail postfix/smtpd[16207]: input attribute name: (end)
Dec 16 21:25:20 mail postfix/smtpd[16207]: lost connection after CONNECT from unknown[67.222.132.194]
Dec 16 21:25:20 mail postfix/smtpd[16207]: disconnect from unknown[67.222.132.194]
Dec 16 21:25:20 mail postfix/smtpd[16207]: master_notify: status 1
Dec 16 21:25:20 mail postfix/smtpd[16207]: connection closed
Something causes the send disconnect attribute?
Maybe some ideas what it is?
I started checking SASL and Dovecot, but they look fine.
Thank you

Last edited by volga629; 12-16-2009 at 09:31 PM.
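For reading a debug trail like the one in the last post, here is an added example (not code from the thread or from Postfix). It parses the `match_hostaddr` / `match_list_match` lines, reproduces the mynetworks decision with the `mynetworks` value posted earlier in this thread using the standard `ipaddress` module, records the `send attr request = disconnect` lines as what they are (smtpd reporting the disconnect to the anvil connection counter, not the cause of the drop), and names the SMTP stage at which the client went away, where "after CONNECT" means no command was ever received. The log excerpt is constructed from the format shown above; `summarize_session`, `in_mynetworks` and the hint table are this example's own names.

```python
"""Added example (not from the thread or Postfix): condense one smtpd
debug_peer_level trail, reproduce the mynetworks check, and name the stage
at which the client disconnected."""
import ipaddress
import re

# Constructed sample in the format quoted in the thread (trimmed to the relevant lines).
SAMPLE_LOG = """\
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostname: unknown ~? 208.124.197.0/29
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 208.124.197.0/29
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 192.168.20.0/24
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_hostaddr: 67.222.132.194 ~? 127.0.0.0/8
Dec 16 21:25:20 mail postfix/smtpd[16207]: match_list_match: 67.222.132.194: no match
Dec 16 21:25:20 mail postfix/smtpd[16207]: send attr request = disconnect
Dec 16 21:25:20 mail postfix/smtpd[16207]: send attr ident = smtp:67.222.132.194
Dec 16 21:25:20 mail postfix/smtpd[16207]: lost connection after CONNECT from unknown[67.222.132.194]
Dec 16 21:25:20 mail postfix/smtpd[16207]: disconnect from unknown[67.222.132.194]
"""

# mynetworks exactly as posted in this thread; Postfix accepts commas and/or whitespace.
MYNETWORKS = "192.168.20.0/24, 208.124.197.0/29 127.0.0.0/8"

MATCH_ADDR = re.compile(r"match_hostaddr: (?P<ip>\S+) ~\? (?P<net>\S+)")
LOST = re.compile(r"lost connection after (?P<stage>\S+) from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
ANVIL = re.compile(r"send attr request = (?P<req>\w+)")

# What the last SMTP stage means when the connection is lost there.
STAGE_HINTS = {
    "CONNECT": "client hung up before sending any SMTP command (a scanner, an MX checker, or a client that timed out)",
    "EHLO": "client left after the greeting exchange, before MAIL FROM",
    "STARTTLS": "TLS handshake did not complete; check certificate and protocol versions",
}

def parse_mynetworks(value):
    """Split a main.cf mynetworks value into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in re.split(r"[,\s]+", value.strip()) if tok]

def in_mynetworks(client_ip, mynetworks_value=MYNETWORKS):
    """The same decision Postfix logs as match_list_match: is the client a trusted network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_mynetworks(mynetworks_value))

def summarize_session(log_text, mynetworks_value=MYNETWORKS):
    """Condense one smtpd session's debug trail into what a defender wants to know."""
    info = {"client": None, "nets_tested": [], "stage": None, "anvil_requests": []}
    for line in log_text.splitlines():
        if m := MATCH_ADDR.search(line):
            info["client"] = m["ip"]
            info["nets_tested"].append(m["net"])
        elif m := ANVIL.search(line):
            info["anvil_requests"].append(m["req"])    # anvil bookkeeping, not the cause of the drop
        elif m := LOST.search(line):
            info["client"] = m["ip"]
            info["stage"] = m["stage"]
            info["reverse_dns"] = m["name"]            # "unknown" = no usable PTR name
    if info["client"]:
        info["in_mynetworks"] = in_mynetworks(info["client"], mynetworks_value)
    info["hint"] = STAGE_HINTS.get(info["stage"], "see the last command before the drop")
    return info
```

On the sample, `summarize_session(SAMPLE_LOG)` reports the client as outside every listed network, which agrees with the "no match" line Postfix itself logged, and places the drop at CONNECT: nothing was rejected by the restrictions, because the client never got as far as a command.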
 