[SOLVED] Mail server problems


#1

Hello there! I’m setting up my new web ecosystem with EasyEngine and, as far as the WordPress+nginx installation goes, all is good. The problem comes with the mail server setup. I’ve followed every rule from the tutorials section (I’ve needed a couple of workarounds though) but I’ve been hitting the same wall over and over again during the last couple of days. I’ve managed to set up ViMbAdmin properly, and I’ve created some mailboxes for various domains. The email accounts send and receive emails perfectly from Roundcube, except for Gmail accounts. When I send some tests to Gmail, I realize my mail@example.com works fine sending to Gmail, but it does not receive from Gmail.

The issue seems to be SSL/TLS related, but I can’t figure out how to fix this problem.

The mail.log shows this warning/error:

vps postfix/smtpd[9592]: warning: cannot get RSA private key from file "/etc/postfix/postfix.pem": disabling TLS support
vps postfix/smtpd[9592]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key valu mismatch:x509_cmp.c:340:
vps postfix/smtpd[9592]: connect from mail-vk0-f42.google.com[209.85.213.42]
vps postfix/smtpd[9592]: lost connection after STARTTLS from mail-vk0-f42.google.com[209.85.213.42]

I’ve researched (a lot!) and I’ve checked my private key:

openssl rsa -in /etc/postfix/postfix.pem -check -noout

And I’ve got "RSA key ok".

Also I’ve checked the certificate:

openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

And I’ve got that ok message too.

But the Gmail issue continues even when it seems everything’s ok.

The second issue I’ve found is checking the IMAP test. When I’ve tried

openssl s_client -crlf -connect mydomain.com:993

I’ve always got:

connect: Connection refused
connect:errno=111

My firewall is set to allow in at that port:

993 ALLOW IN Anywhere

So I really don’t know why the IMAP test doesn’t work. As far as I can guess, the two issues are SSL related, so I’m getting frustrated because I’ve googled deeply and I didn’t find the solution to fix those problems.

I really hope you can help me, please!!! Regards, D.


#2

I have the full EE mail stack running for a few years now; can you share postconf -n and doveconf -n? I am no expert but feel your pain, perhaps I can help. rtCamp uses Google Apps for their email so the docs fall off pretty quick when it comes to setting up the mail stack.

Perhaps directory permission on /etc/ssl?

One thing that helped me with Dovecot was I created my own file in /etc/dovecot/conf.d/, named it 98-whatever, and used that file for all my changes to keep them in one place. I am happy to share my configs.


#3

Hello wcat! Thanks for your response.

I’ve been trying some workarounds and I’ve managed to solve both issues.

The IMAP test didn’t work on port 993 because the Dovecot SSL config in /etc/dovecot/conf.d/10-ssl.conf was not set up. Dovecot was not listening on port 993 without the proper setting in that config file:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

Save, reload the Dovecot service, and port 993 is officially open.

The STARTTLS issue was really hard, but the solution was going back to the beginning: I’ve made a brand new self-signed SSL certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/newmail.key -out /etc/nginx/ssl/newmail.crt

Then get that certificate to work in /etc/postfix/main.cf and /etc/dovecot/conf.d/10-ssl.conf

And reload/restart both services:

service postfix reload
service postfix restart
service dovecot reload
service dovecot restart

Problems solved! The funny thing is I’ve followed the mail server setup tutorial step by step and I didn’t modify that initial (and presumably working) certificate at all, but I suppose that something went wrong somehow along the way.

I hope this experience helps anyone who finds himself in this desperately-wanting-to-die situation.

Regards! D.
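As an added example (not code from the thread or from EasyEngine), here is the one check that post #1's separate `openssl rsa -check` and `openssl x509` runs never perform: whether the key and the certificate belong to each other. That is exactly what Postfix's "X509_check_private_key ... key values mismatch" warning reports before it disables TLS and Gmail's STARTTLS session drops. The same script carries post #3's fix through as functions: generate the new self-signed pair with the thread's openssl command, then write the Dovecot 10-ssl.conf and Postfix main.cf directives, but only after the pair passes the match check. It assumes only the openssl CLI; the file names newmail.key/newmail.crt are post #3's, while the host name mail.example.com and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs only the openssl CLI.
# File names follow post #3; host name and output directory are placeholders.

# Public key of a certificate / of a private key, both as SubjectPublicKeyInfo
# PEM, so a matching pair compares equal byte for byte (RSA and EC alike).
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# cert_key_match CRT KEY
# 0 = KEY is the private key for CRT; 1 = mismatch (the condition behind
# Postfix's "key values mismatch" warning); 2 = a file would not parse.
cert_key_match() {
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# new_selfsigned DIR HOSTNAME
# The openssl req invocation from post #3, writing DIR/newmail.key and
# DIR/newmail.crt with HOSTNAME as the subject CN.
new_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/newmail.key" -out "$1/newmail.crt" >/dev/null 2>&1
}

# write_tls_config CRT KEY DOVECOT_OUT POSTFIX_OUT
# Writes the 10-ssl.conf directives (DOVECOT_OUT) and the main.cf directives
# (POSTFIX_OUT) that point both daemons at the pair, but only after the pair
# passed cert_key_match, so a mismatched pair never reaches a running server.
write_tls_config() {
    cert_key_match "$1" "$2" || return 1
    printf 'ssl = required\nssl_cert = <%s\nssl_key = <%s\n' "$1" "$2" > "$3"
    printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\nsmtpd_tls_security_level = may\n' \
        "$1" "$2" > "$4"
}

# "sh tls-pair.sh demo" exercises the checks on throwaway files in a temp dir.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    new_selfsigned "$d" mail.example.com
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1   # an unrelated key
    cert_key_match "$d/newmail.crt" "$d/newmail.key" && echo "newmail.key matches newmail.crt"
    cert_key_match "$d/newmail.crt" "$d/other.key" || echo "other.key does NOT match newmail.crt"
    write_tls_config "$d/newmail.crt" "$d/other.key" "$d/10-ssl.conf" "$d/main.cf" \
        || echo "refused to write config for a mismatched pair"
    rm -rf "$d"
fi
```

Against the files from post #1 the diagnosis is `cert_key_match /etc/ssl/certs/postfix.pem /etc/postfix/postfix.pem`; a return code of 1 reproduces what Postfix logged. The public keys are compared rather than the RSA modulus so the same check also covers EC keys, and config is written only through the match check because a mismatched pair does not fail loudly at reload time, it fails per connection in mail.log, as the thread shows.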


#4

Hey Deivri

Interested in quota? Here is the 98-wcat.conf I created:

#mail_privileged_group = vmail

mail_plugins = quota

## ssl ##
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_dh_parameters_length = 4096
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DE$
ssl_prefer_server_ciphers = yes


## quotas ##
plugin {
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_rule3 = Sent:storage=+100M
}

plugin {
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
}

service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  # use some unprivileged user for executing the quota warnings
  user = vmail
  unix_listener quota-warning {
    mode = 0666
  }
}

#service quota-warning {
#  executable = script /usr/local/bin/quota-warning.sh
#  user = vmail
#  unix_listener quota-warning {
#    user = vmail
#    mode = 0666
#  }
#}

plugin {
  quota = maildir:User quota
}

protocol lda {
  mail_plugins = quota
}

protocol imap {
  mail_plugins = quota imap_quota
}

protocol lmtp {
    mail_plugins = quota
}

protocol pop3 {
  mail_plugins = quota
}

plugin {
    quota_grace = 10%%
    # 10% is the default
    quota_status_success = DUNNO
    quota_status_nouser = DUNNO
    quota_status_overquota = "552 5.2.2 Mailbox is full"
}

service quota-status {
    executable = quota-status -p postfix
    inet_listener {
        port = 12340
        # You can choose any port you want
    }
    client_limit = 1
}

and the cron job found on the ViMbAdmin site:

10 3 * * * /var/www/22222/htdocs/vimbadmin/bin/vimbtool.php -a mailbox.cli-get-sizes
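The config above calls /usr/local/bin/quota-warning.sh with "95 %u" and "80 %u", but the script itself is not in the thread. As an added example (not wcat's script and not Dovecot's or ViMbAdmin's code), this is the shape such a script needs: Dovecot runs it as quota-warning.sh <percent> <user>, it builds a short notice and hands it to dovecot-lda for that user with quota enforcement switched off for that one delivery, since a mailbox already at 95% could otherwise reject its own warning. Assumed: dovecot-lda at /usr/lib/dovecot/dovecot-lda (the Debian/Ubuntu path) and postmaster@example.com as sender; both can be overridden through the environment. The quota name "User quota" is the one from the config above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot/ViMbAdmin: a
# quota-warning.sh of the shape the "service quota-warning" block calls,
# i.e.  quota-warning.sh <percent> <user>  (the "95 %u" / "80 %u" arguments).
# Assumptions: dovecot-lda at /usr/lib/dovecot/dovecot-lda (Debian/Ubuntu path)
# and postmaster@example.com as sender; override both through the environment.

LDA=${LDA:-/usr/lib/dovecot/dovecot-lda}
FROM=${FROM:-postmaster@example.com}

# validate_args PERCENT USER
# Dovecot supplies both values, but stay strict: digits only for the
# percentage, and a user name that cannot be read as an option by dovecot-lda.
validate_args() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|-*) return 1 ;; esac
    return 0
}

# build_warning PERCENT USER: the message handed to dovecot-lda on stdin.
build_warning() {
    printf 'From: %s\nTo: %s\nSubject: Your mailbox is %s%% full\n\nYour mailbox is now %s%% full. Please delete old messages before delivery stops.\n' \
        "$FROM" "$2" "$1" "$1"
}

# deliver_warning PERCENT USER
# Delivers through dovecot-lda with the "User quota" from the config set to
# noenforcing for this one message, so the warning itself is never bounced.
deliver_warning() {
    validate_args "$1" "$2" || return 2
    build_warning "$1" "$2" | "$LDA" -d "$2" -o "plugin/quota=maildir:User quota:noenforcing"
}

# Entry point when Dovecot runs the script; does nothing when only sourced.
case $# in
    2) deliver_warning "$1" "$2" ;;
esac
```

Install it as /usr/local/bin/quota-warning.sh, executable by the vmail user named in the service block; the service's unix_listener is what lets the quota plugin reach it.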

#5

Also, this script will regenerate the Dovecot dhparam once a month.

#!/bin/bash
# Regenerates our Diffie-Hellman parameters periodically.
# Author: James F. Carter; 2015-07-14
# Uses bash-isms (arithmetic expressions).

# How old is the DH parm file?  Specify the max age in integer days.
maxage=30
dhfile=/etc/postfix/dh4096.pem
if [ -r "$dhfile" ] ; then
    mtime=$(stat -c %Y "$dhfile")
    now=$(date +%s)
    # Still younger than maxage days: nothing to do.
    if [ $((now-mtime)) -lt $((86400*maxage)) ] ; then exit 0 ; fi
fi
echo "=== Regenerating the Diffie-Hellman group file (crypto)"
mkdir -p /tmp/system
# Generate into a temporary file and only replace the live one on success.
openssl dhparam -out "$dhfile.new" 4096 2> /tmp/system/diffie.errs && \
    mv "$dhfile.new" "$dhfile"
# Also refresh the SSH moduli: generate candidates, then sieve them.
sshfile=/etc/ssh/moduli
ssh-keygen -G "$sshfile.can" -b 2048 && \
    ssh-keygen -T "$sshfile.new" -f "$sshfile.can" && \
    mv "$sshfile.new" "$sshfile" && \
    rm "$sshfile.can"

30 2 * * * /root/regenerate-DH.sh
