TLDR: if you have connection problems, not only make sure you have added the required rules to your firewall, but also make sure (with iptables -L -v) that the rules are in the correct order!
It's been a few days now, and I can't figure out why my IMAP setup (on port 993) refuses to work (with Dovecot, version 2.2.22). The connection does not succeed, for some reason I don't see.
Troubleshooting the connection with openssl: Connecting on port 993 does not work:
$ openssl s_client -connect my-domain.com:993
returns:
connect: Connection timed out
connect:errno=110
But the port used (993) seems open:
$ ufw status
returns:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
25/tcp ALLOW Anywhere
587/tcp ALLOW Anywhere
993/tcp ALLOW Anywhere
143/tcp ALLOW Anywhere
465/tcp ALLOW Anywhere
110/tcp ALLOW Anywhere
995/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
25/tcp (v6) ALLOW Anywhere (v6)
587/tcp (v6) ALLOW Anywhere (v6)
993/tcp (v6) ALLOW Anywhere (v6)
143/tcp (v6) ALLOW Anywhere (v6)
465/tcp (v6) ALLOW Anywhere (v6)
110/tcp (v6) ALLOW Anywhere (v6)
995/tcp (v6) ALLOW Anywhere (v6)
My dovecot config is:
$ dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-38-generic x86_64 Ubuntu 16.04.1 LTS ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/www.my-domain.com.chained.crt
ssl_key = </etc/ssl/localcerts/www.my-domain.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
EDIT 1:
Key and certificate do match:
$ (openssl x509 -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.crt | openssl md5 ;\
openssl rsa -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.key | openssl md5) | uniq
returns only 1 identifier:
(stdin)= cfcbed2e4061910c47c5008d8732e522
EDIT 2:
Enabling maximum logging for Dovecot, with:
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
verbose_ssl=yes
auth_verbose_passwords=sha1
returns:
$ tail -f /var/log/mail.log
dovecot: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3, lmtp (core dumps disabled)
[...]
dovecot: lmtp(5491): Connect from local
dovecot: lmtp(info@my-domain.com): +rg7LUpw6ldzFQAAxWOCog: msgid=<57ea704a99e89_b638aedb491d2@chbh.mail>: saved mail to INBOX
dovecot: lmtp(5491): Disconnect from local: Successful quit
EDIT 3:
Connecting via SSL to the webserver (Nginx) which uses the same certificate and key on port 443 works totally fine:
$ openssl s_client -connect my-domain.com:443
EDIT 4:
I used the same version of Dovecot, the same Dovecot configuration and the same certificate+key on the old server, where the IMAP connection with Dovecot worked totally fine.
EDIT 5:
Trying to establish the connection on the IMAP port 993 (via openssl s_client) with the parameter -dtls1 seems to do something:
$ openssl s_client -connect my-domain.com:993 -dtls1 -debug
returns (very slowly) something like this:
CONNECTED(00000003)
write to 0x1425de0 [0x142f970] (202 bytes => 202 (0xCA))
read from 0x1425de0 [0x142b413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write to 0x1425de0 [0x1434ed0] (202 bytes => 202 (0xCA))
read from 0x1e8dde0 [0x1e93413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
139876009338520:error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired:d1_lib.c:495:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 2424 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : DTLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1474892601
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
…and then the connection is closed.
However, using the parameters -tls1 (TLSv1), -tls1_1 (TLSv1.1) or -tls1_2 (TLSv1.2) returns the time-out message:
connect: Connection timed out
connect:errno=110
EDIT 6:
If I enable the secure POP port 995 in Dovecot, restart it, open this port in the firewall, and then try:
$ openssl s_client -connect my-domain.com:995
…I also get the time-out error:
connect: Connection timed out
connect:errno=110
This apparently indicates that the source of the problem applies to both IMAP and POP.
EDIT 7:
The right processes seem to listen on the right ports:
$ netstat -tulpn
returns:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2597/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2827/nginx
tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 2327/opendkim
tcp 0 0 127.0.0.1:2812 0.0.0.0:* LISTEN 1918/monit
tcp 0 0 127.0.0.1:34305 0.0.0.0:* LISTEN 2915/public
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 2306/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 2306/dovecot
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2269/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2597/master
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2306/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2306/dovecot
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2827/nginx
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2597/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2249/sshd
tcp6 0 0 :::25 :::* LISTEN 2597/master
tcp6 0 0 :::993 :::* LISTEN 2306/dovecot
tcp6 0 0 :::995 :::* LISTEN 2306/dovecot
tcp6 0 0 :::587 :::* LISTEN 2597/master
tcp6 0 0 :::110 :::* LISTEN 2306/dovecot
tcp6 0 0 :::143 :::* LISTEN 2306/dovecot
tcp6 0 0 :::465 :::* LISTEN 2597/master
EDIT 8:
Telnet works only on ports 80 and 443 (used by Nginx), all other ports don't seem to respond (time-out).
EDIT 9:
I just did a port scan using nmap 12.34.56.78 and it showed only:
22/tcp open ssh
80/tcp open http
443/tcp open https
If you look at the result from ufw status posted above, you can see that I allowed a whole list of ports that are not "found" by nmap. What is the reason for that, and what is the solution? (I know it's not my network or provider – I can connect to my old/"identical" server and the nmap scan shows the required IMAPs port as "open".)
EDIT 10:
$ iptables -L -v
returns:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
387K 57M f2b-HTTPS tcp -- any any anywhere anywhere tcp dpt:https
118K 7235K f2b-SSH tcp -- any any anywhere anywhere tcp dpt:ssh
387K 57M f2b-HTTPS tcp -- any any anywhere anywhere tcp dpt:https
488K 64M f2b-nginx-http-auth tcp -- any any anywhere anywhere multiport dports http,https
118K 7228K f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
118K 7226K f2b-SSH tcp -- any any anywhere anywhere tcp dpt:ssh
387K 57M f2b-HTTPS tcp -- any any anywhere anywhere tcp dpt:https
387K 57M f2b-HTTPS tcp -- any any anywhere anywhere tcp dpt:https
488K 64M f2b-nginx-http-auth tcp -- any any anywhere anywhere multiport dports http,https
118K 7226K f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
1381K 214M ACCEPT all -- lo any anywhere anywhere
222K 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
398 23248 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
7903 443K ACCEPT tcp -- any any anywhere anywhere multiport dports http,https
7460 441K DROP all -- any any anywhere anywhere
0 0 ufw-before-logging-input all -- any any anywhere anywhere
0 0 ufw-before-input all -- any any anywhere anywhere
0 0 ufw-after-input all -- any any anywhere anywhere
0 0 ufw-after-logging-input all -- any any anywhere anywhere
0 0 ufw-reject-input all -- any any anywhere anywhere
0 0 ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- any any anywhere anywhere
0 0 ufw-before-forward all -- any any anywhere anywhere
0 0 ufw-after-forward all -- any any anywhere anywhere
0 0 ufw-after-logging-forward all -- any any anywhere anywhere
0 0 ufw-reject-forward all -- any any anywhere anywhere
0 0 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 53 packets, 3160 bytes)
pkts bytes target prot opt in out source destination
1575K 531M ufw-before-logging-output all -- any any anywhere anywhere
1575K 531M ufw-before-output all -- any any anywhere anywhere
537 97799 ufw-after-output all -- any any anywhere anywhere
537 97799 ufw-after-logging-output all -- any any anywhere anywhere
537 97799 ufw-reject-output all -- any any anywhere anywhere
537 97799 ufw-track-output all -- any any anywhere anywhere
Chain f2b-HTTPS (4 references)
pkts bytes target prot opt in out source destination
1547K 228M RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain f2b-SSH (2 references)
pkts bytes target prot opt in out source destination
235K 14M RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain f2b-nginx-http-auth (2 references)
pkts bytes target prot opt in out source destination
975K 128M RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain f2b-sshd (2 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 62-210-106-228.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
235K 14M RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ufw-user-forward all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
0 0 ufw-not-local all -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- any any anywhere anywhere
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
1381K 214M ACCEPT all -- any lo anywhere anywhere
194K 317M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
537 97799 ufw-user-output all -- any any anywhere anywhere
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
112 10791 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
300 22604 ACCEPT udp -- any any anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imaps
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Best Answer
You have a DROP rule before the ufw rules which denies imaps connections. And this is not the only rule which can create problems. You should check how they got there; maybe you used -I instead of -A in before.rules or after.rules. All the above rules are inserted before the ufw rules and can cause problems. For example, if you configure ufw to deny http or https, these rules will allow these ports anyway.
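The ordering problem described in this answer and in the question's TLDR can be checked mechanically. The following is an added example (not ufw's, fail2ban's or the poster's code): it parses the text of iptables -L -v, walks the INPUT chain the way netfilter does for a new TCP connection, and lists the ports that ufw accepts in ufw-user-input but that an earlier rule in INPUT decides first; the small service-name table and the trimmed sample output are constructed assumptions.

```python
# Added example for this thread (not ufw, fail2ban or the poster's code): parse the
# text of `iptables -L -v` and walk INPUT the way netfilter does for a new TCP SYN.
import re
SERVICES = {"ssh": 22, "http": 80, "https": 443, "imaps": 993}  # assumed subset
port = lambda n: SERVICES.get(n, int(n) if n.isdigit() else None)

def parse(text):
    """{chain: {"policy": str|None, "rules": [...]}} from `iptables -L -v` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m, tok = re.match(r"\s*Chain (\S+) \((?:policy (\S+))?", line), line.split()
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cur is not None and len(tok) >= 9 and tok[0] != "pkts":
            # columns: pkts bytes target prot opt in out source destination [matches]
            r = {"target": tok[2], "prot": tok[3], "in": tok[5], "src": tok[7],
                 "ports": None, "ctstate": None}
            for i, t in enumerate(tok[9:], 9):
                if t.startswith("dpt:"):
                    r["ports"] = {port(t[4:])}
                elif t == "dports":
                    r["ports"] = {port(p) for p in tok[i + 1].split(",")}
                elif t == "ctstate":
                    r["ctstate"] = set(tok[i + 1].split(","))
            cur["rules"].append(r)
    return chains

def matches(r, dport):
    """Would this rule match a NEW TCP connection from a remote host to dport?"""
    return (r["prot"] in ("all", "tcp") and r["in"] != "lo" and r["src"] == "anywhere"
            and (r["ctstate"] is None or "NEW" in r["ctstate"])
            and (r["ports"] is None or dport in r["ports"]))

def verdict(chains, name, dport):
    """Netfilter walk: the first terminating match wins; None means RETURN."""
    for r in (r for r in chains[name]["rules"] if matches(r, dport)):
        t = r["target"]
        if t in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if t == "RETURN" else t
        if t in chains and (hit := verdict(chains, t, dport)) is not None:
            return hit  # a jumped-to user chain decided the packet
    return chains[name]["policy"]  # user chains have no policy -> None

def blocked_despite_ufw(chains):
    """Ports accepted in ufw-user-input whose INPUT verdict is not ACCEPT."""
    allowed = {p for r in chains.get("ufw-user-input", {"rules": []})["rules"]
               if r["target"] == "ACCEPT" and r["ports"] for p in r["ports"]}
    return sorted(p for p in allowed if p and verdict(chains, "INPUT", p) != "ACCEPT")

# Constructed sample: the question's INPUT chain, trimmed to the rules that matter.
SAMPLE = """Chain INPUT (policy DROP 0 packets, 0 bytes)
 118K 7235K f2b-SSH    tcp  --  any any anywhere anywhere  tcp dpt:ssh
  398 23248 ACCEPT     tcp  --  any any anywhere anywhere  tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any any anywhere anywhere  multiport dports http,https
 7460  441K DROP       all  --  any any anywhere anywhere
    0     0 ufw-user-input  all  --  any any anywhere anywhere
Chain f2b-SSH (2 references)
 235K   14M RETURN     all  --  any any anywhere anywhere
Chain ufw-user-input (1 references)
    0     0 ACCEPT     tcp  --  any any anywhere anywhere  tcp dpt:imaps"""
```

Against the sample, blocked_despite_ufw(parse(SAMPLE)) reports 993 because the DROP-all rule sits ahead of the ufw jump; on real output, match extensions it does not model (ADDRTYPE, limit, owner) are ignored and would need adding.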