Failed to start Dovecot after add ssl certificate

Discussion in 'Installation/Configuration' started by Frédéric URBANIAK, May 9, 2022.

  1. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    Hello,
    Sorry for my bad English, I'm French ;)

    I followed the tutorial https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
    I'm blocked just after step 2 "Replacing the certificate with the Let's Encrypt certificate".
    When I want to restart dovecot I get an error:

    [email protected]:/etc/postfix# systemctl restart dovecot
    Job for dovecot.service failed because the control process exited with error code.
    See "systemctl status dovecot.service" and "journalctl -xe" for details.


    [email protected]:/etc/postfix# systemctl status dovecot
    * dovecot.service - Dovecot IMAP/POP3 email server
    Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Mon 2022-05-09 08:14:27 UTC; 2min 54s ago
    Docs: man:dovecot(1)
    http://wiki2.dovecot.org/
    Process: 20045 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
    Process: 20216 ExecStart=/usr/sbin/dovecot (code=exited, status=89)
    Main PID: 237 (code=exited, status=0/SUCCESS)

    May 09 08:14:27 ip107 systemd[1]: Starting Dovecot IMAP/POP3 email server...
    May 09 08:14:27 ip107 dovecot[20216]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 7: ssl_cert: Can't open file /etc/postfix/smtpd.cert: No such file or directory
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Control process exited, code=exited status=89
    May 09 08:14:27 ip107 systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Unit entered failed state.
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Failed with result 'exit-code'.
    You have new mail in /var/mail/root


    But when I check in /etc/postfix, I do have smtpd.cert.

    Can you help me please?
     
  2. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    The files smtpd.cert and smtpd.key are empty...
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig creates its own le cert automatically at install time since ISPConfig 3.2, so it's not recommended to use this guide anymore on ISPConfig 3.2 onwards. In case the cert creation failed at install time due to an invalid hostname setup, then rerun the ispconfig update with --force option and let ISPConfig create a new LE cert.
     
  4. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    ln -s /root/.acme.sh/mail.example.com/fullchain.cer smtpd.cert
    ln -s /root/.acme.sh/mail.example.com/mail.example.com.key smtpd.key
    I don't have the /root/.acme.sh/ directory.
     
  5. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    When I checked with https://www.sslshopper.com/ssl-checker.html, it's OK after creating the new domain mail.myname.com.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have a directory /etc/letsencrypt/ ?
     
  7. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    When I created my website and mails, I created them on the same domain, mydomain.fr, but I haven't created mail.mydomain.fr.
    But I use a certificate which is not the right one. On my other domains, it's the same certificate that is set.
    I have problems with outlook.com and hotmail.com, which blocked me. Gmail puts my mails in spam.
    How do I use mails correctly? Must I create a new mail on mail.mydomain.com and replace it? Can I move the old mails to the new box?
     
  8. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    yes
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, then the guide is not compatible with your setup at all; you should have used the built-in way from the ISPConfig installer to generate the SSL cert. The guide is for recent setups that use acme.sh.

    To fix your setup, you must find the SSL cert and key in the /etc/letsencrypt/live/mail.example.com/ folder and link the SSL config to these files instead.
     
    Frédéric URBANIAK likes this.
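    The symptom in this thread (Dovecot says it can't open /etc/postfix/smtpd.cert although ls lists it, because the guide's symlinks point into a /root/.acme.sh/ directory that does not exist) is easy to catch before restarting. The following check is an added example, not code from the posts above or from ISPConfig: it tells a dangling symlink apart from an empty file, and, when openssl is installed, confirms the private key belongs to the certificate. It assumes the guide's paths /etc/postfix/smtpd.cert and smtpd.key as defaults; the /etc/letsencrypt/live/ files till mentions can be passed as arguments instead.

```shell
#!/bin/sh
# check_cert_link PATH
# Return 0 if PATH resolves to a non-empty PEM file; otherwise print why and
# return a distinct code: 2 = missing or dangling link, 3 = empty, 4 = not PEM.
check_cert_link() {
    p=$1
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        # a relative link target is resolved from the link's own directory
        case $target in /*) ;; *) target=$(dirname "$p")/$target ;; esac
        if [ ! -e "$target" ]; then
            echo "$p: dangling symlink -> $target (No such file or directory)"
            return 2
        fi
        echo "$p -> $target"
    elif [ ! -e "$p" ]; then
        echo "$p: No such file or directory"
        return 2
    fi
    if [ ! -s "$p" ]; then
        echo "$p: exists but is empty"
        return 3
    fi
    if ! head -n 1 "$p" | grep -q '^-----BEGIN'; then
        echo "$p: does not look like a PEM file"
        return 4
    fi
    echo "$p: ok"
}

# check_key_matches_cert CERT KEY
# Compare the public key in the certificate with the one derived from the
# private key (works for RSA and EC keys). Skipped when openssl is missing.
check_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check"; return 0; }
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo "$1: unreadable certificate"; return 5; }
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo "$2: unreadable private key"; return 5; }
    [ "$c" = "$k" ] || { echo "$2 does not belong to $1"; return 6; }
    echo "key matches certificate"
}

# check_mail_certs [CERT KEY]: defaults to the paths used in the guide.
check_mail_certs() {
    cert=${1:-/etc/postfix/smtpd.cert} key=${2:-/etc/postfix/smtpd.key}
    check_cert_link "$cert" && check_cert_link "$key" && check_key_matches_cert "$cert" "$key"
}

# Only runs the check when called with paths, e.g. "sh check.sh /etc/postfix/smtpd.cert /etc/postfix/smtpd.key".
if [ $# -gt 0 ]; then check_mail_certs "$@"; fi
```

    A non-zero exit names the broken file, so it is worth running before `systemctl restart dovecot`.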
  10. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    Sorry, but I'm not very good at this.
    My setup is like this:
    website : mydomain.fr
    email domain : mydomain.fr
    email : [email protected]
    DNS record : MX mydomain.fr mail.mydomain.fr 10 3600
    A mail xxx.xxx.xxx.xxx 0 3600

    This config is the same on my different domains.

    How do I configure mail with SSL and a good certificate for each box?

    If I understand, I must create a website mail.mydomain.fr with a Let's Encrypt SSL certificate, but after that I'm in the fog.
    I don't want to lose my mail data, just get an SSL certificate for my mailboxes.
    Should I recreate the mailboxes on the new domain mail.mydomain.fr and move the data?
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  12. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    Thanks for your reply, but I'm not sure I understand all of the directives.

    My setup:
    websites : exemple.fr, exemple2.fr, exemple3.fr
    email domain : exemple.fr, exemple2.fr, exemple3.fr
    email : [email protected]exemple.fr, [email protected]exemple.fr, [email protected]exemple2.fr, [email protected]exemple2.fr ...etc
    DNS record : MX exemple.fr mail.exemple.fr 10 3600; A mail xxx.xxx.xxx.xxx 0 3600

    MX exemple2.fr mail.exemple2.fr 10 3600; A mail xxx.xxx.xxx.xxx 0 3600
    MX exemple3.fr mail.exemple3.fr 10 3600; A mail xxx.xxx.xxx.xxx 0 3600


    For the moment, all mailboxes use the same SSL certificate, which is wrong; I have to force the certificate in the messaging software.
    Outlook and Hotmail block all mail addresses; Gmail accepts but pushes all mails into the spam folder.

    Can I keep my mailboxes, or must I create new mailboxes on a new domain?
    Must I remove the MX DNS record on exemple.fr and add an MX DNS record on mail.exemple.fr?
    Can I use mail.exemple.fr, mail.exemple2.fr and mail.exemple3.fr, or only one?
    Sorry for these questions, but it's confusing for me.
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    All MX records should point to server1.example.com, which would be the hostname of your mailserver. And you should have a valid SSL cert for that hostname.

    Your end users connect to server1.example.com, or imap.example.com and smtp.example.com, where example.com is your main domain (so not the customer domains).

    And you can add a valid SSL cert as explained in that guide.
     
    Frédéric URBANIAK likes this.
  14. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    Can I keep the current mailboxes?
    Must I change the MX record like this for customer domains?
    MX exemple2.fr mail.principaldomain.fr 10 3600 ?
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes.
     
  16. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    Can the customers continue to use mail.exemple2.fr in their messaging software, or must they change to mail.domainprincipal.fr?
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  18. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    The SSL certificate is good now with the MX DNS record and in my messaging software; I no longer get an error message for the certificate.
    But Gmail still sends my mails to spam :( and outlook.com still blocks what I send:
    <[email protected]>: host
    eur.olc.protection.outlook.com[104.47.18.225] said: 550 5.7.1
    Unfortunately, messages from [my.ip.ser.ver] weren't sent. Please contact
    your Internet service provider since part of their network is on our block
    list (S3150). You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors.
    [VI1EUR06FT052.eop-eur06.prod.protection.outlook.com] (in reply to MAIL
    FROM command)

    I sent a request a few days ago; here is their response:

    We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.

    Not qualified for mitigation
    54.37.126.107
    Our investigation has determined that the above IP(s) do not qualify for mitigation.

    Please ensure your emails comply with the Outlook.com policies, practices and guidelines found here: http://mail.live.com/mail/policies.aspx.

    To have Deliverability Support investigate further, please reply to this email with a detailed description of the problem you are having, including specific error messages, and an agent will contact you.

    Regardless of the deliverability status, Outlook.com recommends that all senders join two free programs that provide visibility into the Outlook.com traffic on your sending IP(s), the sending IP reputation with Outlook.com and the Outlook.com user complaint rates.

    Junk Email Reporting program (JMRP) When an Outlook.com user marks an email as "junk", senders enrolled in this program get a copy of the mail forwarded to the email address of their choice. It allows senders to see which mails are being marked as junk and to identify mail traffic you did not intend to send. To join, please visit

    https://sendersupport.olc.protection.outlook.com/snds/JMRP.aspx

    Smart Network Data Services program (SNDS). This program allows you to monitor the ‘health’ and reputation of your registered IPs by providing data about traffic such as mail volume and complaint rates seen originating from your IPs. To register, please visit http://postmaster.live.com/snds/.

    There is no silver bullet to maintaining or improving good IP reputation, but these programs help you proactively manage your email eco-system to help better ensure deliverability to Outlook.com users.

    Thank you,
    Outlook.com Deliverability Support
     
  19. Frédéric URBANIAK

    Frédéric URBANIAK New Member

    After contacting OVH, I must send a form to Microsoft to unblock the situation ;)
    But for Gmail, do you have a solution for mails that go directly to spam?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Regarding email from outlook and live.com, this is the normal response, I've never seen them admit that there is a problem in the first attempt of contacting them. Double-check that your setup is correct and then contact them again by answering the mail as the email suggests. But that's a completely different topic and not related to the SSL issue you opened the thread for. Using a central SSL cert is recommended and does not cause any deliverability problems, all larger mail systems do that.
     
    Frédéric URBANIAK likes this.
