FTP Not Working

Discussion in 'ISPConfig 3 Priority Support' started by OwnYourOwn, Jun 20, 2019.

  1. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Have setup server 3 times using Perfect Server Ubuntu 10.04 LEMP and everything works except FTP. SSL works.

    Researched: "TLS connection was non-properly terminated." and nothing suggested to fix it worked.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Require explicit FTP over TLS

    Status: Resolving address of mydomain.com
    Status: Connecting to 123.45.67.89:21...
    Status: Connection established, waiting for welcome message...
    Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response: 220-You are user number 1 of 50 allowed.
    Response: 220-Local time is now 07:41. Server port: 21.
    Response: 220-This is a private system - No anonymous login
    Response: 220 You will be disconnected after 15 minutes of inactivity.
    Command: AUTH TLS
    Response: 234 AUTH TLS OK.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Status: TLS connection established.
    Command: USER domain-mynet-com
    Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
    Status: Server did not properly shut down TLS connection
    Error: Could not read from socket: ECONNABORTED - Connection aborted
    Error: Could not connect to server

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Only use plain FTP (insecure)

    Status: Resolving address of mydomain.com
    Status: Connecting to 123.45.67.89:21...
    Status: Connection established, waiting for welcome message...
    Status: Logged in
    Status: Retrieving directory listing of "/web"...
    Command: CWD /web
    Response: 250 OK. Current directory is /web
    Command: TYPE I
    Response: 200 TYPE is now 8-bit binary
    Command: PASV
    Response: 227 Entering Passive Mode (123,45,67,89,85,147)
    Command: MLSD
    Error: Connection timed out after 20 seconds of inactivity
    Error: Failed to retrieve directory listing

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Don't know if the following is the reason.

    On ISPConfig setup. got error:

    Configuring Postgrey
    Configuring Postfix
    Can't load /root/.rnd into RNG
    140495726641600:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
    Generating a RSA private key

    I checked /root for .rnd and it's not there.

    Also, ~# needrestart - always produces:

    Outdated processor microcode
    │ Processor microcode update
    │ The currently running processor microcode revision is 0x1 which is not the expected microcode revision 0x5000021.

    [email protected]:~# grep 'stepping\|model\|microcode' /proc/cpuinfo
    model : 85
    model name : Virtual CPU 82d9ed4018dd
    stepping : 4
    microcode : 0x1
    (on all cpu's)

    [email protected]:~# dmesg | grep microcode
    [ 0.017410] MDS: Vulnerable: Clear CPU buffers attempted, no microcode

    Tried:

    sudo apt-get install microcode.ctl intel-microcode

    After reboot Still Get:

    [email protected]:~# dmesg | grep microcode
    [ 0.006046] MDS: Vulnerable: Clear CPU buffers attempted, no microcode


    Upgraded to 18.10 and saw error:

    Setting up linux-firmware (1.175.4) ...
    update-initramfs: Generating /boot/initrd.img-4.18.0-22-generic
    cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning.

    Tried:

    [email protected]:~# update-initramfs -u (didn't change anything)

    After updating to 18.10, everything still works except FTP.

    Nothing in nginx or site error logs

    Would appreciate any help.
    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    TLS: Thats probably an incompatibility of your FTP Program (FileZilla) with older pure-ftpd versions which was introduced by FileZilla. https://forum.filezilla-project.org/viewtopic.php?f=1&t=50496 Try a different FTP client and you will see that it works (except that you might have to set the passive ports as described below).
    Non-TLS: Your server seems to be behind a router or firewall, this means you have to define a passive port range in the FTP server and firewall: https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/

    I don't think that it was a good idea that you updated a supported Ubuntu LTS version to an Ubuntu Desktop version which is not supported by ISPConfig. Not supported means in this terms that neither the ispconfig updater recognizes it nor does ISPConfig itself, so if any config or program path changed between 18.04 and 18.10, then your setup will break. It can not be predicted if it will continue to work stable. We do not test nor support the non-LTS releases.
     
    Last edited: Jun 20, 2019
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    And I hope you used the 18.04 guide (which is the recent one) and not the 10.04 guide (which is 9 years old).
     
  4. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for your response.
    Reinstalled 18.04 with 18.04 guide (not 10.04 - typo)
    Same results - everything works but FTP.
    Neither CyberDuck or WinSCP worked with or without port and firewall changes.
    Disabled firewall and neither CyberDuck or WinSCP worked.
    Can receive email on port 995 but can't send on 465
    Disabled UFW firewall and was able to send on 465
    Using ISPConfig / UFW firewall

    https://ftptest.net/
    Status: Resolving address of 123.45.67.89
    Status: Connecting to 123.45.67.89
    Warning: The entered address does not resolve to an IPv6 address.
    Status: Connected, waiting for welcome message...
    Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Reply: 220-You are user number 1 of 50 allowed.
    Reply: 220-Local time is now 15:48. Server port: 21.
    Reply: 220-This is a private system - No anonymous login
    Reply: 220-IPv6 connections are also welcome on this server.
    Reply: 220 You will be disconnected after 15 minutes of inactivity.
    Command: CLNT https://ftptest.net on behalf of 2600:1700:bcc1:e30:d56f:e839:88e0:cd38
    Reply: 530 You aren't logged in
    Command: AUTH TLS
    Reply: 234 AUTH TLS OK.
    Status: Performing TLS handshake...
    Status: TLS handshake successful, verifying certificate...
    Status: Received 1 certificates from server.
    Status: cert[0]: subject='C=US,ST=STATE,L=CITY,O=BIZ\5c, Inc.,OU=SMARTZ,CN=cloud.mydomain.com,[email protected]' issuer='C=US,ST=STATE,L=CITY,O=BIZ\5c, Inc.,OU=SMARTZ,CN=cloud.mydomain.com,[email protected]'
    Command: USER mydomain-com
    Error: Could not read from socket: Error in the pull function.

    Tried both TLS and Plain FTP and got same results
    Disabled UFW Firewall and got same result

    Thanks for your help.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    For email: please post the content of the /etc/postfix/master.cf file of your server. And the sending port is 587 for sending secure email over tls, 465 is usable as well but normally one uses 587 today.
    For FTP: Run the test script from here https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ as root and post the result. Then run the command 'cat /etc/pure-ftpd/conf/PassivePortRange' and post the result as well. Where do you host that server, some data centers have external firewalls which may block FTP ports as well independently of what you configure in your local firewall.

    Please do not reinstall again as that's not necessary. There is no issue in the tutorial, used it a few days ago to install a server and FTP works fine, so we have to just find out which firewall blocks your FTP access.
     
  6. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for your response.

    /etc/postfix/master.cf
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (no) (never) (100)
    # ==========================================================================
    smtp inet n - y - - smtpd
    #smtp inet n - y - 1 postscreen
    #smtpd pass - - y - - smtpd
    #dnsblog unix - - y - 0 dnsblog
    #tlsproxy unix - - y - 0 tlsproxy
    submission inet n - y - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o smtpd_tls_auth_only=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=
    # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    smtps inet n - y - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=
    # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n - y - - qmqpd
    pickup unix n - y 60 1 pickup
    cleanup unix n - y - 0 cleanup
    qmgr unix n - n 300 1 qmgr
    #qmgr unix n - n 300 1 oqmgr
    tlsmgr unix - - y 1000? 1 tlsmgr
    rewrite unix - - y - - trivial-rewrite
    bounce unix - - y - 0 bounce
    defer unix - - y - 0 bounce
    trace unix - - y - 0 bounce
    verify unix - - y - 1 verify
    flush unix n - y 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - y - - smtp
    relay unix - - y - - smtp
    -o syslog_name=postfix/$service_name
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - y - - showq
    error unix - - y - - error
    retry unix - - y - - error
    discard unix - - y - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - y - - lmtp
    anvil unix - - y - 1 anvil
    scache unix - - y - 1 scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    # mailbox_transport = lmtp:inet:localhost
    # virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus unix - n n - - pipe
    # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix - n n - - pipe
    # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    ${nexthop} ${user}

    dovecot unix - n n - - pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

    amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o smtp_bind_address=


    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes


    127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o milter_default_action=accept
    -o milter_macro_daemon_name=ORIGINATING
    -o disable_dns_lookups=yes
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     
  7. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    [email protected]:~# cat htf_report.txt | more

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.1dev


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.2.19-0ubuntu***.***.***.***

    ##### PORT CHECK #####


    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Unknown process (nginx:) (PID 958)
    [INFO] I found the following mail server(s):
    Postfix (PID 1446)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 778)
    [INFO] I found the following imap server(s):
    Dovecot (PID 778)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 1516)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:110 (778/dovecot)
    [anywhere]:143 (778/dovecot)
    [anywhere]:80 (958/nginx:)
    [anywhere]:8080 (958/nginx:)
    [anywhere]:465 (1446/master)
    [anywhere]:8081 (958/nginx:)
    [anywhere]:21 (1516/pure-ftpd)
    ***.***.***.***:53 (795/named)
    [localhost]:53 (795/named)
    ***.***.***.***:53 (746/systemd-resolve)
    [anywhere]:22 (832/sshd)
    [anywhere]:25 (1446/master)
    [localhost]:953 (795/named)
    [anywhere]:443 (958/nginx:)
    [anywhere]:993 (778/dovecot)
    [anywhere]:995 (778/dovecot)
    [localhost]:10023 (1125/postgrey)
    [localhost]:10024 (1664/amavisd-new)
    [localhost]:10025 (1446/master)
    [localhost]:10026 (1664/amavisd-new)
    [localhost]:10027 (1446/master)
    [anywhere]:587 (1446/master)
    [localhost]10 (778/dovecot)
    [localhost]43 (778/dovecot)
    *:*:*:*::*:80 (958/nginx:)
    *:*:*:*::*:8080 (958/nginx:)
    *:*:*:*::*:465 (1446/master)
    *:*:*:*::*:21 (1516/pure-ftpd)
    *:*:*:*::*:53 (795/named)
    *:*:*:*::*:22 (832/sshd)
    *:*:*:*::*:25 (1446/master)
    *:*:*:*::*:953 (795/named)
    *:*:*:*::*:993 (778/dovecot)
    *:*:*:*::*:995 (778/dovecot)
    *:*:*:*::*:10023 (1125/postgrey)
    *:*:*:*::*:10024 (1664/amavisd-new)
    *:*:*:*::*:10026 (1664/amavisd-new)
    *:*:*:*::*:3306 (1016/mysqld)
    *:*:*:*::*:587 (1446/master)



    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-before-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-input all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0
    ufw-reject-input all -- [anywhere]/0 [anywhere]/0
    ufw-track-input all -- [anywhere]/0 [anywhere]/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-before-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-forward all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0
    ufw-reject-forward all -- [anywhere]/0 [anywhere]/0
    ufw-track-forward all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-before-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-output all -- [anywhere]/0 [anywhere]/0
    ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0
    ufw-reject-output all -- [anywhere]/0 [anywhere]/0
    ufw-track-output all -- [anywhere]/0 [anywhere]/0

    Chain ufw-after-forward (1 references)
    target prot opt source destination

    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:137
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:138
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:139
    ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:445
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:67
    ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:68
    ufw-skip-to-policy-input all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
    target prot opt source destination

    Chain ufw-after-output (1 references)
    target prot opt source destination

    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ufw-user-forward all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    DROP all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
    ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
    ufw-not-local all -- [anywhere]/0 [anywhere]/0
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:5353
    ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:1900
    ufw-user-input all -- [anywhere]/0 [anywhere]/0

    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination

    Chain ufw-before-logging-input (1 references)
    target prot opt source destination

    Chain ufw-before-logging-output (1 references)
    target prot opt source destination

    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    ufw-user-output all -- [anywhere]/0 [anywhere]/0

    Chain ufw-logging-allow (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
     
  8. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
    RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-reject-forward (1 references)
    target prot opt source destination

    Chain ufw-reject-input (1 references)
    target prot opt source destination

    Chain ufw-reject-output (1 references)
    target prot opt source destination

    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0

    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-track-forward (1 references)
    target prot opt source destination

    Chain ufw-track-input (1 references)
    target prot opt source destination

    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 ctstate NEW
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 ctstate NEW

    Chain ufw-user-forward (1 references)
    target prot opt source destination

    Chain ufw-user-input (1 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:20
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
    ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:10000
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53
    ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:3306

    Chain ufw-user-limit (0 references)
    target prot opt source destination
    LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    REJECT all -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination

    Chain ufw-user-logging-input (0 references)
    target prot opt source destination

    Chain ufw-user-logging-output (0 references)
    target prot opt source destination

    Chain ufw-user-output (1 references)
    target prot opt source destination
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    This was an attempt to send from my email client which failed with client error:

    -> [SMTP] [2019-06-22 10:09:01] Connect to "mail.my-domain.com", Port: 587, TLS: Yes (1.2)
    An error occurred. - Error connecting with SSL. - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

    (MAIL.LOG)
    Jun 22 10:08:51 cloud dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=4907, secured, session=<yAn09OqLhugAAAAAAAAAAAAAAAAAAAAB>
    Jun 22 10:08:51 cloud dovecot: imap([email protected]): Logged out in=155 out=1135
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    I am able to send & recieve with Roundcube

    Everthing is A.O.K. by dnsstuff.com

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    (SYSLOG) This was an attempt to FTP from FileZilla

    Jun 22 11:17:52 cloud dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=8138, secured, session=<K3PA6+uL3ukAAAAAAAAAAAAAAAAAAAAB>
    Jun 22 11:17:52 cloud dovecot: imap([email protected]): Logged out in=155 out=1135
    Jun 22 11:17:55 cloud pure-ftpd: ([email protected]) [INFO] New connection from 12.345.67.89
    Jun 22 11:17:56 cloud pure-ftpd: ([email protected]) [ERROR] TLS renegociation

    (DID NOT KNOW DOVECOT WAS ACTIVATED WHILE USING FTP?)
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    [email protected]:~# cat /etc/pure-ftpd/conf/PassivePortRange
    cat: /etc/pure-ftpd/conf/PassivePortRange: No such file or directory
    [email protected]:~#


    No errors in site or nginx logs

    Using VULTR for hosting. You can setup a VULTR firewall but I haven't.

    Currently have VULTR production server running Debian 10 with nginx without any problems.

    I had also setup Ubuntu 16.04 / nginx a few days ago on VULTR and had no problems with anything. Tried upgrading 16.04 to 18.04 - All kinds of problems.

    Thanks again for your help.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Please stop the ufw firewall for the tests to ensure that its firewall rules do not cause the problems, you can use the test script to see if all rules have been removed. Actually, the firewall is not needed anyway as you run services only that shall be accessible and that's why the firewall is off by default.
    2) You used FileZilla again which has a TLS 1.3 issue, I posted that at the beginning in #2, so you can't use that for the FTP test as it's known that the pure-ftpd version from ubuntu 18.04 does not work with FileZilla, it works with other FTP clients tough. The link in #2 lists also sugegstions what you can do.
    3) You did not setup the passive port range as I suggested and opened it in the firewall, see my post #2, but this is needed for FTP when you activate a firewall on your server.
    4) When Email works fine with roundcube, then the overall email setup of the system is ok, master.cf is fine as well. If I read the message here correctly:

    -> [SMTP] [2019-06-22 10:09:01] Connect to "mail.my-domain.com", Port: 587, TLS: Yes (1.2)
    An error occurred. - Error connecting with SSL. - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

    then your mail client might try to use the old SSLv3 and this is disabled in current OpenSSL versions like the one that ships with Ubuntu 18.04. Redo the email test by using a different desktop email client, you can e.g. use thunderbird portable which does not need to be installed: https://portableapps.com/apps/internet/thunderbird_portable as Thunderbird is known to work well and to support recent SSL standards.
     
  10. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks so much for your help. Setting up the passive port range solved the problem. I had set it up on 18.10 (which didn't work) but failed to do it again when I went back to 18.04. I reverted back to FileZilla 3.39 which is working. For whatever reason my email client (OE Classic Pro) works on port 465 and wont on 587?
    Thanks for your great product!
     
    till likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I think that's fine, both ports offer the same functionality. so if it works with 465, then I would just leave it as it is, it's not worth to further investigate in my opinion.
     

Share This Page