Mail clients fail to connect but webmail works perfectly

Discussion in 'Installation/Configuration' started by kyferez, Jun 5, 2018.

  1. kyferez

    kyferez Member

    So I'm trying to add an account to Thunderbird, or Outlook. I enter the server name, username, password, etc. The firewall allows the ports.

    Thunderbird errors saying "Thunderbird failed to find the settings for your email account".

    I've tried IMAP and POP3 in Thunderbird. Maillog shows this for IMAP and I get no logs for POP3:
    Jun 5 14:33:39 s02 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, session=<7lH3SeltvwBHOFfr>

    For IMAP using SSL/TLS, I get this:
    Jun 5 15:46:03 s02 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<EQjhTOptHABHOFfr>

    Firewall is set by ISPConfig and TCP ports allowed are: 20,21,25,53,80,110,143,443,587,993,995,3306,8080,8081,8822,10000 and UDP ports are: 53,3306 so you can see I have the necessary ports open.

    netstat shows the services listening on 25, 143, 993, 587, and 465.

    Also a test from MXToolbox shows SMTP open and not an open relay.

    Mail sends and receives fine using Roundcube; I have my SPF, DKIM, and PTR records all setup and get very good results (9.7 out of 10) on https://www.mail-tester.com

    I found that a common local ISP (Comcast) blocks outbound port 25, so I need to be able to use SSL/TLS for Outgoing, so I think the SSL Alert above is my primary issue...
     
    Last edited: Jun 5, 2018
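    The two dovecot lines above carry the diagnosis: the "no auth attempts" entries are connections that closed before any login was tried, and the "tlsv1 alert unknown ca" entry is TLS alert 48, which the client sends when it does not trust the certificate the server presented. As an added example (not code from the thread or from Dovecot), here is a small Python parser that classifies such imap-login/pop3-login lines so an operator can count how many failures are really a server-certificate trust problem. The log sample is constructed from the two quoted lines (IP placeholders kept) plus one constructed successful login.

```python
import re
from collections import Counter

# Constructed sample: the two dovecot lines quoted in the post (IP placeholders kept)
# plus one constructed successful pop3-login line for contrast.
SAMPLE_LOG = """\
Jun 5 14:33:39 s02 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, session=<7lH3SeltvwBHOFfr>
Jun 5 15:46:03 s02 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<EQjhTOptHABHOFfr>
Jun 5 15:50:12 s02 dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=SERVER_LOCAL_IP, TLS, session=<c0nstructed>
"""

# Syslog prefix, dovecot login service, event, optional "(reason)", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<svc>(?:imap|pop3)-login): (?P<event>Login|Aborted login|Disconnected)"
    r"(?: \((?P<reason>[^)]*)\))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one dovecot login line into a dict; return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["reason"] = entry["reason"] or ""
    entry["tls"] = ""
    for token in entry.pop("rest").split(", "):
        if token == "TLS":
            entry["tls"] = "established"          # bare "TLS" means the handshake succeeded
        elif token.startswith("TLS: "):
            entry["tls"] = token[len("TLS: "):]   # OpenSSL error text after a failed handshake
        elif "=" in token:
            k, v = token.split("=", 1)
            entry[k] = v.strip("<>")
    alert = re.search(r"SSL alert number (\d+)", entry["tls"])
    entry["tls_alert"] = int(alert.group(1)) if alert else None
    return entry


def classify(entry):
    """Map a parsed entry to a coarse cause the operator can act on."""
    if entry["tls_alert"] == 48 or "unknown ca" in entry["tls"]:
        # Alert 48 (unknown_ca) comes from the client: it rejected the certificate
        # dovecot presented, so the fix is the server-side chain/hostname, not the client.
        return "client_rejected_server_cert"
    if entry["event"] == "Login":
        return "login_ok"
    if entry["reason"].startswith("no auth attempts"):
        return "closed_before_auth"
    return "other"


def summarize(log_text):
    """Count outcomes over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(e["svc"], e.get("rip"), classify(e))
    print(dict(summarize(SAMPLE_LOG)))
```

    A high count of client_rejected_server_cert from many different rip addresses points at the certificate dovecot serves (self-signed, wrong hostname, or missing intermediate), which is the direction the later replies in this thread take.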
  2. ztk.me

    ztk.me ISPConfig Developer

  3. kyferez

    kyferez Member

    ztk.me,

    Thank you. I have a couple of questions however. My server hosts several domains that need to send mail. How do I handle that? Would it be a scenario where all clients log in using mail.myPrimaryDomain.com for secure access, since myPrimaryDomain.com will have the valid postfix/dovecot certs and that's what my rDNS points to?

    Are there plans for ISPConfig to handle creating these certs as part of the server config in the future?
     
  4. ztk.me

    ztk.me ISPConfig Developer

    Usually I suggest using the rDNS of the mail server as the mail name, a valid domain name with an MX entry, and using it for setup in your clients.
    You can (maybe premium) add multiple postfix instances handling different certs for incoming mail from clients who do not know much about email headers, or even outgoing on different IPs for those who do.

    The other option would be using a certificate with multiple CommonName or SubjAltName names. But again, usually for incoming, since the receiver might see a matching rDNS/HELO pair and thus expect a cert for said rDNS.
     
  5. kyferez

    kyferez Member

    Hmm, I installed LetsEncrypt during the CentOS 7.4 guide, but I have no LetsEncrypt options at ISPConfig panel > Sites > Website > Website Name > SSL.

    I do have the SSL and LetsEncrypt SSL checkboxes enabled for the site.
     
  6. ztk.me

    ztk.me ISPConfig Developer

    That's sufficient. The SSL tab itself is used for custom created certs (either by yourself or by a company like $issuer_you_trust).
     
  7. kyferez

    kyferez Member

    Yes but I would like to use LetsEncrypt for a valid cert, and it's not on the SSL tab like I've read it's supposed to be so I can't create one in ISPConfig. I'd like to fix that.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No, it's not supposed to be on the SSL tab. Like @ztk.me pointed out, just enable the SSL and Let's Encrypt checkboxes to activate SSL with Let's Encrypt for the website. SSL in websites is not related to the mail system. Let's Encrypt SSL certs are stored by certbot in /etc/letsencrypt/.... in the filesystem, and in case you want to use one of them for the mail system, change the mail system config to point to it:

    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
  9. ztk.me

    ztk.me ISPConfig Developer

    So you are missing the LE checkbox right below the SSL checkbox on the first page after clicking on a website?
    Or does it not work? Then we need logs and info about what went wrong. How to debug that has been mentioned several times on the forum; there are some letsencrypt-specific threads as well for CentOS (I think).
     
  10. kyferez

    kyferez Member

    Till, ztk.me,

    Thanks. My bad on this - I read the section "Securing ISPConfig Website With Let's Encrypt SSL" on this page wrong https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    The wording "If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then click SSL and Let's Encrypt check buttons" confused me into thinking I was supposed to go to the SSL tab and then check the Let's Encrypt check button. Perhaps rewording to this could avoid confusion for others: "If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then check the boxes for both SSL and Let's Encrypt."

    Thanks!
     
  11. kyferez

    kyferez Member

  12. kyferez

    kyferez Member

    Fixed it. Added this to /etc/postfix/master.cf and then restarted postfix service.
    Code:
    # Each -o option line must start with whitespace: Postfix treats an indented line
    # as a continuation of the service entry above it, and an unindented one as a new
    # (and here malformed) service line.
    submission inet n - n - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

    smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    Restart service: service postfix restart
    Verify: netstat -autn | grep -E '(465|587)'
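    The netstat check above only proves that something listens on 465 and 587; it does not prove that the two entries actually enforce TLS and SASL. As an added example (not code from the thread, from ISPConfig or from Postfix), here is a Python script that parses a master.cf fragment the way Postfix does (indented lines continue the previous service entry) and audits the submission and smtps services for the settings the post relies on: STARTTLS mandatory on 587, wrapper-mode TLS on 465, SASL enabled, and client restrictions of permit_sasl_authenticated,reject. GOOD is the post's block with the continuation lines indented; WEAK is a constructed variant with the two mistakes that matter most, an optional-TLS submission service and an unindented -o line.

```python
# Constructed master.cf fragments. GOOD is the submission/smtps block from the post with
# the -o lines indented as Postfix requires; WEAK is a constructed variant with mistakes.
GOOD = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

WEAK = """\
# submission with STARTTLS optional and no client restrictions (constructed)
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
-o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# What each client-facing service must carry for credentials never to cross the wire in clear.
REQUIRED = {
    "submission": {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes"},
    "smtps": {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"},
}


def parse_master_cf(text):
    """Split master.cf text into service entries; a line starting with whitespace
    continues the previous entry, anything else starts a new 8-field service line."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        services.append({
            "name": fields[0],
            "fields": fields[:8],
            "args": fields[8:],
            "line": raw,
            "malformed": len(fields) < 8,   # e.g. an unindented "-o key=value" line
        })
    for s in services:
        opts, args, i = {}, s["args"], 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                k, v = args[i + 1].split("=", 1)
                opts[k] = v
                i += 2
            else:
                i += 1
        s["options"] = opts
    return services


def audit(text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings, by_name = [], {}
    for s in parse_master_cf(text):
        if s["malformed"]:
            findings.append(f"malformed service line (unindented continuation?): {s['line'].strip()!r}")
            continue
        by_name[s["name"]] = s
    for name, wanted in REQUIRED.items():
        s = by_name.get(name)
        if s is None:
            findings.append(f"{name}: service not defined")
            continue
        for key, value in wanted.items():
            actual = s["options"].get(key)
            if actual != value:
                findings.append(f"{name}: {key}={actual!r}, expected {value!r}")
        restr = s["options"].get("smtpd_client_restrictions", "")
        parts = [p.strip() for p in restr.split(",") if p.strip()]
        if "permit_sasl_authenticated" not in parts or not parts or parts[-1] != "reject":
            findings.append(
                f"{name}: smtpd_client_restrictions should be permit_sasl_authenticated,reject (got {restr!r})"
            )
    return findings


if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "no findings")
    for f in audit(WEAK):
        print("WEAK:", f)
```

    Run it against the real file with a small wrapper that reads /etc/postfix/master.cf; the malformed-line finding is the one Postfix itself would refuse to start on, while the security-level and restriction findings are the ones Postfix accepts silently.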
     
