Postfix-dovecot problem?

Discussion in 'Installation/Configuration' started by jamby, Oct 28, 2020.

  1. jamby

    jamby New Member

    Hi! I have a VPS with the perfect server setup installed: Ubuntu 16.04 LTS and ISPConfig 3.1x. It has been working well for 3+ years. I am looking at the log files in var/log, and mail.err has many error lines now. And now the mail server is randomly not working well. My users randomly cannot send and receive mails! What is this, and is there any issue? I have not found a working solution!!!
    Oct 27 22:04:40 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:04:41 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:04:42 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:04:43 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:04:44 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:04:44 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:42:17 katmandu dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Oct 27 22:45:33 katmandu postfix/submission/smtpd[32228]: fatal: no SASL authentication mechanisms
    Oct 27 23:05:00 katmandu dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 27 23:25:08 katmandu dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    Please help me!
    Best regards Jamby from hungary!
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you upgrade to ISPConfig 3.2?
     
  3. Steini86

    Steini86 Active Member

    The problem might be that the cipherlist in postfix does not fit the accepted protocols.
    Use this as a guide to adjust your settings in /etc/postfix/main.cf:
    https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6
    You probably want to change the following lines (they should already exist) to look like:
    Code:
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_ciphers = medium
    
    smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
    
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tls_preempt_cipherlist = no
    Also, execute:
    Code:
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/postfix/dhparam.pem
    to get predefined DH params. If you have clients which need TLS 1.1 (old Outlook, Windows 7, etc.), then use the "old" settings of the website above.
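
The mismatch described in the post above (a cipher list that does not fit the accepted protocols) can be checked mechanically. This is an added example, not part of the original post or of ISPConfig or Postfix; the function names and sample strings are hypothetical. It assumes the protocol parameters use only `!name` exclusions or bare names, and it ignores TLS 1.3 suites because OpenSSL configures those separately.

```python
import re

# Protocol names as Postfix spells them, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # cannot negotiate TLS 1.2-only suites
PROTOCOL_PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            params[last] = value
    return params

def enabled_protocols(spec):
    """'!name' excludes a protocol; bare names, if present, are the only ones kept."""
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = [t for t in tokens if not t.startswith("!")] or KNOWN
    return [p for p in KNOWN if p in included and p not in excluded]

def tls12_only(cipher):
    """AEAD suites and SHA256/SHA384 MAC suites exist only from TLS 1.2 on."""
    return bool(re.search(r"GCM|CHACHA20|CCM|SHA(256|384)$", cipher))

def stranded_protocols(main_cf_text):
    """Map each protocol parameter to enabled legacy protocols with no usable cipher."""
    params = parse_main_cf(main_cf_text)
    ciphers = [c for c in params.get("tls_medium_cipherlist", "").split(":") if c]
    if not ciphers or not all(tls12_only(c) for c in ciphers):
        return {}  # list not set here, or it still offers a pre-TLS 1.2 suite
    found = {n: [p for p in enabled_protocols(params[n]) if p in LEGACY]
             for n in PROTOCOL_PARAMS if n in params}
    return {n: protos for n, protos in found.items() if protos}

# Cipher list shortened from the post above; the "mismatched" protocol line is constructed.
CIPHERS = "tls_medium_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305\n"
MISMATCHED = "smtpd_tls_protocols = !SSLv2, !SSLv3\n" + CIPHERS
MATCHED = "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n" + CIPHERS

if __name__ == "__main__":
    print(stranded_protocols(MISMATCHED))  # TLSv1 and TLSv1.1 enabled, no cipher for them
    print(stranded_protocols(MATCHED))     # protocols and ciphers agree
```

A protocol reported here is one the server still accepts while offering it no cipher, so a client limited to that protocol fails the handshake with "no shared cipher".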
     
  4. jamby

    jamby New Member

    Yes, I upgraded to ISPConfig 3.2. The error still exists. Users can't receive mails from Dovecot on SSL port 993. "Can't connect" error. Normal IMAP login without SSL is working well.
     
  5. jamby

    jamby New Member

    I am seeing new lines in the mail.err file:
    Oct 31 04:43:23 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 04:43:24 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 06:36:05 xx amavis[18019]: (18019-14) (!!)AV: ALL VIRUS SCANNERS FAILED
    Oct 31 06:36:16 xx amavis[15401]: (15401-17) (!!)AV: ALL VIRUS SCANNERS FAILED
    Oct 31 10:23:23 xxu dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:36:03 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:37:02 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:38:02 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:41:02 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:47:02 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 10:59:00 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 11:23:00 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    Oct 31 12:11:00 xx dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  7. jamby

    jamby New Member

    Yes, I made the cipher settings and this error is eliminated. There are others in the error log. IMAP SSL login is not working. All SSL mail logins are disconnected.
    Why? Is the ISPConfig 3.2 update wrong?
     
  8. jamby

    jamby New Member

    My mail server is an absolute mess.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  10. jamby

    jamby New Member

    Hi Taleman. The results are:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [WARN] ip addresses from hostname differ from ifconfig output. Please check your ip settings.
    [INFO] OS version is Ubuntu 16.04.7 LTS
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.0.33-0ubuntu***.***.***.***

    ##### PORT CHECK #####

    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 1724)
    [INFO] I found the following mail server(s):
    Unknown process (smtpd) (PID 816)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 1364)
    [INFO] I found the following imap server(s):
    Dovecot (PID 1364)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 1861)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [localhost]:10024 (1683/amavisd-new)
    [localhost]:9000 (1269/php-fpm.conf))
    [localhost]:10025 (5150/master)
    [localhost]:9001 (1124/php-fpm.conf))
    [localhost]:10026 (1683/amavisd-new)
    [localhost]:10027 (5150/master)
    [anywhere]:587 (5150/master)
    [localhost]:11211 (1267/memcached)
    [anywhere]:110 (1364/dovecot)
    [anywhere]:143 (1364/dovecot)
    [anywhere]:2223 (1317/sshd)
    [anywhere]:10000 (1711/perl)
    [anywhere]:465 (5150/master)
    [anywhere]:21 (1861/pure-ftpd)
    ***.***.***.***:53 (1261/named)
    [localhost]:53 (1261/named)
    [anywhere]:25 (816/smtpd)
    [localhost]:953 (1261/named)
    [anywhere]:993 (1364/dovecot)
    [anywhere]:995 (1364/dovecot)
    *:*:*:*::*:10024 (1683/amavisd-new)
    *:*:*:*::*:3306 (1623/mysqld)
    *:*:*:*::*:10026 (1683/amavisd-new)
    *:*:*:*::*:3050 (1345/firebird)
    [localhost]10 (1364/dovecot)
    [localhost]43 (1364/dovecot)
    *:*:*:*::*:2223 (1317/sshd)
    *:*:*:*::*:8080 (1724/apache2)
    *:*:*:*::*:80 (1724/apache2)
    *:*:*:*::*:8081 (1724/apache2)
    *:*:*:*::*:21 (1861/pure-ftpd)
    *:*:*:*::*:53 (1261/named)
    *:*:*:*::*:953 (1261/named)
    *:*:*:*::*:443 (1724/apache2)
    *:*:*:*::*:993 (1364/dovecot)
    *:*:*:*::*:995 (1364/dovecot)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-named-refused-tcp tcp -- [anywhere]/0 [anywhere]/0 multiport dports 53,953
    f2b-named-refused-udp udp -- [anywhere]/0 [anywhere]/0 multiport dports 53,953
    f2b-pureftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    f2b-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
    f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-named-refused-tcp (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-named-refused-udp (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
     
  11. jamby

    jamby New Member

    I have this error in my mail.err:
    dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
    (many lines)
    and user mailboxes can't connect with the IMAP SSL method, only with a normal connection without SSL.
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What's in your /etc/dovecot/dovecot.conf? And what mail clients are having that problem?
     
