So I'm trying to add an account to Thunderbird, or Outlook. I enter the servername, username, password, etc. Firewall allow ports. Thunderbird errors saying "Thunderbird failed to find the settings for your email account". I've tried IMAP and POP3 in Thunderbird. Maillog shows this for IMAP and I get no logs for POP3: Jun 5 14:33:39 s02 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, session=<7lH3SeltvwBHOFfr> For IMAP using SSL/TLS, I get this: Jun 5 15:46:03 s02 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=MY_PUBLIC_IP, lip=SERVER_LOCAL_IP, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<EQjhTOptHABHOFfr> Firewall is set by ISPConfig and TCP ports allowed are: 20,21,25,53,80,110,143,443,587,993,995,3306,8080,8081,8822,10000 and UDP ports are: 53,3306 so you can see I have the necessary ports open. netstat shows the services listening on 25, 143, 993, 587, and 465. Also a test from MXToolbox shows SMTP open and not an open relay. Mail sends and receives fine using Roundcube; I have my SPF, DKIM, and PTR records all setup and get very good results (9.7 out of 10) on https://www.mail-tester.com I found that a common local ISP (Comcast) blocks outbound port 25, so I need to be able to use SSL/TLS for Outgoing, so I think the SSL Alert above is my primary issue...
use a proper configured ssl part for your postfix. try this for a start https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499/
ztk.me, Thank you. I have a couple questions however. My server hosts several domains that need to send main. How do I handle that? Would it be a scenario where all clients login using the mail.myPrimaryDomain.com for secure access since myPrimaryDomain.com will have the valid postfix/dovecot certs and that's what my rDNS points to? Is there plans for ISPConfig to handle creating these certs as part of the server-config in the future?
usually I suggest use rdns of mailserver as mailname valid domain name and MX entry + use it for setup in your clients. You can ( maybe premium ) add multiple postfix instances handling different certs for incoming mail from clients who do not know much about email headers or even outgoing on different ip for those who do. the other option would be using a certificate with multiple CommonName or SubjAltName names. but again usually for incoming since the incoming from the receiver might see an matching rdns/helo pair thus expecting a cert for said rdns
Humm, I installed LetsEncrypt during the CentOS 7.4 guide, but I have no LetsEncrypt options at ISPConfig panel > Sites > Website > Website Name > SSL. I do have the SSL and LetsEncrypt SSL checkboxes enabled for the site.
thats sufficient. the SSL tab itself is used for custom created certs ( either by yourself or by a company like $issuer_you_trust )
Yes but I would like to use LetsEncrypt for a valid cert, and it's not on the SSL tab like I've read it's supposed to be so I can't create one in ISPConfig. I'd like to fix that.
No, it's not supposed to be on the SSL tab. like @ztk.me pointed out, just enable the SSL and Let's encrypt checkbox to activate SSL with Let's encrypt for the website. SSL in websites is not related to the mail system. Let's encrypt SSL certs are stored by certbot in /etc/letsencrypt/.... in the filesystem and in case that you want to use one of them for the mail system, then change the mail system config to point to it: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
so you are missing the LE checkbox right below the SSL checkbox at the first page after clicking on a wbsite? Or does it not work? Then we need logs, infos about what went wrong - how to debug that has been mentioned several times on the forum, there are some letsencrypt specific threads aswell for centos ( I think ).
Till, ztk.me, Thanks. My bad on this - I read the section "Securing ISPConfig Website With Let's Encrypt SSL" on this page wrong https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ The wording "If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then click SSL and Let's Encrypt check buttons" confused me to think I was supposed to go to the SSL tab then check the Let's Encrypt check button. Perhaps rewording to this could avoid confusion for others: "If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then check the boxes for both SSL and Let's Encrypt. Thanks!
So I have POP3 working securely following your guide at https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499. However, the server isn't listening on ports 587 or 465 for secure SMTP when I do a netstat. Ideas?
Fixed it. Added this to /etc/postfix/master.cf and then restarted postfix service. Code: submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING Restart service: service postfix restart Verify: netstat -autn | grep -E '(465|587)'
