POP3 Connections fail to connect on port 995

Discussion in 'Installation/Configuration' started by snowweb, Sep 10, 2020.

  1. snowweb

    snowweb Member

    Customers are reporting that they are unable to connect on the settings we issued for POP3 connections, which were to use TLS on port 995.
    Upon running
    we are seeing
    We are using the main server domain to connect, so I'm wondering why we see the above, since the certificate for that domain is the LetsEncrypt certificate and therefore is not self-signed, and it seems to be working fine for IMAP connections, etc.
    The error, displayed to the user is:
    We get the same error on Port 110 using StartTLS (although we don't want to support this method if we can avoid it).

    Using no security on port 110 is successful.

    Thanks for your tireless support!

    Our Setup:
    ISPConfig 3.1 dev
    Ubuntu 18.04
     
    Last edited: Sep 10, 2020
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Are the customers connected to customerdomain.com:995? Because if so, that domain is not added to your LE certificate for the mailserver and will result in an SSL/TLS warning.
     
  3. snowweb

    snowweb Member

    No Th0m, I've advised the customers to use the server domain, not their own. Customers are (and we are testing on) our main server fqdn, same host as ISPConfig is running on. The certificate is working for IMAP and for the Control Panel site, but for some reason not for port 995 with POP3.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Are you using dovecot or courier? Can you share your config file?
     
  5. snowweb

    snowweb Member

    Using dovecot. Here's /etc/dovecot/dovecot.conf
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If imap (port 993?) works but pop3 (995) shows a different certificate, ensure you have restarted (not reloaded) dovecot, and then I'd start looking at where your connections actually end up, i.e. is it to the same server? Does the mail log show the connection from your client for both the working imap and non-working pop3 connections?
     
  7. snowweb

    snowweb Member

    I was testing using Thunderbird, which complained of the certificate being incorrect and I was able to examine the certificate. It is for the correct domain, but it's not the LE certificate. It is self-signed, but I wouldn't have knowingly done this, since I know that self-signed doesn't cut it and that I have LE available, but searching history for SSL commands at the CLI revealed the following command:
    Not sure what guide I was following at that time, that led me to do that, just 92 commands into my new server build. I don't see it in the ISPConfig setup guide for Ubuntu 18.04.

    So I have to choose what to do from here:
    1. Do I follow this guide again: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ ? Would this replace existing certificates or add additional? Should I remove existing first? If so, where from?
    2. Do I identify the location of the self-signed certificate on the server and remove it and then see what breaks (if anything)? If so, where will I find it and how will I identify it?
    I'd really appreciate your advice on this, since I still haven't fully understood how these certificates are stored and integrated with the system and the server is already live. Thanks guys.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    snowweb and Th0m like this.
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    that command's definitely in the 18.04 perfect server tutorial (apache), in the install pureftpd and quota section.
    don't see how the ftpd cert would show up in mail though, only thing i can think of is the mail certs are symlinks to the ispserver certs and those wrongly symlink to the original self signed ftpd certs instead of the ftpd certs being symlinks to the ispserver certs.
    seems an unlikely mistake to make though. would need to completely mistype the commands in the tutorials, swapping symlink source and destination.
     
  10. snowweb

    snowweb Member

    Thanks Till for this. I'll give that a try on Sunday. I'm out of time now for this week (Sabbath in a few hours).
    Thanks also @nhybgtvfr for your inputs. It's a mystery to me how exactly I managed to mess this up. It's a good thing I chose ISPConfig with its great support community.
     
  11. snowweb

    snowweb Member

    I'm still waiting for feedback from the users, but according to my own testing, I think this has fixed it.
    Thanks everyone for your assistance.
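
The thread above turns on which certificate Dovecot serves for POP3 versus IMAP and on the contents of /etc/dovecot/dovecot.conf. The following Python check is an added example, not part of the original thread and not ISPConfig's own code: it reads Dovecot configuration text and reports the effective ssl_cert per protocol, listing any protocol whose certificate path differs from IMAP's. The sample configuration, every path in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample, not the poster's file: a global certificate plus a
# pop3-only override, so 993 and 995 differ. All paths are placeholders.
SAMPLE_CONF = """\
ssl_cert = </etc/ssl/example/mail-fullchain.pem
ssl_key = </etc/ssl/example/mail-key.pem
protocols = imap pop3
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  ssl_cert = </etc/ssl/example/old-selfsigned.pem  # per-protocol override
  ssl_key = </etc/ssl/example/old-selfsigned.key
}
"""


def effective_ssl_certs(conf_text):
    """Map each enabled protocol to the ssl_cert path it would serve."""
    stack, default, overrides, protocols = [], None, {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # e.g. "protocol pop3"
        elif line == "}":
            if stack:
                stack.pop()
        elif (m := re.match(r"(\w+)\s*=\s*(.*)", line)):
            key, value = m.group(1), m.group(2).strip()
            if key == "protocols" and not stack:
                protocols = value.split()
            elif key == "ssl_cert":
                path = value.lstrip("<").strip()
                if not stack:
                    default = path
                elif len(stack) == 1 and stack[0].startswith("protocol "):
                    overrides[stack[0].split()[1]] = path
                # ssl_cert inside other blocks (e.g. local_name) is ignored here
    return {p: overrides.get(p, default) for p in protocols}


def differing_protocols(conf_text, reference="imap"):
    """Protocols whose certificate path differs from the reference's."""
    certs = effective_ssl_certs(conf_text)
    return sorted(p for p, c in certs.items() if c != certs.get(reference))


if __name__ == "__main__":
    print(effective_ssl_certs(SAMPLE_CONF), differing_protocols(SAMPLE_CONF))
```

On a live server, pass it the output of `doveconf -n`, which prints the merged configuration, because this parser does not follow `!include` lines.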
     
