Customers are reporting that they are unable to connect on the settings we issued for POP3 connections, which were to use TLS on port 995. Upon running we are seeing We are using the main server domain to connect, so I'm wondering why we see the above, since the certificate for that domain is the LetsEncrypt certificate and therefore is not self-signed and it seems to be working fine for IMAP connections, etc. The error displayed to the user is: We get the same error on port 110 using StartTLS (although we don't want to support this method if we can avoid it). Using no security on port 110 is successful. Thanks for your tireless support! Our Setup: ISPConfig 3.1 dev Ubuntu 18.04
Are the customers connected to customerdomain.com:995? Because if so, that domain is not added to your LE certificate for the mailserver and will result in an SSL/TLS warning.
No Th0m, I've advised the customers to use the server domain, not their own. Customers are (and we are testing on) our main server fqdn, same host as ISPConfig is running on. The certificate is working for IMAP and for the Control Panel site, but for some reason not for port 995 with POP3.
If IMAP (port 993?) works but POP3 (995) shows a different certificate, ensure you have restarted (not reload) dovecot, and then I'd start looking at where your connections actually end up, i.e. is it to the same server? Does the mail log show the connection from your client for both the working IMAP and non-working POP3 connections?
I was testing using Thunderbird, which complained of the certificate being incorrect and I was able to examine the certificate. It is for the correct domain, but it's not the LE certificate. It is self-signed, but I wouldn't have knowingly done this, since I know that self-signed doesn't cut it and that I have LE available, but searching history for SSL commands at the CLI revealed the following command: Not sure what guide I was following at that time, that led me to do that, just 92 commands into my new server build. I don't see it in the ISPConfig setup guide for Ubuntu 18.04. So I have to choose what to do from here: Do I follow this guide again: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ ? Would this replace existing certificates or add additional? Should I remove existing first? If so, where from? Do I identify the location of the self-signed certificate on the server and remove it and then see what breaks (if anything)? If so, where will I find it and how will I identify it? I'd really appreciate your advice on this, since I still haven't fully understood how these certificates are stored and integrated with the system and the server is already live. Thanks guys.
that command's definitely in the 18.04 perfect server tutorial (apache), in the install pureftpd and quota section. don't see how the ftpd cert would show up in mail though, only thing i can think of is the mail certs are symlinks to the ispserver certs and those wrongly symlink to the original self signed ftpd certs instead of the ftpd certs being symlinks to the ispserver certs. seems an unlikely mistake to make though. would need to completely mistype the commands in the tutorials, swapping symlink source and destination.
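One way to test the symlink theory in the post above is to follow each service's certificate path hop by hop and see where it really ends. This is an added example, not part of the original thread or of ISPConfig; the certificate paths are passed as arguments because the thread does not name them, and the function names are hypothetical.

```shell
#!/bin/sh
# Usage: sh certchain.sh CERT_PATH...   (pass the paths your services load)

# final_target PATH: follow a symlink chain one hop at a time, printing each
# hop on stderr and the real file on stdout. Fails on loops or dangling links.
final_target() {
    ft_p=$1
    ft_hops=0
    while [ -L "$ft_p" ]; do
        ft_t=$(readlink "$ft_p")
        echo "  $ft_p -> $ft_t" >&2
        case $ft_t in
            /*) ft_p=$ft_t ;;                      # absolute link target
            *)  ft_p=$(dirname "$ft_p")/$ft_t ;;   # relative to the link's dir
        esac
        ft_hops=$((ft_hops + 1))
        if [ "$ft_hops" -gt 16 ]; then
            echo "  symlink loop at $ft_p" >&2
            return 1
        fi
    done
    if [ ! -f "$ft_p" ]; then
        echo "  dangling: $ft_p" >&2
        return 1
    fi
    printf '%s\n' "$ft_p"
}

# same_cert A B: succeed only if both paths end at byte-identical files.
same_cert() {
    sc_a=$(final_target "$1") || return 2
    sc_b=$(final_target "$2") || return 2
    cmp -s "$sc_a" "$sc_b"
}

# describe PATH: print the real file, then subject and issuer if openssl is
# installed. Identical subject and issuer indicate a self-signed certificate.
describe() {
    d_f=$(final_target "$1") || return 1
    echo "$1 resolves to $d_f"
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$d_f" -noout -subject -issuer -enddate
    fi
}

for path in "$@"; do
    describe "$path" || echo "$path: cannot resolve"
done
```

Two service paths that resolve to different files, or a resolved file whose subject and issuer match, would confirm that one service is still loading the self-signed certificate.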
Thanks Till for this. I'll give that a try on Sunday. I'm out of time now for this week (Sabbath in a few hours). Thanks also @nhybgtvfr for your inputs. It's a mystery to me how exactly I managed to mess this up. It's a good thing I chose ISPConfig with its great support community.
I'm still waiting for feedback from the users, but according to my own testing, I think this has fixed it. Thanks everyone for your assistance.