[Solved] Debian 11 + IMAP 143 + SMTP 587 + STARTTLS [ISPConfig 3.2.8.p2 + Roundcube 1.60]

Discussion in 'Installation/Configuration' started by Vintche Dass, Nov 7, 2022.

  1. Vintche Dass

    Vintche Dass New Member

    Good afternoon,

    1. SITUATION
      • 01 # I am in production with a Debian 11 server.
      • 02 # For the installation of ISPConfig 3, I took this tutorial as support but without roundcube installation (-- no roundcube) :
      • 03 # I use ISPConfig to manage domains, email addresses, etc. It's a configuration where all services are on the same server, using several domains.
      • 04 # Each domain has its own certificate generated by "Let'sEncrypt" from "ISPConfig". On this point, everything is functional. The domains have been given an "A+" rating by "ssllabs.com".
      • 05 # I've installed "Roundcube 1.6.0" ( "RC") after main install.
      • 06 # I am trying to set up the server correctly to use IMAP (143) and SMTP (587) in STARTTLS only.
      • 07 # Of course, in the "RC" configuration (config.inc.php), I have tried many configurations of the expected parameters, referring to the possibilities present in the "defaults.inc.php".
        Code:
        /var/www/roundcube/config/config.inc.php
        
      • 08 # Nothing works, except this: I made a basic test on "25" without any authentication; the test mail went out of the server and was delivered to the destination server.
      • 09 # In the files I publish here, of the configurations of each service, I have replaced the sensitive information by generic ones.
      • 10 # I didn't touch anything in the "Postfix" and "Dovecot" conf files.
        Dovecot conf file header:
    2. My request
      • What should I do/modify to set IMAP (143) and SMTP (587) with STARTTLS?
    3. Server
      • Details
    4. CONF FILES
      • Index (See the contents of the 3 files, below in the first answer)
      Code:
      # 1 | (Roundcube)  config.inc.php
      # 2 | (postfix)  main.cf
      # 3 | (dovecot)  dovecot.conf
      


    • ENDING
      Thank you for your time to read and if you have a solution, I would appreciate it.

      Sincerely,
      Vincente.
     
  2. Vintche Dass

    Vintche Dass New Member

    • # 1 | (Roundcube) config.inc.php
      Code:
      <?php
      
      /*
       +-----------------------------------------------------------------------+
       | Local configuration for the Roundcube Webmail installation.           |
       |                                                                       |
       | This is a sample configuration file only containing the minimum       |
       | setup required for a functional installation. Copy more options       |
       | from defaults.inc.php to this file to override the defaults.          |
       |                                                                       |
       | This file is part of the Roundcube Webmail client                     |
       | Copyright (C) The Roundcube Dev Team                                  |
       |                                                                       |
       | Licensed under the GNU General Public License version 3 or            |
       | any later version with exceptions for skins & plugins.                |
       | See the README file for a full license statement.                     |
       +-----------------------------------------------------------------------+
      */
      
      $config = [];
      
      // Database connection string (DSN) for read+write operations
      // Format (compatible with PEAR MDB2): db_provider://user:password@host/database
      // Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
      // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
      // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
      //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
      //$config['db_dsnw'] = 'mysql://roundcube_bdd_user_name:roundcube_bdd_user_pass@localhost/roundcube_bdd_name';
      
      // IMAP host chosen to perform the log-in.
      // See defaults.inc.php for the option description.
      $config['imap_host'] = 'localhost:143';
      
      // SMTP server host (for sending mails).
      // See defaults.inc.php for the option description.
      $config['smtp_host'] = 'localhost:587';
      
      // SMTP username (if required) if you use %u as the username Roundcube
      // will use the current username for login
      $config['smtp_user'] = '%u';
      
      // SMTP password (if required) if you use %p as the password Roundcube
      // will use the current user's password for login
      $config['smtp_pass'] = '%p';
      
      // provide an URL where a user can get support for this Roundcube installation
      // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
      $config['support_url'] = '';
      
      // Name your service. This is displayed on the login screen and in the window title
      $config['product_name'] = 'Roundcube Webmail';
      
      // This key is used to encrypt the users imap password which is stored
      // in the session record. For the default cipher method it must be
      // exactly 24 characters long.
      // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
      //$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
      $config['des_key'] = '5d2d5d2sldoP*$^ùDJKDl25';
      
      // List of active plugins (in plugins/ directory)
      $config['plugins'] = [
          'acl',
          'additional_message_headers',
          'archive',
          'attachment_reminder',
          'autologon',
          'debug_logger',
          'emoticons',
          'enigma',
          'filesystem_attachments',
          'help',
          'hide_blockquote',
          'http_authentication',
          'identicon',
          'identity_select',
          'jqueryui',
          'krb_authentication',
          'managesieve',
          'markasjunk',
          'new_user_dialog',
          'new_user_identity',
          'newmail_notifier',
          'reconnect',
          'redundant_attachments',
          'show_additional_headers',
          'squirrelmail_usercopy',
          'subscriptions_option',
          'userinfo',
          'vcard_attachments',
          'virtuser_file',
          'virtuser_query',
          'zipdownload',
          'jqueryui',
          'ispconfig3_account',
          'ispconfig3_autoreply',
          'ispconfig3_autoselect',
          'ispconfig3_spam',
          'ispconfig3_fetchmail',
          'ispconfig3_filter',
          'ispconfig3_forward',
          'ispconfig3_wblist',
      ];
      
      // skin name: folder from skins/
      $config['skin'] = 'elastic';
      
      $config['enable_spellcheck'] = true;
      
      // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
      // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
      $config['enable_installer'] = false;
      

    • # 2 | (postfix) main.cf
      Code:
      # See /usr/share/postfix/main.cf.dist for a commented, more complete version
      
      
      # Debian specific:  Specifying a file name will cause the first
      # line of that file to be used as the name.  The Debian default
      # is /etc/mailname.
      #myorigin = /etc/mailname
      
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      biff = no
      
      # appending .domain is the MUA's job.
      append_dot_mydomain = no
      
      # Uncomment the next line to generate "delayed mail" warnings
      #delay_warning_time = 4h
      
      readme_directory = /usr/share/doc/postfix
      
      # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
      # fresh installs.
      compatibility_level = 2
      
      
      
      # TLS parameters
      smtpd_tls_cert_file = /etc/postfix/smtpd.cert
      smtpd_tls_key_file = /etc/postfix/smtpd.key
      smtpd_tls_security_level = may
      
      smtp_tls_CApath=/etc/ssl/certs
      smtp_tls_security_level = dane
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      
      
      smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
      myhostname = ns544124.ip-144-217-78.net
      alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      myorigin = /etc/mailname
      mydestination = ns544124.ip-144-217-78.net, localhost, localhost.localdomain
      relayhost =
      mynetworks = 127.0.0.0/8 [::1]/128
      mailbox_size_limit = 0
      recipient_delimiter = +
      inet_interfaces = all
      inet_protocols = all
      html_directory = /usr/share/doc/postfix/html
      virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
      virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
      virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
      virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
      virtual_mailbox_base = /var/vmail
      virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
      virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
      sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
      smtpd_sasl_auth_enable = yes
      broken_sasl_auth_clients = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_restriction_classes = greylisting
      greylisting = check_policy_service inet:127.0.0.1:10023
      smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
      smtpd_use_tls = yes
      transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
      relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
      relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
      smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
      proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
      smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
      smtpd_reject_unlisted_sender = no
      smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
      smtpd_etrn_restrictions = permit_mynetworks, reject
      smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
      smtpd_client_message_rate_limit = 100
      maildrop_destination_concurrency_limit = 1
      maildrop_destination_recipient_limit = 1
      virtual_transport = lmtp:unix:private/dovecot-lmtp
      header_checks = regexp:/etc/postfix/header_checks
      mime_header_checks = regexp:/etc/postfix/mime_header_checks
      nested_header_checks = regexp:/etc/postfix/nested_header_checks
      body_checks = regexp:/etc/postfix/body_checks
      owner_request_special = no
      smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
      smtpd_tls_protocols = !SSLv2,!SSLv3
      smtp_tls_protocols = !SSLv2,!SSLv3
      smtpd_tls_exclude_ciphers = RC4, aNULL
      smtp_tls_exclude_ciphers = RC4, aNULL
      smtpd_tls_mandatory_ciphers = medium
      tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      tls_preempt_cipherlist = yes
      address_verify_negative_refresh_time = 60s
      enable_original_recipient = no
      sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
      smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
      smtp_sender_dependent_authentication = yes
      smtp_sasl_auth_enable = yes
      smtp_sasl_security_options = noanonymous, noplaintext
      smtp_sasl_tls_security_options = noanonymous
      authorized_flush_users =
      authorized_mailq_users = nagios, icinga
      smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
      address_verify_sender_ttl = 15686s
      smtp_dns_support_level = dnssec
      dovecot_destination_recipient_limit = 1
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_milters = inet:localhost:11332
      non_smtpd_milters = inet:localhost:11332
      milter_protocol = 6
      milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
      milter_default_action = accept
      message_size_limit = 0
      

    • # 3 | (dovecot) dovecot.conf
      Code:
      # Do not change this file, as changes will be overwritten by any ISPConfig update.
      # Put your custom settings in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master.
      # To start using those changes, do a force upgrade and let it reconfigure your services. (ispconfig_update.sh --force)
      listen = *,[::]
      protocols = imap pop3 lmtp sieve
      auth_mechanisms = plain login
      disable_plaintext_auth = no
      log_timestamp = "%Y-%m-%d %H:%M:%S "
      mail_privileged_group = vmail
      ssl_cert = </etc/postfix/smtpd.cert
      ssl_key = </etc/postfix/smtpd.key
      ssl_dh = </etc/dovecot/dh.pem
      ssl_min_protocol = TLSv1.2
      ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      ssl_prefer_server_ciphers = no
      mail_max_userip_connections = 100
      mail_plugins = quota
      passdb {
        args = /etc/dovecot/dovecot-sql.conf
        driver = sql
      }
      userdb {
        driver = prefetch
      }
      userdb {
        args = /etc/dovecot/dovecot-sql.conf
        driver = sql
      }
      plugin {
        quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      
        # no longer needed, as 'sieve' is in userdb extra fields:
        sieve=/var/vmail/%d/%n/.sieve
      
        sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
        sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
        sieve_max_script_size = 2M
        sieve_max_actions = 100
        sieve_max_redirects = 25
      }
      service auth {
        unix_listener /var/spool/postfix/private/auth {
          group = postfix
          mode = 0660
          user = postfix
        }
        unix_listener auth-userdb {
          group = vmail
          mode = 0600
          user = vmail
        }
        user = root
      }
      service lmtp {
        unix_listener /var/spool/postfix/private/dovecot-lmtp {
         group = postfix
         mode = 0600
         user = postfix
         # For higher volume sites, it may be desirable to increase the number of active listener processes.
         # A range of 5 to 20 is probably good for most sites
      #   process_min_avail = 5
        }
      }
      lmtp_rcpt_check_quota = yes
      service imap-login {
        client_limit = 1000
        process_limit = 512
      }
      protocol imap {
        mail_plugins = $mail_plugins quota imap_quota
        auth_verbose = yes
      }
      protocol pop3 {
        pop3_uidl_format = %08Xu%08Xv
        mail_plugins = $mail_plugins quota
        auth_verbose = yes
      }
      protocol lda {
      postmaster_address = [email protected]
        mail_plugins = $mail_plugins sieve quota
      }
      protocol lmtp {
      postmaster_address = [email protected]
        mail_plugins = $mail_plugins quota sieve
      }
      
      service stats {
          unix_listener stats-reader {
              user = vmail
              group = vmail
              mode = 0660
          }
      
          unix_listener stats-writer {
              user = vmail
              group = vmail
              mode = 0660
          }
      }
      
      service quota-status {
        executable = quota-status -p postfix
        unix_listener /var/spool/postfix/private/quota-status {
          group = postfix
          mode = 0660
          user = postfix
        }
        client_limit = 1
      }
      plugin {
        quota_status_success = DUNNO
        quota_status_nouser = DUNNO
        quota_status_overquota = "552 5.2.2 Mailbox is full"
      }
      
      imap_capability=+SPECIAL-USE XLIST
      namespace inbox {
        inbox = yes
        separator = .
        mailbox Drafts {
          special_use = \Drafts
        }
        mailbox Junk {
          special_use = \Junk
        }
        mailbox Sent {
          special_use = \Sent
        }
        mailbox "Sent Messages" {
          special_use = \Sent
        }
        mailbox Trash {
          special_use = \Trash
        }
      }
      
      !include_try conf.d/99-ispconfig-custom-config.conf
      
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Nothing, as it is already configured like this and used as the default when external mail clients connect to your server, for years now. You can find detailed step-by-step instructions here on how to add an email account and how to set up an email client, and which exact settings and server name need to be used:

    https://www.howtoforge.com/ispconfig-email-account/

    The email system uses a central SSL cert which is issued for the hostname of your server, and all email clients must use this hostname if they want to connect to the server. Adding SSL certs for the http/https protocol (websites) is not related to email and the connection of email clients to your server. Roundcube connects on localhost; using SSL there does not make much sense and that's why it is not used there. Of course, you can do that and let Roundcube connect to your external IP via imaps and smtps, but it will just slow down your system.
     
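Added example (not from the thread, ISPConfig or Roundcube): a read-only client-side check of the two ports the question is about. It connects to 143 and 587 in the clear, reports whether STARTTLS is offered and whether a login is also accepted before TLS (the posted dovecot.conf has disable_plaintext_auth = no and main.cf has smtpd_tls_security_level = may, so TLS is offered but not required from remote clients), then upgrades with STARTTLS and verifies the certificate against the server hostname that mail clients are told to use. MAIL_HOST is a placeholder.

```python
import imaplib
import smtplib
import ssl

MAIL_HOST = "mail.example.invalid"  # placeholder: the hostname the central cert is issued for


def imap_capabilities(capability_line):
    """Parse an untagged IMAP CAPABILITY reply, e.g.
    '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN'.
    STARTTLS means the upgrade is offered; LOGINDISABLED means the server
    refuses LOGIN until the session is encrypted. With Dovecot's
    disable_plaintext_auth = no (as in the posted dovecot.conf) LOGINDISABLED
    is absent on a remote plaintext connection: TLS is offered, not enforced."""
    caps = {c.upper() for c in capability_line.split()}
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
    }


def smtp_capabilities(ehlo_keyword_lines):
    """Parse the keyword lines of a plaintext EHLO reply (the '250-' prefixes
    and the leading hostname line already stripped), e.g.
    ['PIPELINING', 'STARTTLS', 'AUTH PLAIN LOGIN'].
    AUTH on the unencrypted EHLO means Postfix will accept a password before
    STARTTLS; smtpd_tls_auth_only = yes makes it advertise AUTH only after TLS."""
    keywords = {line.split()[0].upper() for line in ehlo_keyword_lines if line.strip()}
    return {
        "starttls": "STARTTLS" in keywords,
        "plaintext_auth_allowed": "AUTH" in keywords,
    }


def check_imap(host=MAIL_HOST, port=143):
    """Connect in the clear on 143, read the pre-TLS capabilities, then upgrade.
    imaplib verifies the certificate chain and hostname with a default context,
    so a cert issued for a different name raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4(host, port, timeout=10) as imap:
        findings = imap_capabilities("* CAPABILITY " + " ".join(imap.capabilities))
        if findings["starttls"]:
            imap.starttls(ssl_context=ctx)
            findings["tls_ok"] = True
        return findings


def check_smtp(host=MAIL_HOST, port=587):
    """Same check for the submission port: EHLO in the clear, then STARTTLS
    with certificate and hostname verification."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, reply = smtp.ehlo()
        # the first reply line is the server's own name; the rest are EHLO keywords
        keyword_lines = reply.decode("utf-8", "replace").splitlines()[1:]
        findings = smtp_capabilities(keyword_lines)
        if findings["starttls"]:
            smtp.starttls(context=ctx)
            findings["tls_ok"] = True
        return findings


if __name__ == "__main__":
    for label, check in (("IMAP 143", check_imap), ("SMTP 587", check_smtp)):
        try:
            print(label, check())
        except (OSError, imaplib.IMAP4.error, smtplib.SMTPException) as exc:
            # ssl.SSLError is a subclass of OSError, so a cert/hostname mismatch lands here too
            print(label, "FAILED:", exc)
```

Run it from a machine other than the server itself: on localhost Dovecot treats the connection as secure anyway, which is why Roundcube on localhost can log in without TLS while remote clients should be made to use STARTTLS.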
  4. Vintche Dass

    Vintche Dass New Member

    Good evening Till,

    Thank you for your response. The shared link in the tutorial you created does not (unless I am mistaken) address my request.
    Everything I saw in the tutorial, from ISPConfig to IMAP client via TLS, is basic to me.
    I've been using SOGo since 2013, its interface is not foreign to me. Adding, managing domains, emails, etc. is basic. Especially since version 3.2, you have added many features.

    Where I get stuck is the instructions for Roundcube to communicate with Postfix/Dovecot over TLS. Because Roundcube does not have the instruction of connection with login in TLS, etc.
    As I wrote, if I turn Roundcube to SMTP 25 the old way, it works: email sent from server 1 and received by server 2.

    All the information I could find is specific to versions prior to Roundcube 1.6.0, and this latest version has taken a turn in its config.inc.php compared to previous versions.
    Remember, I did not install Roundcube via the ISPConfig script but in a later step, manually, to get version 1.6.0 instead of 1.4.3 which came with the ISPConfig script.

    Until now (since 2013), I was using SOGo, so I had a great habit, and the SOGo installation was making the changes on Postfix/Dovecot with the questions/answers to be filled in, to be validated during said SOGo installation.

    Or I am missing something, but it's not in the ISPConfig GUI domain/email settings.
    I'm still stuck.

    Regards,
    Vincente

    PS : Thanks for putting my request in the right space, I hadn't found another section, due to lack of experience on HowTo.
     
  5. Vintche Dass

    Vintche Dass New Member

    Here is what I did to install Roundcube after ISPConfig, php 8.1

    For each validated operation, I write a guide/tuto/memo at each step. This serves as a work support.
    ( I have replaced the sensitive information by generic ones.)

    # 12. # Installation of "Roundcube 1.6.0" ("RC")
    Code:
    ##############################################################
    # 12. # Installation of "Roundcube 1.6.0" ("RC")
    
    # 12.1 - Downloading the archive of the latest version :
    wget https://github.com/roundcube/roundcubemail/releases/download/1.6.0/roundcubemail-1.6.0-complete.tar.gz
    
      *** Checking the latest version :
      https://roundcube.net/download/
    
    
    # 12.2.1. # Unzip the archive :
    tar xvf roundcubemail-1.6.0-complete.tar.gz
    
    # 12.2.2. # Create the final folder in "/server_path_roundcube" :
    mkdir -p /server_path_roundcube
    
    # 12.2.3. # Move the content of the decompression and rename its destination folder "roundcube" :
    mv roundcubemail-1.6.0 /server_path_roundcuberoundcube
    
    # 12.2.4. # Move to the final destination URL "/server_path_roundcuberoundcube" :
    cd /server_path_roundcuberoundcube
    
    # 12.2.5. # Allocate the rights of the user " " to the folder "temp" and "logs" which are in the folder "roundcube" :
    chown www-data:www-data temp/ logs/ -R
    
    # 12.3.1. # Install the dependencies :
    apt install software-properties-common
    
    # 12.3.2. # Continue by validating with the choice "2" for "Apache" : ( !!!! Attention, the command gives an error by adding an Ubuntu PPA )
    add-apt-repository ppa:ondrej/php
    
    # 12.3.3. # Launch the MAJ checks :
    apt update
    
    # 12.3.4. # Install (or check if already installed) the necessary "PHP 8.1" extensions and validate the installation with "O" :
    apt install php-net-ldap2 php-net-ldap3 php-imagick php8.1-fpm php8.1-common php8.1-gd php8.1-imap php8.1-mysql php8.1-curl php8.1-zip php8.1-xml php8.1-mbstring php8.1-bz2 php8.1-intl php8.1-gmp
    
    # 12.4.1. # Creation of a database "MariaDB" for "Roundcube". To connect under the prompt "MariaDB":
    mysql -u root -p
    
      *** Enter the PSWD "root" of "MySQL"
    
    # 12.4.2. # Create the database "roundcube_dbb_name" (The name can be changed) :
      # Create the "roundcub-user-name" user who will manage the "roundcube_dbb_name" database:
      # Give the user rights on his DBB :
      # Flush privileges
      # Finish by exiting the "MariaDB" prompt:
     
    CREATE DATABASE roundcube_dbb_name DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE USER roundcube_user_name@localhost IDENTIFIED BY 'password_roundcube_user_name';
    GRANT ALL PRIVILEGES ON roundcube_dbb_name.* TO roundcube_user_name@localhost;
    flush privileges;
    exit;
    
    
    # 12.5. # Import the initial tables (structure) into the "roundcube_dbb_name" database:
    mysql -u root -p roundcube_dbb_name < /server_path_roundcuberoundcube/SQL/mysql.initial.sql
    
      *** Enter the PSWD "root" of "MySQL"
     
      "-u root" = import will be performed under the authority of the user "root"
      "-p" = impose the request of the PSWD of the user "root"
      "roundcube_dbb_name" = The name of the DB of "RC"
      "<" = The direction in which the copy will be performed. Example : "A < B" = the data present in "B" will be copied in "A"
      "/server_path_roundcuberoundcube/SQL/mysql.initial.sql" = the local URL of the file containing the tables to be incorporated into the DB of "RC".
    
    # 12.6.1. #  At this point domains have already been created in "ISPConfig" so it is not necessary to create a "roundcube.conf" but to modify a "*.vhost" of the subdomain that will be used for access to the "RC" Webmail.
    
      *** For example: The domain "mail.domain.ex" has been created for this purpose.
      Just edit its "mail.domain.ex.vhost" and replace the "DocumentRoot" by the local URL of the "Roundcube" folder.
    
      *** For example the subdomain applied here is: "mail.domain.ex"
    
    
    # 12.6.2. # Goes into :
    cd /etc/apache2/sites-available
    
    # 12.6.3. # Make a copy--backup of "mail.domain.ex.vhost" keeping the rights, owner, group :
    cp -r mail.domain.ex.vhost mail.domain.ex.vhost.BAK
    ls
    
    # 12.6.4. # Edit the file :
    nano mail.domain.ex.vhost
    
    # 12.6.5. # In the file, search for all the :
    -------------------------------------------------------------------------------------------
    DocumentRoot /var/www/clients/client0/web3/web
    -------------------------------------------------------------------------------------------
    
      *** Be careful, the variables "client0" and "web3" can be different, modify them according to those already present in the file.
    
    # 12.6.6. # Replace the 04 "DocumentRoot /server_path_roundcubeclients/client0/web3/web" by :
    -------------------------------------------------------------------------------------------
    #   DocumentRoot /var/www/clients/client0/web3/web
    DocumentRoot server_path_to_roundcube/
    -------------------------------------------------------------------------------------------
    
      *** Here, it is present 04 times, but it can also vary according to the instructions validated at the time of the creation, of the parameter settings on the subdomain.
    
    
    # 12.6.7. # To finish, reload the "Apache" service:
    systemctl reload apache2
    
    
    # 12.7-1. # Configure "RC". Go to the local URL:
    cd /server_path_roundcuberoundcube/config/
    
    # 12.7-2. # Duplicate a copy of "config.inc.php.sample" and rename it at the same time :
    cp config.inc.php.sample config.inc.php
    
    # 12.7-3. # Edit the file :
    nano /server_path_roundcuberoundcube/config/config.inc.php
    
    
    # 12.7.4.1. # Replace:
    -------------------------------------------------------------------------------------------
    $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcube_dbb_name';
    -------------------------------------------------------------------------------------------
    
    # 12.7.4.2. # With :
    -------------------------------------------------------------------------------------------
    //$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcube_dbb_name';
    $config['db_dsnw'] = 'mysql://roundcube_user_name:password_roundcube_user_name@localhost/roundcube_dbb_name';
    -------------------------------------------------------------------------------------------
    
      *** "password_roundcube_user_name" being the PWD of the user "roundcube_user_name" to access the DB "roundcube_dbb_name".
    
    
    # 12.7.5.1. # Replace :
    -------------------------------------------------------------------------------------------
    $config['des_key'] = 'rcmail-!24ByteDESkey*Str';
    -------------------------------------------------------------------------------------------
    
    # 12.7.5.2. # With :
    -------------------------------------------------------------------------------------------
    //$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
    $config['des_key'] = '205d8d2s23sIYUFHDN!$d-2s';
    -------------------------------------------------------------------------------------------
    
    
    # 12.7.6.1. # Replace :
    -------------------------------------------------------------------------------------------
    // List of active plugins (in plugins/ directory)
    $config['plugins'] = [
    'archive',
    'zipdownload',
    ];
    -------------------------------------------------------------------------------------------
    
    # 12.7.6.2. # By :
    -------------------------------------------------------------------------------------------
    // List of active plugins (in plugins/ directory)
    $config['plugins'] = [
    'acl',
    'additional_message_headers',
    'archive',
    'attachment_reminder',
    'autologon',
    'debug_logger',
    'emoticons',
    'enigma',
    'filesystem_attachments',
    'help',
    'hide_blockquote',
    'http_authentication',
    'identicon',
    'identity_select',
    'jqueryui',
    'krb_authentication',
    'managesieve',
    'markasjunk',
    'new_user_dialog',
    'new_user_identity',
    'newmail_notifier',
    'password',
    'reconnect',
    'redundant_attachments',
    'show_additional_headers',
    'squirrelmail_usercopy',
    'subscriptions_option',
    'userinfo',
    'vcard_attachments',
    'virtuser_file',
    'virtuser_query',
    'zipdownload',
    ];
    -------------------------------------------------------------------------------------------
    
    
    # 12.7.7. # At the end of the file, add the line :
    -------------------------------------------------------------------------------------------
    $config['enable_spellcheck'] = true;
    -------------------------------------------------------------------------------------------
    
    
    # 12.7.8. # At the bottom/end of the file, add these lines to activate the "RC" installer, then save and close the file ("CTRL+W" + "O" + Valid):
    -------------------------------------------------------------------------------------------
    // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
    // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
    $config['enable_installer'] = true;
    -------------------------------------------------------------------------------------------
    
    
    # 12.8. # Set the "php.ini" "Time Zone"
    
    # 12.8.1. # Edit the "php.ini" file of the three versions of "PHP" to set the "Time Zone":
    nano /etc/php/7.4/fpm/php.ini
    nano /etc/php/8.0/fpm/php.ini
    nano /etc/php/8.1/fpm/php.ini
    
    # 12.8.2. # Search :
    -------------------------------------------------------------------------------------------
    ;date.timezone =
    -------------------------------------------------------------------------------------------
    
    # 12.8.3. # Replace with :
    -------------------------------------------------------------------------------------------
    ;date.timezone =
    date.timezone = MyTimeZone/The capital city
    -------------------------------------------------------------------------------------------
    
    # 12.9. # Restart/Reload services :
    service mysql restart
    systemctl restart php7.4-fpm
    systemctl restart php8.0-fpm
    systemctl restart php8.1-fpm
    systemctl reload apache2
    
    
    # 12.10-1. # From a browser > to the page to continue/complete the installation/parameterization/initialization settings of "RC":
    https://mail.domain.ex/installer/?_step=1
    
    
    # 12.10-2. # Part 1 : "Check environment"
    Everything the server needs should be set to "ok" (not all features are set to "ok", though, as some are not useful depending on the server conf).
    
    # 12.10-3. # Part 2 : "Create config"
    Nothing to do; if everything is ok, it's automated.
    
    # 12.10-4. # Part 3 : "Test config"
    No need for the test because there is no existing address yet, so do nothing in this part.
    
    
    # 12.11. # Once the installation is finished, you have to delete the "installer" folder in "/server_path_roundcuberoundcube/installer/" :
    cd /server_path_roundcuberoundcube/
    ls
    rm -r installer
    
    
    # 12.12-1. # It is also necessary to change the "installer" instruction in the file "config.inc.php". Edit the file :
    nano config.inc.php
    OR
    nano /server_path_roundcuberoundcube/config/config.inc.php
    
    # 12.12-2. # Change "true" by "false" of the activation of the "installer" of "RC" in this file, at the bottom/end of the file, then save and close the file ("CTRL+W" > "O" > Valid) :
    
    # 12.12.2-1. # File BEFORE modifications :
    -------------------------------------------------------------------------------------------
    // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
    // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
    $config['enable_installer'] = true;
    -------------------------------------------------------------------------------------------
    
    # 12.12.2-2. # File AFTER modifications :
    -------------------------------------------------------------------------------------------
    // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
    // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
    $config['enable_installer'] = false;
    -------------------------------------------------------------------------------------------
    
    
    # 12.13. # Done for this section. In the browser, go to the URL to check the main page of "Roundcube" :
    https://mail.domain.ex/
    
     
    carmelocarrillo likes this.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Connecting RoundCube via SSL makes no sense as it communicates with postfix and dovecot via localhost, using SSL there does not give you any real benefits and is not needed security-wise as the data is not transferred over the public network and does not leave your server. It just makes your server slower, that's why it is not recommended to do this. Roundcube should communicate on port 25 with postfix on localhost as it's a locally installed webmail client. As I mentioned already, your whole mail system (postfix and dovecot) is configured already for starttls, so it works out of the box for any client that connects to it via starttls on the usual ports. So unlike SOGo, there is no manual configuration required in ISPConfig to get starttls or its email cert working.

    If you want to configure Roundcube to use starttls, even if it's discouraged to do so, then you must configure it in the same way you configure any external mail client, and that's what is described in the tutorial I posted the link to, so you should know that already as you mentioned in your answer. e.g. for RoundCube, you would use:

    $config['smtp_server'] = 'ssl://server.host.name:587';

    and imap server is either:

    $config['default_host'] = 'ssl://server.host.name';
    or:
    $config['default_host'] = 'ssl://server.host.name:993';

    where server.host.name is the hostname of the server, if you don't know it, then run:

    hostname -f

    command to get the hostname.

    But as mentioned, it just slows down your server and instead of routing traffic securely inside your own system, you now route it over the external interface. So better leave the setup as it was correctly set up on localhost with port 25.

    Changes in postfix or dovecot are not needed in any case, as the system is correctly configured.
     
    carmelocarrillo and pyte like this.
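One way to confirm from the client's side what Till describes (that the server already offers STARTTLS on the usual ports, and that the certificate it presents validates for the name a client uses) is the following script. It is an added example for this thread, not code from the thread, from ISPConfig or from Roundcube, and it uses only the Python standard library. The host name is an argument you supply; the IMAP greeting and SMTP EHLO samples are constructed to mirror the format Dovecot and Postfix print, not captured from any server, and `mail.example.invalid` is a placeholder.

```python
"""Client-side STARTTLS check for IMAP (143) and SMTP submission (587).

Added example; not code from the thread, ISPConfig or Roundcube.
Standard library only. Pass a host name to probe a real server; with no
argument it only classifies the constructed sample greetings below.
"""
import imaplib
import re
import smtplib
import ssl
import sys

# Constructed sample greeting in the shape Dovecot prints on port 143 before
# STARTTLS (not captured from any particular server).
SAMPLE_IMAP_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready."
)
# Constructed greeting of a server that refuses cleartext logins until STARTTLS.
SAMPLE_IMAP_GREETING_STRICT = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE LITERAL+ STARTTLS "
    "LOGINDISABLED] Dovecot (Debian) ready."
)
# Constructed EHLO reply in the shape Postfix prints on port 587 before STARTTLS.
SAMPLE_SMTP_EHLO = (
    "250-mail.example.invalid\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
)


def assess_imap_greeting(greeting):
    """Classify what an IMAP server offers while the connection is still cleartext."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    caps = set(m.group(1).upper().split()) if m else set()
    mechs = sorted(c for c in caps if c.startswith("AUTH="))
    login_disabled = "LOGINDISABLED" in caps
    return {
        "starttls": "STARTTLS" in caps,
        "auth_mechs_before_tls": mechs,
        # Credentials can travel in cleartext if the plain LOGIN command is
        # still allowed, or a SASL mechanism is advertised, before the upgrade.
        "cleartext_auth_possible": bool(mechs) or not login_disabled,
    }


def assess_smtp_ehlo(ehlo_reply):
    """Classify what an SMTP server offers in its EHLO reply before STARTTLS."""
    exts = {}
    for line in ehlo_reply.splitlines()[1:]:  # first line is the server name
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            name, _, params = body.partition(" ")
            exts[name.upper()] = params
    return {
        "starttls": "STARTTLS" in exts,
        "auth_mechs_before_tls": exts.get("AUTH", "").split(),
        "cleartext_auth_possible": "AUTH" in exts,
    }


def check_imap_starttls(host, port=143, timeout=10):
    """Connect in cleartext, upgrade with STARTTLS, verify chain and host name."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    imap = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = assess_imap_greeting(imap.welcome.decode(errors="replace"))
        if not before["starttls"]:
            return {"host": host, "port": port, "tls": False, "before": before}
        imap.starttls(ssl_context=ctx)  # raises ssl.SSLError on a bad certificate
        after = sorted(c for c in imap.capabilities if c.startswith("AUTH="))
        cert = imap.sock.getpeercert()
        return {"host": host, "port": port, "tls": True, "before": before,
                "auth_mechs_after_tls": after, "cert_not_after": cert["notAfter"]}
    finally:
        try:
            imap.logout()
        except Exception:
            pass


def check_smtp_starttls(host, port=587, timeout=10):
    """Same check for the submission port, using smtplib's STARTTLS support."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = smtp.esmtp_features.get("auth", "").split()
        if not smtp.has_extn("starttls"):
            return {"host": host, "port": port, "tls": False,
                    "auth_mechs_before_tls": before}
        smtp.starttls(context=ctx)  # verifies chain and host name
        smtp.ehlo()  # extensions must be re-read after the upgrade
        cert = smtp.sock.getpeercert()
        return {"host": host, "port": port, "tls": True,
                "auth_mechs_before_tls": before,
                "auth_mechs_after_tls": smtp.esmtp_features.get("auth", "").split(),
                "cert_not_after": cert["notAfter"]}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(assess_imap_greeting(SAMPLE_IMAP_GREETING))
        print(assess_smtp_ehlo(SAMPLE_SMTP_EHLO))
    else:
        print(check_imap_starttls(sys.argv[1]))
        print(check_smtp_starttls(sys.argv[1]))
```

Run it as `python3 starttls_check.py mail.domain.ex` from a machine outside the server's `mynetworks`, because Dovecot treats connections from local addresses as already "secured" (the `secured` flag visible in the thread's mail.log lines) and may advertise more on those than it does to a remote client. The interesting field is `auth_mechs_before_tls`: mechanisms advertised before the upgrade mean a misconfigured client could send credentials in cleartext. Dovecot's `disable_plaintext_auth` and Postfix's `smtpd_tls_auth_only` are the settings that control whether authentication is offered before STARTTLS; whether either needs changing is a per-site decision, which is why the script reports rather than judges.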
  7. Vintche Dass

    Vintche Dass New Member

    Good morning Till,

    Thank you for your answers and participation. I know it takes your time and I'm not the only one asking for help.
    I waited to do some tests before answering you.

    • You are quite right regarding the communication between RC webmail (Roundcube) < > Dovecot < > Postfix since these three are on the same server, so in localhost of this Server #1.
      So I've changed the setting of config.inc.php of RC to switch SMTP PORT from 587 to 25.

    • On the other hand, I don't understand why this, and over the past two days, I have tried many possibilities:
      • !!! I can send emails but I don't receive any !!!
        • Case #1/3: If I send an email from this server (Server #1) > Server #1:
          => Result: It's delivered, visible and accessible in RC (of course, it's on localhost, but that proves to me that it's functional).
          • Here are the email headers displayed in RC, email sent by Server #1 > received by Server #1 :
            Code:
            --------------------------------------------------------------------------------------------
            Return-Path: <[email protected]>
            Delivered-To: [email protected]
            Received: from ServerXXX
                by ServerXXX with LMTP
                id EwG3xxxxxxxxxxxxxxxAfKA
                (envelope-from <[email protected]>)
                for <[email protected]>; Tue, 08 Nov 2022 13:17:39 +0100
            Received: from "roundcube.domain.ex" (localhost [IPv6:::1])
                (Authenticated sender: [email protected])
                by ServerXXX (Postfix) with ESMTPA id 045xxxxxx703
                for <[email protected]>; Tue, 8 Nov 2022 13:17:38 +0100 (CET)
            MIME-Version: 1.0
            Date: Tue, 08 Nov 2022 13:17:37 +0100
            From: "Test Control | domain.ex" <[email protected]>
            To: [email protected]
            Subject: Test 6
            Message-ID: <[email protected]>
            X-Sender: [email protected]
            Organization: =?UTF-8?Q?MY_OG_=C2=AE?=
            --------------------------------------------------------------------------------------------
            
        • Case #2/3: If I send an email from this server (Server #1) > Server #2 (Other external server):
          => Result: It is delivered, visible and accessible in the Thunderbird IMAP / SMTP client (from other remote computers, Windows and Linux Mint v.21 (Vanessa)).

        • Case #3/3: If I send an email from Server #2 (outgoing SMTP) > Server #1 (incoming IMAP) :
          => Result: The email is sent correctly (Sent folder) from Server #2 but is not delivered or visible in the RC of Server #1.

    • Here is part of the configuration of the config.inc.php of RC:
      Code:
      [...]
      
      // IMAP host chosen to perform the log-in.
      // See defaults.inc.php for the option description.
      $config['imap_host'] = 'localhost:143';
      
      // SMTP server host (for sending mails).
      // See defaults.inc.php for the option description.
      //$config['smtp_host'] = 'localhost:587';
      $config['smtp_host'] = 'localhost:25';
      
      // SMTP username (if required) if you use %u as the username Roundcube
      // will use the current username for login
      $config['smtp_user'] = '%u';
      
      // SMTP password (if required) if you use %p as the password Roundcube
      // will use the current user's password for login
      $config['smtp_pass'] = '%p';
      
      // provide an URL where a user can get support for this Roundcube installation
      // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
      $config['support_url'] = '';
      
      [...]
      

    • Also, I did some tests on Server #1.
      1. postconf -n
        Code:
        --------------------------------------------------------------------------------------------
        # postconf -n
        
        address_verify_negative_refresh_time = 60s
        address_verify_sender_ttl = 15686s
        alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
        alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
        append_dot_mydomain = no
        authorized_flush_users =
        authorized_mailq_users = nagios, icinga
        biff = no
        body_checks = regexp:/etc/postfix/body_checks
        broken_sasl_auth_clients = yes
        compatibility_level = 2
        dovecot_destination_recipient_limit = 1
        enable_original_recipient = no
        greylisting = check_policy_service inet:127.0.0.1:10023
        header_checks = regexp:/etc/postfix/header_checks
        html_directory = /usr/share/doc/postfix/html
        inet_interfaces = all
        inet_protocols = all
        mailbox_size_limit = 0
        maildrop_destination_concurrency_limit = 1
        maildrop_destination_recipient_limit = 1
        message_size_limit = 0
        milter_default_action = accept
        milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
        milter_protocol = 6
        mime_header_checks = regexp:/etc/postfix/mime_header_checks
        mydestination = serverXXX, localhost, localhost.localdomain
        myhostname = serverXXX
        mynetworks = 127.0.0.0/8 [::1]/128
        myorigin = /etc/mailname
        nested_header_checks = regexp:/etc/postfix/nested_header_checks
        non_smtpd_milters = inet:localhost:11332
        owner_request_special = no
        proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
        readme_directory = /usr/share/doc/postfix
        recipient_delimiter = +
        relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
        relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
        relayhost =
        sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
        sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
        smtp_dns_support_level = dnssec
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
        smtp_sasl_security_options = noanonymous, noplaintext
        smtp_sasl_tls_security_options = noanonymous
        smtp_sender_dependent_authentication = yes
        smtp_tls_CApath = /etc/ssl/certs
        smtp_tls_exclude_ciphers = RC4, aNULL
        smtp_tls_protocols = !SSLv2,!SSLv3
        smtp_tls_security_level = dane
        smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
        smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
        smtpd_client_message_rate_limit = 100
        smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
        smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
        smtpd_etrn_restrictions = permit_mynetworks, reject
        smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
        smtpd_helo_required = yes
        smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
        smtpd_milters = inet:localhost:11332
        smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
        smtpd_reject_unlisted_sender = no
        smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
        smtpd_restriction_classes = greylisting
        smtpd_sasl_auth_enable = yes
        smtpd_sasl_authenticated_header = yes
        smtpd_sasl_path = private/auth
        smtpd_sasl_type = dovecot
        smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
        smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
        smtpd_tls_cert_file = /etc/postfix/smtpd.cert
        smtpd_tls_exclude_ciphers = RC4, aNULL
        smtpd_tls_key_file = /etc/postfix/smtpd.key
        smtpd_tls_mandatory_ciphers = medium
        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        smtpd_tls_protocols = !SSLv2,!SSLv3
        smtpd_tls_security_level = may
        smtpd_use_tls = yes
        tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
        tls_preempt_cipherlist = yes
        transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
        virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
        virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
        virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
        virtual_mailbox_base = /var/vmail
        virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
        virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
        virtual_transport = lmtp:unix:private/dovecot-lmtp
        virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
        --------------------------------------------------------------------------------------------

      2. After sending an email from Server 2 > Server 1, here are the logs of Server 1:
        • 2.1. /var/log/daemon.log
        • 2.2. /var/log/syslog
        • 2.3. /var/log/mail.log
        • 2.4. /var/log/postfix.log

        In the reports published, I replaced:
        • Hostname by : ServerXXX
        • IPv4 by : "IP_v4_serverXXX"
        • IPv6 by : "IP_v6_serverXXX"
        • MAC address by : "MAC_Adress_serverXXX"
        • The domain name tested by : domain.ex
        • 2.1. tail -f /var/log/daemon.log
          Code:
          --------------------------------------------------------------------------------------------
          # tail -f /var/log/daemon.log
          
          Nov  9 14:16:41 serverXXX NetworkManager[2348]: <info>  [1667999801.3903] device (eno4): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
          Nov  9 14:16:41 serverXXX NetworkManager[2348]: <info>  [1667999801.3922] device (eno4): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
          Nov  9 14:16:41 serverXXX NetworkManager[2348]: <info>  [1667999801.3945] device (eno4): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
          Nov  9 14:16:41 serverXXX NetworkManager[2348]: <info>  [1667999801.3956] dhcp4 (eno4): activation: beginning transaction (timeout in 45 seconds)
          Nov  9 14:16:41 serverXXX avahi-daemon[2342]: Joining mDNS multicast group on interface eno4.IPv6 with address "IP_v6_serverXXX".
          Nov  9 14:16:41 serverXXX avahi-daemon[2342]: New relevant interface eno4.IPv6 for mDNS.
          Nov  9 14:16:41 serverXXX avahi-daemon[2342]: Registering new address record for "IP_v6_serverXXX" on eno4.*.
          Nov  9 14:16:41 serverXXX named[2429]: listening on IPv6 interface eno4, "IP_v6_serverXXX"%3#53
          Nov  9 14:16:43 serverXXX telnetd[1292155]: ttloop: peer died: EOF
          Nov  9 14:16:44 serverXXX in.telnetd[1292159]: connect from 1.156.56.39 (1.156.56.39)
          Nov  9 14:17:15 serverXXX telnetd[1292159]: ttloop: peer died: EOF
          Nov  9 14:17:16 serverXXX in.telnetd[1292182]: connect from 1.156.56.39 (1.156.56.39)
          [...]
          Nov  9 14:34:56 serverXXX NetworkManager[2348]: <warn>  [1668000896.3792] device (eno4): Activation: failed for connection 'Connexion filaire 1'
          Nov  9 14:34:56 serverXXX NetworkManager[2348]: <info>  [1668000896.3800] device (eno4): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
          Nov  9 14:34:56 serverXXX avahi-daemon[2342]: Withdrawing address record for "IP_v6_serverXXX" on eno4.
          Nov  9 14:34:56 serverXXX avahi-daemon[2342]: Leaving mDNS multicast group on interface eno4.IPv6 with address "IP_v6_serverXXX".
          Nov  9 14:34:56 serverXXX avahi-daemon[2342]: Interface eno4.IPv6 no longer relevant for mDNS.
          Nov  9 14:34:56 serverXXX named[2429]: no longer listening on "IP_v6_serverXXX"%3#53
          Nov  9 14:34:56 serverXXX NetworkManager[2348]: <info>  [1668000896.4009] dhcp4 (eno4): canceled DHCP transaction
          Nov  9 14:34:56 serverXXX NetworkManager[2348]: <info>  [1668000896.4010] dhcp4 (eno4): state changed timeout -> terminated
          Nov  9 14:34:58 serverXXX ntpd[2504]: Deleting interface #1508 eno4, "IP_v6_serverXXX"%3#123, interface stats: received=0, sent=0, dropped=0, active_time=178 secs
          Nov  9 14:35:02 serverXXX mariadbd[169836]: 2022-11-09 14:35:02 95295 [Warning] Aborted connection 95295 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
          --------------------------------------------------------------------------------------------
          

        • 2.2. tail -f /var/log/syslog
          Code:
          --------------------------------------------------------------------------------------------
          # tail -f /var/log/syslog
          Nov  9 14:35:01 serverXXX CRON[1331812]: (www-data) CMD (php -f "install_path_of_nextcloud"/cron.php)
          Nov  9 14:35:02 serverXXX pure-ftpd: (?@::1) [INFO] New connection from ::1
          Nov  9 14:35:02 serverXXX pure-ftpd: (?@::1) [INFO] Logout.
          Nov  9 14:35:02 serverXXX mariadbd[169836]: 2022-11-09 14:35:02 95295 [Warning] Aborted connection 95295 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
          Nov  9 14:35:02 serverXXX dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<bh5CuQntZMIAAAAAAAAAAAAAAAAAAAAB>
          Nov  9 14:35:02 serverXXX dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3j9CuQntlM8AAAAAAAAAAAAAAAAAAAAB>
          Nov  9 14:35:02 serverXXX postfix/smtpd[1331910]: connect from localhost[::1]
          Nov  9 14:35:02 serverXXX postfix/smtpd[1331910]: lost connection after CONNECT from localhost[::1]
          Nov  9 14:35:02 serverXXX postfix/smtpd[1331910]: disconnect from localhost[::1] commands=0/0
          Nov  9 14:35:09 serverXXX kernel: [509980.922068] [UFW BLOCK] IN=eno3 OUT= MAC="MAC_Adress_serverXXX":00:d7:8f:c0:1d:41:08:00 SRC=62.233.50.245 DST="IP_v4_serverXXX" LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=31125 PROTO=TCP SPT=40851 DPT=48836 WINDOW=1024 RES=0x00 SYN URGP=0
          --------------------------------------------------------------------------------------------
          

        • 2.3. tail -f /var/log/mail.log
          Code:
          #tail -f /var/log/mail.log
          --------------------------------------------------------------------------------------------
          Nov  9 14:55:02 serverXXX postfix/smtpd[1333338]: lost connection after CONNECT from localhost[::1]
          Nov  9 14:55:02 serverXXX postfix/smtpd[1333338]: disconnect from localhost[::1] commands=0/0
          .
          ------------ MY TEST START -------------
          Nov  9 14:56:59 serverXXX dovecot: imap-login: Aborted login (auth failed, 2 attempts in 10 secs): user=<"user_email_test">, method=PLAIN, rip="IP_v4_serverXXX", lip="IP_v4_serverXXX", TLS, session=<lQspBwrtmrSQ2U5y>
          
          Nov  9 14:57:14 serverXXX dovecot: imap-login: Aborted login (auth failed, 2 attempts in 6 secs): user=<"user_email_test">, method=PLAIN, rip="IP_v4_serverXXX", lip="IP_v4_serverXXX", TLS, session=<ewBRCArtotmQ2U5y>
          ------------ MY TEST END -------------
          .
          Nov  9 15:00:02 serverXXX dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<blOqEgrtJKcAAAAAAAAAAAAAAAAAAAAB>
          Nov  9 15:00:02 serverXXX dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<DVqqEgrt5J4AAAAAAAAAAAAAAAAAAAAB>
          Nov  9 15:00:02 serverXXX postfix/smtpd[1333623]: connect from localhost[::1]
          Nov  9 15:00:02 serverXXX postfix/smtpd[1333623]: lost connection after CONNECT from localhost[::1]
          Nov  9 15:00:02 serverXXX postfix/smtpd[1333623]: disconnect from localhost[::1] commands=0/0
          Nov  9 15:00:56 serverXXX dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=::1, lip=::1, TLS, session=<nFnqFQrtPtIAAAAAAAAAAAAAAAAAAAAB>
          --------------------------------------------------------------------------------------------
          

        • 2.4. tail -f /var/log/postfix.log
          Code:
          --------------------------------------------------------------------------------------------
          # tail -f /var/log/postfix.log  (NO "postfix.log")
          
          tail: unable to open '/var/log/postfix.log' for reading: No such file or folder
          tail: no file left
          --------------------------------------------------------------------------------------------
          


      3. I listed the active processes of "Dovecot" and I notice that there is no IMAP process. Although, if I'm not talking nonsense, the IMAP / POP3 processes are active only when an email user logs in.

        ps auxw|grep "dovecot"
        Code:
        --------------------------------------------------------------------------------------------
        # ps auxw|grep "dovecot"
        
        root     1031806  0.0  0.0   4704  3528 ?        Ss   nov.08   0:02 /usr/sbin/dovecot -F
        dovecot  1031808  0.0  0.0   4220  1004 ?        S    nov.08   0:00 dovecot/anvil
        root     1031815  0.0  0.0   4488  2816 ?        S    nov.08   0:00 dovecot/log
        dovecot  1031850  0.0  0.0   9488  5280 ?        S    nov.08   0:01 dovecot/stats
        root     1031851  0.0  0.0   7172  4816 ?        S    nov.08   0:03 dovecot/config
        root     1332388  0.0  0.0   6284   712 pts/2    S+   14:43   0:00 grep dovecot
        --------------------------------------------------------------------------------------------
        

      4. "Dovecot" service
        • 4.1. I stopped the "Dovecot" service.
        • 4.2. Restarted it.
        • 4.3. Then checked its status.
        Code:
        sudo systemctl stop dovecot.service
        sudo systemctl start dovecot.service
        sudo systemctl status dovecot.service
        
        Code:
        --------------------------------------------------------------------------------------------
        (GREEN LIGHT) dovecot.service - Dovecot IMAP/POP3 email server
             Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
             Active: active (running) since Wed 2022-11-09 14:51:30 CET; 2s ago
               Docs: man:dovecot(1)
                     http://wiki2.dovecot.org/
           Main PID: 1332825 (dovecot)
              Tasks: 4 (limit: 19021)
             Memory: 3.2M
                CPU: 65ms
             CGroup: /system.slice/dovecot.service
                     ├─1332825 /usr/sbin/dovecot -F
                     ├─1332827 dovecot/anvil
                     ├─1332828 dovecot/log
                     └─1332829 dovecot/config
        
        nov. 09 14:51:30 serverXXX systemd[1]: Starting Dovecot IMAP/POP3 email server...
        nov. 09 14:51:30 serverXXX dovecot[1332825]: master: Dovecot v2.3.13 (89f716dc2) starting up for imap, pop3, lmtp, sieve (core dumps disabled)
        nov. 09 14:51:30 serverXXX systemd[1]: Started Dovecot IMAP/POP3 email server.
        --------------------------------------------------------------------------------------------
        
     
    Last edited: Nov 10, 2022
    carmelocarrillo likes this.
  8. Vintche Dass

    Vintche Dass New Member

    • 5. I made some tests with Telnet to check the functioning of ports and services.

    • 5.1. Checking ports
      Code:
      telnet "IP_v4_serverXXX" 143
      
      Code:
      # telnet "IP_v4_serverXXX" 143
      
      --------------------------------------------------------------------------------------------
      Trying IPv4_serveurXXX...
      Connected to "IP_v4_serverXXX"
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
      --------------------------------------------------------------------------------------------
      

    • 5.2. Audit of services
      Code:
      doveconf protocols listen
      
      Code:
      # doveconf protocols listen
      
      --------------------------------------------------------------------------------------------
      protocols = imap pop3 lmtp sieve
      listen = *,[::]
      --------------------------------------------------------------------------------------------
      

    • 5.3. Checking IMAP with a domain
      Code:
      telnet domain.ex 143
      
      Code:
      # telnet domain.ex 143
      
      --------------------------------------------------------------------------------------------
      Trying "IP_v4_serverXXX"...
      Connected to domain.ex.
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
      --------------------------------------------------------------------------------------------
      

    • 5.4. Verify that authenticated connections are allowed
      Code:
      telnet localhost 143
      a login "email_adress_tested" "password_email_adress_tested"
      
      Code:
      telnet localhost 143
      a login "email_adress_tested" "password_email_adress_tested"
      
      --------------------------------------------------------------------------------------------
      a login "email_adress_tested" "password_email_adress_tested"
      Trying "IP_v4_serverXXX"...
      Connected to localhost.
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
      --------------------------------------------------------------------------------------------
      

    • 5.5. Verify that remote connections to a domain are allowed
      (To be performed from another server/station, as all local IP addresses are considered secure) :
      • Tested from Server #1 (But localhost test)
      • Tested from Server #2
      • Tested from an external remote station
      Code:
      telnet mail.domain.ex 143
      a login "email_adress_tested" "password_email_adress_tested"
      
      Code:
      # telnet mail.domain.ex 143
      a login "email_adress_tested" "password_email_adress_tested"
      
      --------------------------------------------------------------------------------------------
      a login "email_adress_tested" "password_email_adress_tested"
      Trying "IP_v4_serverXXX"...
      Connected to mail.domain.ex.
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
      --------------------------------------------------------------------------------------------
      

    • 5.6. Test using the imap port and the STARTTLS command (also works with the imap port)
      (To be performed from another server/station, as all local IP addresses are considered secure) :
      • Tested from Server #1 (But localhost test)
      • Tested from Server #2
      • Tested from an external remote station

      Code:
      openssl s_client -connect mail.domain.ex:143 -starttls imap
      
      Code:
      # openssl s_client -connect mail.domain.ex:143 -starttls imap
      
      --------------------------------------------------------------------------------------------
      CONNECTED(00000003)
      depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
      verify return:1
      depth=1 C = US, O = Let's Encrypt, CN = R3
      verify return:1
      depth=0 CN = serverXXX
      verify return:1
      ---
      Certificate chain
       0 s:CN = serverXXX
         i:C = US, O = Let's Encrypt, CN = R3
       1 s:C = US, O = Let's Encrypt, CN = R3
         i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
       2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
         i:O = Digital Signature Trust Co., CN = DST Root CA X3
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIFOjCCBCK xxxx [...] xxxxQ0JwO4Cw==
      -----END CERTIFICATE-----
      subject=CN = serverXXX
      
      issuer=C = US, O = Let's Encrypt, CN = R3
      
      ---
      No client certificate CA names sent
      Peer signing digest: SHA256
      Peer signature type: RSA-PSS
      Server Temp Key: XXXXXX, 253 bits
      ---
      SSL handshake has read 4974 bytes and written 410 bytes
      Verification: OK
      ---
      New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      ---
      . OK Pre-login capabilities listed, post-login capabilities have more.
      ---
      Post-Handshake New Session Ticket arrived:
      SSL-Session:
          Protocol  : TLSv1.3
          Cipher    : TLS_AES_256_GCM_SHA384
          Session-ID: D7795DAD xxxxxx xxxxxxxx xxxxxxxx 827554
          Session-ID-ctx:
          Resumption PSK: E94xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1649D
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          TLS session ticket lifetime hint: 7200 (seconds)
          TLS session ticket:
          0000 - 49 5e xx xx xx xx xx xx xx xx xx xx 58 f7   I^.~].w.......X.
          0010 - 24 37 xx xx xx xx xx xx xx xx xx xx d1 b7   $7...*h...}0Qv..
          0020 - b5 fc xx xx xx xx xx xx xx xx xx xx c1 c3   ......q..P-.....
          0030 - 11 85 xx xx xx xx xx xx xx xx xx xx d2 81   ...Jr...o..eL...
          0040 - 20 61 xx xx xx xx xx xx xx xx xx xx 2c cb    a_.....:J....,.
          0050 - 0c 7c xx xx xx xx xx xx xx xx xx xx db f0   .|.h.uYz`....&..
          0060 - b0 9a xx xx xx xx xx xx xx xx xx xx c5 7f   ....P.B5`.n&....
          0070 - 93 06 xx xx xx xx xx xx xx xx xx xx 1c d3   ..!.z...0..W.5..
          0080 - 04 d9 xx xx xx xx xx xx xx xx xx xx e9 8b   ..N.yc...2.-....
          0090 - db 68 xx xx xx xx xx xx xx xx xx xx 07 1f   .h@...;.'B......
          00a0 - 77 81 xx xx xx xx xx xx xx xx xx xx 07 b7   w......&.....0..
          00b0 - 10 81xx xx xx xx xx xx xx xx xx xx 18 1c   ......B.3.......
          00c0 - f5 43 xx xx xx xx xx xx xx xx xx xx e3 91   .C.V...=.h4..J..
      
          Start Time: 1667997854
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
          Max Early Data: 0
      ---
      read R BLOCK
      ---
      Post-Handshake New Session Ticket arrived:
      SSL-Session:
          Protocol  : TLSv1.3
          Cipher    : TLS_AES_256_GCM_SHA384
          Session-ID: 8552294C02xxxxxx xxxxxxxx xxxxxxxxC50CBF2B6
          Session-ID-ctx:
          Resumption PSK: 6AF4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx81B4B
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          TLS session ticket lifetime hint: 7200 (seconds)
          TLS session ticket:
          0000 - 49 5e xx xx xx xx xx xx xx xx xx xx 58 f7   I^.~].w.......X.
          0010 - 0d dd xx xx xx xx xx xx xx xx xx xx 08 0d   ..2.j!.... ZXH..
          0020 - 7c 69 xx xx xx xx xx xx xx xx xx xx 76 c5   |i#.......T...v.
          0030 - d2 34 xx xx xx xx xx xx xx xx xx xx e3 ee   .4"..{.u_....W..
          0040 - 17 ba xx xx xx xx xx xx xx xx xx xx d4 a0   ..r.\...;.b..I..
          0050 - 74 50 xx xx xx xx xx xx xx xx xx xx 79 e3   tP......y.!\..y.
          0060 - 16 e3 xx xx xx xx xx xx xx xx xx xx 12 75   ..#..u}..m.).W.u
          0070 - c7 69 xx xx xx xx xx xx xx xx xx xx fc c2   .iRv*...m....2..
          0080 - a3 ca xx xx xx xx xx xx xx xx xx xx bd e8   ....A&C..Q .|v..
          0090 - 88 60xx xx xx xx xx xx xx xx xx xx 6f 82   .`..F./o;J&]Cjo.
          00a0 - 88 e6 xx xx xx xx xx xx xx xx xx xx 8e 3f fd   ....%......_y.?.
          00b0 - 9d 74 xx xx xx xx xx xx xx xx xx xx0 2f ff   .t./......iO.0/.
          00c0 - 38 eb xx xx xx xx xx xx xx xx xx xx 67 48   8.kb=./...L...gH
      
          Start Time: 1667997854
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
          Max Early Data: 0
      ---
      read R BLOCK
      --------------------------------------------------------------------------------------------
      

    • 5.7. Now I've tested to check that it finds the INBOX of the test email address
      Code:
      telnet mail.domain.ex 143
      a login "email_adress_tested" "password_email_adress_tested"
      b select inbox
      
      !!! I was unable to connect to the address !!!

      Code:
      # telnet mail.domain.ex 143
      a login "email_adress_tested" "password_email_adress_tested"
      b select inbox
      
      --------------------------------------------------------------------------------------------
      Trying "IP_v4_serverXXX"...
      Connected to mail.domain.ex.
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
      * BYE Disconnected for inactivity.
      Connection closed by foreign host.
      -bash: !4: event not found
      -bash: b : command not found
      --------------------------------------------------------------------------------------------
      
    • 6. Then I did some tests with "Mutt".
      • 6.1.
        Code:
        mutt -f imaps://"email_adress_tested"
        
      • 6.1.2.
        Code:
        ----------------------------------------------
        /home/debian/Mail does not exist. Create it? ([yes]/no): n
        ----------------------------------------------
        
      • 6.1.3.
        Code:
        ----------------------------------------------
        This certificate belongs to :
           serverXXX.XXX
        
        This certificate was issued by :
           R3
           Let's Encrypt
        
                US
        
        This certificate is valid
        from xxxxxx
        to xxxx
        
        Attention ! The server name does not match the certificate
        
        -- Mutt : Verification of the SSL certificate (certificate 3 of 3 in the chain)
        (r)eject, accept (once), (a)ccept always : a
        ----------------------------------------------
        
      • 6.1.4.
        Code:
        ----------------------------------------------
        Password for "email_adress_tested" : password_email_adress_tested
        ----------------------------------------------
        
      • 6.1.5.
        Code:
        ----------------------------------------------
        Authentifcation PLAIN
        Connexion...
        The connection failed
        ----------------------------------------------
        
    • 7. Finally, I tried to add the email account taken for testing on Server #1's domain (domain.ex) into a Thunderbird set up and running with other addresses that are on Server #2.
      (I specify that there is no link or service between the two servers.)


      • 7.1. The account is set up manually:
        ----------------------------------------------
        • email address
        • password of the email address
        • domain of the address : mail.domain.ex
        • IMAP port: 143 STARTTLS
        • SMTP port: 573 STARTTLS
        • User authentication: full email address
        • Password authentication: email address password
        • "Test settings": all is good > "Add the account".
          And from there, Thunderbird displays a certificate alert offering no other choice than to view it:
          "Add a final exception" does not work, the alert keeps coming back, mentioning:
          " Warning! The server name does not match the certificate "
          ----------------------------------------------


        • 7.2. View the certificate (always from the Thunderbird alarm window):
          ----------------------------------------------
          SSL server certificate

          Issued for
          Common Name (CN): ServerXXX
          Organization (O): <Not part of certificate>
          Organization Unit (OU): <Not part of certificate>
          Serial number: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

          Issued by
          Common Name (CN): R
          Organization (O): Let's Encrypt
          Organization Unit (OU): <Not part of certificate>
          ----------------------------------------------


        • 7.3. The contents (the standard folders: incoming mail, drafts, sent mail, etc.) are not displayed in the tree structure of the newly added account; each time the mouse is clicked in the "directory" of the address, the Thunderbird alarm window returns.

      • Thank you Till for your experience and skills. If you can see what it's all about, I would be grateful.

        Regards,
        Vincente
     
    Last edited: Nov 10, 2022
    carmelocarrillo likes this.
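The telnet and openssl checks from the post above, scripted as one check (an added example, not code from the thread, ISPConfig or Dovecot): it parses the pre-TLS greeting, flags plaintext authentication offered before STARTTLS, and then upgrades to TLS with chain and hostname verification so that a certificate issued for the server hostname rather than mail.domain.ex surfaces as a finding instead of an interactive prompt. mail.domain.ex is the thread's placeholder and the sample greeting is constructed.

```python
"""Added example (not from the thread): script the IMAP STARTTLS checks done by hand above.
Parses the pre-TLS greeting, flags plaintext auth offered before TLS, then upgrades to
TLS with chain and hostname verification. mail.domain.ex is the thread's placeholder."""
import re
import socket
import ssl

# Constructed sample greeting, modelled on the one Dovecot printed in the thread.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                   "SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.")


def parse_capabilities(greeting):
    """Return the capability tokens inside the greeting's [CAPABILITY ...] block."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def assess_pre_tls(caps):
    """Findings about what the server offers before any TLS is negotiated."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: clients cannot upgrade to TLS on 143")
    auth = sorted(c for c in caps if c.startswith("AUTH="))
    if auth and "LOGINDISABLED" not in caps:
        # Dovecot hides these from remote clients when disable_plaintext_auth=yes,
        # so seeing them from an external station means a password could travel in clear.
        findings.append("plaintext auth offered before TLS: " + ", ".join(auth))
    return findings


def check_starttls(host, port=143, timeout=10.0):
    """Live check: read greeting, issue STARTTLS, verify the certificate for `host`."""
    ctx = ssl.create_default_context()  # verifies the chain AND the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        greeting = rfile.readline().decode(errors="replace").rstrip()
        caps = parse_capabilities(greeting)
        result = {"greeting": greeting, "findings": assess_pre_tls(caps)}
        if "STARTTLS" not in caps:
            return result
        sock.sendall(b"a1 STARTTLS\r\n")
        reply = rfile.readline().decode(errors="replace").rstrip()
        if not reply.startswith("a1 OK"):
            result["findings"].append("STARTTLS refused: " + reply)
            return result
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            # What Mutt/Thunderbird show as "server name does not match the certificate"
            result["findings"].append(f"certificate rejected for {host}: {exc.verify_message}")
            return result
        with tls:
            cert = tls.getpeercert()
            result["tls"] = tls.version()
            result["subject"] = dict(x[0] for x in cert.get("subject", ()))
            result["san"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            tls.sendall(b"a2 LOGOUT\r\n")
    return result
```

Run `check_starttls("mail.domain.ex")` from a station outside the server's trusted networks, since Dovecot treats local addresses as secure and may offer more there than to the internet.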
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You can test your mail system like this:

    Login to Roundcube with an account you created in ISPConfig, then send an email to the exact same email address that you logged into RoundCube. Does this email arrive within your inbox in RoundCube after a few seconds? If yes, your mail system works properly and you must search for issues outside of your server like firewalls and DNS MX records of the email domains. If it does not arrive, then post the exact lines that got added to the mail.log file for this RoundCube email sending attempt.

    Btw. It might be easier and save you a lot of time if you contact Business support here https://www.ispconfig.org/get-support/?type=ispconfig and let @Th0m check your mail system setup for you.
     
    Last edited: Nov 10, 2022
    carmelocarrillo likes this.
  10. Vintche Dass

    Vintche Dass New Member

    Good morning Till,

    Thank you for your answer.
    • It was so simple that I didn't think about it anymore, thinking that the UFW firewall was well set up regarding the rules I assigned to it.

    • I did a test:
      1. I turned off the UFW firewall service.
      2. I checked the status of the firewall.
      3. I sent a test email from Server #2 > Server #1 (Server XXX) from an email address of a domain managed by Server #2 to a test email address of a domain managed by Server #1:

      4. Server #2 (Server XXX) has received the test email, visible in Roundcube!
      5. I restarted the firewall, checked its status and listed all the existing and active rules:
        Code:
        ufw status numbered
        Code:
        # ufw status numbered
        --------------------------------------------------------------------------------------------
        [ 1] xxxxxxx/tcp                  ALLOW IN    Anywhere    #(SSH custom IPv4)
        [ 2] xxxxxxx/tcp                  ALLOW IN    Anywhere   #(ISPConfig GUI IPv4)
        [ 3] xxxxxxx/tcp                  ALLOW IN    Anywhere  #(ISPConfig Apps Vhost IPv4)
        [ 4] xxxxxxx/tcp                  ALLOW IN    Anywhere   #(Custom xtra service IPv4)
        [ 5] xxxxxxx/tcp                   ALLOW IN    Anywhere  #(Custom xtra service IPv4)
        [ 6] xxxxxxx/tcp                   ALLOW IN    Anywhere  #(Redis Cache IPv4)
        [ 7] 123/tcp                    ALLOW IN    Anywhere  #(NTP IPv4)
        [ 8] 143/tcp                    ALLOW IN    Anywhere  #(IMAP TLS IPv4)
        [ 9] xxxxxxx/tcp                   ALLOW IN    Anywhere  #(MySQL IPv4)
        [10] 80/tcp                     ALLOW IN    Anywhere  #(HTTP IPv4)
        [11] 443/tcp                    ALLOW IN    Anywhere  #(HTTPS IPv4)
        [12] 53                         ALLOW IN    Anywhere  #(DSN)
        [13] 587/tcp                    ALLOW IN    Anywhere  #(SMTP TLS IPv4)
        [14] 22                         DENY IN     Anywhere  #(Regular SSH IPv4)
        [15] 25                         DENY IN     Anywhere  #(POP3 IPv4)
        [16] 993                        DENY IN     Anywhere  #(IMAP SSL IPv4)
        [17] 995                        DENY IN     Anywhere  #(POP3 SSL IPv4)
        [18] xxxxxxx:xxxxxxx/tcp            ALLOW IN    Anywhere  #(FTP/FTPs passif custom)
        [19] 23                         DENY IN     Anywhere  #(Telnet IPv4)
        
        [20] 143/tcp (v6)               ALLOW IN    Anywhere (v6)  #(IMAP TLS IPv6)
        [21] xxxxxxx/tcp (v6)              ALLOW IN    Anywhere (v6)  #(MySQL IPv6)
        [22] 80/tcp (v6)                ALLOW IN    Anywhere (v6)  #(HTTP IPv6)
        [23] 443/tcp (v6)               ALLOW IN    Anywhere (v6)  #(HTTPS IPv6)
        [24] 53 (v6)                    ALLOW IN    Anywhere (v6)  #(DSN IPv6)
        [25] 587/tcp (v6)               ALLOW IN    Anywhere (v6)  #(SMTP TLS IPv6)
        [26] 22 (v6)                    DENY IN     Anywhere (v6)  #(Regular SSH IPv6)
        [27] 25 (v6)                    DENY IN     Anywhere (v6)  #(POP3 IPv6)
        [28] 993 (v6)                   DENY IN     Anywhere (v6)  #(IMAP SSL IPv6)
        [29] 995 (v6)                   DENY IN     Anywhere (v6)  #(POP3 SSL IPv6)
        [30] 23 (v6)                    DENY IN     Anywhere (v6)  #(Telnet IPv6)
        --------------------------------------------------------------------------------------------
        

      6. Knowing that the blocking comes from a firewall port, I performed tests to open ports that are currently blocked because they do not need to be used.
      7. I deleted the rule blocking 25/TCP in IPv4 and allowed it, so it is now open in IPv4.
      8. Result: All test emails sent from Server #2 > Server #1 appeared in Roundcube!
      9. So what I don't understand is the need to open port 25/TCP IPv4 on the network outside the localhost ???
      10. My goal is to use only ports 143 (IMAP TLS STARTTLS) and 587 (SMTP TLS STARTTLS) for the EMAIL service.
        The POP3 services should not be used or functional, nor 993 and 995 in SSL.

      11. Apart from the port 25/TCP issue, are there any other ports that need to be opened against my list?

    Regards,
    Vincente
     
    carmelocarrillo likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Port 25 is the port that all SMTP users worldwide use to communicate with each other, when you block port 25, no mail can be received. See lists of standard service ports, this is not ISPConfig specific, it applies to any mail system.

    Makes no sense if you want to run an email server and want to receive emails.
     
    carmelocarrillo likes this.
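The firewall listing in the post above and Till's point about port 25, turned into a check (an added example, not code from the thread or from ISPConfig): it parses the text of `ufw status numbered` and reports, per address family, any port a receiving mail server needs that is denied or absent. Inbound MTA-to-MTA delivery arrives on 25 regardless of whether end users only ever use 143 and 587 with STARTTLS. The sample listing is constructed from the thread's output with the masked ports left out.

```python
"""Added example (not from the thread): audit a `ufw status numbered` listing for a mail host.
Sample below is constructed from the thread's listing, trimmed to the mail-related rules."""
import re

SAMPLE_UFW = """\
[ 8] 143/tcp                    ALLOW IN    Anywhere  #(IMAP TLS IPv4)
[13] 587/tcp                    ALLOW IN    Anywhere  #(SMTP TLS IPv4)
[15] 25                         DENY IN     Anywhere  #(POP3 IPv4)
[16] 993                        DENY IN     Anywhere  #(IMAP SSL IPv4)
[20] 143/tcp (v6)               ALLOW IN    Anywhere (v6)  #(IMAP TLS IPv6)
[25] 587/tcp (v6)               ALLOW IN    Anywhere (v6)  #(SMTP TLS IPv6)
[27] 25 (v6)                    DENY IN     Anywhere (v6)  #(POP3 IPv6)
"""

# One numbered rule line: index, port, optional /proto, optional (v6), ALLOW|DENY IN
RULE = re.compile(r"^\[\s*\d+\]\s+(\d+)(?:/(\w+))?(\s+\(v6\))?\s+(ALLOW|DENY)\s+IN\b")

# Ports a receiving mail server needs, and what each one is actually for.
MAIL_PORTS = {
    25: "SMTP (MTA-to-MTA delivery, inbound mail from the internet)",
    587: "submission (authenticated clients, STARTTLS)",
    143: "IMAP (STARTTLS)",
}


def parse_ufw(text):
    """Return (port, family, action) for every numbered ufw rule line in `text`."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            port, _proto, v6, action = m.groups()
            rules.append((int(port), "v6" if v6 else "v4", action))
    return rules


def audit_mail_rules(rules):
    """Findings: required mail ports that are denied or missing, per address family."""
    findings = []
    for family in ("v4", "v6"):
        policy = {port: action for port, fam, action in rules if fam == family}
        for port, role in MAIL_PORTS.items():
            action = policy.get(port)
            if action != "ALLOW":
                state = "denied" if action == "DENY" else "not allowed"
                findings.append(f"{family}: port {port} {state} but needed for {role}")
    return findings
```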
  12. Vintche Dass

    Vintche Dass New Member

    Good afternoon Till,

    Thank you for your answer. I fixed it, everything is fine with the email server.
    I have another problem with the "sieve" file: the forward function from email 1 to email 2 without keeping any email at email 1 doesn't work. I will open a new thread about this.

    Regards,
    Vincente
     
    carmelocarrillo likes this.