I have a big problem. Dovecot won't receive mail with the SSL/TLS configuration. The config is the same as on my old server (Ubuntu 14.04), where it works. With the original config file it also works.

dovecot.conf (the added part):

```
listen = *,[::]
protocols = imap pop3 imaps pop3s
auth_mechanisms = plain login
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = [email protected]
ssl_dh_parameters_length = 2048
ssl = required
ssl_require_crl = yes
ssl_cert = </etc/ssl/private/ispserver.pem
ssl_key = </etc/ssl/private/ispserver.pem
ssl_ca = </etc/ssl/private/ispserver.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048

[ ...default config ]
```

netstat shows the ports listening:

```
netstat -ntlp | grep LISTEN
...
tcp        0      0 0.0.0.0:993    0.0.0.0:*    LISTEN    12952/dovecot
tcp        0      0 0.0.0.0:995    0.0.0.0:*    LISTEN    12952/dovecot
...
tcp6       0      0 :::993         :::*         LISTEN    12952/dovecot
tcp6       0      0 :::995         :::*         LISTEN    12952/dovecot
```

openssl s_client -connect localhost:995 -> the output is the correct cert and at the end:

```
+OK Dovecot ready.
```

openssl s_client -connect localhost:993 -> the output is the correct cert and at the end:

```
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
```
But if I try to telnet from my PC (telnet 192.168.xxx.xxx 993 or telnet 192.168.xxx.xxx 995) I only get a black screen. If I try ports 25 or 587, however, I get "220 my.domain.si ESMTP (Ubuntu)". Did I forget to configure something? Is there any other way to test it?
I enabled the log and I got this when I tried to telnet:

```
master: Info: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disabled)
2017-05-31 09:50:10 config: Warning: service auth { client_limit=1000 } is lower than required under max. load (2800)
2017-05-31 09:50:10 config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2703)
2017-05-31 09:50:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<FPVtLc1QXqwAAAAAAAAAAAAAAAAAAAAB>
2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.123.15]
2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.123.15]
2017-05-31 09:51:43 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.123.15]
2017-05-31 09:51:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<f18CMc1QbKwAAAAAAAAAAAAAAAAAAAAB>
2017-05-31 09:52:27 imap-login: Debug: SSL error: Disconnected
```

Running the commands telnet 192.168.xxx.xxx imap or 192.168.xxx.xxx pop3 works!
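On the question's last point ("Is there any other way to test it?"): a plaintext telnet session to an implicit-TLS port such as 993 or 995 prints nothing, because the server sends no banner until a TLS ClientHello arrives and the handshake completes; the "SSLv2/v3 read client hello A" followed by "SSL error: Disconnected" lines in the log are consistent with a client that connects, sends no handshake, and hangs up. The script below is an added example, not part of the original post: it wraps openssl s_client so the handshake is done for you and reduces each port to one line (negotiated protocol, cipher, certificate verification code and Dovecot's greeting). The host name mail.example.com and the embedded s_client transcript are constructed for the offline demo.

```shell
#!/bin/sh
# Added example: probe Dovecot's implicit-TLS ports (993/995) with
# openssl s_client instead of telnet, and summarise what came back.

# Reduce an `openssl s_client` transcript (stdin) to a single line:
#   protocol=<ver> cipher=<name> verify=<code> greeting=<first server line>
# The greeting is whatever the server sent after the handshake: Dovecot
# answers "+OK ..." on POP3 and "* OK [CAPABILITY ...] ..." on IMAP.
parse_s_client() {
    awk '
        { sub(/\r$/, "") }                         # Dovecot sends CRLF
        /^ *Protocol *:/      { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/        { sub(/^ *Cipher *: */, "");   cipher = $0 }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); sub(/ .*/, ""); verify = $0 }
        /^[+]OK / || /^[*] OK / { if (greeting == "") greeting = $0 }
        END {
            printf "protocol=%s cipher=%s verify=%s greeting=%s\n",
                   proto, cipher, verify, greeting
        }'
}

# A port is healthy only if the chain verified (code 0) AND the daemon
# actually greeted us after the handshake; a cert that verifies but no
# greeting means the TLS layer is up but the login process is not.
summary_ok() {
    case $1 in
        *" verify=0 greeting="*OK*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Connect, complete the TLS handshake, wait briefly for the greeting.
# `sleep N |` keeps stdin open for N seconds so s_client does not exit
# before the banner arrives; -servername sends SNI, which matters when
# Dovecot is configured with more than one certificate.
probe_tls_port() {
    host=$1; port=$2
    sleep "${PROBE_WAIT:-3}" \
        | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | parse_s_client
}

# Constructed s_client transcript (not captured from a real server), used
# so the parser can be exercised without network access.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Example CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
+OK Dovecot ready.'

# Usage: ./probe.sh mail.example.com 993 995   (hypothetical host)
if [ "$#" -ge 2 ]; then
    host=$1; shift
    for port in "$@"; do
        summary=$(probe_tls_port "$host" "$port")
        if summary_ok "$summary"; then status=OK; else status=FAIL; fi
        printf '%s:%s %s %s\n' "$host" "$port" "$status" "$summary"
    done
else
    # Offline demo: parse the constructed transcript above.
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | parse_s_client
fi
```

Run it against a real server with the host and ports as arguments; a non-zero verify code points at the certificate/CA files named in ssl_cert, ssl_key and ssl_ca, while a missing greeting with verify=0 points at the imap-login/pop3-login side rather than at TLS. For the STARTTLS ports (143/110/587) add -starttls imap, -starttls pop3 or -starttls smtp to the openssl line; the parser is unchanged.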
It was a permission problem and not ssl/tls. The custom config file had 640 permissions, changing them to 644 solved the problem.