Unable to receive mails TLS certificate error

Discussion in 'Installation/Configuration' started by pannet1, Jul 30, 2022.

  1. pannet1

    pannet1 Member

    Hi,
    I recently upgraded my Debian and ran ispconfig_update, and I think I messed up when reconfiguring the SSL.

    Code:
    $systemctl status dovecot
     dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; en
       Active: active (running) since Sat 2022-07-30 18:23:55
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 5616 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.6M
       CGroup: /system.slice/dovecot.service
               ├─5616 /usr/sbin/dovecot -F
               ├─5617 dovecot/anvil
               ├─5618 dovecot/log
               ├─5619 dovecot/config
               ├─5641 dovecot/auth
               └─5642 dovecot/stats
    
    Jul 30 18:28:12 server1 dovecot[5618]: config: Warning: Yo
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:31:51 server1 dovecot[5618]: auth-worker(5904):
    Jul 30 18:31:53 server1 dovecot[5618]: pop3-login: Disconn
    Jul 30 18:49:47 server1 dovecot[5618]: imap-login: Disconn
    root@server1:/home/carrierc# systemctl dovecot status
    Unknown operation dovecot.
    root@server1:/home/carrierc# systemctl status dovecot
    ● dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 18:23:55 IST; 27min ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 5616 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.6M
       CGroup: /system.slice/dovecot.service
               ├─5616 /usr/sbin/dovecot -F
               ├─5617 dovecot/anvil
               ├─5618 dovecot/log
    
    The lines standing out in the output:
    Code:
    please set ssl_dh=</etc/dovecot/dh.pem
    You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
    
    attached the output of `doveconf -a`
     

    Last edited: Jul 30, 2022
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The systemctl status dovecot output has lines cut; the important error messages are cut short.
    ispconfig_update.sh --force
    should generate new certificate. You may need to restart postfix and dovecot.
     
  3. pannet1

    pannet1 Member

    Thanks Taleman,
    Prior to that I tried to force update ISPConfig, but the SSL wizard would not show up.
    Here is the required full output:
    Code:
    $ systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 22:34:40 IST; 6min ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 24592 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.2M
       CGroup: /system.slice/dovecot.service
               ├─24592 /usr/sbin/dovecot -F
               ├─24593 dovecot/anvil
               ├─24594 dovecot/log
               ├─24595 dovecot/config
               ├─24751 dovecot/auth
               └─24752 dovecot/stats
    
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<jEjp0gjlKOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<jEjp0gjlKOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<VaXr0gjlOut6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<VaXr0gjlOut6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<Tf3r0gjlQOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<Tf3r0gjlQOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<hTTs0gjlOOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<hTTs0gjlOOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<uJzs0gjlUOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<uJzs0gjlUOt6rhE7>
    $systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 22:34:40 IST; 7s ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 24592 (dovecot)
        Tasks: 4 (limit: 1166)
       Memory: 3.7M
       CGroup: /system.slice/dovecot.service
               ├─24592 /usr/sbin/dovecot -F
               ├─24593 dovecot/anvil
               ├─24594 dovecot/log
               └─24595 dovecot/config
    
    Jul 30 22:34:40 server1 systemd[1]: Started Dovecot IMAP/POP3 email server.
    Jul 30 22:34:40 server1 dovecot[24592]: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, pop3, lmtp
    
    
    Taleman said:
        The systemctl status dovecot output has lines cut, the important error messages are cut short.
        ispconfig_update.sh --force
        should generate new certificate. You may need to restart postfix and dovecot.
     
  4. pannet1

    pannet1 Member

    I tried another ispconfig_update --force and here is how it went.
    Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring AppArmor
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for server1.example.com
    Using certificate path /root/.acme.sh/server1.example.com
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.example.com
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    Reconfigure Crontab? (yes,no) [yes]:
    Updating Crontab
    Restarting services ...
    Update finished.
    
    Another problem, according to htf_report, is that both acme.sh and certbot are installed.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That is not good. You should remove one of them. acme.sh is what recent ISPConfig versions prefer. Examine old threads about having both certbot and acme.sh installed; I found this one: https://forum.howtoforge.com/threads/isp-config-no-ssl.88626/
    You have not shown that htf_report. And you should have started this thread on the ISPConfig forum.
    You should follow this: https://forum.howtoforge.com/threads/please-read-before-posting.58408/
    Especially this part: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
     
  6. Steini86

    Steini86 Active Member

    Have you done that?

    Your problem comes from Dovecot upgrade by upgrading Debian. Please read and understand: https://doc.dovecot.org/installatio...2.2-to-2.3/#diffie-hellman-parameters-for-ssl

    The DH parameters that you have set are too small for modern communication; that is what the error message is telling you:
    You have to use at minimum a 2048 bit key. You can generate them yourself (which is not guaranteed to be secure) or use one of those recommended in the corresponding RFC: https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
    Use ffdhe2048 or, better, ffdhe4096. You can also download them here: https://github.com/internetstandards/dhe_groups
     
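    As an added example (not part of this thread or of ISPConfig), a check for the ssl_dh file Dovecot complains about: it parses the PEM "DH PARAMETERS" block with the standard library only and reports whether the modulus reaches the 2048-bit minimum named above. The sample moduli it builds are constructed odd numbers of the right size, not real primes; they are assumptions made so the script runs offline.

```python
# Added example: does a Dovecot ssl_dh PEM file carry a modulus of >= 2048 bits?
import base64
import re

MIN_BITS = 2048  # the minimum modulus size named in the thread

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def make_dh_pem(prime, generator=2):
    """Wrap PKCS#3 DHParameter {prime, generator} as a 'DH PARAMETERS' PEM.
    Used here only to build constructed test input; it does not check primality."""
    body = _der_int(prime) + _der_int(generator)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def dh_prime_bits(pem_text):
    """Return the bit length of the DH prime in a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected a DER INTEGER for the prime")
    return int.from_bytes(prime, "big").bit_length()

def dh_pem_is_acceptable(pem_text, min_bits=MIN_BITS):
    """True when the prime meets the minimum; a 1024-bit file fails, as it does in Dovecot."""
    return dh_prime_bits(pem_text) >= min_bits

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):  # constructed inputs, not real primes
        pem = make_dh_pem((1 << (bits - 1)) | 1)
        print(bits, "bits ->", "ok" if dh_pem_is_acceptable(pem) else "too small")
```

    To check a real file, pass the contents of /etc/dovecot/dh.pem (or whatever ssl_dh points at) to dh_prime_bits.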
  7. pannet1

    pannet1 Member

    Hi Steini86,
    I made the change you mentioned with a little help from here. The dovecot error is gone.
    Code:
    $systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2022-08-01 04:40:15 IST; 2min 47s ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 2999 (dovecot)
        Tasks: 4 (limit: 1166)
       Memory: 3.6M
       CGroup: /system.slice/dovecot.service
               ├─2999 /usr/sbin/dovecot -F
               ├─3000 dovecot/anvil
               ├─3001 dovecot/log
               └─3002 dovecot/config
    
    Aug 01 04:40:15 server1 systemd[1]: Started Dovecot IMAP/POP3 email server.
    Aug 01 04:40:15 server1 dovecot[2999]: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, pop3, lmtp (core dumps disabled)
    
    However, I am still not getting any mails.
     
  8. pannet1

    pannet1 Member

    Debug mode:
    Code:
    $/usr/local/ispconfig/server/server.sh
    01.08.2022-04:55 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    01.08.2022-04:55 - DEBUG [server:217] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    However, no such lock file .ispconfig_lock can be found to be removed.
    Attached is the htf_report.

    While the dovecot errors are gone, I do not know why I am still unable to get mails due to certificate errors. I am also getting notified by Thunderbird whenever I check for new mails (attached file, tlserror.png).
     

  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you read what the htf_report says?
    Code:
    [INFO] php (cli) version is 7.3.31-1~deb10u1
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.0.33
    The PHP versions for both should be the same. Have you added additional PHP versions? The default PHP must be set to the OS default.
    That host may run out of memory, are there in syslog entries about out of memory?
    The debug log says it was removed. Is there anything wrong in this regard?
    Have you restarted postfix and dovecot after new certificate was generated?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig removed the lock, so the debug output is fine. When you want to debug a software, then you must do the action that you want to debug to get the debug information about that action. From your post, you did not activate LE again, so the debug output was not showing anything besides "nothing to do here".
     
  11. pannet1

    pannet1 Member

    Hi Taleman,
    I have fixed the php-cgi issue by installing php7.3-cgi. I didn't have any memory issues.
    Yes, I restarted and am still getting the certificate error (pictures above from the client side, Thunderbird).

    One odd thing to note is that after force updating ISPConfig the detected certificate mechanism is acme.sh. However, htf_report shows certbot.

    Unfortunately no mails yet. Attached is the latest htf_report.


     

  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Code:
    ##### RUNNING SERVER PROCESSES #####
    
    [WARN] I could not determine which web server is running.
    [WARN] I could not determine which mail server is running.
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [WARN] I could not determine which ftp server is running.
    
    That from htf_report. Something has gone wrong.
    Have you examined my e-mail setup tutorial? Link in my signature.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Indeed, maybe it was not run as root user?
     
  14. pannet1

    pannet1 Member

    It is very shameful. I did exactly that. Attached is the htf_report run as su.
     

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't worry, I believe that you thought that both reports were run as root, but the first one definitely was not run as root user as it shows the typical permission errors which must occur in that case. The new report from #14 is fine now.

    The report shows that the mail system is up.

    Which exact errors do you get in the mail.log now when you receive emails?
    Does webmail work?
    Do you get an SSL error when logging into the ISPConfig interface?
     
  16. pannet1

    pannet1 Member

    I believe the main issue is with the certificates. Since I have both certbot and acme.sh installed, there is a conflict somewhere. Can you please guide me on how to remove all certificates of both certbot and acme.sh and uninstall certbot, because newer systems are following acme.sh? Then I could follow the acme.sh setup from scratch. Is it possible, and will it resolve the mails not being received due to the certificate issue?
    @ahrasis
    I have always followed your tutorial on letsencrypt issues. Can you please chip in and help resolve the issue for me, please.
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I seem to have answered that in #5.
     
  18. pannet1

    pannet1 Member

    My inputs are marked >> and in lowercase.
    Which exact errors do you get in the mail.log now when you receive emails?
    >> attached popup screenshot from thunderbird (tlserror.png)
    Does webmail work?
    >> webmail roundcube: Connection to storage server failed.
    Do you get an SSL error when logging into the ISPConfig interface?
    >> prior to the upgrade I had an SSL error. It is now magically gone, which means I don't have any SSL error when logging in to server1.example.com.
    Partial output of multitail:
    Code:
    /var/log$ multitail daemon.log debug syslog apache2/error.log auth.log fail2ban.log mail.info php7.0-fpm.log syslog mail.log pure-ftpd/transfer.log ispconfig/auth.log --mergeall
    legacy directory /var/run/, updating /var/run/dovecot/master.pid → /run/dovecot/master.pid; please update the unit file accordingly.
    04] auth.log                                                                        3MB - 2022/08/01 19:37:24
    2022-08-01 19:37:36,582 fail2ban.filter         [574]: INFO    [postfix-sasl] Found 141.98.10.203 - 2022-08-0
    1 19:37:36
    ....
    06] mail.info                                                                       5MB - 2022/08/01 19:36:06
    [01-Aug-2022 14:55:09] NOTICE: ready to handle connections
    [01-Aug-2022 14:55:10] NOTICE: systemd monitor interval set to 10000ms
    
    Hoping I have provided the info you are looking for.
     

  19. pannet1

    pannet1 Member

    Hi Taleman,
    Consider myself as a dummy.
    I have gone through the links provided in #5. They mainly seem to address issues when letsencrypt fails to issue a certificate and the errors associated with it.
    With the little understanding I have, it seems I have certificates from both schemes (certbot and acme.sh). Also, ispconfig_update.sh --force tends to use acme.sh and pick up existing certificates, and thereby I am unable to create another fresh valid certificate.
    Thanks for your understanding and support.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, so you have a new and valid cert then, which means the original SSL issue is already resolved.

    Regarding Thunderbird, the most likely reason is that you use the wrong imap and smtp server name now. You must use the exact same (sub)domain that you use to log in to ISPConfig, which is the hostname of the server, and the SSL cert for all services is issued for that hostname. You can also see the name that must be used on the shell by issuing the command:

    hostname -f

    As it's quite likely that your ispconfig login and hostname is not imap..... as shown in the screenshot, this indicates the use of a wrong name for the connection in the mail client, so you must alter the imap and smtp server name in thunderbird then to match the hostname.
     