Hi, I recently upgraded my Debian and ran ispconfig_update, and I think I messed up when reconfiguring the SSL.

Code:
    $ systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; en
       Active: active (running) since Sat 2022-07-30 18:23:55
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 5616 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.6M
       CGroup: /system.slice/dovecot.service
               ├─5616 /usr/sbin/dovecot -F
               ├─5617 dovecot/anvil
               ├─5618 dovecot/log
               ├─5619 dovecot/config
               ├─5641 dovecot/auth
               └─5642 dovecot/stats

    Jul 30 18:28:12 server1 dovecot[5618]: config: Warning: Yo
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Error:
    Jul 30 18:28:12 server1 dovecot[5618]: imap-login: Disconn
    Jul 30 18:31:51 server1 dovecot[5618]: auth-worker(5904):
    Jul 30 18:31:53 server1 dovecot[5618]: pop3-login: Disconn
    Jul 30 18:49:47 server1 dovecot[5618]: imap-login: Disconn

    root@server1:/home/carrierc# systemctl dovecot status
    Unknown operation dovecot.

    root@server1:/home/carrierc# systemctl status dovecot
    ● dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 18:23:55 IST; 27min ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 5616 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.6M
       CGroup: /system.slice/dovecot.service
               ├─5616 /usr/sbin/dovecot -F
               ├─5617 dovecot/anvil
               ├─5618 dovecot/log

The lines standing out in the output:

Code:
    please set ssl_dh=</etc/dovecot/dh.pem
    You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

Attached is the output of `doveconf -a`.
The systemctl status dovecot output has lines cut; the important error messages are cut short. ispconfig_update.sh --force should generate a new certificate. You may need to restart postfix and dovecot.
Thanks Taleman. Earlier I tried to force update ISPConfig, but the SSL wizard would not show up. Here is the required full output.

Code:
    $ systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 22:34:40 IST; 6min ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 24592 (dovecot)
        Tasks: 6 (limit: 1166)
       Memory: 7.2M
       CGroup: /system.slice/dovecot.service
               ├─24592 /usr/sbin/dovecot -F
               ├─24593 dovecot/anvil
               ├─24594 dovecot/log
               ├─24595 dovecot/config
               ├─24751 dovecot/auth
               └─24752 dovecot/stats

    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<jEjp0gjlKOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<jEjp0gjlKOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<VaXr0gjlOut6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<VaXr0gjlOut6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<Tf3r0gjlQOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<Tf3r0gjlQOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<hTTs0gjlOOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<hTTs0gjlOOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<uJzs0gjlUOt6rhE7>
    Jul 30 22:39:04 server1 dovecot[24594]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xx.xx.xxx.xxx, session=<uJzs0gjlUOt6rhE7>

    $ systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-07-30 22:34:40 IST; 7s ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 24592 (dovecot)
        Tasks: 4 (limit: 1166)
       Memory: 3.7M
       CGroup: /system.slice/dovecot.service
               ├─24592 /usr/sbin/dovecot -F
               ├─24593 dovecot/anvil
               ├─24594 dovecot/log
               └─24595 dovecot/config

    Jul 30 22:34:40 server1 systemd[1]: Started Dovecot IMAP/POP3 email server.
    Jul 30 22:34:40 server1 dovecot[24592]: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, pop3, lmtp

Quoting Taleman: "The systemctl status dovecot output has lines cut, the important error messages are cut short. ispconfig_update.sh --force should generate new certificate. You may need to restart postfix and dovecot."
I tried another ispconfig_update --force and here is how it went.

Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring AppArmor
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for server1.example.com
    Using certificate path /root/.acme.sh/server1.example.com
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.example.com
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    Reconfigure Crontab? (yes,no) [yes]:
    Updating Crontab
    Restarting services ...
    Update finished.

Another problem: according to htf_report, both acme.sh and certbot are installed.
That is not good. You should remove one of them. acme.sh is what recent ISPConfig versions prefer. Examine old threads about having both certbot and acme.sh installed; I found this one: https://forum.howtoforge.com/threads/isp-config-no-ssl.88626/ You have not shown that htf_report. And you should have started this thread in the ISPConfig forum. You should follow this: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ Especially this part: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
Have you done that? Your problem comes from the Dovecot upgrade caused by upgrading Debian. Please read and understand: https://doc.dovecot.org/installatio...2.2-to-2.3/#diffie-hellman-parameters-for-ssl The DH parameters that you have set are too small for modern communication; that is what the error message is telling you: you have to use at minimum a 2048 bit key. You can generate them yourself (which is not guaranteed to be secure) or use one of the groups recommended in the corresponding RFC: https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 Use ffdhe2048 or better ffdhe4096. You can also download them here: https://github.com/internetstandards/dhe_groups
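The "dh key too small" error in the first post's log and the advice above both come down to one number: the bit length of the prime in the file that ssl_dh points at (/etc/dovecot/dh.pem). The following Python is an added example, not code from this thread or from Dovecot, that reads a "DH PARAMETERS" PEM (a PKCS#3 SEQUENCE of the prime p and generator g) and reports that size. It builds two constructed sample files to show the check in both directions; the primes in them are size placeholders, not real DH groups, so they only serve to exercise the parser. On a real server the same figure comes from `openssl dhparam -in /etc/dovecot/dh.pem -text -noout`, and a production file should hold one of the RFC 7919 groups named above.

```python
import base64
import re

# OpenSSL 1.1 / Dovecot 2.3 refuse DH primes shorter than this ("dh key too small").
MIN_DH_BITS = 2048


def _der_len_enc(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int_enc(value):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len_enc(len(body)) + body


def make_dh_pem(p, g=2):
    """Build a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int_enc(p) + _der_int_enc(g)
    der = b"\x30" + _der_len_enc(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_len_dec(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_int_dec(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_len_dec(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def parse_dh_pem(pem_text):
    """Return (p, g) from the first 'DH PARAMETERS' block in pem_text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _der_len_dec(der, 1)
    p, pos = _der_int_dec(der, pos)
    g, _ = _der_int_dec(der, pos)
    return p, g


def dh_bits(pem_text):
    """Bit length of the DH prime, the figure `openssl dhparam -text` prints."""
    p, _ = parse_dh_pem(pem_text)
    return p.bit_length()


def dh_is_acceptable(pem_text, minimum=MIN_DH_BITS):
    """True when the prime is at least `minimum` bits, i.e. Dovecot 2.3 will load it."""
    return dh_bits(pem_text) >= minimum


# Constructed sample primes: placeholders of the right size, NOT real DH groups.
SMALL_PEM = make_dh_pem((1 << 1023) | 1)   # 1024-bit: rejected by modern OpenSSL
OK_PEM = make_dh_pem((1 << 2047) | 1)      # 2048-bit: the minimum that loads

if __name__ == "__main__":
    for name, pem in (("small", SMALL_PEM), ("ok", OK_PEM)):
        verdict = "OK" if dh_is_acceptable(pem) else "too small"
        print("%s: %d bits, %s" % (name, dh_bits(pem), verdict))
```

After replacing dh.pem, restart dovecot (and postfix if it shares the file) before re-reading `systemctl status dovecot`; the error is raised only when the SSL context is built at login time, so an old process keeps the old verdict.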
Hi Stein, I did the change you mentioned with a little help from here. The dovecot error is gone.

Code:
    $ systemctl status dovecot
    dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2022-08-01 04:40:15 IST; 2min 47s ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
     Main PID: 2999 (dovecot)
        Tasks: 4 (limit: 1166)
       Memory: 3.6M
       CGroup: /system.slice/dovecot.service
               ├─2999 /usr/sbin/dovecot -F
               ├─3000 dovecot/anvil
               ├─3001 dovecot/log
               └─3002 dovecot/config

    Aug 01 04:40:15 server1 systemd[1]: Started Dovecot IMAP/POP3 email server.
    Aug 01 04:40:15 server1 dovecot[2999]: master: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap, pop3, lmtp (core dumps disabled)

However, I am still not getting any mails.
Debug mode:

Code:
    $ /usr/local/ispconfig/server/server.sh
    01.08.2022-04:55 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    01.08.2022-04:55 - DEBUG [server:217] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.

However, no such lock file .ispconfig_lock can be found to be removed. Attached is the htf_report. While the dovecot errors are gone, I do not know why I am still unable to get mails due to certificate errors. I am also getting notified by Thunderbird whenever I check for new mails. (attached file, tlserror.png)
Did you read what the htf_report says?

Code:
    [INFO] php (cli) version is 7.3.31-1~deb10u1
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.0.33

The PHP versions for both should be the same. Have you added additional PHP versions? The default PHP must be set to the OS default. That host may run out of memory; are there entries in syslog about out of memory? The debug log says it was removed. Is there anything wrong in this regard? Have you restarted postfix and dovecot after the new certificate was generated?
ISPConfig removed the lock, so the debug output is fine. When you want to debug software, you must perform the action that you want to debug to get the debug information about that action. From your post, you did not activate LE again, so the debug output was not showing anything besides "nothing to do here".
Hi Taleman, I have fixed the php-cgi issue by installing php7.3-cgi. I didn't have any memory issues. Yes, I restarted and am still getting the certificate error (pictures above from the client side, Thunderbird). One odd thing to note is that after force updating ISPConfig the detected certificate mechanism is acme.sh. However, htf_report shows certbot. Unfortunately no mails yet. Attached is the latest htf_report.
Code:
    ##### RUNNING SERVER PROCESSES #####
    [WARN] I could not determine which web server is running.
    [WARN] I could not determine which mail server is running.
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [WARN] I could not determine which ftp server is running.

That is from htf_report. Something has gone wrong. Have you examined my e-mail setup tutorial? Link in my signature.
Don't worry, I believe that you thought that both reports were run as root, but the first one definitely was not run as root user as it shows the typical permission errors which must occur in that case. The new report from #14 is fine now. The report shows that the mail system is up. Which exact errors do you get in the mail.log now when you receive emails? Does webmail work? Do you get an SSL error when logging into the ISPConfig interface?
I believe the main issue is with the certificates. Since I have both certbot and acme.sh installed, there is a conflict somewhere. Can you please guide me on how to remove all certificates of both certbot and acme.sh and uninstall certbot, because newer systems are following acme.sh. Then I could follow the acme.sh setup from scratch. Is it possible, and will it resolve the mails not being received due to the certificate issue? @ahrasis I have always followed your tutorial on letsencrypt issues. Can you please chip in and help resolve the issue for me, please.
Inputs >> in lowercase

Which exact errors do you get in the mail.log now when you receive emails?
>> attached popup screenshot from thunderbird (tlserror.png)

Does webmail work?
>> webmail roundcube: Connection to storage server failed.

Do you get an SSL error when logging into the ISPConfig interface?
>> prior to the upgrade i had an SSL error. it is now magically gone, meaning i don't have any SSL error when logging in to server1.example.com

Partial output of multitail:

Code:
    /var/log$ multitail daemon.log debug syslog apache2/error.log auth.log fail2ban.log mail.info php7.0-fpm.log syslog mail.log pure-ftpd/transfer.log ispconfig/auth.log --mergeall
    legacy directory /var/run/, updating /var/run/dovecot/master.pid → /run/dovecot/master.pid; please update the unit file accordingly.
    04] auth.log 3MB - 2022/08/01 19:37:24
    2022-08-01 19:37:36,582 fail2ban.filter [574]: INFO [postfix-sasl] Found 141.98.10.203 - 2022-08-01 19:37:36
    ....
    06] mail.info 5MB - 2022/08/01 19:36:06
    [01-Aug-2022 14:55:09] NOTICE: ready to handle connections
    [01-Aug-2022 14:55:10] NOTICE: systemd monitor interval set to 10000ms

Hoping I have provided the info you are looking for.
Hi Taleman, Consider me a dummy. I have gone through the links provided in #5. They mainly seem to address issues when letsencrypt fails to issue a certificate and the errors associated with it. With the little understanding I have, it seems I have certificates from both schemes (certbot and acme.sh). Also, ispconfig_update.sh --force tends to use acme.sh and pick up existing certificates, and thereby I am unable to create another fresh valid certificate. Thanks for your understanding and support.
Ok, so you have a new and valid cert then, which means the original SSL issue is already resolved. Regarding Thunderbird, the most likely reason is that you use the wrong imap and smtp server name now. You must use the exact same (sub)domain that you use to log in to ISPConfig, which is the hostname of the server, and the SSL cert for all services is issued for that hostname. You can also see the name that must be used on the shell by issuing the command: hostname -f As it's quite likely that your ispconfig login and hostname is not imap..... as shown in the screenshot, this indicates the use of a wrong name for the connection in the mail client, so you must alter the imap and smtp server name in Thunderbird to match the hostname.
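To make the point above concrete: a mail client verifies the server name it was configured with against the DNS names in the certificate's subjectAltName, and a cert issued for the hostname from `hostname -f` does not cover an imap. alias unless that alias is listed (or a wildcard covers it). The Python below is an added example, not code from this thread or from ISPConfig, that implements that match (exact, case-insensitive, with the single-leftmost-label wildcard rule of RFC 6125). The SAN list is constructed; server1.example.com is the hostname that appears in the update log earlier in the thread.

```python
def _match_dns_name(pattern, hostname):
    """Match one SAN dNSName against a host name.

    Comparison is case-insensitive and label-wise. A '*' may stand for the
    whole leftmost label only (RFC 6125 6.4.3), so '*.example.com' covers
    'imap.example.com' but neither 'mail.imap.example.com' nor 'example.com',
    and a wildcard directly under a TLD ('*.com') is not honoured.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_accepted(san_dns_names, hostname):
    """True if a client configured with `hostname` accepts a certificate
    whose subjectAltName carries exactly `san_dns_names`."""
    return any(_match_dns_name(san, hostname) for san in san_dns_names)


def describe(san_dns_names, hostname):
    """One-line verdict for a configured server name (what the client would report)."""
    if hostname_accepted(san_dns_names, hostname):
        return "%s: OK, covered by %s" % (hostname, ", ".join(san_dns_names))
    return "%s: name mismatch, client will show a certificate warning" % hostname


# Constructed SAN list modelled on the thread: the ISPConfig cert is issued for
# the server's hostname (hostname -f), not for imap./smtp. aliases.
SERVER_CERT_SANS = ["server1.example.com"]

if __name__ == "__main__":
    for name in ("imap.example.com", "server1.example.com", "SERVER1.example.com"):
        print(describe(SERVER_CERT_SANS, name))
```

The fix the post describes is therefore on the client side only: point the IMAP and SMTP account settings at the name in SERVER_CERT_SANS, or issue a certificate that also lists the alias.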