webmail cannot connect

Hey
Proxmox cluster. running ISPConfig 3.2.7p1
pm01: panel, web01, mx1, mx2, ns1, ns2
pm02: webmail.
The installation i followed, is the automated script. https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

My webmail.server cannot connect to mx2.server, states "Connection to IMAP server failed". If i tail /var/log/roundcube/errors.log on webmail server this is what is logged..

Code:

[06-Feb-2022 12:33:25 +0000]: <-------> IMAP Error: Login failed for [email protected] against mx2.tlwebservices.co.uk from 212.159.153.1. Could not connect to ssl://mx2.tlwebservices.co.uk:993: Unknown reason in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)</code>
and on mx2.server, this is the output from /var/log/mail.log
<code>
Feb  6 12:37:38 mx2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.159.153.8, lip=212.159.153.5, TLS handshaking: SSL_accept() failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45, session=<-------------->
Feb  6 12:37:42 mx2 dovecot: doveadm(212.159.153.4): Error: doveadm client disconnected before handshake: Connection closed

It does state in that log.. sslv3 alert certificate expired
Why would the cert have expired and not been renewed??

 

just ran ssl cert checker https://www.ssllabs.com/ssltest/analyze.html, shows all good with an 'A'

 

This was a fresh install in September last year.
And now I have started to use it, migrating sites and emails over.

 

Thanks for that.
If I force update, that will run new cert?

 

Yes.
You could also do https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ so we could see what OS is running on those hosts and to rule out the usual suspects.

 

Code:

##### SERVER #####
IP-address (as per hostname): [localhost]
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)

[INFO] uptime:  20:47:38 up  9:35,  1 user,  load average: 0.00, 0.00, 0.00

[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:           1.9Gi       1.4Gi        74Mi       7.0Mi       431Mi       356Mi
Swap:          974Mi        73Mi       901Mi

[INFO] systemd failed services status:
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.7p1

all servers are same version, created at same time

 

I think you should use [ code ] code [ / code ] without space instead of < code > code < / code >.

 

I have.. I followed this tutorial https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu, page 3 states..

Code:

Replace the hostnames with the correct hostnames for your main and secondary mail server. This config should be updated if the template changes, so make sure you verify this when updating ISPConfig.

Now we are going to add a website for this server in ISPConfig. Go to Sites -> Add new website and add the website "mx1.example.com". Make sure you create this on the correct server (mx1.example.com). Disable auto-subdomain, and enable SSL + Let's Encrypt. Then, go to options, and paste this in the Apache directives section:

RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
Header set Access-Control-Allow-Origin https://mx2.example.com
Replace mx2.example.com with the hostname of the secondary nameserver.

has this tutorial been superseded ?

 

Thanks till, i did indeed not do this step..
when running

Code:

root@mx1:/etc/postfix# apt install incron
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package incron is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'incron' has no installation candidate

it fails to install incron

 

Hi Th0m, i didnt do this step, i thought it wasnt needed, my mistake. as lets encrypt was installed with the system.
I should read all the documentation, not just skim..
content of roundcube config..

Code:

<?php
/*
+-----------------------------------------------------------------------+
| Local configuration for the Roundcube Webmail installation.           |
|                                                                       |
| This is a sample configuration file only containing the minimum       |
| setup required for a functional installation. Copy more options       |
| from defaults.inc.php to this file to override the defaults.          |
|                                                                       |
| This file is part of the Roundcube Webmail client                     |
| Copyright (C) The Roundcube Dev Team                                  |
|                                                                       |
| Licensed under the GNU General Public License version 3 or            |
| any later version with exceptions for skins & plugins.                |
| See the README file for a full license statement.                     |
+-----------------------------------------------------------------------+
*/
$config = array();
// Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database!
include_once("/etc/roundcube/debian-db-roundcube.php");
// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'ssl://mx2.tlwebservices.co.uk';
//$config['default_host'] = 'tls://mx2.tlwebservices.co.uk';

// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'tls://mx1.tlwebservices.co.uk';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'TL Systems Webmail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = '-----------------';

// List of active plugins (in plugins/ directory)
// Debian: install roundcube-plugins first to have any
$config['plugins'] = array("jqueryui", "ispconfig3_account", "ispconfig3_autoreply", "ispconfig3_pass", "ispconfig3_spam", "ispconfig3_fetchmail", "ispconfig3_filter", "ispconfig3_forward", "ispconfig3_wblist");

// skin name: folder from skins/
$config['skin'] = 'elastic';

// Disable spellchecking
// Debian: spellchecking needs additional packages to be installed, or calling external APIs
//         see defaults.inc.php for additional informations
$config['enable_spellcheck'] = false;

// ----------------------------------
// USER INTERFACE custom settings
// ----------------------------------
// default messages sort column. Use empty value for default server's sorting,
// or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
$config['message_sort_col'] = 'date';

// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'en_GB';

// use this format for date display (date or strftime format)
$config['date_format'] = 'd-m-Y';

// use this format for detailed date/time formatting (derived from date_format and time_format)
$config['date_long'] = 'd-m-Y H:i';

// Message size limit. Note that SMTP server(s) may use a different value.
// This limit is verified when user attaches files to a composed message.
// Size in bytes (possible unit suffix: K, M, G)
$config['max_message_size'] = '50M';

// Maximum number of recipients per message (including To, Cc, Bcc).
// Default: 0 (no limit)
$config['max_recipients'] = 30;

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 3;

// ----------------------------------
// USER PREFERENCES custom settings
// ----------------------------------

// sort contacts by this col (preferably either one of name, firstname, surname)
$config['addressbook_sort_col'] = 'firstname';

// display remote inline images
// 0 - Never, always ask
// 1 - Ask if sender is not in address book
// 2 - Always show inline images
$config['show_images'] = 1;

// Default interval for auto-refresh requests (in seconds)
// These are requests for system state updates e.g. checking for new messages, etc.
// Setting it to 0 disables the feature.
$config['refresh_interval'] = 300;

// Enables adding of standard separator to the signature
$config['sig_separator'] = false;

// When replying:
// -1 - don't cite the original message
// 0  - place cursor below the original message
// 1  - place cursor above original message (top posting)
// 2  - place cursor above original message (top posting), but do not indent th$
$config['reply_mode'] = 1;

// compose html formatted messages by default
//  0 - never,
//  1 - always,
//  2 - on reply to HTML message,
//  3 - on forward or reply to HTML message
//  4 - always, except when replying to plain text message
$config['htmleditor'] = 1;

// Enables display of email address with name instead of a name (and address in title)
$config['message_show_email'] = true;

 

(Debian Bullseye) ISPConfig 3.2.7p1

 

Code:

##### SERVER #####
IP-address (as per hostname): [localhost]
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)

[INFO] uptime:  20:47:38 up  9:35,  1 user,  load average: 0.00, 0.00, 0.00

[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:           1.9Gi       1.4Gi        74Mi       7.0Mi       431Mi       356Mi
Swap:          974Mi        73Mi       901Mi

[INFO] systemd failed services status:
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.7p1

 

I would suggest the use hook instead which can be manually added to the renewal config file of the same as the simplest approach.

However, reading your tutorial in depth, if this in anyway a possible or preferred or recommended or advisable feature for ISPConfig, whichever that is, a further installer_base.lib.php modification can be made, that is, upon update, to detect multiple hostnames supplied by the server's admin in a custom file like hostnames.conf, may be in ISPConfig conf-custom folder, to be detected and read if exist, create any needed vhosts and try to issue LE certificates for them. The needed hooks pre and post are already in there and can already be customized by server admins.

Just a thought.