Raspberry Pi Email Server Part 2: Dovecot

Submitted by Sam Hobbs on

This is the second part of a five-part tutorial that will show you how to install a full-featured email server on your Raspberry Pi. This tutorial covers Dovecot, which provides SASL authentication and IMAP capabilities.

The parts are:

The Introduction & Contents Page (read first)

Raspberry Pi Email Server Part 1: Postfix

Raspberry Pi Email Server Part 2: Dovecot

Raspberry Pi Email Server Part 3: Squirrelmail

Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin

Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve

Fixing the errors that appeared during dovecot installation

In part 1, when you installed Dovecot, I mentioned that you might see some errors like this:

Creating config file /etc/dovecot/conf.d/20-imap.conf with new version
[....] Restarting IMAP/POP3 mail server: dovecotError: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 143) failed: Address family not supported by protocol
Error: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 993) failed: Address family not supported by protocol
Fatal: Failed to start listeners
 failed!
invoke-rc.d: initscript dovecot, action "restart" failed.
dpkg: error processing dovecot-imapd (--configure):
 subprocess installed post-installation script returned error exit status 1
Setting up dovecot-ldap (1:2.1.7-7) ...

These errors are caused by the lack of IPv6 support, which I mentioned in the previous tutorial. To remove the errors, open the main dovecot configuration file (/etc/dovecot/dovecot.conf) and find this line:

listen = *, ::

And change it to:

listen = *

The * means “all IPv4 addresses”, the :: means “all IPv6 addresses”. Now restart Dovecot, and you shouldn’t get any errors:

sudo service dovecot restart

Note: since I wrote this tutorial, there have been a few small changes to the default configuration file - you may find that the line is commented (with a # at the start of the line). If so, remember to uncomment it when you make your changes!

Tell Dovecot where your Mailbox is

Open /etc/dovecot/conf.d/10-mail.conf and find this line:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Change it to this:

mail_location = maildir:~/Maildir

Instruct Postfix to use Dovecot SASL

Now we need to tell Postfix that we would like to use Dovecot for SASL authentication. Open /etc/postfix/main.cf and add these lines:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now tell Dovecot to listen for SASL authentication requests from Postfix. Open /etc/dovecot/conf.d/10-master.conf and comment out the current block that begins with service auth (place a # at the start of each line). Replace it with this:

service auth {
        unix_listener /var/spool/postfix/private/auth {
                mode = 0660
                user = postfix
                group = postfix
        }
}

Now you want to enable plain text logins. Do it by adding these two lines to /etc/dovecot/conf.d/10-auth.conf. Make sure they are not already present in the file, or your settings may be overwritten with the default ones if the default is declared later in the file than the lines you add. If the parameters are already present, you can either modify the existing lines or comment them out and add these new ones:

disable_plaintext_auth = no
auth_mechanisms = plain login

Note that although the logins are in plain text, we will be setting Postfix up later so that it only allows you to use plaintext logins from within SSL/TLS. This means that your login and password will be sent in an encrypted session - you wouldn't see them in plain text if you used a packet sniffer, for example. For now, we’re allowing unencrypted plain text logins so that we can test logging in with Telnet. Since the connection is local (from the Pi to the Pi), your password isn’t being sent over any insecure networks, so this is fine.

Testing SASL

Creating a new user for testing purposes is a good idea. Let’s call this temporary user testmail and give it the password test1234. Use this command to add the user, and follow the prompts, including setting a password.

sudo adduser testmail

Now restart Postfix and Dovecot:

sudo service postfix restart
sudo service dovecot restart

We’re now going to try and send an email after authenticating with SASL. The server is expecting to see a base64 encoded version of your username and password, so we have to convert it first. There are three ways of doing this, so I've given examples below using the testmail username and test1234 password:

#Method No.1
echo -ne '\000testmail\000test1234' | openssl base64

#Method No.2
perl -MMIME::Base64 -e 'print encode_base64("\0testmail\0test1234");'

#Method No.3
printf '\0%s\0%s' 'testmail' 'test1234' | openssl base64

I have discovered that if your password starts with a number, methods 1 and 2 don’t work. Assuming the username and password are testmail and test1234, the commands produce this:

AHRlc3RtYWlsAHRlc3QxMjM0
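As an added illustration (not code from the original post), here is a small Python script that builds the same AUTH PLAIN token the three shell methods produce, decodes it again, and shows why method 1 breaks for passwords starting with a digit by emulating how bash's builtin echo -e reads the \0nnn escape. The bash_echo_ne emulation is an assumption about bash and models only that escape.

```python
import base64
import re


def sasl_plain_response(username: str, password: str, authzid: str = "") -> str:
    """Build the base64 token sent after 'AUTH PLAIN'.

    Wire format (RFC 4616): authzid NUL authcid NUL password. The tutorial
    leaves authzid empty, which is why its shell one-liners start with \\0.
    """
    for field in (authzid, username, password):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\x00{username}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(token: str) -> tuple:
    """Recover (authzid, username, password) from an AUTH PLAIN token.

    Base64 is an encoding, not encryption: anyone who sees the token has the
    password, hence the tutorial's advice to redact it before posting.
    """
    parts = base64.b64decode(token, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a three-field PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


# '\0' followed by up to three octal digits, as bash's builtin echo -e reads it
# (assumption about bash; only this escape is modelled).
_OCTAL_ESCAPE = re.compile(r"\\0([0-7]{0,3})")


def bash_echo_ne(literal: str) -> bytes:
    """Emulate what `echo -ne 'LITERAL'` writes in bash for the \\0nnn escape.
    Input is assumed to be plain ASCII apart from those escapes."""
    out = bytearray()
    i = 0
    while i < len(literal):
        m = _OCTAL_ESCAPE.match(literal, i)
        if m:
            out.append(int(m.group(1) or "0", 8) & 0xFF)
            i = m.end()
        else:
            out.append(ord(literal[i]))
            i += 1
    return bytes(out)


def method1_is_mangled(username: str, password: str) -> bool:
    """True when `echo -ne '\\000USER\\000PASS'` does NOT produce NUL USER NUL PASS.

    That happens when the text after \\000 starts with an octal digit (0-7):
    the digit is absorbed into the escape, so the NUL becomes a different byte
    and the password loses its first character. This is the failure the
    tutorial reports for passwords that start with a number.
    """
    shell_literal = f"\\000{username}\\000{password}"
    expected = f"\x00{username}\x00{password}".encode("utf-8")
    return bash_echo_ne(shell_literal) != expected
```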

WARNING: If you’re having problems with authentication and you paste examples to forums or mailing lists, be aware that it is really easy to convert this back into your username and password (hence the creation of a test user). If you're using your real username and password to test, redact it before posting!

Now, still logged into the Pi via SSH, you can telnet port 25 to test whether or not SASL is working. There’s only one extra step, which is the AUTH PLAIN command that comes after ehlo but before mail from. For testing, the permit_mynetworks parameter should be commented out under your postfix smtpd_recipient_restrictions block in /etc/postfix/main.cf. If you’re following on from Raspberry Pi Email Server Part 1: Postfix then this should already be the case. If you have to change it, remember to reload postfix (sudo service postfix reload) after you change the value. Here’s an example:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs ESMTP Postfix (Debian/GNU)
ehlo facebook.com
250-samhobbs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RtYWlsAHRlc3QxMjM0
235 2.7.0 Authentication successful
mail from:testmail
250 2.1.0 Ok
rcpt to:me@externalemail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: This is my first email that has been authenticated with Dovecot SASL
Woop woop
.
250 2.0.0 Ok: queued as B87133F768
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now try again but enter the username/password incorrectly (base64 encode something random) – you should get an error message and the email won’t send. If everything went to plan, then SASL is working properly! You can now uncomment permit_mynetworks again.

Separating Incoming email (unauthenticated) from Outgoing Email (SASL authenticated)

It’s probably a good idea to have a dedicated port for sending outgoing email…here’s why: Port 25 doesn’t require (but does offer) SSL/TLS encryption. If you mess up configuring your mail client you could end up letting it authenticate with SASL over insecure connections. Using a different port that only accepts SSL/TLS connections removes the risk that a poorly configured email client could be sending your password unencrypted over dodgy networks. There are two ports you can use for this:

  1. 465: SMTP over SSL
  2. 587: Email submission

587 is the “official” port for email clients (like K9 mail, Thunderbird and Outlook) to use when submitting messages to the Mail Submission Agent (your email server) – the submission may be encrypted or unencrypted depending on the server configuration. 465 was a port that was assigned for SMTP with SSL/TLS before the STARTTLS protocol was introduced, back in the days when you chose your port and that decided on the type of connection you were going to get (encrypted or unencrypted). STARTTLS changed things because it allows you to connect with an unencrypted connection (like the one you get with Telnet), and then upgrade to an encrypted connection without changing port… so when STARTTLS was introduced, SMTPS on port 465 was removed from the standard because you could do the same thing with a single port (25). However, I think there is some value in specifying a port for submission that only accepts SSL/TLS encrypted connections, and won’t work if the connection isn’t encrypted. This means that if you misconfigure your email client it just won’t work, instead of working and sending your password in an unencrypted format. So, anyway… Here’s how to set up Postfix to listen on port 465 for encrypted connections. The first step is telling Postfix to listen on port 465, so open /etc/postfix/master.cf and uncomment the line:

smtps     inet  n       -       -       -       -       smtpd

Now restart Postfix:

sudo service postfix restart

Test whether Postfix is listening on port 465:

telnet localhost 465
Trying 127.0.0.1...                                                                           
Connected to localhost.                                                                       
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo samhobbs.co.uk
250-samhobbs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

OK, so now it’s listening on the right port, but it’s allowing unencrypted connections. Here’s how you force TLS on port 465: open /etc/postfix/master.cf and find the line you uncommented earlier. Below it are some options; edit them so that they look like this (i.e. uncomment lines 2 and 3):

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes

Line 3 is forcing TLS on port 465, and line 2 means that connections to port 465 have a different label in the logs, which can be useful for debugging.

sudo service postfix restart

Now try connecting with Telnet again… you should be able to establish a connection, but not receive any prompts from the server:

telnet localhost 465                                            
Trying 127.0.0.1...                                                                           
Connected to localhost.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.

Now try openssl:

openssl s_client -connect localhost:465 -quiet
depth=0 CN = samhobbs
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = samhobbs
verify return:1
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
quit
221 2.0.0 Bye

Good: we are able to start a TLS encrypted connection. We got some errors because the certificate is self-signed (it's not signed by a certificate that is in the trusted root store on the server) but this is OK because we're just using the certificate for testing for now. When you come back later to set up a proper certificate, you can use this command to verify it. The -CApath option tells openssl where the trusted certificates are stored on your system:

openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs

Successful validation looks something like this:

sam@samhobbs:~$ openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1                                                                              
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1                                                                              
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1                                                                              
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = samhobbs.co.uk                 
verify return:1                                                                              
220 samhobbs.co.uk ESMTP Postfix (Ubuntu)                                                    
quit                                                                                         
221 2.0.0 Bye

There are a couple more changes we want to make here: first, tell Postfix to only advertise SASL authentication over encrypted connections (so that you don’t accidentally send your password in the clear). Open /etc/postfix/main.cf and add this line:

smtpd_tls_auth_only = yes

Then reload Postfix:

sudo service postfix reload

Now connect to port 25 and you shouldn’t see AUTH advertised:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo samhobbs.co.uk
250-samhobbs.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Lastly, we want to override the smtpd_recipient_restrictions for port 465 so that it doesn't accept incoming messages from unauthenticated users. At first, I didn't make this change and I noticed that some spam emails were coming in on port 465 and bypassing my spam filter, which I configured to scan all incoming email on port 25, but not 465 because I only expected it to be used for outgoing email. We can do this by overriding the smtpd_recipient_restrictions list for port 465 in /etc/postfix/master.cf. Open master.cf and find the smtps line. Add a new recipient restrictions list option like this:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Now reload postfix:

sudo service postfix reload

Perfect! Postfix configuration is now complete.
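An added check script (not part of the tutorial) that parses master.cf and main.cf fragments like the ones edited in this section and reports whether port 465 is TLS-only and accepts only SASL-authenticated senders, and whether port 25 has stopped advertising AUTH in the clear. The "before" fragments are constructed to show what the script flags.

```python
from typing import Dict, List

# Constructed samples: the service and option lines are the ones this section
# tells you to uncomment or add; the rest is made up for the example.
MASTER_CF_BEFORE = """\
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
"""

MASTER_CF_AFTER = """\
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

MAIN_CF_BEFORE = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
"""

MAIN_CF_AFTER = MAIN_CF_BEFORE + "smtpd_tls_auth_only = yes\n"


def parse_master_cf(text: str) -> Dict[str, dict]:
    """Map 'name/type' (e.g. 'smtps/inet') to the service command and its
    '-o key=value' overrides. master.cf rules: a service line has eight
    whitespace-separated fields; a line starting with whitespace continues the
    previous service; '#' lines and blank lines are ignored."""
    services: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service line")
            tokens = raw.split()
            for flag, arg in zip(tokens, tokens[1:]):
                if flag == "-o" and "=" in arg:
                    key, value = arg.split("=", 1)
                    current["options"][key] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = {"command": fields[7], "options": {}}
        services[f"{fields[0]}/{fields[1]}"] = current
    return services


def parse_main_cf(text: str) -> Dict[str, str]:
    """'key = value' pairs from main.cf; a later duplicate key wins, as in Postfix."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_submission(master: Dict[str, dict], main: Dict[str, str]) -> List[str]:
    """Findings against the end state of this section; [] means port 465 is
    TLS-only and authenticated-only, and port 25 no longer offers AUTH in the clear."""
    findings: List[str] = []
    svc = master.get("smtps/inet")
    if svc is None:
        return ["smtps service is not enabled in master.cf (nothing listens on 465)"]
    opts = svc["options"]
    if opts.get("smtpd_tls_wrappermode") != "yes":
        findings.append("port 465 accepts cleartext: smtpd_tls_wrappermode=yes missing")
    restrictions = [t.strip() for t in opts.get("smtpd_recipient_restrictions", "").split(",") if t.strip()]
    if not restrictions or "permit_sasl_authenticated" not in restrictions or restrictions[-1] != "reject":
        findings.append("port 465 not limited to authenticated senders: expected permit_sasl_authenticated,reject")
    if main.get("smtpd_tls_auth_only") != "yes":
        findings.append("port 25 advertises AUTH over cleartext: smtpd_tls_auth_only=yes missing")
    if main.get("smtpd_sasl_auth_enable") != "yes" or main.get("smtpd_sasl_type") != "dovecot":
        findings.append("Dovecot SASL is not enabled in main.cf")
    return findings
```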

Testing IMAP

There are two main protocols for fetching mail: POP and IMAP. The main difference between them is what they do with emails when they collect them: a POP client will fetch email from your server and remove it from the server when it’s done. This is inconvenient if you want to connect with two or more devices (like a phone and a computer) and have complete copies of all your emails on both. IMAP, on the other hand, makes a copy of the emails on the server and leaves the originals there. For this reason, I think IMAP is much more useful than POP and I didn’t even bother to set up POP on my server. We can now test the IMAP server with Telnet in a similar way to SMTP & SASL testing earlier. This time, we’ll be using port 143, the standard port for IMAP. The stages are:

  1. establish a connection with telnet localhost 143
  2. log in with a login "USERNAME" "PASSWORD" (not base64 encoded this time)
  3. select the inbox to see the messages inside it with b select inbox
  4. logout with c logout

In case you're wondering, the "a b c" thing is done because a client can send multiple commands to the server at once, and they might not come back in the same order depending on what they are. So, the responses have the same letter as the commands they are responding to so that the client doesn't get muddled. Here’s an example, using the testmail user we created earlier:

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login "testmail" "test1234"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1385217480] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
b OK [READ-WRITE] Select completed.
c logout
* BYE Logging out
c OK Logout completed.
Connection closed by foreign host.
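Added example, not from the original post: a few Python helpers that parse Dovecot's capability greeting and pair tagged commands with their completion lines, using the transcript above plus a constructed greeting from a server with disable_plaintext_auth = yes, so the port-143 check can be seen both ways.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Greeting lines as they appear in the tutorial's transcripts (port 143, then
# 993), plus a constructed one from a server with disable_plaintext_auth = yes.
GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
GREETING_NO_PLAINTEXT = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                         "ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")

# The tutorial's port-143 session without the telnet chatter (constructed copy).
SESSION_143 = [
    'a login "testmail" "test1234"',
    "a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT] Logged in",
    "b select inbox",
    "* FLAGS (\\Answered \\Flagged \\Deleted \\Seen \\Draft)",
    "* 1 EXISTS",
    "* 0 RECENT",
    "b OK [READ-WRITE] Select completed.",
    "c logout",
    "* BYE Logging out",
    "c OK Logout completed.",
]

_CAPABILITY = re.compile(r"^\* OK \[CAPABILITY ([^\]]*)\]")
_TAGGED_STATUS = re.compile(r"^(\S+) (OK|NO|BAD)(?: \[[^\]]*\])? ?(.*)$")


def capabilities(greeting: str) -> Set[str]:
    """Capability tokens Dovecot advertises in its greeting."""
    m = _CAPABILITY.match(greeting)
    if not m:
        raise ValueError("not a Dovecot capability greeting")
    return set(m.group(1).split())


def plaintext_auth_exposed(greeting: str, connection_is_tls: bool) -> bool:
    """True if a password could be sent before any encryption is in place.

    A hardened server advertises LOGINDISABLED (RFC 3501) and no AUTH=
    mechanism on a cleartext connection until STARTTLS has completed. With the
    tutorial's disable_plaintext_auth = no, port 143 fails this check, which is
    acceptable for local testing; it is why only port 993 is forwarded later.
    """
    if connection_is_tls:
        return False
    caps = capabilities(greeting)
    login_allowed = "LOGINDISABLED" not in caps
    sasl_offered = any(c.startswith("AUTH=") for c in caps)
    return login_allowed or sasl_offered


def pair_by_tag(lines: List[str]) -> Dict[str, Tuple[str, Optional[Tuple[str, str]]]]:
    """Match each client command to the tagged OK/NO/BAD line with the same tag.

    Untagged '* ...' lines are server data belonging to no single command, and
    tagged completions may arrive in any order, so the tag rather than the
    position identifies which command is being answered.
    """
    commands: Dict[str, str] = {}
    results: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        if line.startswith("* "):
            continue
        m = _TAGGED_STATUS.match(line)
        if m:
            results[m.group(1)] = (m.group(2), m.group(3))
        else:
            tag, _, command = line.partition(" ")
            commands[tag] = command
    return {tag: (cmd, results.get(tag)) for tag, cmd in commands.items()}
```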

Adding TLS support

Now that we know IMAP is working, we need to enable IMAPS (IMAP with SSL/TLS). The standard port for this is 993. Many other tutorials that were written for older versions of Dovecot will tell you to do this in different ways that won’t work; I tried 3 different methods before I ended up with a working one. First, edit /etc/dovecot/conf.d/10-master.conf, find the “service imap-login” block and uncomment the port and SSL lines so that it looks like this:

service imap-login {
  inet_listener imap {
    port = 143
  } 
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

Edit 14/10/2015: the default dovecot configuration files changed recently after Jessie became the new stable distribution of Debian, which caused some users problems; TLS on port 993 used to be enabled by default but now it isn't. We need to re-enable it. In /etc/dovecot/conf.d/10-ssl.conf, find ssl = no and change it to:

ssl = yes

There have been some security vulnerabilities discovered in older versions of the SSL protocol in recent times. SSLv2 is disabled by default, but it does no harm to explicitly disable it again. SSLv3 is vulnerable to an attack called POODLE, so we will disable it too. In the same file, find the ssl_protocols parameter line, uncomment it and add !SSLv3 to the end, like this:

ssl_protocols = !SSLv2 !SSLv3

Edit 02/09/2017: if you're using Debian Stretch or later, or one of its derivatives, then you will need to edit that line to match the following. The SSLv2 option is no longer recognised as an option for ssl_protocols because it has been removed entirely:

ssl_protocols = !SSLv3

For some bizarre reason, the Dovecot package for Raspberry Pi (and possibly newer versions of Ubuntu) does not create a self-signed certificate during installation like it used to. So, we have to create one manually. If you look in /usr/share/dovecot/ you will find the script that used to be used to generate the certificate; we can use it ourselves to simplify the process. The script is located at /usr/share/dovecot/mkcert.sh and looks like this:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=/etc/dovecot
KEYDIR=/etc/dovecot/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d "$CERTDIR" ]; then
  echo "$CERTDIR directory doesn't exist"
  exit 1
fi

if [ ! -d "$KEYDIR" ]; then
  echo "$KEYDIR directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo 
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

If you were going to use this certificate for any significant length of time, it would be worth editing the parameters in the config file it uses (/usr/share/dovecot/dovecot-openssl.cnf) to set the proper common name and contact details on the certificate. However, I suggest you leave the defaults as they are, use this certificate just for testing, and then come back later and generate a new cert when everything is working (more on that later). You must be in the same folder as the configuration file when you run the script, or it will not find the config and the certificate generation will fail. The following two commands will change to the right folder and then execute the script:

cd /usr/share/dovecot
sudo ./mkcert.sh

You should see a message "writing new private key to '/etc/dovecot/private/dovecot.pem'" and then some details about the certificate. Next, find the following two lines in /etc/dovecot/conf.d/10-ssl.conf and uncomment them:

#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

Now reload dovecot to apply the changes:

sudo service dovecot reload
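Added example (not the tutorial's own code): a parser for Dovecot's brace-nested configuration and a check of the 10-master.conf and 10-ssl.conf settings this section changes. The "before" fragment is constructed to reflect the post-Jessie defaults mentioned above.

```python
from typing import List

# Constructed fragments of the two Dovecot files edited in this section. The
# settings are the tutorial's; the 'before' fragment and ordering are made up.
MASTER_CONF = """\
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""

SSL_CONF_BEFORE = """\
ssl = no
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
#ssl_protocols = !SSLv2
"""

SSL_CONF_AFTER = """\
ssl = yes
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
ssl_protocols = !SSLv3
"""


def parse_dovecot(text: str) -> dict:
    """Parse 'key = value' lines and nested 'name { ... }' blocks into nested
    dicts; a header such as 'inet_listener imaps {' becomes the key
    'inet_listener imaps'. Within a scope a later key overrides an earlier one,
    the 'later default wins' behaviour the tutorial warns about."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block: dict = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed '{' block")
    return root


def audit_imaps(master: dict, ssl: dict) -> List[str]:
    """Findings against the end state of this section; [] means 993 is a TLS
    listener, TLS is enabled globally, SSLv3 is off and cert/key are read from files."""
    findings: List[str] = []
    listener = master.get("service imap-login", {}).get("inet_listener imaps")
    if listener is None:
        findings.append("no 'inet_listener imaps' block in 10-master.conf")
    else:
        if listener.get("port") != "993":
            findings.append("imaps listener is not on port 993")
        if listener.get("ssl") != "yes":
            findings.append("imaps listener lacks ssl = yes")
    if ssl.get("ssl") != "yes":
        findings.append("ssl = yes missing in 10-ssl.conf (the post-Jessie default is ssl = no)")
    if "!SSLv3" not in ssl.get("ssl_protocols", "").split():
        findings.append("SSLv3 not disabled in ssl_protocols (POODLE)")
    for key in ("ssl_cert", "ssl_key"):
        # The leading '<' tells Dovecot to read the file rather than use the text itself.
        if not ssl.get(key, "").startswith("<"):
            findings.append(f"{key} missing or not a '<path' reference")
    return findings
```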

Since IMAPS is a connection over SSL/TLS, we can’t use Telnet to test it. Instead, we use openssl to create a secure connection. There are two versions of the command: one will show you LOADS of information about the certificate used to encrypt the connection, and the other will suppress this info. I recommend trying the long version out of interest, but both will work the same for the test.

For full information:

openssl s_client -connect localhost:993

For minimal information:

openssl s_client -connect localhost:993 -quiet

I won’t print the output of the first command, because it’s ridiculously long. Here’s an example of the second, including a login test:

admin@samhobbs /etc/dovecot/conf.d $ openssl s_client -connect localhost:993 -quiet
depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login "testmail" "test1234"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
b logout
* BYE Logging out
b OK Logout completed.
Connection closed by foreign host.

Good stuff: SSL/TLS is working on port 993, and you can log in successfully. Note that by default Dovecot uses a “snakeoil” self-signed certificate. SSL/TLS certificates are used for two purposes: encryption and verification. The “snakeoil” certificate will encrypt your content but it won’t verify that you’re talking to your server – you could be talking to someone imitating your server (anyone can create a self-signed certificate claiming to be any website). If you’d like to get your certificate signed without forking out loads of money to a cert signing authority, I’d recommend CAcert. I've written a tutorial explaining how to generate your own cert and get it signed here. If you opt for a commercial certificate, you can use the CAcert tutorial to generate the certificate and then this tutorial will explain the differences in the installation/configuration of commercial certificates once you have it signed. If you're testing a proper certificate, use this command to tell openssl where the trusted root certificates are stored:

openssl s_client -connect localhost:993 -quiet -CApath /etc/ssl/certs

Tidying up and enabling WAN access

Before opening the ports on your router to the world, it’s a good idea to delete that test user because the password is so easy to guess.

sudo userdel testmail

Also, if you still use the "pi" login, for goodness' sake change the password from "raspberry"! You can do this using the passwd command when logged in as pi:

passwd

Or you can achieve the same thing when logged in as another user by using sudo to gain root privileges:

sudo passwd pi

Now you can open a few ports on your router’s firewall. Make sure your Pi has a static LAN IP address and then forward these ports from WAN to its LAN IP address:

  • Port 25 for SMTP (used for receiving emails)
  • Port 465 for secure SMTP (used for sending emails after SASL authentication)
  • Port 993 for IMAPS (used to receive emails on your phone/tablet/computer)

Here’s an example on my router, running OpenWrt (screenshot: openwrt-port-forwards-raspberry-pi-email-server.png).

Setting up IMAP Email Clients

I’m now going to run through setting up IMAP email clients quickly, using K9 Mail on Android and Thunderbird on GNU/Linux as examples. The setup for Thunderbird on Windows and Mac OSX should be very similar. The basics are this:

  • Select an IMAP connection
  • Your login is your username only (omit @yourdomain.com), and your password is…your password!
  • For incoming emails: select use SSL/TLS always and the program should automatically select port 993
  • For outgoing emails: select SSL/TLS always. The program may suggest port 587, but you want port 465

K9 Mail

Open K9 Mail and select add new account. Type in your account information (you@yourdomain.com and password) and then select manual setup. Select IMAP and then enter your information as follows: incoming email (screenshot: K9 Incoming Email Settings); outgoing email (screenshot: K9 Outgoing Email Settings).

Thunderbird

Open Thunderbird, and then click Account Actions –> Add Mail Account. Fill in your password and email address, which is your username followed by your fully qualified domain name (FQDN), i.e. username@yourdomain.com:

(Screenshot: Thunderbird Step 1: Mail Account Setup)

Thunderbird will try to auto-detect settings and fail. Don’t worry, this is normal. Select “manual config”:

(Screenshot: Thunderbird Step 2: TB will try to autodetect settings, and fail. Select “Manual Config”)

Now edit the settings as appropriate. I had to remove a period (.) from in front of my “server hostname”, and edit the SSL and Authentication settings. If you select “SSL/TLS” for both incoming and outgoing, ports 993 and 465 are automatically selected:

(Screenshot: Thunderbird Step 3: Edit the settings so that they match these (but change them to match your username and domain name!))

Now try emailing yourself from your external email address, and see if your email gets through. If you are having problems, be sure to check you’ve set up an MX record as well as a DNS A record.

Stuck in spam filters?

A few people have contacted me recently to say that their email server is working fine but their emails are getting sent to Gmail's spam folder. If you are experiencing problems like this (or even if you're not), try setting up an SPF and/or PTR record as explained in my DNS basics tutorial. You might also want to check if your domain name or IP address are on any blacklists. There's a handy website called MX toolbox that lets you do this (choose blacklist check from the dropdown menu).

Almost done…

Good news! If you’ve reached this far and everything is working, then you’re almost done. The next step (Webmail with Squirrelmail) is optional but by far the easiest of the three steps. If you’ve hit a rut, please post a comment and I’ll try and help you out. If not… continue to Raspberry Pi Email Server Part 3: Squirrelmail

Comments

For Dovecot do you believe I need to set up the WAN connection if I am just looking to make Dovecot receive a local email and forward it on as an authenticated one? This will be a remote system that is just set up to forward emails on from a PLC that sends on IMAP and needs something to Authenticate it such as the Raspberry Pi I am using.

Thanks so much for your guide Sam, I've been pushing through it over the last few days and I've really gotten a lot out of it.
I feel I'm getting close but I'm still having a few issues.

I'm able to send mail between users on my pi/domain but I can neither receive nor deliver mail to external accounts. I've got Thunderbird running on a secondary machine and it's able to get access to the inboxes. NMAP indicates that the ports I'm trying to use (25, 465, 993) are all open and I've been able to connect via openssl on the secondary. As far as I can tell the A and MX settings look good.

Emails in both directions seem to go through (no bounce backs) but never show up in the respective inboxes. Looking at the logs it seems like connections are timing out. I've tried gmail and yahoo with no success. I've got a dynamic IP but I hope that's not the cause.

Any advice would be appreciated. In the meantime I'll continue to dig through the discussion here. Domain is jarva.tech, root is a viable username, and address is 73.249.17.204.

Hi Erik, Sounds like your ISP is blocking port 25 which is quite common on dynamic ranges, is there any way you could get a static IP address? Sam

That seems to be the case. I can telnet jarva.tech 25 on my laptop without issues but remote services list the port as closed.

I'll look into options to get around this on comcast. Looks like it might be possible to relay the outgoing through their servers and use a redirect service to reroute incoming mail to another port.

Andrew Happ

Mon, 05/16/2016 - 06:15

Hi Sam,

What an incredible bit of work you have done in documenting this project and presenting it in a way that even I can progress through it. I think I have almost completely worked through to the end of Part 2 with just one outstanding niggling issue. I am using Windows XP as the client computer and I have tried both Outlook 2003 and Thunderbird as the email clients. In Thunderbird I have both incoming and outgoing email working without a problem now. Initially Thunderbird nagged there was something wrong with security certificates but somehow I coerced it into working without updating any certificates for Thunderbird.

I had a similar experience with Outlook 2003 prior to trying Thunderbird. Outlook receives email without a problem. When I attempt to send an email from Outlook I get the following dire message:

The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

It then fails to send the email.

I followed through your tutorial for obtaining and applying certificates from CAcert and that all seems to have worked as you have described.

Outlook is the client that I need to get working for the time being. I am hoping you might be able to help me tame Outlook so that it talks nicely to the Raspberry Pi SMTP.

Best regards,
Andrew

Hi Andrew, Since you have already imported the CAcert root certificate into windows, and it works for IMAP but not SMTP, I think you probably forgot to change the cert in your Postfix settings and you're still sending the old snakeoil cert (otherwise you'd get a failure for IMAP too if the OS didn't trust the CAcert root cert). Also, I just want to check you know that XP doesn't get security updates anymore? Make sure you have a good backup that isn't attached to the computer at all times (external HDD not always plugged in for example). There's so much ransomware these days. Sam

Sounds like you manually overrode the certificate error in Thunderbird though, right? That's probably why it works in Thunderbird and not Outlook. We should look for a solution to the problem instead of hiding the symptoms... Can you do the openssl test on port 465 (just connect without the -quiet option so it displays information about the cert) and post the output please? Same for port 993, so we can compare the certificates sent by postfix and dovecot. Sam

Andrew Happ

Wed, 05/18/2016 - 01:29

Hi Sam,
Thank you for your encouraging words.

The requested output from the two openssl commands are recorded below.

For Port 465:
Output not redirected to file
http://imgur.com/rS7jrEB

Output redirected to file

CONNECTED(00000003)
---
Certificate chain
0 s:/CN=happaus.net
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
subject=/CN=happaus.net
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 2454 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 07E4D3D04C8A6AB62B16A69CB50BAB6FC1228EFEBB7422FF8742461B2502CCAB
Session-ID-ctx:
Master-Key: 714FBABBE4023AC5E49249DD731A51E7CF04CEE583F296330C110061D548F5FE3DA812D20200DC2AB7DDE1D2675D2F08
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1463525752
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 happaus.net ESMTP Postfix (Raspbian)
221 2.0.0 Bye
closed

For Port 993:
Output not redirected to file
http://imgur.com/4lF2H76

Output redirected to file

CONNECTED(00000003)
---
Certificate chain
0 s:/CN=happaus.net
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
subject=/CN=happaus.net
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 2486 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5B6EE5478EF793C685D3A74159C6641A204246711CB71490E0C0278D796B8F93
Session-ID-ctx:
Master-Key: D2B1112C1876DE76399B7CDB0226CE55982669F84FB643EB4AC54A01F9EBC0A86124A9B760E9E870F7F790B4CAED5871
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1463525588
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
quit BAD Error in IMAP command received by server.

Nothing jumps out at me from that, I don't understand why Outlook is not accepting the certificate :/. If you were getting a different error (i.e. not one about the root cert not being trusted), I would say it could be due to XP's TLS libraries not being able to use certain cipher suites or TLS versions (connecting directly with TLS is different to connecting with a plain text connection and upgrading with STARTTLS, which would explain why it works for IMAP but not SMTP). I'll do some tests at home later and see if I can find anything out. Sam

Hello Sam,

I have repeated my Outlook 2003 testing with both Windows 7 Pro and Windows 8 Pro. (Outlook 2003 is not strictly supported on Win 8 but I have used that combination successfully for several years). I am getting the same results with XP, 7 and 8.

The error message I originally reported to you was:

The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

That error occurs on starting Outlook, and not when sending mail as I originally stated. Sorry for my mistake in reporting. If I persist with Outlook and then attempt to send mail I do get the following error message:

Task '192.168.10.185 - Sending' reported error (0x800CCC7D) : 'Your outgoing (SMTP) server does not support SSL-secured connections. If SSL-secured connections have worked in the past, contact your server administrator or Internet service provider (ISP).'

Regards,
Andrew

Andrew, Thanks for the additional information. What do you see in /var/log/mail.log when you attempt to connect? Presumably it's a TLS handshake error of some kind? Sam

Andrew Happ

Sat, 05/21/2016 - 01:20

In reply to by Sam Hobbs

Thank you very much Sam for your feedback.

I have taken a snippet from mail.log where references to TLS are made.

May 21 09:05:11 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.168.10.100, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=
May 21 09:05:23 raspberrypi dovecot: imap-login: Disconnected (auth failed, 1 attempts in 12 secs): user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, TLS: Disconnected, session=
May 21 09:06:00 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=5552, TLS, session=<2o1aIk4zUwDAqApk>
May 21 09:06:01 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=5560, TLS, session=
May 21 09:06:01 raspberrypi dovecot: imap(ajh): Disconnected: Logged out in=218 out=2105
May 21 09:06:01 raspberrypi dovecot: imap(ajh): Disconnected: Disconnected in IDLE in=112 out=718
May 21 09:08:14 raspberrypi postfix/anvil[5525]: statistics: max connection rate 3/60s for (smtps:192.168.10.100) at May 21 09:04:51
May 21 09:08:14 raspberrypi postfix/anvil[5525]: statistics: max connection count 1 for (smtps:192.168.10.100) at May 21 09:04:12
May 21 09:08:14 raspberrypi postfix/anvil[5525]: statistics: max cache size 1 at May 21 09:04:12
May 21 09:11:47 raspberrypi postfix/smtpd[5561]: connect from unknown[168.187.255.197]
May 21 09:11:47 raspberrypi postfix/smtpd[5561]: lost connection after CONNECT from unknown[168.187.255.197]
May 21 09:11:47 raspberrypi postfix/smtpd[5561]: disconnect from unknown[168.187.255.197]
May 21 09:12:15 raspberrypi postfix/smtps/smtpd[5564]: connect from unknown[192.168.10.100]
May 21 09:12:21 raspberrypi postfix/smtps/smtpd[5564]: NOQUEUE: reject: RCPT from unknown[192.168.10.100]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
May 21 09:12:23 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=5577, TLS, session=
May 21 09:12:23 raspberrypi postfix/smtps/smtpd[5564]: disconnect from unknown[192.168.10.100]
May 21 09:12:23 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=5585, TLS, session=
May 21 09:12:57 raspberrypi dovecot: imap(ajh): Disconnected: Logged out in=218 out=2155

I have been trying various Outlook settings (e.g. requiring / not requiring authentication) and I'm afraid I have not been careful in documenting that. I should go back and work through cause and effect in a more disciplined way.
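As an added example (not part of the thread), the script below parses imap-login lines in the mail.log format quoted above and groups TLS handshake failures by client IP and OpenSSL reason, which shows at a glance whether a client is dying before or after the handshake: on an implicit-TLS port, "unknown protocol" and "wrong version number" usually mean the client sent something other than a TLS ClientHello (plain text or a STARTTLS-style greeting), while "no shared cipher" points at a protocol-version or cipher-suite mismatch. The sample log is constructed from the lines in the thread.

```python
import re
from collections import Counter

# Constructed sample in the mail.log format quoted above (session ids
# are made up; the IPs are the ones that appear in the thread).
SAMPLE_LOG = """\
May 21 09:05:11 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.168.10.100, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<sample01>
May 21 09:06:00 raspberrypi dovecot: imap-login: Login: user=<ajh>, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=5552, TLS, session=<sample02>
May 21 09:11:47 raspberrypi postfix/smtpd[5561]: connect from unknown[168.187.255.197]
May 21 20:55:30 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<sample03>
May 21 20:55:32 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: SSL_read() syscall failed: Connection reset by peer, session=<sample04>
May 21 20:55:33 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number, session=<sample05>
May 21 20:56:00 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<sample06>
May 21 20:55:41 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=<sample07>
"""

LOGIN_RE = re.compile(
    r"dovecot: imap-login: (?P<event>Login|Disconnected|Aborted login)"
    r"(?: \([^)]*\))?: (?P<rest>.*)$"
)
RIP_RE = re.compile(r"\brip=(?P<rip>[0-9a-fA-F.:]+)")
# The TLS status is the comma-free fragment starting with "TLS" that
# runs up to ", session=" (or the end of the line).
TLS_RE = re.compile(r", (?P<tls>TLS[^,]*)(?:, session=|$)")


def classify(line):
    """Return (kind, client_ip, reason) for an imap-login line, else None.

    kind: 'login'            handshake ok, authentication succeeded
          'no_auth'          handshake ok, client never authenticated
          'handshake_failed' SSL_accept() failed (reason = OpenSSL text)
          'tls_error'        error after the handshake (e.g. peer reset)
    """
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rip_m = RIP_RE.search(rest)
    rip = rip_m.group("rip") if rip_m else "?"
    tls_m = TLS_RE.search(rest)
    if not tls_m:
        return ("no_auth", rip, "no TLS")
    tls = tls_m.group("tls")
    if tls == "TLS":
        return ("login" if m.group("event") == "Login" else "no_auth", rip, "")
    reason = tls.split(":")[-1].strip()  # last field, e.g. "unknown protocol"
    kind = "handshake_failed" if tls.startswith("TLS handshaking:") else "tls_error"
    return (kind, rip, reason)


def summarize(text):
    """Count (client_ip, reason) pairs per kind over a block of log text."""
    counts = {k: Counter() for k in ("handshake_failed", "tls_error", "no_auth", "login")}
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            kind, rip, reason = hit
            counts[kind][(rip, reason)] += 1
    return counts


def report(counts):
    """One line per (kind, client, reason), handshake failures first."""
    lines = []
    for kind in ("handshake_failed", "tls_error", "no_auth", "login"):
        for (rip, reason), n in sorted(counts[kind].items()):
            lines.append(f"{kind:16} {rip:15} x{n:<3} {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Feed it the real file with `summarize(open("/var/log/mail.log").read())`; a single client IP that racks up "unknown protocol" on port 993 or 465 is almost always a client configured for STARTTLS (or no encryption) on the implicit-TLS port.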

I'm getting connection refused when I try to connect on port 465:
[nemo@localhost ~]$ openssl s_client -connect happaus.net:465
connect: Connection refused
connect:errno=111
I tried from my phone, and from my server just to make sure. What are the settings that work with Thunderbird? Are you sure it's TLS on port 465? Sam

I am sorry my server is not behaving. The following snippet from mail.log may be related to your attempts. The last bit of the attachment (from May 21 21:40:56 onward) is my use of Thunderbird in successfully emailing out.

May 21 20:53:38 raspberrypi postfix/smtpd[5964]: connect from unknown[195.158.100.38]
May 21 20:53:38 raspberrypi postfix/smtpd[5968]: warning: hostname as7p38.access.maltanet.net does not resolve to address 195.158.100.38: Name or service not known
May 21 20:53:38 raspberrypi postfix/smtpd[5968]: connect from unknown[195.158.100.38]
May 21 20:53:38 raspberrypi postfix/smtpd[5964]: lost connection after CONNECT from unknown[195.158.100.38]
May 21 20:53:38 raspberrypi postfix/smtpd[5964]: disconnect from unknown[195.158.100.38]
May 21 20:53:38 raspberrypi postfix/smtpd[5968]: lost connection after CONNECT from unknown[195.158.100.38]
May 21 20:53:38 raspberrypi postfix/smtpd[5968]: disconnect from unknown[195.158.100.38]
May 21 20:55:10 raspberrypi dovecot: imap-login: Aborted login (no auth attempts in 11 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:17 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: Disconnected, session=
May 21 20:55:20 raspberrypi dovecot: imap-login: Aborted login (no auth attempts in 11 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:22 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: Disconnected, session=
May 21 20:55:26 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: Disconnected, session=
May 21 20:55:27 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:30 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<8YO/C1gzcABVGSte>
May 21 20:55:32 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: SSL_read() syscall failed: Connection reset by peer, session=
May 21 20:55:33 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number, session=
May 21 20:55:39 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 41 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<+dU9DFgzdABVGSte>
May 21 20:55:41 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:43 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 11 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:45 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<9FyZDFgzTgBVGSte>
May 21 20:55:46 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:47 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number, session=
May 21 20:55:50 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 4 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:54 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:58 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 4 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:55:59 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:56:00 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=
May 21 20:56:04 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 35 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS: SSL_read() syscall failed: Connection reset by peer, session=
May 21 20:56:04 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=85.25.43.94, lip=192.168.10.185, TLS, session=
May 21 20:56:59 raspberrypi postfix/anvil[5969]: statistics: max connection rate 2/60s for (smtp:195.158.100.38) at May 21 20:53:38
May 21 20:56:59 raspberrypi postfix/anvil[5969]: statistics: max connection count 1 for (smtp:195.158.100.38) at May 21 20:53:38
May 21 20:56:59 raspberrypi postfix/anvil[5969]: statistics: max cache size 1 at May 21 20:53:38
May 21 21:26:51 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=6031, TLS, session=
May 21 21:27:01 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=6040, TLS, session=
May 21 21:40:56 raspberrypi postfix/smtps/smtpd[6041]: connect from unknown[192.168.10.100]
May 21 21:40:57 raspberrypi postfix/smtps/smtpd[6041]: 3094F1C4E: client=unknown[192.168.10.100], sasl_method=PLAIN, sasl_username=ajh
May 21 21:40:57 raspberrypi postfix/cleanup[6055]: 3094F1C4E: message-id=<57404945.4020306@happaus.net>
May 21 21:40:57 raspberrypi postfix/qmgr[825]: 3094F1C4E: from=, size=614, nrcpt=1 (queue active)
May 21 21:40:57 raspberrypi postfix/smtps/smtpd[6041]: disconnect from unknown[192.168.10.100]
May 21 21:41:07 raspberrypi postfix/smtp[6056]: 3094F1C4E: to=, relay=mx3.hotmail.com[65.55.33.119]:25, delay=11, delays=0.03/0.02/6.4/4.1, dsn=2.0.0, status=sent (250 <57404945.4020306@happaus.net> Queued mail for delivery)
May 21 21:41:07 raspberrypi postfix/qmgr[825]: 3094F1C4E: removed
May 21 21:41:08 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.10.100, lip=192.168.10.185, mpid=6065, TLS, session=
May 21 21:41:53 raspberrypi dovecot: imap(ajh): Disconnected: Logged out in=1123 out=1663
May 21 21:41:53 raspberrypi dovecot: imap(ajh): Disconnected: Logged out in=655 out=2506
May 21 21:41:53 raspberrypi dovecot: imap(ajh): Disconnected: Logged out in=351 out=1506
May 21 21:44:17 raspberrypi postfix/anvil[6046]: statistics: max connection rate 1/60s for (smtps:192.168.10.100) at May 21 21:40:56
May 21 21:44:17 raspberrypi postfix/anvil[6046]: statistics: max connection count 1 for (smtps:192.168.10.100) at May 21 21:40:56
May 21 21:44:17 raspberrypi postfix/anvil[6046]: statistics: max cache size 1 at May 21 21:40:56

My Thunderbird is configured with SSL/TLS on port 465.

Hi Sam, I am also getting
Aug 26 10:43:41 raspberrypi dovecot: imap-login: Disconnected (no auth attempts in 18 secs): user=<>, rip=X.X.X.X, lip=X.X.X.X, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=

When connecting from a client in my LAN where the mail server is connected. I tried with Thunderbird and iOS mail client.

Will you help us or not?

Hello Sam

This is a fantastic tutorial; everything works fine for me.
But I cannot find how to add more users to the mail server. Can you explain to me how to do this, if it is possible?

Thanks

Hi, If you followed the tutorial fully then you have already added at least one user ("testmail"). You can use the same procedure to add other users (by creating a system account). Sam

Hi,

Thanks for the quick reply. This is a good idea, but I would like to give users the ability to set their own password over a web interface, which is not possible in Squirrelmail. Is there any way to enable this, assuming I followed the instructions in this tutorial completely?

Thanks

An excellent set of tutorials, and in general the site as a whole is a rather excellent source of knowledge to learn from.

I am not so server orientated, as my day-to-day job is as a senior network security managed services engineer; however, I am still finding so much good information and learning within your tutorials.

Thanks

Hi Sam
Thanks for the great tutorial and your continuing support. Like others, I've hit an error at the Testing IMAP stage, and in my mail.err file I get the following

May 23 20:30:54 raspberry-tartlet dovecot: imap(testmail): Error: open(/var/mail/testmail) failed: Permission denied (euid=1003(testmail) egid=1003(testmail) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)
May 23 20:30:54 raspberry-tartlet dovecot: imap(testmail): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2016-05-23 20:30:54]

I've read comments from people with similar problems and it's down to Dovecot not knowing where the mailbox is. But I've checked (and double checked) my 10-mail.conf file and there is only one uncommented line for mail_location, and it is
mail_location = maildir:~/Maildir

Have you got any other thoughts on what the problem might be?

Thanks

Mike

I had already tried that and couldn't see anything obvious
grep -r -H "mail_location" /etc/dovecot
generates
grep: /etc/dovecot/private: Permission denied
grep: /etc/dovecot/dovecot-dict-auth.conf.ext: Permission denied
/etc/dovecot/conf.d/10-mail.conf:# path given in the mail_location setting.
/etc/dovecot/conf.d/10-mail.conf:# mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail.conf:# mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail.conf:# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
/etc/dovecot/conf.d/10-mail.conf:# mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail.conf:mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail.conf: # mail_location, which is also the default for it.
/etc/dovecot/conf.d/10-mail_backup.conf:# path given in the mail_location setting.
/etc/dovecot/conf.d/10-mail_backup.conf:# mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail_backup.conf:# mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail_backup.conf:# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
/etc/dovecot/conf.d/10-mail_backup.conf:mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail_backup.conf: # mail_location, which is also the default for it.
/etc/dovecot/conf.d/10-mail.conf.save:# path given in the mail_location setting.
/etc/dovecot/conf.d/10-mail.conf.save:# mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail.conf.save:# mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail.conf.save:# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
/etc/dovecot/conf.d/10-mail.conf.save:#mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail.conf.save: # mail_location, which is also the default for it.
grep: /etc/dovecot/dovecot-dict-sql.conf.ext: Permission denied
grep: /etc/dovecot/dovecot-sql.conf.ext: Permission denied

Mike

That output clearly shows that 10-mail_backup.conf is the problem! If you want that file to be ignored by Dovecot, change the extension to something other than .conf, i.e. 10-mail.bak Sam
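As an added example (not from the tutorial), the script below rebuilds the conf.d layout from the grep output above in a temporary directory and flags any global setting that is defined in more than one conf.d/*.conf file. It assumes the stock dovecot.conf pulls the directory in with `!include conf.d/*.conf`, so every file whose name ends in .conf is read in sorted order and a later definition overrides an earlier one, which is exactly how 10-mail_backup.conf silently replaced the maildir setting; 10-mail.conf.save is ignored because it does not match the glob.

```python
import glob
import os
import re
import tempfile
from collections import defaultdict

# Top-level "key = value" lines. Lines inside { } blocks (namespace,
# protocol, passdb, ...) are skipped by tracking brace depth, so only
# global settings such as mail_location are compared across files.
SETTING_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def active_settings(path):
    """Yield (key, value, lineno) for every uncommented top-level setting."""
    depth = 0
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if depth == 0:
                m = SETTING_RE.match(line)
                if m:
                    yield m.group(1), m.group(2), lineno
            depth += line.count("{") - line.count("}")


def find_conflicts(conf_dir):
    """Return {key: [(file, lineno, value), ...]} for settings defined in
    more than one *.conf file, in the order Dovecot reads them (sorted by
    name, so the last entry is the value that wins)."""
    seen = defaultdict(list)
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        for key, value, lineno in active_settings(path):
            seen[key].append((os.path.basename(path), lineno, value))
    return {k: v for k, v in seen.items() if len({f for f, _, _ in v}) > 1}


def report(conflicts):
    """Human-readable summary, one block per conflicting setting."""
    out = []
    for key, where in sorted(conflicts.items()):
        out.append(f"{key}: defined in {len(where)} places, last one wins")
        out.extend(f"  {fname}:{lineno}: {value}" for fname, lineno, value in where)
    return out


def build_demo_dir():
    """Constructed replica of the conf.d layout from the grep output above
    (trimmed to the relevant lines); returns the temporary directory."""
    d = tempfile.mkdtemp(prefix="dovecot-confd-")
    files = {
        "10-mail.conf": ("# mail_location = mbox:~/mail:INBOX=/var/mail/%u\n"
                         "mail_location = maildir:~/Maildir\n"
                         "namespace inbox {\n  inbox = yes\n}\n"),
        "10-mail_backup.conf": "mail_location = mbox:~/mail:INBOX=/var/mail/%u\n",
        "10-mail.conf.save": "mail_location = mbox:~/mail:INBOX=/var/mail/%u\n",
        "10-auth.conf": "disable_plaintext_auth = yes\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    print("\n".join(report(find_conflicts(build_demo_dir()))))
```

Pointed at the real /etc/dovecot/conf.d (as root, since the grep above shows some files are not world-readable) it lists the duplicate definitions; `doveconf -n` then confirms which value Dovecot actually ended up with.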

Andrew Happ

Wed, 06/01/2016 - 02:43

My Raspberry Pi email server is now working solidly except for issues with incoming delivery times. I have done a statistical analysis of mail from one source (ZNET Newsletter) sent periodically to both my RPi server and to my Hotmail account. I have taken a sample of 10 mail-drops to each of those destinations. The RPi is taking on average 243 minutes to receive the mail, whereas the Hotmail account receives it on average in 20 minutes. Sending mail to my RPi using an alternate mail client that uses my ISP's SMTP usually takes more than a day for delivery. The header seems to indicate that it is sitting on my ISP's server all that time. On the other hand, if I send mail directly out of Hotmail (webmail) to my RPi, delivery times are normal (2 to 4 minutes).

I am using Outlook 2003 on Windows XP as my client to the RPi, as I mentioned in an earlier post. This continues to have a problem with root certificate verification each time the client is started, but normal operation seems to proceed once I acknowledge that warning.

Does this excessive delivery time to the RPi from more than one source and route ring any bells as to the possible cause? I am assuming that the Outlook / Root Certificate issue is not somehow causing the long delivery times, but that’s just a hunch on my part. Before I launch deeper into resolving the Certificate problem I would like to be a bit more confident I’ll end up with a server with reasonable delivery times to it. Outgoing mail from the RPi, using smtp2go, seems to be all working fine.

My ISP doesn’t encourage users with their own email servers (understandably), so I wouldn’t expect to get an answer there. I am also getting delays on the Znet feed which I assume is not handled by my ISP email servers. Thanks for your feedback which tells me that there is nothing obvious on the RPi to troubleshoot.

Hi Sam,

I can't send email from my server to others like Gmail, Yahoo, etc., but I can receive from them. I also can't dig my domain's MX; it says no servers could be reached. I already inserted the MX record in my Namecheap domain control panel.

Help please

thanks in advance
