mail server not listening on port 993 and 995

Discussion in 'Postfix' started by Zauny, Feb 14, 2014.

  1. Zauny

    I have an Ubuntu server with Postfix, Courier and MySQL. I have configured SSL/TLS, but my mail server is not listening on ports 993 and 995 (well, only on tcp6 and not tcp), hence I cannot connect and authenticate with the SSL/TLS protocol.

    I have tried adding them via the iptables:
    iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT

    and still nothing...
     


  2. rfs9999

    Are POP and IMAP configured in Courier to listen on ports 995 and 993 respectively? If you telnet to those ports do you get 'connected'?

    # telnet localhost 993
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    You might also want to try making a connection using openssl in case this is an SSL problem rather than a Courier or network issue.

    # openssl s_client -connect localhost:993
    CONNECTED(00000004)
    depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    verify error:num=10:certificate has expired
    notAfter=Jan 15 17:41:43 2012 GMT
    verify return:1
    depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    notAfter=Jan 15 17:41:43 2012 GMT
    verify return:1
    ---
    Certificate chain
    0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    ---
    Server certificate
    subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1147 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: A7BE27E4BA01EC8E84A8D143ACA501AA1FAB27409BFA73FA6AF7DBB5958E21F2
    Session-ID-ctx:
    Master-Key: 8AC518C3F3F1D53C32CF3D04FE1703BB8786C0F79600627D266683DE62021F0D9B89BC4FB45776747048DD9BC7EC6682
    Key-Arg : None
    Start Time: 1392403953
    Timeout : 300 (sec)
    Verify return code: 10 (certificate has expired)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
     

  3. Zauny

    root@mail:~# openssl s_client -connect localhost:993
    CONNECTED(00000003)
    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify error:num=10:certificate has expired
    notAfter=May 4 22:53:25 2011 GMT
    verify return:1
    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    notAfter=May 4 22:53:25 2011 GMT
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    ---
    Server certificate
    subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 933 bytes and written 316 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 8703A8816E67668B612454E152D0B135CA75D16C5265BC169E7CCC440763AA76
    Session-ID-ctx:
    Master-Key: 19ADC2650B5A519EB554C0D41DD7C098D4F479111F541606223094AA727218A4B1252960A0D49D57D9F89DFC743C41DD
    Key-Arg : None
    Start Time: 1392406785
    Timeout : 300 (sec)
    Verify return code: 10 (certificate has expired)
    ---
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
    closed
     
  4. Zauny

    Also, they don't show up in netstat:
    root@mail:~# netstat -nat |grep 993
    tcp6 0 0 :::993 :::* LISTEN
    root@mail:~# netstat -nat |grep 995
    tcp6 0 0 :::995 :::* LISTEN
    root@mail:~#
     
  5. rfs9999

    You are able to make a connection to Courier on port 993 which means you don't have a networking problem.

    I see in the CAPABILITY response that only one login method is enabled: "AUTH=PLAIN".

    That means that other methods are disabled, such as the following:

    AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI AUTH=MSN AUTH=NTLM

    AUTH=LOGIN is where you send username and password in the clear so if you are attempting that kind of login it is going to be rejected by Courier. Try doing a PLAIN login or modifying your Courier config to permit AUTH=LOGIN.

    -Rick
     
  6. Zauny

    How and where can I enable AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI AUTH=MSN AUTH=NTLM...?
     
  7. rfs9999

    I'm not familiar with configuring Courier but a Google search suggests you might want to take a look at /usr/lib/courier/etc/imapd. That is apparently its IMAP configuration file.

    -Rick
     
  8. Zauny

    What I need to do is to allow users to connect via SSL/TLS...
     
  9. rfs9999

    If you have the AUTH=LOGIN fixed then a user just has to configure his mail client by clicking the TLS or SSL button in his settings.

    Can you do a normal user/password login now? I doubt many PC e-mail clients permit you to do PLAIN logins. If CAPABILITY now shows AUTH=LOGIN try this after openssl s_client connects and see if it says OK or NO/BAD.

    1 login <user> <password>

    -Rick
     
  10. popowich

    Do you have a load balancer in front of the server?

    I handle SSL by enabling SSL at the load balancer for ports 993 and 995, but each individual server is running regular pop3d and imapd.
     
  11. Zauny

    But shouldn't I see the port open when I do a netstat -nat...?
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
    but all I am seeing is
    tcp6 0 0 :::995 :::* LISTEN

    How can I resolve this...
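    Posts 4 and 11 only ever see a `tcp6 ... :::995 LISTEN` line. On Linux an IPv6 socket bound to `::` also accepts IPv4 connections unless `IPV6_V6ONLY` is set on the socket (or the sysctl `net.ipv6.bindv6only=1`), so a listener that looks IPv6-only in netstat is normally reachable from IPv4 clients as well. The added example below is not from the thread; it reproduces both behaviours on loopback with an ephemeral port.

```python
"""Why netstat shows only `tcp6 ... :::993 LISTEN` while IPv4 clients still connect.

Added example, not from the thread. On Linux an AF_INET6 socket bound to `::`
also accepts IPv4 connections unless IPV6_V6ONLY is set (or the sysctl
net.ipv6.bindv6only=1), so one tcp6 line can cover both address families.
"""
import socket


def _listen_v6(v6only):
    """Bind an IPv6 listener on an ephemeral loopback port; return (sock, port)."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    srv.bind(("::", 0))  # shown by netstat as ':::<port>' under tcp6
    srv.listen(1)
    return srv, srv.getsockname()[1]


def _ipv4_can_connect(port):
    """Attempt a plain AF_INET connection to 127.0.0.1:<port>."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect(("127.0.0.1", port))
        return True
    except OSError:  # ECONNREFUSED: no IPv4 endpoint behind that port
        return False
    finally:
        cli.close()


def dual_stack_check():
    """Return {'v6only_off': bool, 'v6only_on': bool}, or None if IPv6 is unavailable."""
    results = {}
    for label, flag in (("v6only_off", False), ("v6only_on", True)):
        try:
            srv, port = _listen_v6(flag)
        except OSError:
            return None  # no IPv6 socket support on this host
        try:
            results[label] = _ipv4_can_connect(port)
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    r = dual_stack_check()
    print("IPv6 not available on this host" if r is None else r)
```

    The same logic explains why a service you believe is bound "IPv6 only" may still be exposed to IPv4 clients, which matters when you reason about firewall rules per address family.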
     
  12. Zauny

    @popowich no, I do not have a load balancer in front of the server...
     
  13. rfs9999

    Some questions:

    What do your Courier logs show?

    Did you try to log into Courier as suggested?

    Did you get Courier's AUTH LOGIN working?

    Your OpenSSL s_client session shows that you _are_ able to access port 993, or you would not have gotten this: "Courier-IMAP ready". I wouldn't worry too much about what netstat shows. Focus on whether you can log in and, if not, why not.

    When you get the "Courier-IMAP ready" prompt type in: "1 login <user> <password>" and tell us what you see.

    -Rick
     
  14. Zauny

    Rick, popowich, sorry about the delay in responding, but I was on another project. When I got the "Courier-IMAP ready" prompt and typed in:
    1 login <myusername> <mypassword>
    I got...
    1 OK LOGIN Ok.
     
  15. rfs9999

    So what's the problem? Looks like it is working. You can connect to port 993 from the OpenSSL client, Courier answers, and you can log in. If you can't do the same from a mail client then there's something wrong with its settings.

    -Rick
     
  16. popowich

    If it's only listening on localhost, and/or there is a server based firewall, and/or there is a network based hardware firewall or ACL, mail programs won't be able to connect.
     
  17. Zauny

    You're right, the error was in my client settings for IMAP; I got IMAP to authenticate using TLS for both incoming and outgoing email. However, I am still having trouble with the POP3 configuration when I tell my client to use SSL encryption to connect to the server (port 995). Regular POP3 (port 110) with TLS encryption on outgoing (port 25) works fine...

    How can I get SSL for incoming POP3 to work...?
     
  18. rfs9999

    Courier may not be configured for POP on port 995. Try the OpenSSL s_client again and see what it tells you:

    openssl s_client -connect <localhost:995>

    If Courier is not listening on port 995 you'll get something like this:

    openssl s_client -connect localhost:995
    connect: Connection refused
    connect:errno=146

    -Rick
     
  19. Zauny

    I got the following...
    root@mail:~# openssl s_client -connect localhost:995
    CONNECTED(00000003)
    write:errno=104
    root@mail:~#
     
  20. rfs9999

    A quick Google search suggests this may be a POP configuration issue in your Courier setup.

    -----------------------------------------------------------------
    puzzling dot org: Courier IMAP/POP SSL errors
    When I do 'openssl s_client -connect myhostname:995', I get: CONNECTED(00000003) write:errno=104

    You need to change your TLS_PROTOCOL configuration file variable, and possibly (if you have it) your SSL_PROTOCOL variable to allow SSL version 2.

    -------------------------------------------------------------

    You might want to compare your IMAP and POP config settings.
    Maybe POP SSL is not configured right.

    /etc/courier/courier-imap-ssl

    /etc/courier/courier-pop-ssl

    -Rick
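    As an added example (not code from the thread), a small Python classifier for `openssl s_client` transcripts like those in posts 2, 3, 18 and 19: it distinguishes a refused connection (no listener), a TCP accept followed by `errno=104` (a listener is present but the TLS handshake failed, the POP3 symptom in post 19), and a completed handshake, for which it reports whether the certificate has expired and which AUTH= mechanisms the IMAP greeting advertises. The transcript excerpts embedded below are abridged from the thread, and `THREAD_DATE` (the thread's date) is used as the reference time for the expiry check.

```python
"""Classify `openssl s_client` transcripts like the ones quoted in this thread.
Added example, not from the thread: it reads captured text, not the network."""
import re
from datetime import datetime, timezone

# Regexes written for the transcript lines shown in posts 2, 3, 18 and 19.
_VERIFY = re.compile(r"Verify return code: (\d+) \((.*?)\)")
_NOT_AFTER = re.compile(r"notAfter=(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")
_IMAP_GREETING = re.compile(r"\* OK \[CAPABILITY ([^\]]*)\]")

THREAD_DATE = datetime(2014, 2, 14, tzinfo=timezone.utc)  # reference "now"

# Transcript excerpts abridged from the thread's posts.
DOVECOT_TRANSCRIPT = ("CONNECTED(00000004)\nnotAfter=Jan 15 17:41:43 2012 GMT\n"
    "Verify return code: 10 (certificate has expired)\n"
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR AUTH=PLAIN] Dovecot ready.\n")
COURIER_TRANSCRIPT = ("CONNECTED(00000003)\nnotAfter=May 4 22:53:25 2011 GMT\n"
    "Verify return code: 10 (certificate has expired)\n"
    "* OK [CAPABILITY IMAP4rev1 UIDPLUS AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE "
    "AUTH=PLAIN ACL] Courier-IMAP ready.\n")
RESET_TRANSCRIPT = "CONNECTED(00000003)\nwrite:errno=104\n"
REFUSED_TRANSCRIPT = "connect: Connection refused\nconnect:errno=146\n"


def classify_probe(transcript, now=None):
    """Return a dict: tcp_connected, state, auth (list), cert_expired, verify_code."""
    now = now or datetime.now(timezone.utc)
    result = {"tcp_connected": "CONNECTED(" in transcript, "state": "unknown",
              "auth": [], "cert_expired": None, "verify_code": None}
    if "Connection refused" in transcript:
        result["state"] = "nothing listening on that address and port"
        return result
    if re.search(r"(read|write):errno=104", transcript):
        # TCP accept succeeded, then the peer reset the connection: a listener
        # exists but its TLS layer never completed a handshake (post 19).
        result["state"] = "listener accepted TCP but reset during TLS handshake"
        return result
    m = _VERIFY.search(transcript)
    if m:
        result["verify_code"] = int(m.group(1))
        result["state"] = "tls handshake completed"
    m = _NOT_AFTER.search(transcript)
    if m:  # compare the certificate's notAfter against the reference time
        not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        result["cert_expired"] = not_after.replace(tzinfo=timezone.utc) < now
    m = _IMAP_GREETING.search(transcript)
    if m:  # AUTH= tokens are the login mechanisms the server will accept
        result["auth"] = [c[5:] for c in m.group(1).split() if c.startswith("AUTH=")]
    return result
```

    Run against the Courier transcript from post 3 it reports an expired certificate (verify code 10) and the mechanisms CRAM-MD5, CRAM-SHA1 and PLAIN; against post 19's output it reports the TCP-accept-then-reset state rather than "nothing listening".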
     
