mail server not listening on port 993 and 995

Zauny

Valued Member
i have an Ubuntu server with Postfix, Courier and mysql. I have configured SSL/TLS but my mail server is not listening on port 993 and 995 (well only for tcp6 and not tcp) hence I cannot connect and authenticate with SSL/TLS protocol.

I have tried adding them via the iptables:
iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT

and still nothing...
 

rfs9999

IMAP Tools
Are POP and IMAP configured in Courier to listen on ports 995 and 993 respectively? If you telnet to those ports do you get 'connected'?

# telnet localhost 993
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

You might also want to try making a connection using openssl in case this is an SSL problem rather than a Courier or network issue.

# openssl s_client -connect localhost:993
CONNECTED(00000004)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=10:certificate has expired
notAfter=Jan 15 17:41:43 2012 GMT
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
notAfter=Jan 15 17:41:43 2012 GMT
verify return:1
---
Certificate chain
0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICQzCCAaygAwIBAgIJAMn42ROqF9QsMA0GCSqGSIb3DQEBBQUAMFgxFDASBgNV
BAsTC0lNQVAgc2VydmVyMRkwFwYDVQQDExBpbWFwLmV4YW1wbGUuY29tMSUwIwYJ
KoZIhvcNAQkBFhZwb3N0bWFzdGVyQGV4YW1wbGUuY29tMB4XDTExMDExNTE3NDE0
M1oXDTEyMDExNTE3NDE0M1owWDEUMBIGA1UECxMLSU1BUCBzZXJ2ZXIxGTAXBgNV
BAMTEGltYXAuZXhhbXBsZS5jb20xJTAjBgkqhkiG9w0BCQEWFnBvc3RtYXN0ZXJA
ZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKegsa8Qi43R
+i4242ENk07Q3f0mPY3Hj9GcjfzLN2zVZ5SC0JIXhwzDB/+xpwAZSuqJ88Ou7M/L
5M1rwM6ztph7sU4E8xO47SYRumbzbJ6unDAMooD1UfVk+W5jQyp1YEnuDZubgPj2
lc/mXVn0/9cmyPBF7b9J7nZsyl+Kcia/AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQB8oSNk2E7+QrVfDx75o9E+CJjNxf6jTDCw
GglRDHXSg92CF8L5JiK603gmNdWz+LtYQ0mVFKiZBKE5/UDyac2Xso6GfEH2nhir
k83CE6s1xm2hnzuFr0V45YtibFB00okrFthExdO3psvFrA4IP4Bao4e+lhWrxxyn
G7AquLhQIg==
-----END CERTIFICATE-----
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1147 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: A7BE27E4BA01EC8E84A8D143ACA501AA1FAB27409BFA73FA6AF7DBB5958E21F2
Session-ID-ctx:
Master-Key: 8AC518C3F3F1D53C32CF3D04FE1703BB8786C0F79600627D266683DE62021F0D9B89BC4FB45776747048DD9BC7EC6682
Key-Arg : None
Start Time: 1392403953
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
 

Zauny

Valued Member
root@mail:~# openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=10:certificate has expired
notAfter=May 4 22:53:25 2011 GMT
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
notAfter=May 4 22:53:25 2011 GMT
verify return:1
---
Certificate chain
0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC/zCCAmigAwIBAgIJAOWrXB7xeHWlMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMRwwGgYDVQQK
ExNDb3VyaWVyIE1haWwgU2VydmVyMS0wKwYDVQQLEyRBdXRvbWF0aWNhbGx5LWdl
bmVyYXRlZCBJTUFQIFNTTCBrZXkxEjAQBgNVBAMTCWxvY2FsaG9zdDElMCMGCSqG
SIb3DQEJARYWcG9zdG1hc3RlckBleGFtcGxlLmNvbTAeFw0xMDA1MDQyMjUzMjVa
Fw0xMTA1MDQyMjUzMjVaMIG1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAP
BgNVBAcTCE5ldyBZb3JrMRwwGgYDVQQKExNDb3VyaWVyIE1haWwgU2VydmVyMS0w
KwYDVQQLEyRBdXRvbWF0aWNhbGx5LWdlbmVyYXRlZCBJTUFQIFNTTCBrZXkxEjAQ
BgNVBAMTCWxvY2FsaG9zdDElMCMGCSqGSIb3DQEJARYWcG9zdG1hc3RlckBleGFt
cGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1hNoBT0+7gc/DlKl
p1ISSPCufoyGXXBuLKYxPpgjqvJ4gvunRHGZuZ6TOAlNOUR0fFe8r2jBw9cfWgFH
j36vKkQw5gvH6s75whZD06sXMPq/rvsiI5tcVIjcJkvD7cDBm3jYlnKUiniDDTcc
TbR3+fevSbdKXU9+gF6ytHR/HOMCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZA
MA0GCSqGSIb3DQEBBQUAA4GBACvx5pQ3hYo9Zaq23omww9zsj9R+uyQ0zlpHdPwT
Onbooeq5c8ExqJFURwNVKsgpJyTmRl3r0Xyuzwc1X5rkgkD+w2UJGsdSAx/x9u0s
F3P3Q4FHD4XVkcCsyIvEYj6UqIHtLhcHKf/aQXLy9QQxii7klI1p67FM0QG4Q5hF
vb1t
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 933 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 8703A8816E67668B612454E152D0B135CA75D16C5265BC169E7CCC440763AA76
Session-ID-ctx:
Master-Key: 19ADC2650B5A519EB554C0D41DD7C098D4F479111F541606223094AA727218A4B1252960A0D49D57D9F89DFC743C41DD
Key-Arg : None
Start Time: 1392406785
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
closed
 

Zauny

Valued Member
also they don't show up in netstat
root@mail:~# netstat -nat |grep 993
tcp6 0 0 :::993 :::* LISTEN
root@mail:~# netstat -nat |grep 995
tcp6 0 0 :::995 :::* LISTEN
root@mail:~#
 

rfs9999

IMAP Tools
You are able to make a connection to Courier on port 993 which means you don't have a networking problem.

I see in the CAPABILITY response that only one login method is enabled: "AUTH=PLAIN".

That means that other methods are disabled such as the following:

AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI AUTH=MSN AUTH=NTLM

AUTH=LOGIN is where you send username and password in the clear so if you are attempting that kind of login it is going to be rejected by Courier. Try doing a PLAIN login or modifying your Courier config to permit AUTH=LOGIN.

-Rick
 

Zauny

Valued Member
how and where can I enable AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI AUTH=MSN AUTH=NTLM...?
 

rfs9999

IMAP Tools
I'm not familiar with configuring Courier but a Google search suggests you might want to take a look at /usr/lib/courier/etc/imapd. That is apparently its IMAP configuration file.

-Rick
 

rfs9999

IMAP Tools
If you have the AUTH=LOGIN fixed then a user just has to configure his mail client by clicking the TLS or SSL button in his settings.

Can you do a normal user/password login now? I doubt many PC e-mail clients permit you to do PLAIN logins. If CAPABILITY now shows AUTH=LOGIN try this after openssl s_client connects and see if it says OK or NO/BAD.

1 login <user> <password>

-Rick
 

EQ Admin

EQ Forum Admin
Staff member
Do you have a load balancer in front of the server?

I handle SSL by enabling SSL at the load balancer for ports 993 995, but each individual server is running regular pop3d and imapd.
 

Zauny

Valued Member
but shouldn't I see the port open when I do a netstat -nat ...?
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
but all I am seeing is
tcp6 0 0 :::995 :::* LISTEN

how can I resolve this...
 

rfs9999

IMAP Tools
Some questions:

What do your Courier logs show?

Did you try to log into Courier as suggested?

Did you get Courier's AUTH LOGIN working?

Your openSSL s_client session shows that you _are_ able to access port 993 or you would not have gotten this: Courier-IMAP ready. I wouldn't worry too much about what netstat shows. Focus on whether you can log in and if not, why not.

When you get the "Courier-IMAP ready" prompt type in: "1 login <user> <password>" and tell us what you see.

-Rick
 

Zauny

Valued Member
Rick, Popwick, sorry about the delay in responding but was on another project. when I got the "Courier-IMAP ready" prompt and type in:
1 login <myusername> <mypassword>
I got...
1 OK LOGIN Ok.
 

rfs9999

IMAP Tools
So what's the problem? Looks like it is working. You can connect to port 993 from the openSSL client, Courier answers, and you can log in. If you can't do the same from a mail client then there's something wrong with its settings.

-Rick
 

EQ Admin

EQ Forum Admin
Staff member
If it's only listening on localhost, and/or there is a server based firewall, and/or there is a network based hardware firewall or ACL, mail programs won't be able to connect.
 

Zauny

Valued Member
You're right the error was in my client setting for IMAP, I got IMAP to authenticate using TLS for both incoming and outgoing emails. However I amstill having trouble with POP3 configuration when I tell my client to use SSL encryption to connect to the server (port 995). Regular POP3 (port 110) with TLS encryption on outgoing (port 25) works fine...

How can I get SSL for incoming POP3 to work...?
 

rfs9999

IMAP Tools
Courier may not be configured for POP on port 995. Try the openSSL s_client again and see what it tells you:

openssl s_client -connect <localhost:995>

If Courier is not listening on port 995 you'll get something like this:

openssl s_client -connect localhost:995
connect: Connection refused
connect:errno=146

-Rick
 

Zauny

Valued Member
I got the following...
root@mail:~# openssl s_client -connect localhost:995
CONNECTED(00000003)
write:errno=104
root@mail:~#
 

rfs9999

IMAP Tools
A quick Google search suggests this may be a POP configuration issue in your Courier setup.

-----------------------------------------------------------------
puzzling dot org: Courier IMAP/POP SSL errors
When I do 'openssl s_client -connect myhostname:995', I get: CONNECTED(00000003) write:errno=104

You need to change your TLS_PROTOCOL configuration file variable, and possibly (if you have it) your SSL_PROTOCOL variable to allow SSL version 2.

-------------------------------------------------------------

You might want to compare your IMAP and POP config settings.
Maybe POP SSL is not configured right.

/etc/courier/courier-imap-ssl

/etc/courier/courier-pop-ssl

-Rick
 
Top