IMAP connection with Dovecot keeps failing (time-out)
You have a DROP rule before the ufw rules which denies imaps connections. And this is not the only rule which can create problems. You should check how they got there; maybe you used -I instead of -A in before.rules or after.rules.
1381K 214M ACCEPT all -- lo any anywhere anywhere
222K 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
398 23248 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
7903 443K ACCEPT tcp -- any any anywhere anywhere multiport dports http,https
7460 441K DROP all -- any any anywhere anywhere
All of the above rules are inserted before the ufw rules and can cause problems. For example, if you configure ufw to deny http or https, these rules will allow those ports anyway.
TomDogg
Updated on September 18, 2022
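As an added illustration (not part of the question or the answer), here is a small Python model of how iptables walks INPUT. It rebuilds the situation from the question: the hand-added rules, ending in an unconditional DROP, sit before the jump into ufw-before-input, so a new connection to 993 is dropped before ufw's imaps ACCEPT is ever consulted; with the ufw jump first (the order -A would have produced), the same packet reaches ufw-user-input. Rule sets are constructed and reduced (the fail2ban f2b-* chains are omitted), the interface name eth0 is assumed, and shadowed() is the ordering check the TL;DR asks for.

```python
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass(frozen=True)
class Rule:
    """One iptables rule: match fields plus a target (verdict or user chain)."""
    target: str
    proto: str = "all"               # "all" matches every protocol
    dports: frozenset = frozenset()  # empty = any destination port
    in_if: str = "any"               # incoming interface, e.g. "lo"
    ctstate: frozenset = frozenset()  # empty = any conntrack state

    def matches(self, pkt):
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and (not self.dports or pkt["dport"] in self.dports)
                and (self.in_if == "any" or self.in_if == pkt["in_if"])
                and (not self.ctstate or pkt["ctstate"] in self.ctstate))

def walk(chains, chain, pkt, trail):
    """Traverse one chain in order, recursing into user chains as iptables does."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        trail.append(f"{chain}:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        sub = walk(chains, rule.target, pkt, trail)  # jump into a user chain
        if sub is not None:
            return sub  # the user chain reached a verdict
    return None  # fell off the end: continue in the calling chain

def verdict(chains, policy, pkt):
    """Final verdict for a packet entering INPUT, plus the rules it hit."""
    trail = []
    return walk(chains, "INPUT", pkt, trail) or policy, trail

def shadowed(rules):
    """Targets after an unconditional terminating rule: they can never match."""
    for i, r in enumerate(rules):
        if r.target in TERMINAL and r == Rule(r.target):
            return [x.target for x in rules[i + 1:]]
    return []

# Hand-added INPUT rules from the question (constructed; f2b-* jumps omitted).
MANUAL = [
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", "tcp", frozenset({22})),
    Rule("ACCEPT", "tcp", frozenset({80, 443})),
    Rule("DROP"),
]
# ufw's own chains, reduced to what a new IMAPS connection traverses.
UFW = {
    "ufw-before-input": [
        Rule("ACCEPT", in_if="lo"),
        Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ufw-user-input"),
    ],
    "ufw-user-input": [Rule("ACCEPT", "tcp", frozenset({p}))
                       for p in (22, 80, 443, 25, 587, 993)],
}

def build(manual_first):
    """INPUT with the manual rules before the ufw jump (-I) or after it (-A)."""
    jump = [Rule("ufw-before-input")]
    return {"INPUT": MANUAL + jump if manual_first else jump + MANUAL, **UFW}
```

Port 443 is accepted in both layouts by the manual multiport rule, which is why nginx kept working while every port allowed only through ufw timed out.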
-
TomDogg over 1 year
*TL;DR: if you have connection problems, not only make sure you have added the required rules to your firewall, but also make sure (iptables -L -v) that the rules are in the correct order!*
It's been a few days now, and I can't figure out why my IMAP set up (on port 993) refuses to work (with Dovecot, version 2.2.22). The connection does not succeed, for some reason I don't see.
Troubleshooting the connection with openssl: Connecting on port 993 does not work:
$ openssl s_client -connect my-domain.com:993
returns:
connect: Connection timed out
connect:errno=110
But the port used (993) seems open:
$ ufw status
returns:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
110/tcp                    ALLOW       Anywhere
995/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
587/tcp (v6)               ALLOW       Anywhere (v6)
993/tcp (v6)               ALLOW       Anywhere (v6)
143/tcp (v6)               ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)
110/tcp (v6)               ALLOW       Anywhere (v6)
995/tcp (v6)               ALLOW       Anywhere (v6)
My dovecot config is:
$ dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-38-generic x86_64 Ubuntu 16.04.1 LTS ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/www.my-domain.com.chained.crt
ssl_key = </etc/ssl/localcerts/www.my-domain.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
EDIT 1:
Key and certificate do match:
$ (openssl x509 -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.crt | openssl md5 ;\
   openssl rsa -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.key | openssl md5) | uniq
returns only 1 identifier:
(stdin)= cfcbed2e4061910c47c5008d8732e522
EDIT 2:
Enabling maximum logging for Dovecot, with:
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
verbose_ssl=yes
auth_verbose_passwords=sha1
returns:
$ tail -f /var/log/mail.log
dovecot: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3, lmtp (core dumps disabled)
[...]
dovecot: lmtp(5491): Connect from local
dovecot: lmtp([email protected]): +rg7LUpw6ldzFQAAxWOCog: msgid=<[email protected]>: saved mail to INBOX
dovecot: lmtp(5491): Disconnect from local: Successful quit
EDIT 3:
Connecting via SSL to the webserver (Nginx) which uses the same certificate and key on port 443 works totally fine:
$ openssl s_client -connect my-domain.com:443
EDIT 4:
I used the same version of Dovecot, the same Dovecot configuration and the same certificate+key on the old server, where the IMAP connection with Dovecot worked totally fine.
EDIT 5:
Trying to establish the connection on the IMAP port 993 (via openssl s_client) with the parameter -dtls1 seems to do something:
$ openssl s_client -connect my-domain.com:993 -dtls1 -debug
returns (very slowly) something like this:
CONNECTED(00000003)
[...]
read from 0x1e8dde0 [0x1e93413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
139876009338520:error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired:d1_lib.c:495:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 2424 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : DTLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1474892601
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
...and then the connection is closed.
However, using the parameters -tls1 (TLSv1), -tls1_1 (TLSv1.1) or -tls1_2 (TLSv1.2) returns the time-out message:
connect: Connection timed out
connect:errno=110
EDIT 6:
If I enable the secure POP port 995 in Dovecot, restart it, open this port in the firewall, and then try:
openssl s_client -connect my-domain.com:995
...I also get the time-out error
connect: Connection timed out
connect:errno=110
apparently indicating that the source of the problem applies to both IMAP and POP.
EDIT 7:
The right processes seem to listen on the right ports:
$ netstat -tulpn
returns:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2827/nginx
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      2327/opendkim
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      1918/monit
tcp        0      0 127.0.0.1:34305         0.0.0.0:*               LISTEN      2915/public
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2269/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2827/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2249/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      2597/master
tcp6       0      0 :::993                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::995                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::587                  :::*                    LISTEN      2597/master
tcp6       0      0 :::110                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::465                  :::*                    LISTEN      2597/master
EDIT 8:
Telnet works only on ports 80 and 443 (used by Nginx), all other ports don't seem to respond (time-out).
EDIT 9:
I just did a port scan using nmap 12.34.56.78 and it showed only
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
If you look at the result from ufw status posted above, you can see that I allowed a whole list of ports that are not "found" by nmap. What is the reason for this, and what is the solution? (I know it's not my network or provider: I can connect to my old/"identical" server and the nmap scan shows the required IMAPS port as "open".)
EDIT 10:
$ iptables -L -v
returns:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 118K 7235K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7228K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 118K 7226K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7226K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere
    0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 53 packets, 3160 bytes)
 pkts bytes target     prot opt in     out     source               destination
1575K  531M ufw-before-logging-output  all  --  any    any     anywhere             anywhere
1575K  531M ufw-before-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-after-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-reject-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain f2b-HTTPS (4 references)
 pkts bytes target     prot opt in     out     source               destination
1547K  228M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-SSH (2 references)
 pkts bytes target     prot opt in     out     source               destination
 235K   14M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-nginx-http-auth (2 references)
 pkts bytes target     prot opt in     out     source               destination
 975K  128M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     62-210-106-228.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
 235K   14M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ufw-not-local  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
1381K  214M ACCEPT     all  --  any    lo      anywhere             anywhere
 194K  317M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  537 97799 ufw-user-output  all  --  any    any     anywhere             anywhere

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  112 10791 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  300 22604 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
-
coladict over 7 years
So, you're only testing it with openssl s_client? Have you tried an actual email client like Thunderbird?
-
TomDogg over 7 years
Yes, I also use Thunderbird (and it can't connect), but I fear it may introduce additional potential error sources, making the situation even more complex. Which is why I then used openssl s_client.
-
coladict over 7 years
Comparing the configuration with the one on our server, the inet_listener definitions for imap, imaps, pop3, pop3s are empty on our end. I'm assuming it just takes some default values. Also a long list added to ssl_cipher_list from some security site that recommended which to enable/disable, but it doesn't look as if your connection reaches that far.
-
TomDogg over 7 years
Yes, commented out inet_listener values mean default values (I have used this tutorial: linode.com/docs/email/email-with-postfix-dovecot-and-mysql).
-
Laurentiu Roescu over 7 years
I think it is the firewall. Can you please post the output of iptables -L -v? I can't be sure, but I think you have a drop before the ufw rules.
-
TomDogg over 7 years
@LaurentiuRoescu - Done, please see: EDIT 10
-
Joe over 7 years
Just for testing and to verify a problem in the firewall: if you turn off the firewall, can you make connections?
-
Joe over 7 years
It looks like @LaurentiuRoescu is correct. The accept imaps rule is in the ufw-user-input chain, which is in the ufw-before-input chain, which is in the INPUT chain after the DROP all from anywhere line. So packets get dropped before any chance to match the imaps rule.
-
TomDogg over 7 years
Thank you; unfortunately, this did not change the situation. I interpreted your comment like this: in /etc/dovecot/conf.d/10-auth.conf change disable_plaintext_auth = yes to disable_plaintext_auth = no, and in /etc/dovecot/conf.d/10-ssl.conf change ssl = required to ssl = yes, then restart Dovecot. (The log file entries posted above also say SSL negotiation finished successfully [127.0.0.1], which makes me doubt that the problem lies with the SSL set up, but I'm no expert.)
-
TomDogg over 7 years
Thank you; unfortunately, adding this entry in the file /etc/hosts and rebooting doesn't solve the problem: the Dovecot log entries posted above stay the same and the command openssl s_client -connect my-domain.com:993 still results in the above-mentioned time-out error message.
-
Leahkim over 7 years
You talk about the firewall; what do you get by connecting to nginx on port 993 or 995 (with dovecot stopped)?
-
TomDogg over 7 years
Thanks; the server is currently running in production, so I'd first like to say something else that clearly is fishy (please see EDIT 9).
-
TomDogg over 7 years
So is it safe to say that all "CAPITAL rules" (such as ACCEPT, REJECT, DROP, RETURN, LOG, ...) should always be at the very bottom of a "block"?