I configured a mail server with Postfix, Dovecot and MySQL following the documentation.
When I add the mail account in Outlook, the connection is refused.
I tried everything I could find, but nothing helps.
Can somebody help me and give me simple, clear instructions?
Thanks a lot.
/etc/dovecot/dovecot.conf
auth_mechanisms = plain login mail_gid = vmail mail_home = /var/vmail/mailboxes/%d/%n mail_location = maildir:~/mail:LAYOUT=fs mail_privileged_group = vmail mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacat> namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * quota = maildir:User quota quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. 
/> sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/act> sieve_before = /var/vmail/sieve/global/spam-global.sieve sieve_global_extensions = +vnd.dovecot.pipe sieve_pipe_bin_dir = /usr/bin sieve_plugins = sieve_imapsieve sieve_extprograms } protocols = imap pop3 imaps pop3s lmtp sieve ssl_disable = no service anvil { unix_listener anvil { group = vmail mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0660 user = vmail } } service imap-login { inet_listener imap { port = 143 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } user = vmail } service managesieve-login { inet_listener sieve { port = 4190 } } #service stats { # unix_listener stats-reader { # group = vmail # mode = 0666 # user = vmail # } #} ssl = required ssl_cert = </etc/ssl/certs/dovecot.pem #ssl_cert_file = </etc/ssl.crt/domain.crt ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECD> ssl_key = </etc/ssl/private/dovecot.pem ssl_dh = </etc/dovecot/dh.pem #ssl_key_file = </etc/ssl.key/domain.key ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes ssl_dh_parameters_length = 2048 stats_writer_socket_path = userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } verbose_ssl = yes version_ignore = yes protocol imap { imap_idle_notify_interval = 29 mins mail_max_userip_connections = 20 mail_plugins = " quota imap_quota imap_sieve" } protocol lmtp { mail_plugins = " sieve notify push_notification" postmaster_address = admin@domain } !include conf.d/*.conf /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes /etc/dovecot/conf.d/10-ssl.conf
Letsencrypt is empty, so I added dovecot.pem as described in the documentation.
#ssl_dh_parameters_length = 2048 ssl_dh=</etc/dovecot/dh.pem ssl = required ssl_prefer_server_ciphers = yes verbose_ssl = yes # Preferred permissions: root:root 0444 ssl_cert = </etc/ssl/certs/dovecot.pem #ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem # Preferred permissions: root:root 0400ssl_key = </etc/ssl/private/dovecot.pem #ssl_key = </etc/letsencrypt/live/domaine/privkey.pem ssl_cipher_list = HIGH:!DH:!aNULL /etc/postfix/main.cf
## ## Netzwerkeinstellungen ## mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 inet_interfaces = 127.0.0.1, ::1, ip myhostname = mail.domain ## ## Mail-Queue Einstellungen ## maximal_queue_lifetime = 1h bounce_queue_lifetime = 1h maximal_backoff_time = 15m minimal_backoff_time = 5m queue_run_delay = 5m ## ## TLS Einstellungen ## Quelle: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=> ## ### Allgemein tls_preempt_cipherlist = no tls_ssl_options = NO_COMPRESSION tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA2> ### Ausgehende SMTP-Verbindungen (Postfix als Sender) smtp_tls_security_level = dane smtp_dns_support_level = dnssec smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_ciphers = medium smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt ### Eingehende SMTP-Verbindungen smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_ciphers = medium smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 !TLSv1.2 !TLSv1.3 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_cert_file=/etc/acme.sh/mail.domain/fullchain.pem smtpd_tls_key_file=/etc/acme.sh/mail.domain/privkey.pem smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem ## ## Lokale Mailzustellung an Dovecot ## virtual_transport = lmtp:unix:private/dovecot-lmtp ## ## Spamfilter und DKIM-Signaturen via Rspamd ## smtpd_milters = inet:localhost:11332 non_smtpd_milters = inet:localhost:11332 milter_protocol = 6 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_default_action = accept ## ## Server Restrictions für Clients, Empfänger und Relaying ## (im Bezug auf S2S-Verbindungen. 
Mailclient-Verbindungen werden in master.cf > ## ### Bedingungen, damit Postfix als Relay arbeitet (für Clients) smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination ### Bedingungen, damit Postfix ankommende E-Mails als Empfängerserver entgegenn> ### check_recipient_access prüft, ob ein account sendonly ist smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/> ### Bedingungen, die SMTP-Clients erfüllen müssen (sendende Server) smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_p> reject_unknown_client_hostname ### Wenn fremde Server eine Verbindung herstellen, müssen sie einen gültigen Ho> smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname # Clients blockieren, wenn sie versuchen zu früh zu senden smtpd_data_restrictions = reject_unauth_pipelining ## ## Restrictions für MUAs (Mail user agents) ## mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_dom> mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sende> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject ## ## MySQL Abfragen ## proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf proxy:mysql:/etc/postfix/sql/accounts.cf proxy:mysql:/etc/postfix/sql/domains.cf proxy:mysql:/etc/postfix/sql/recipient-access.cf proxy:mysql:/etc/postfix/sql/sender-login-maps.cf proxy:mysql:/etc/postfix/sql/tls-policy.cf virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf local_recipient_maps = $virtual_mailbox_maps ## ## Sonstiges ## ### Maximale Größe der gesamten Mailbox (soll von Dovecot festgelegt werden, 0 > mailbox_size_limit = 0 ### Maximale Größe eingehender 
E-Mails in Bytes (50 MB) message_size_limit = 52428800 ### Keine System-Benachrichtigung für Benutzer bei neuer E-Mail biff = no ### Nutzer müssen immer volle E-Mail Adresse angeben - nicht nur Hostname append_dot_mydomain = no ### Trenn-Zeichen für "Address Tagging" recipient_delimiter = + ### Keine Rückschlüsse auf benutzte Mailadressen zulassen disable_vrfy_command = yes /etc/postfix/master.cf
# ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== ### ### SMTP-Serverbindungen aus dem Internet ### Authentifizuerung hier nicht erlaubt (Anmeldung nur via smtps/submission!) smtp inet n - y - 1 smtpd -o smtpd_sasl_auth_enable=no ### ### SMTPS Service (Submission mit implizitem TLS - ohne STARTTLS) - Port 465 ### Für Mailclients gelten andere Regeln, als für andere Mailserver (siehe smtp> ### smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_relay_restrictions=$mua_relay_restrictions -o milter_macro_daemon_name=ORIGINATING -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf -o smtpd_helo_required=no -o smtpd_helo_restrictions= -o cleanup_service_name=submission-header-cleanup ### ### Submission-Zugang für Clients (mit STARTTLS - für Rückwärtskompatibilität) > ### submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_relay_restrictions=$mua_relay_restrictions -o milter_macro_daemon_name=ORIGINATING -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/sender-login-maps.cf -o smtpd_helo_required=no -o smtpd_helo_restrictions= -o cleanup_service_name=submission-header-cleanup ### ### Weitere wichtige Dienste für den Serverbetrieb ### 
pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verify unix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache ### ### Cleanup-Service um MUA header zu entfernen ### submission-header-cleanup unix n - n - 0 cleanup -o header_checks=regexp:/etc/postfix/submission_header_cleanup For dh.pem I used this
openssl dhparam 4096 > /etc/dovecot/dh.pem The dovecot.pem was generated by Dovecot.
file /etc/acme.sh/mail.domain/fullchain.pem /etc/acme.sh/mail.domain/fullchain.pem: ASCII text ls -la /etc/acme.sh/mail.domain/fullchain.pem -rw-r--r-- 1 root root 769 Nov 4 15:59 /etc/acme.sh/mail.domain/fullchain.pem The logfile:
Nov 05 12:17:59 mail systemd[1]: Started Dovecot IMAP/POP3 email server. Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl Nov 05 12:17:59 mail dovecot[845]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed Nov 05 12:17:59 mail dovecot[845]: config: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'imaps' protocol is no longer necessary, remove it Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:54: 'pop3s' protocol is no longer necessary, remove it Nov 05 12:17:59 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:55: ssl_disable has been renamed to ssl Nov 05 12:18:00 mail dovecot[845]: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:113: ssl_dh_parameters_length is no longer needed Nov 05 12:24:32 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<hmbf0WYJm3AoY55F> Nov 05 13:23:01 mail dovecot[845]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<2i39omcJm+0oY55F> The fullchain.pem is 1 kB and the privkey.pem too. I removed and changed the necessary parts on lines 54 and 55. But the other error still occurs.
I tried another thing:
openssl s_client -crlf -connect mail.domain:993 CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 313 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) I forgot to uncomment one thing.
GNU nano 5.4 /etc/dovecot/conf.d/10-ssl.conf #ssl_dh_parameters_length = 2048 #ssl_dh=</etc/dovecot/dh.pem ssl = required ssl_prefer_server_ciphers = yes verbose_ssl = yes ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem ssl_key = </etc/acme.sh/mail.domain/privkey.pem ssl_dh = </etc/postfix/dh2048.pem # Preferred permissions: root:root 0444 #ssl_cert = </etc/ssl/certs/dovecot.pem #ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem # Preferred permissions: root:root 0400 #ssl_key = </etc/ssl/private/dovecot.pem #ssl_key = </etc/letsencrypt/live/domain/privkey.pem ssl_cipher_list = HIGH:!DH:!aNULL Nov 5 12:09:22 mail dhclient[695]: XMT: Solicit on ens192, interval 115870ms. Nov 5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fea8:3303. Nov 5 12:09:22 mail dhclient[695]: RCV: Advertise message on ens192 from fe80::250:56ff:fe8b:ad44. Nov 5 12:09:32 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<b8o6nGYJ6wooY55F> Nov 5 12:10:01 mail CRON[36330]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/revisium-antivirus/scripts/ra_executor_run.php') Nov 5 12:10:03 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<v50LnmYJy0MoY55F> Nov 5 12:10:33 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<WMPhn2YJ6cAoY55F> Nov 5 12:10:45 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.222.141, lip=ip, session=<q2OOoGYJsfI0Yt6N> Nov 5 12:10:47 mail dovecot: imap-login: 
Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.101.83.53, lip=ip, session=<xuavoGYJz2IoZVM1> Nov 5 12:10:51 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.154.205, lip=ip, session=<J/fvoGYJ7Dg0YZrN> Nov 5 12:11:04 mail dovecot: imap-login: Error: Failed to initialize SSL servermpty: user=<>, rip=40.99.158.69, lip=ip, session=<mW26oWYJnXUoY55F> Thanks for your answer.
I edited the config file:
GNU nano 5.4 /etc/dovecot/conf.d/10-ssl.conf #ssl_dh_parameters_length = 2048 ssl_dh=</etc/dovecot/dh.pem ssl = required ssl_prefer_server_ciphers = yes verbose_ssl = yes ssl_cert = </etc/acme.sh/mail.domain/fullchain.pem ssl_key = </etc/acme.sh/mail.domain/privkey.pem ssl_dh = </etc/postfix/dh2048.pem # Preferred permissions: root:root 0444 #ssl_cert = </etc/ssl/certs/dovecot.pem #ssl_cert = </etc/letsencrypt/live/domain/fullchain.pem # Preferred permissions: root:root 0400 #ssl_key = </etc/ssl/private/dovecot.pem #ssl_key = </etc/letsencrypt/live/domain/privkey.pem ssl_cipher_list = HIGH:!DH:!aNULL But I still get an error:
Nov 5 11:59:46 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<IpxHeWYJXSooY55F> Nov 5 12:00:01 mail CRON[36176]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew) Nov 5 12:00:01 mail CRON[36177]: (psaadm) CMD (/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/monitoring/scripts/cloud-alerts.php') Nov 5 12:00:16 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<nC4We2YJYsMoY55F> Nov 5 12:00:25 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.145.245, lip=ip, session=<qu+ae2YJ1vw0YZH1> Nov 5 12:00:27 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.97.174.221, lip=ip, session=<4+y7e2YJSVc0Ya7d> Nov 5 12:00:31 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=52.98.144.213, lip=ip, session=<G078e2YJNvA0YpDV> Nov 5 12:00:47 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=40.99.158.69, lip=ip, session=<MNjlfGYJR7MoY55F>
What do `file /etc/acme.sh/mail.domain/fullchain.pem` and `ls -la /etc/acme.sh/mail.domain/fullchain.pem` return? Edit your question to include this information.