
I'm having an issue with a Postfix+Dovecot configuration on Ubuntu 16.04. I could configure my mailboxes and I can correctly send and receive emails, and now I wanted to set up POP3+IMAP.
The problem I'm having is that when connecting I always get the wrong certificate:

    root@server:~# openssl s_client -connect server:993   # with or without the servername parameter
    CONNECTED(00000003)
    depth=0 CN = localhost.localdomain
    verify return:1
    ---
    Certificate chain
     0 s:/CN=localhost.localdomain
       i:/CN=localhost.localdomain

So it does not return the certificate configured in /etc/dovecot/conf.d/10-ssl.conf. In this file I specify ssl, ssl_cert, ssl_key, ssl_key_password and verbose_ssl. For building the certificate I concatenated the "example.com" crt, the CA bundle and the key all in the same file.
The certificate used was issued for "example.com" (no subdomain), and I configured my server's /etc/postfix/main.cf to include "example.com" in the myhostname and mydestination fields. My MX record also points to "example.com".
The hostname of the machine is "server".

The only weird messages in the log are:

    May 20 01:33:47 server dovecot: lda(root): Error: chdir(/root/) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
    May 20 01:33:47 server dovecot: lda(root): Error: chdir(/root) failed: Permission denied
    May 20 01:33:47 server dovecot: lda(root): Error: User initialization failed: Namespace '': stat(/root/Maildir) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
    May 20 10:58:47 server dovecot: lda: Fatal: Invalid user settings. Refer to server log for more information.
    May 20 01:33:47 server dovecot: lda: Fatal: Invalid user settings. Refer to server log for more information.
    May 20 09:26:07 server postfix/smtpd[23663]: warning: cannot get RSA certificate from file "/etc/ssl/certs/mail_with_key_creationbyte_com.crt": disabling TLS support
    May 20 09:26:07 server postfix/smtpd[23663]: warning: TLS library problem: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:708:

The /root folder already has root:root 0700 permissions.
Any ideas which commands to use to debug this? I'm blind on how Dovecot decides which certificate to serve.

  • What other configuration changes did you make to Dovecot? And did you restart it? Commented May 20, 2018 at 6:19
  • Yes, I have restarted it many times after applying the changes. Other changes to the Dovecot server are the ones instructed to configure an IMAP/POP3 server here: namecheap.com/support/knowledgebase/article.aspx/9795/69/… Commented May 20, 2018 at 15:28

1 Answer

There were several problems here:

The 10-ssl.conf file was being replaced by this one with a higher number: /etc/dovecot/conf.d/99-mail-stack-delivery.conf

So no matter what I entered in 10-ssl.conf, it always returned the default configured in 99-mail-stack-delivery.conf (the default certificate was the localhost.localdomain one).

I was also pointing to the wrong port. I needed to use port 143.

The error I was getting about the certificate was because the cat command had malformed it like this: ----- END CERTIFICATE ---------- BEGIN CERTIFICATE ----- (missing a new line between the two).

Then there was a difference between the SMTP certificate in the Postfix config file and the certificate specified in 99-mail-stack-delivery.conf. The one in Postfix I had configured using an encrypted key file, but SMTP does not allow encrypted keys. So I had to point to the unencrypted key in the Postfix config.

Hope all this information helps a newbie like me to install the email server.

The most useful tools I used were:

    # summary and validation of all config
    dovecot -n
    # errors and verbose output
    tail -f /var/log/dovecot.log
    openssl s_client -connect example.com:143 -servername example.com -starttls imap
    openssl s_client -connect example.com:143 -servername example.com -starttls imap

With these two you can check your certificates and whether the service works.

Check the email queue: mailq command

Check that the ~/Maildir/{cur,new,tmp} folders exist and have the right permissions (youruser:youruser 0700)

Turn on logging for Outlook: File -> Options -> Advanced -> Other -> Enable troubleshooting logging. Logs will be in AppData\Local\Temp\Outlook Logging
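As an added check (example code written for this page, not from the post, Dovecot or Postfix), a small Python linter for a concatenated PEM bundle that catches the two bundle problems the answer ran into: boundary markers glued together by cat when a source file lacks a trailing newline, and a passphrase-protected key that Postfix will refuse to load. The sample bundles are constructed.

```python
import re

# Constructed samples (not from the post): a well-formed bundle, the same bundle
# glued the way the answer describes (no newline between END CERTIFICATE and the
# next BEGIN CERTIFICATE), and one carrying a passphrase-protected key.
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...key...\n-----END RSA PRIVATE KEY-----\n"
)
BAD_BUNDLE = GOOD_BUNDLE.replace(
    "-----END CERTIFICATE-----\n-----BEGIN", "-----END CERTIFICATE----------BEGIN", 1)
ENCRYPTED_KEY_BUNDLE = GOOD_BUNDLE.replace(
    "-----BEGIN RSA PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")


def lint_pem_bundle(text):
    """Return a list of problems found; an empty list means the bundle looks sane."""
    problems = []
    # 1. Every boundary marker must sit on its own line. `cat` of a file without
    #    a trailing newline produces a glued END/BEGIN line that OpenSSL rejects.
    for line in text.splitlines():
        if line.count("-----BEGIN ") + line.count("-----END ") > 1:
            problems.append("glued boundary: " + line.strip())
    # 2. BEGIN/END markers must pair up with matching labels, in order.
    blocks, open_label = [], None
    for m in BOUNDARY.finditer(text):
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_label:
                problems.append(f"BEGIN {label} inside unterminated {open_label}")
            open_label = label
        elif label != open_label:
            problems.append(f"END {label} without matching BEGIN")
            open_label = None
        else:
            blocks.append(label)
            open_label = None
    if open_label:
        problems.append(f"unterminated block: {open_label}")
    # 3. The bundle must carry a certificate chain, and if a key is included it
    #    must be unencrypted: Postfix cannot prompt for a passphrase.
    if "CERTIFICATE" not in blocks:
        problems.append("no CERTIFICATE block found")
    if "Proc-Type: 4,ENCRYPTED" in text or "ENCRYPTED PRIVATE KEY" in blocks:
        problems.append("private key is passphrase-protected; Postfix cannot load it")
    return problems
```

Run it over the file named in Dovecot's ssl_cert or Postfix's smtpd_tls_cert_file before restarting the daemons; an empty result means the bundle is at least structurally loadable.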
