Cannot Connect any server via IMAP

**Operating system:** Linux
**OS version:** CentOS 8

It has been a couple of weeks, installing virtual servers and so far, none of the email addresses can connect to any servers via IMAP; barely POP3 through 110/465 ports.

I’ve tried different options, like “Format for usernames that include domain” in Server Templates, to use username.domain and username@domain, but nothing works. Some of the email clients will not allow setting up an account without the @domain.tld; what would you recommend then?

This is a log entry at /var/log/maillog:

    Dec 22 14:53:18 host dovecot[1570]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=test@domain.tld, method=PLAIN, rip=50…72, lip=172.33333.184, TLS, session$

I also noticed that /etc/dovecot/conf.d/10-master.conf has “commented” all lines regarding IMAP ports and although I “uncommented” them, still nothing happens.

    service imap-login {
      inet_listener imap {
        # port = 143
      }
      inet_listener imaps {
        # port = 993
        # ssl = yes

Firewall ports 25, 110, 993, 995, 465, 587 and 53 (TCP/UDP) are open in the AWS instance’s Security and Webmin’s FirewallD; however, just Telnet is responding on port 110 with +OK Dovecot ready, all other ports are unreachable.

Installed Roundcube scripts are working on each server and accessible via https://domain.tld/roundcube; but we’d like to connect from other Email clients and manually configuring those clients.

Outlook auto-configuration XML is not working either; although Outlook is trying to connect to https://domain.tld/autodiscover/autodiscover.xml, it responds "Something went wrong and Outlook couldn’t setup your account."

The New user email message details doesn’t seem to be configured for IMAP use:

    Your mailbox has been set up successfully as follows :
    Email address: ${MAILBOX}@${DOM}
    POP3 login: ${USER}
    POP3 password: ${PLAINPASS}
    SMTP server: mail.${DOM}
    POP3 server: mail.${DOM}
    ${IF-FTP}
    FTP login: Enabled
    Home directory: ${HOME}
    ${ELSE-FTP}
    FTP login: Disabled
    ${ENDIF-FTP}

I’ve searched all articles in the Forum, and none of them provides step-by-step instructions; neither does the Virtualmin documentation.
Would somebody be nice to share instructions?

As root or sudo, run dovecot -n.

What is the auth_mechanism?

What drivers are listed for userdb and passdb?

Are imap and pop3 enabled in protocols?

What is the path for ssl_cert?

Do all the entries for all the domains appear to follow the correct format? They should be something along the lines of:

    local_name domain.tld {
      ssl_cert = </home/[user]/ssl.combined
      ssl_key = </home/[user]/ssl.key
    }

Richard

Hi @RJM_Web_Design,

In the /etc/dovecot/dovecot.conf file:

  • there is no auth_mechanism line
  • I don’t see any mention either to userdb and passdb
  • protocols = imap pop3 are enabled
  • there is no additional mention to ssl_cert other than this below:

    !include_try local.conf
    local_name domain.tld {
      ssl_cert = </home/[user]/ssl.combined
      ssl_key = </home/[user]/ssl.key
    }

Notice [user] is the admin user, created with the Virtual Server.

Regards,
Alberto

Grrr… Ignore my previous post. I was reading the output of dovecot -n rather than the /etc/dovecot/dovecot.conf file itself. My apologies. I’ll edit the post.

Run dovecot -n and take note of the values for auth_mechanism, userdb, passdb, and the path to ssl_cert.

Run cat /etc/dovecot/conf.d/10-ssl.conf, in the first section, do you have ssl = yes?

If not, make it so, save the file, restart dovecot, and cat /etc/dovecot/conf.d/10-ssl.conf again, noting the paths to ssl_cert and ssl_key after the next set of comments.

Then run dovecot -n again and check the values.

Richard

This was discussed here in the forums recently. Evidently, Outlook’s auto-config is looking for a .json file instead of .xml.

Hi @RJM_Web_Design,

Running dovecot -n, returns:

    #2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
    doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-master.conf line 70: Invalid size: $default_vsz_limit

/etc/dovecot/conf.d/10-ssl.conf already has ssl = yes and the paths as

    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem

If you don’t have certbot package installed, install it, and re-request a certificate for virtual server.

After doing the above, go to SSL Certificate > Service Certificate page and click Copy to Dovecot button. However, it should be done automatically and over-write a global, default Dovecot certificate located at /10-ssl.conf file.

Outlook auto-configuration XML is not working either

It should work for older versions of Outlook, which you presumably got, considering it’s calling autoconfig.xml file but only if it’s enabled on Email Settings > Mail Client Configuration page.

Thanks @Ilia,

Would you know where is the location of feature-mail.pl?

Installing the patch is returning:

    error: unrecognized arguments: -o /usr/share/webmin/virtual-server/feature-mail.pl

    ls: cannot access ‘/usr/share/webmin/virtual-server/feature-mail.pl’: No such file or directory


certbot package was already installed:

    [centos@host ~]$ sudo dnf install certbot python3-certbot-apache mod_ssl
    Last metadata expiration check: 2:25:54 ago on Wed 23 Dec 2020 12:06:09 PM PST.
    Package certbot-1.10.1-1.el8.noarch is already installed.
    Package python3-certbot-apache-1.10.1-1.el8.noarch is already installed.
    Package mod_ssl-1:2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
    Dependencies resolved.
    Nothing to do.
    Complete!

Certificates have also been previously copied to Dovecot and to Postfix, through SSL Certificate > Service Certificate

I’m running the latest version of Outlook, coming with Office365, and the autoconfig is enabled.

I’m assuming that’s the value for vsz_limit in the section

service imap {
    # Most of the memory goes to mmap()ing files. You may need to increase this
    # limit if you have huge mailboxes.
    vsz_limit = $default_vsz_limit
    
    # Max. number of IMAP processes (connections)
    #process_limit = 1024
    }

If so, please try commenting out vsz_limit = $default_vsz_limit (change it to #vsz_limit = $default_vsz_limit), restart Dovecot, and run dovecot -n again.

That’s not a required setting. I don’t even think the limit is enabled by default.

Richard

Hi @RJM_Web_Design,

    [centos@host ~]$ dovecot -n
    #2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
    #OS: Linux 4.18.0-240.1.1.el8_3.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)
    #Hostname: host.domain.tld
    doveconf: Error: ssl enabled, but ssl_dh not set
    local_name domain.tld {
      ssl_cert = </home/[user]/ssl.combined
      ssl_key = # hidden, use -P to show it
    }

dovecot -n doesn’t return too much, but after running dovecot config, I found:

    auth_mechanisms = plain login

    userdb {
      args =
      auth_verbose = default
      default_fields =
      driver = passwd
      name =
      override_fields =
      result_failure = continue
      result_internalfail = continue
      result_success = return-ok
      skip = never
    }

    passdb {
      args =
      auth_verbose = default
      default_fields =
      deny = no
      driver = pam
      master = no
      mechanisms =
      name =
      override_fields =
      pass = no
      result_failure = continue
      result_internalfail = continue
      result_success = return-ok
      skip = never
      username_filter =
    }

You can see the whole file, by clicking here

Okay, so it didn’t fail due to the vsz_limit error this time. That’s good.

I think your remaining problems are all SSL-related. Have you read this page yet?

You probably just have to define the path to dh.pem at this point, but reading the whole page wouldn’t hurt.

Also, I’m assuming the hostname was redacted in the page you uploaded?

Richard

Thanks @RJM_Web_Design,

I’ve updated the following parameters:

    ssl = yes
    #Preferred permissions: root:root 0444
    ssl_cert = </etc/ssl/certs/dovecot.pem
    #Preferred permissions: root:root 0400
    ssl_key = </etc/ssl/private/dovecot.pem

Notice the above refers to the ssl directory, but the actual location within conf.d/10-ssl.conf is pki, I checked the files and changed permissions in this last location.

Also generated openssl dhparam -out /etc/dovecot/dh.pem 4096, then
added ssl_dh = </etc/dovecot/dh.pem to /etc/dovecot/conf.d/10-ssl.conf

Restarted dovecot and could see responding properly when running dovecot -n, but still cannot connect via IMAP; the email client (in this case Outlook) is returning We couldn’t log on to the incoming (IMAP) server. Please check your email address and password and try again. I have tried IMAP in ports 143 (No Encryption), 993 (SSL/TLS)

I wonder if the issue is related to the fact that Outlook requires the username including @domain.tld and the System Settings -> Server Template is set to username.domain?


It does not recommend username@domain, because the Postfix mail server has problems with SMTP authentication.

I really don’t know much about Outlook. I haven’t used it in about 20 years and haven’t supported it since I sold my tech support business about 10 years ago.

I do know that I use username@domain with no issues connecting using any mail client at all, save for PUSH not working on Apple Mail, which is a client-side limitation. It works fine with Thunderbird, Canary, Android, K9, and every other client I’ve tried; but I’ve never tried it with Outlook.

I’ve created an account on a domain I use as a dedicated honeypot and will send you the credentials shortly by private message. Please set it up in Outlook and try to connect.

Can you connect using other IMAP clients or using telnet / openssl?

Also, I’d keep an eye out on the mail logs / firewall / fail2ban to make sure the IP Outlook is using isn’t being blocked due to “bad” login attempts.

Richard

Maybe what helped me recently is worth a try. Domains on local_name lines in /etc/dovecot.conf were replaced with mail server names.

    local_name mail.domain.tld {
      ssl_cert = </home/user/ssl.combined
      ssl_key = </home/user/ssl.key
    }

Hi @RJM_Web_Design,

I changed to username@domain and restarted dovecot but still cannot connect; do I need to do something else to apply username@domain?

Please check the maillog below:

    Dec 24 11:22:07 host dovecot[316364]: pop3-login: Login: user=< test >, method=PLAIN, rip=50.x.x.x, lip=172.x.x.x, mpid=316377, session=
    Dec 24 11:22:08 host dovecot[316364]: pop3(test)<316377>: Disconnected: Logged out top=0/0, retr=0/0, del=0/25, size=1012060
    Dec 24 11:23:11 host dovecot[316364]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=test@domain.tld, method=PLAIN, rip=50.x.x.x, lip=172.x.x.x, TLS, sessi$
    Dec 24 11:23:20 host postfix/smtpd[316808]: connect from unknown[183.136.225.45]
    Dec 24 11:23:20 host milter-greylist[773]: smfi_getsymval failed for {daemon_port}, using default smtp port

Notice POP3 works with username when Server Template is set to username.domain, but IMAP doesn’t work using username@domain.
This is a Microsoft forum, talking about this situation when using usernames instead of email addresses; somebody suggests using an Alias on the server side and I wonder if that is what Virtualmin’s help refers to: “The username@domain option is not recommended unless you are migrating users from another system that already uses it. The Postfix mail server has problems with SMTP authentication by users with an @ in the username, and requires that an extra Unix user be created for each mailbox for mail delivery to work.”

@RJM_Web_Design, I tried your dedicated honeypot account and could connect it via IMAP, without any problem; it’s frustrating and weird, but definitely an issue coming in the default installation of Virtualmin

Sorry @ramin, replacing local_name with mail server name didn’t work and FYI, my domain has also defined a wildcard domain as local_name *.domain.tld

Can other clients besides Outlook connect?

I’m actually within shouting range of competent with Dovecot, and I’m stumped at the moment.

Richard

Oh well, I thought I’d throw the idea into the mix. My issue was more about certs and SNI and had nothing to do with Outlook.

I also tried Thunderbird and failed as well.

Forum’s System sent me a notification saying: spam filter, Akismet, has temporarily hidden my previous post

This was maillog

    Dec 24 11:22:07 host dovecot[316364]: pop3-login: Login: user=< test >, method=PLAIN, rip=50.x.x.x, lip=172.x.x.x, mpid=316377, session=
    Dec 24 11:22:08 host dovecot[316364]: pop3(test)<316377>: Disconnected: Logged out top=0/0, retr=0/0, del=0/25, size=1012060
    Dec 24 11:23:11 host dovecot[316364]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=test@domain.tld, method=PLAIN, rip=50.x.x.x, lip=172.x.x.x, TLS, sessi$
    Dec 24 11:23:20 host postfix/smtpd[316808]: connect from unknown[183.136.225.45]
    Dec 24 11:23:20 host milter-greylist[773]: smfi_getsymval failed for {daemon_port}, using default smtp port
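
The maillog excerpts in this thread show POP3 accepting the bare username while IMAP rejects the username@domain form. The Python sketch below is an added example, not code from any poster, Virtualmin or Dovecot: it groups Dovecot login lines by username form and counts failed logins per remote IP, the figure to compare against a fail2ban threshold. The sample lines and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the maillog lines in the thread; the IPs are
# documentation addresses, not values from the page.
SAMPLE_LOG = """\
Dec 24 11:22:07 host dovecot[316364]: pop3-login: Login: user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=316377, TLS, session=<a1>
Dec 24 11:23:11 host dovecot[316364]: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<test@domain.tld>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<b2>
Dec 24 11:23:40 host dovecot[316364]: imap-login: Aborted login (auth failed, 2 attempts in 9 secs): user=<test@domain.tld>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<c3>
Dec 24 11:23:20 host postfix/smtpd[316808]: connect from unknown[198.51.100.4]
"""

# Angle brackets around the user are optional: pasted logs often lose them.
LINE_RE = re.compile(
    r"dovecot(?:\[\d+\])?: (?P<svc>imap|pop3)-login: "
    r"(?P<event>Login|Disconnected[^:]*|Aborted login[^:]*): "
    r"user=<?\s*(?P<user>[^>,\s]*)\s*>?,.*?\brip=(?P<rip>[^,\s]+)"
)

def parse(log_text):
    """Yield (service, ok, user, remote_ip) for each Dovecot login line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["svc"], m["event"] == "Login", m["user"], m["rip"]

def username_form_mismatches(log_text):
    """Accounts accepted under one username form but rejected under another.

    Assumption: accounts are grouped by the text before '@', so a
    'username.domain' style login is treated as a separate account.
    """
    seen = defaultdict(lambda: {"ok": set(), "failed": set()})
    for svc, ok, user, _rip in parse(log_text):
        form = "user@domain" if "@" in user else "bare"
        seen[user.split("@", 1)[0]]["ok" if ok else "failed"].add((svc, form))
    report = {}
    for local, r in seen.items():
        ok_forms = {form for _svc, form in r["ok"]}
        bad_forms = {form for _svc, form in r["failed"]}
        if ok_forms and bad_forms - ok_forms:
            report[local] = {"accepted": sorted(r["ok"]), "rejected": sorted(r["failed"])}
    return report

def failures_by_ip(log_text):
    """Failed login count per remote IP."""
    return dict(Counter(rip for _s, ok, _u, rip in parse(log_text) if not ok))
```

A non-empty result from username_form_mismatches points at the username format the passdb expects rather than at TLS or the firewall, since the same account authenticates under the other form.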