I cannot access webmail.domain.com


I am running Virtualmin 6.08, Webmin 1.941 and Usermin 1.791 on Debian Linux 8 running on a VPS.

I do not seem to be able to access any of my email accounts whether via usermin or via webmail.domain.com.

When Itry to access through webmail I get this error:

This site can’t be reached

webmail.xorex.rocks ’s server IP address could not be found.


When I try through usermin I get this error:

An error occured listing mail in this folder: Failed to login to POP3 server: [PRIVACY REQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

Right, I do not recall doing anything to change this and I do believe I was originally able to access the mail accounts so I have probably done something to cause this issue.

I do not use POP3, only IMAP. All servers are secured through letsencrypt, however I do not know if this certification extends to the mail server.

I have checked with the host command and forward and reverse calls appear to be working.

Can anyone offer some ideas for me to try please?



perhaps a dns issue (dns probe finished no domain)

have you checked via some tools such as mxtoolbox to ensure your dns is resolving?

Hi Adam, thanks for the reply.

I am not a DNS expert (!) so am stabbing in the dark when I do anything with it. However, when I checked the DNS Zone on my VPS (at OVH) I saw that mail.xorex.rocks was directed to xorex.rocks but the IMAP, POP3 and SMTP were still pointing to ovh servers. I have changed them all to point to xorex.rocks. These were all CNAME records which I (think I) understand.

However there are some others that are SVR or TXT records that I do not. Here is the full DNS listing. Can you help me make sure they are correct? I know that the NS entries have to remain as they are but the rest are a mystery to me.

Domain. TTL Type Target

xorex.rocks. 0 NS dns109.ovh.net.

xorex.rocks. 0 NS ns109.ovh.net.

xorex.rocks. 0 MX 1 mail.xorex.rocks.

xorex.rocks. 60 A

xorex.rocks. 0 TXT “1|www.xorex.rocks”

xorex.rocks. 600 SPF “v=spf1 include:mx.ovh.com ~all”

autoconfig.xorex.rocks. 0 CNAME mailconfig.ovh.net.

autodiscover.xorex.rocks. 0 CNAME mailconfig.ovh.net.

_autodiscover._tcp.xorex.rocks. 0 SRV 0 0 443 mailconfig.ovh.net.

ftp.xorex.rocks. 0 CNAME xorex.rocks.

imap.xorex.rocks. 0 CNAME xorex.rocks.

_imaps._tcp.xorex.rocks. 0 SRV 0 0 993 ssl0.ovh.net.

mail.xorex.rocks. 0 CNAME xorex.rocks.

pop3.xorex.rocks. 0 CNAME xorex.rocks.

smtp.xorex.rocks. 0 CNAME xorex.rocks.

_submission._tcp.xorex.rocks. 0 SRV 0 0 465 ssl0.ovh.net.

www.xorex.rocks. 0 TXT “3|welcome”

www.xorex.rocks. 0 TXT “l|gb”

www.xorex.rocks. 0 CNAME xorex.rocks.

Hmmm. Im not sure about a lot of those dns records.
Also , why are you using ovh nameserver if this is a vps? Is ovh also your registrar? If the above records are with ovh then you need to disable bind dns for the domain in virtualmin (outlined below in this post)

All that is needed to resolve the dns error is a single A record…something like
xorex.rocks A record (use your vps ip addres here)TTL= 300 (this is the number of seconds and i have initially set for 5 minutes)

For email, you dont use webmail.xerox.rocks necessarily…“webmail.” is a subdomain used by some email programs online access…but its not always used by outlook or thunderbird email clients, they will simply follow the informaiton about “incoming and outgoing mail server” that you enter when setting up your email client app. (ie server1.xerox.rocks or bad1.xorex.rocks or whatever your call your server… host.domain.com)

So for mail record, you do something like…
xerox.rocks mx record (use your server ip address here) 5 (emai record priority)

You appear to have an mxrecord pointing at a name…that is not actually the rule for mxrecords. If I am not mistaken and MX record must point at an ipaddress.

You then need 2 further records for mail…an spf record and a _dmarc record. Best to use online tools to generate these (google each …ie spf generator or _dmarc record generator)

if you are using virtualmin to control dns, then you would need to setup your system as a nameserver…this requires registering glue record with your domain registrar. I would suggest you do not use this option initially. So in Virtualmin>Edit Virtual Server, disable dns for you website. see below,

Then just:

  1. point a single A record at your VPS in your registrars domain console where zone records go (this will get website working)
  2. add your mx, spf, _DMARC records (this will get email dns working)

I forgot one other thing, you also need to ensure that you have setup a “reverse ptr” with ovh. Failure to do this will cause you problems down the track with mail. reverse ptr is used to help with email server security checks and is one of the first ports of call in determining if your mail server is an authentic one or hacker (criminals are slack asses and almost always cant be bothered with such things)

I am not sure if xorex.rocks is your full domain name or whether its xorexrocks.com?


It is a VPS provided by/through OVH who is also the registrar for the domain so the default setting for a domain allocated to them uses their nameservers and mail references. I wondered about setting up my own nameservers but once more it is an area of black magic for me! [Have now organised. See below]

The webmail message is from using a web browser to access the mail account. To access mail via a browser directly Virtualmin uses webmail.domain.name doesn’t it? Neither usermin nor webmail are working for me. The only way I can see mail is through the virtualmin interface. I can receive email into the accounts but cannot send mail out at the moment. It tells me it has sent but nothing arrives at my email account.

My MX record is xorex.rocks. 0 MX 1 mail.xorex.rocks. TTL is 0 (I copied this from the OVH setup) so mail.xorex.rocks is my mail server but I have assumed that is what virtualmin sets up? [Yes I have confirmed this in the server config section]

Anyway, I read up about DNS and now understand (a bit about) the BIND server so have done two things. Requested from OVH to make my server a nameserver for the xorex.rocks account and set my nameservers to ns1.xorex.rocks and ns2.xorex.rocks and set them both up in BIND as NS and A records. Checked BIND config and it is happy.

whois still reports NS with OVH so I think we need to wait until the transfer occurs and OVH confirm that my nameserver is attached to the domain. Once it transfers the BIND entries will take over and OVH becomes redundant.

While waiting for the nameservers to transfer, I corrected the MX record and added an A record to match it. It is correct on my BIND server.

The spf record exists on the OVH details and also on BIND (although OVH uses ~ and BIND uses ? as the moderator.

I am unsure about the dmarc record. I have activated it on Virtualmin but have not yet had enough time to read it up and set it up but will try to do that today (as I am now suffering from flu or a virus and cannot get out).

Full domain name is xorex.rocks, no .com.

I have setup a reverse DNS (which I assume is the same as the PTR reference?).

Will write again when the tranfer (glue) occurs.


You don’t have a DNS entry for webmail.xorex.rocks which is why it doesn’t work.

You should be able to access Usermin on https://yourservername.tld:20000

Thanks Adam.

I have added the DNS record and now webmail.xorex.rocks takes me to my Usermin account so that bit is sorted.

However the Usermin error that I shared in my original post:

An error occured listing mail in this folder: Failed to login to POP3 server: [PRIVACY REQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

is still there so I still cannot access the mail account through Usermin.



Here is a screen shot of the error that I get no matter which account I log into.


This is becoming increasingly bizare! I thought I would use the AppleMail connection doctor to see if it could give me any insight. So I set up a new account for xorex@xorex.rocks and it autoconfigured and worked!

However, it is working to the extent that it is viewing the inbox on the server over IMAP. It is still not sending any emails out. This is the same whether I try it from my applemail or directly on the server.

I am going to play with the smtp server but welcome any more input.


I think I have found the problem, I just do not know where to fix it (yet).

I checked the postfix modules one by one and finally got to message queue which has six messages (three of mine and three generated by the server) sitting there waiting to go out. When I read through the queue they all timed out on delivery over port 25 which is the old non-secure port. Here is some of the data I extracted from the queue:

…connect to mail.xorex.site[]:25: Connection timed out|
…connect to mx5.mail.icloud.com[]:25: Connection timed out|

I found this explanation for port 25 issues (the quote below) and I suspect OVH have closed it off (my server still goes through theirs so I assume there closure affects my server). Or maybe virtualmin has closed (or not default opened) port 25 on my server.

“Most Internet service providers now block all outgoing port 25 traffic from their customers as an anti-spam measure. For the same reason, businesses will typically configure their firewalls to only allow outgoing port 25 traffic from their designated mail servers.”

I assume that if I change the outgoing default port to the correct value of 465 or 587 it will work. Looking at the firewall smtp 25 is open on my server so I suspect it is OVH that are preventing it going out. I appear to have opened 587 (as I think this is the preferred port for OVH).

My problem now is finding where to set the smtp default to port 587 to try to flush them out. I will keep looking but if you know please pass it on!


Well, I found lots of references to opening ports on postfix by amending the main.cf file but no matter what I do (including rebooting the entire server) it is still trying to send on port 25.

Any advice?


Everyone says the same thing;

… uncomment submission-line in /etc/postfix/master.cf
submission-module will then relay all incoming smtp to postfix using port 587.

My problem is that even having done that it still tries to use 25.

Here is my master.cf

Postfix master process configuration file. For details on the format

of the file, see the master(5) manual page (command: “man 5 master” or

on-line: http://www.postfix.org/master.5.html).

Do not forget to execute “postfix reload” after editing this file.


service type private unpriv chroot wakeup maxproc command + args

(yes) (yes) (yes) (never) (100)


smtp inet n - - - - smtpd

587 inet n - n - - smptd

-o smtpd_sasl_auth_enable=yes
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp

-o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache


Interfaces to non-Postfix software. Be sure to examine the manual

pages of the non-Postfix software to find out what options it wants.

Many of the following services use the Postfix pipe(8) delivery

agent. See the pipe(8) man page for information about ${recipient}

and other message envelope options.


maildrop. See the Postfix MAILDROP_README file for details.

Also specify in main.cf: maildrop_destination_recipient_limit=1

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}


Recent Cyrus versions can use the existing “lmtp” master.cf entry.

Specify in cyrus.conf:

lmtp cmd=“lmtpd -a” listen=“localhost:lmtp” proto=tcp4

Specify in main.cf one or more of the following:

mailbox_transport = lmtp:inet:localhost

virtual_transport = lmtp:inet:localhost


Cyrus 2.1.5 (Amos Gouaux)

Also specify in main.cf: cyrus_destination_recipient_limit=1

#cyrus unix - n n - - pipe

user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}


Old example of delivery via Cyrus.

#old-cyrus unix - n n - - pipe

flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}


See the Postfix UUCP_README file for configuration details.

uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

Other external delivery methods.

ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

Next line commented by GJJ as it already exists above.

submission inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes

and here is main.cf

See /usr/share/postfix/main.cf.dist for a commented, more complete version

Debian specific: Specifying a file name will cause the first

line of that file to be used as the name. The Debian default

is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

appending .domain is the MUA’s job.

append_dot_mydomain = no

Uncomment the next line to generate “delayed mail” warnings

#delay_warning_time = 4h

readme_directory = no

TLS parameters

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = xorex.rocks
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = dane
allow_percent_hack = no
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Does any of this mean anything to you? Can you unravel it for me?

Despite uncommenting the lines I was told, nothing changes. Even commenting out the smtp line does not change things. Something is telling Postfix to use port 25 but I cannot find what it is.



Try adding

relayhost = [mail.yourISP.com]

to main.cf. That will send your outbound email out via your ISP’s mail server which won’t have been blocked for sending email to the rest of the internet. If you are intending to send a lot of email (as in hosting customers etc), I’d suggest you talk to the ISP’s support team and discuss options. Also, they may require users to authenticate prior to sending, in which case you have more work to do before this will work.

Yes if port 25 is blocked you need to use a mail relay host.
When i had a google cloud vps i had this problem and used Sendgrid as relay host for email.

The subdomain webmail.domain.com has nothing to do with your mail issues.virtualmin doesnt need that for email to work.
Your mxrecord should point to your mail server hostname.domain.com. if you called your server webmail.domain.com then fine use that record, but if your server is called geoff1.domain.com then this is the dns mx record you should be using. It depends on what you called your server.

Thanks guys.

For the record, OVH had shut my port 25 last June and I had completely forgotten about it.

The annoying thing is that it was shut as I was experimenting with a proxy server for 2 (yes just 2) days on my server and in that time it was picked up for having an open relay and blacklisted.

Has taken a couple of days to sort but the machine has been cleaned and the blacklist removed and SOME emails are now leaving but one of my servers at bluehost.com is still rejecting emails from this server. I do not want to use a relay host and the email is not critical at the moment (I am building the server to take all my current servers form various hosts to have them on one privately controlled Virtualmin installation and until it is ready nothing is moving). Having said that I want it done asap but at a pace where I can absorb the knowledge some of which is new to me (DOH! DNS over HTTPS, not Homer Simpson) some of which is tightening my existing understanding (DNS and email).

This topic has forked a bit I am afraid. I now can access webmail.domain.com (fork 1) and when I do it presents me with the usermin interface. So far so good. However, I am still stuck unable to read email through the interface (see screenshot in post 8 from Mar 10 above) and I have yet to uncover what is causing that error (Fork 2).

Until I am happy that email is coming and going properly through the server, I do not want to pursue this secondary problem hence this update. I will post more questions on it once email is running properly over the mail server.

However I do have a request. In playing with the Postfix server unnecessarily (as it was blacklisting causing the problem) I have messed up my config files and am getting some error messages running postfix reload. Rather than try to identify why, I thought it would be better to simply replace the main.cf and master.cf files and start again but try as I may, I simply cannot find a vanilla version of the files that are loaded at installation and do not want to re-install postfix as I am uncertain of the effect it would have on existing information relative to my setup in other areas.

Can anyone point me to the vanilla versions for me to upload please?



Hi, I hope you are still following this issue for me.

The error message:

is related to SSL authentication on the dovecot server. If I change the dovecot settings under Webmin:Servers:DovecotIMAP/POP3 Server - module SSL Configuration - Disallow plaintext authentication in non-SSL mode? to No, I can access my mail through usermin as normal.

However, this now means that usermin email access is unsecure. I need to resolve it to ensure the server is properly secured.

After boot, if I go to the Dovecot area again and without making any changes and simply ask it to Apply Configuration, I get the following errors:

Failed to apply configuration :

Error: service(imap-login): listen(, 143) failed: Address already in use
Error: service(imap-login): listen(::, 143) failed: Address already in use
Error: service(imap-login): listen(
, 993) failed: Address already in use
Error: service(imap-login): listen(::, 993) failed: Address already in use

Fatal: Failed to start listeners

If I Apply Configuration a second time it tells me:

Failed to apply configuration : No longer running

However, if I check status with /etc/init.d/dovecot status, it tells me it is running and it gives stats for the previous few logins.

To clear the issue with the Apply Configuration button in webmin I have to execute a stop and start command and Dovecot appears to work properly again.

First request. How do I overcome the “Plaintext authentication disallowed on non-secure (SSL/TLS) connections.” issue so that the server is secured?

Second request. How do I bring these issues to the attention of the webmin team?


This topic was not resolved but is now closed.

This topic is closed.