Send timeouts using IMAP and TLS wildcard Cert

So I have a GoDaddy wildcard cert and I installed it and copied it via the buttons in SSL management.

This worked fine for months, but recently IMAP emails started timing out on sends.

I looked into it and I don't see many errors. The errors manifest themselves as Roundcube timing out on sends, or MS Outlook timing out on sends (with the message eventually sending).

Outlook sometimes throws:

Task ‘ - Sending’ reported error (0x8004210B) : ‘The operation timed out waiting for a response from the sending (SMTP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).’

However, that email eventually goes through.

Roundcube sometimes throws a “timeout” too.

/var/log/mail.log shows nothing weird
/roundcube/errors no errors

Everything worked fine until a day ago.

I re-keyed the cert but that didn’t help either.

There is nothing in this message that indicates an issue with SSL. It is your own assumption that the certificate is at fault - how correct that is remains to be seen.

The timeout error could be triggered due to a number of causes - see Resolved: Sending reported error 0x8004210b in Outlook

Well, when looking at the logs initially it complained about a chain certificate error, so then I re-keyed it per the recommendation of GoDaddy, so yeah, I don't know what to look at. The problem is it eventually does go in Outlook, but Roundcube not so much.

Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

That is the issue I’m seeing that made me think SSL.

I am ignoring your hypothesis about the SSL cert and investigating a theory of my own: could you check mail logs for process limit warnings?

Webmin -> System -> System Logs and view mail log. Then in the box next to Only show lines with text, enter “process limit” without the quotes. Hit Refresh. Any results found?

I think you may have bingo on your card, sir.

```
Jun 23 11:18:53 mail postfix/master[1406]: warning: service "submission" (587) has reached its process limit "100": new clients may experience noticeable delays
```

Ha! I have saved you a fortune in hair transplant bills.

Next, let’s check if your server is being subjected to a brute force attack.

```
grep -w "connect from" /var/log/mail.log | awk -F"[" '{print$3}' | awk -F"]" '{print$1}' |sort -n |uniq -c |sort -nr | head -25
```

If it is, then you should find ways to contain the brute force attack; if not then your process limit of 100 is being reached due to valid use and you should consider increasing it, keeping in mind the corresponding increase in resources that will be required to serve a greater number of processes.
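The check described in this reply, extended as an added example that is not part of the original thread: it counts connections per client IP as the pipeline above does and sets SASL authentication failures beside them, so a busy legitimate client can be told apart from a password-guessing source. The function names and the sample log lines are constructed for illustration, and the assumed log format is Postfix's usual `connect from host[ip]` and `warning: host[ip]: SASL ... authentication failed`.

```shell
#!/bin/sh
# Added example (not from the thread). The log lines below are constructed.
sample_log() {
cat <<'EOF'
Jun 23 11:18:01 mail postfix/submission/smtpd[2101]: connect from unknown[203.0.113.7]
Jun 23 11:18:03 mail postfix/submission/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 23 11:18:03 mail postfix/submission/smtpd[2101]: disconnect from unknown[203.0.113.7]
Jun 23 11:18:04 mail postfix/submission/smtpd[2102]: connect from unknown[203.0.113.7]
Jun 23 11:18:06 mail postfix/submission/smtpd[2102]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:
Jun 23 11:18:07 mail postfix/submission/smtpd[2103]: connect from unknown[203.0.113.7]
Jun 23 11:18:09 mail postfix/submission/smtpd[2103]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 23 11:18:20 mail postfix/submission/smtpd[2104]: connect from client.example.net[198.51.100.20]
Jun 23 11:18:22 mail postfix/submission/smtpd[2104]: disconnect from client.example.net[198.51.100.20]
Jun 23 11:18:53 mail postfix/master[1406]: warning: service "submission" (587) has reached its process limit "100": new clients may experience noticeable delays
EOF
}

# Print "connects sasl_failures ip" per client, busiest first.
# $1 = log file ("-" for stdin), $2 = rows to show (default 25).
mail_connect_report() {
    awk '
        # Return the text inside the first [...] that follows marker.
        function ip_after(marker,   rest, s, e) {
            rest = substr($0, index($0, marker) + length(marker))
            s = index(rest, "["); e = index(rest, "]")
            return (s && e > s) ? substr(rest, s + 1, e - s - 1) : ""
        }
        # The leading space keeps "disconnect from" out, as grep -w does.
        / connect from / {
            ip = ip_after(" connect from "); if (ip != "") conn[ip]++
        }
        /SASL [A-Z0-9-]+ authentication failed/ {
            ip = ip_after(" warning: ")
            if (ip != "") { fail[ip]++; conn[ip] += 0 }
        }
        END { for (ip in conn) printf "%d %d %s\n", conn[ip], fail[ip], ip }
    ' "${1:--}" | sort -k1,1nr -k2,2nr -k3,3 | head -n "${2:-25}"
}

# Count how often Postfix master reported a service at its process limit.
process_limit_hits() {
    grep -c 'has reached its process limit' "${1:--}" || true
}

sample_log | mail_connect_report - 5
echo "process limit warnings: $(sample_log | process_limit_hits -)"
```

Many connections with matching failures point toward containing the source; many connections with no failures point toward valid use and a higher process limit.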

Thanks very much!


  1. So yeah, looks like there are way too many connections from way too many places. What is the best way to deal with these dynamically? I have Config Firewall installed but it's disabled now.

  2. Fail2Ban? If so, what type of jail?

Thanks !

This is what I set up. How can I see what IPs are going to jail?

sudo fail2ban-client status postfix-sasl

fail2ban-client status postfix-sasl

Sorry but the jail 'postfix-sasl' does not exist

When I restart fail2ban I get an error:

```
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: failed (Result: start-limit-hit) since Fri 2020-07-17 02:27:56 EDT; 49s ago
     Docs: man:fail2ban(1)
  Process: 2156 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

Jul 17 02:27:56 systemd[1]: fail2ban.service: Control process exited, code=exited status=255
Jul 17 02:27:56 systemd[1]: Failed to start Fail2Ban Service.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Unit entered failed state.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Jul 17 02:27:56 systemd[1]: Stopped Fail2Ban Service.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Start request repeated too quickly.
Jul 17 02:27:56 systemd[1]: Failed to start Fail2Ban Service.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Unit entered failed state.
Jul 17 02:27:56 systemd[1]: fail2ban.service: Failed with result 'start-limit-hit'.
```

It's like the screenshot of what I did to enable is making it fail to start, but I don't see the problem.

The key error message is

Failed to restart server : ERROR No file(s) found for glob /var/log/mail.warn ERROR Failed during configuration: Have not found any log file for postfix-sasl jail

But %(postfix_log)s is the log, which translates out to /var/log/mail.warn, which doesn’t exist, so I manually put in /var/log/mail.log and that seemed to work.

Fail2Ban works like a champ and has now banned a boatload of IPs, thanks!

```
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 23
|  |- Total failed:     1644
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 26
   |- Total banned:     26
   `- Banned IP list:
```
