Thunderbird not fetching mails from server anymore

Hi, my admin is not available…
yesterday Thunderbird out of the blue said something like “access to daniel@myserver.com is rejected” - for all my domains on my Webmin server.

My admin did something (not available right now) and the error messages stopped…but since then I cannot view/get emails with my PC’s Thunderbird - it works still on ie gmail on Android.
So something is broken between my Thunderbird PC and my Webmin server (seems I use Dovecot and Postfix).
Any idea how to check what’s wrong?
Thunderbird says “connected to dan@myserver.com” … but it does not download the new mails I see in Usermin… also I for testing deleted the PW, but Thunderbird is not asking for new one… looks blocked ?

Thx
Dan

My first guess would be that you locked yourself out. Can you access the sites on the server (or SSH, Telnet, ping, etc.) from the IP from which TBird won’t connect?

Richard

Hi Richard, thank you!

I can access everything just fine, i.e. Webmin, websites etc. from this PC/IP…
I tried to lower the threshold of TLS version, since (the newly updated) Thunderbird has raised the bar to TLS 1.2 with new V78… but still… nothing moves since yesterday

I for testing reasons deleted one of the email addresses…when I try to recreate it on TB, I cannot, get the error message “Unable to log in at server. Possibly wrong configuration, username or password”.

If I am blocked, I have no idea where :frowning:
Thx for coming to my aid

UPDATE: I found this in some Webmin log file:

Sep 12 18:45:52 web auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=daniel@XXXXX.de rhost=31.16.159.41 user=daniel@xxxxx.de

Could this have to do with it? TB keeps saying it cannot connect to server?

Dan

am digging myself through system logs

somehow ONE of my email accounts on that server still works / is received

found this log in var/log/mailog, does that make any sense to you?
Sep 12 20:05:04 web dovecot: imap-login: Login: user=daniel@xxxd.de, method=PLAIN, rip=31.xx.xx.xx, lip159.xx.xx.xx, mpid=28899, TLS, session=<8Y8OpCGvwLcfEJ8p>
Sep 12 20:05:05 web dovecot: imap-login: Login: user=daniel@xxxd.de, method=PLAIN, rip=31.xx.xx.xx, lip159.xx.xx.xx, mpid=29060, TLS, session=
Sep 12 20:05:07 web dovecot: imap-login: Login: user=daniel@xxxd.de, method=PLAIN, rip=31.xx.xx.xx, lip159.xx.xx.xx, mpid=29271, TLS, session=<4rkwpCGvxbcfEJ8p>
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<8osIpiGvtfkfEJ8p>
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<AYwIpiGvt/kfEJ8p>
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=31.xx.xx.xx, lip159.xx.xx.xx, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
Sep 12 20:05:38 web dovecot: imap-login: Login: user=daniel@pxxe.com, method=PLAIN, rip=31.xx.xx.xx, lip159.xx.xx.xx, mpid=31532, TLS, session=
Sep 12 20:05:54 web dovecot: imap-login: Login: user=daniel@pxxe.com, method=PLAIN, rip=31.xx.xx.xx, lip159.xx.xx.xx, mpid=31677, TLS, session=<kMECpyGvz/kfEJ8p>

31.xx.xx.xx is my local IP
159.xx.xx.xx is my server with webmin

Whatever you see in the logs, could this also explain why I cannot create a new email account (existing on server) with Thunderbird? Get error “unable to log in to server”, when I create the email-account…TB is even able to load the server’s settings…but clicking “Done” for email creation breaks with above error
Thx a million
Dan
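Added example, not part of the original posts: a Python triage of the three kinds of log line quoted above (the pam_unix failure, the imap-login `Login:` lines and the `Disconnected` lines carrying a TLS alert number), counted per client address. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
RIP = re.compile(r"\brip=([^,\s]+)")
RHOST = re.compile(r"\brhost=(\S+)")
ALERT = re.compile(r"SSL alert number (\d+)")

# Constructed sample lines in the same format as the log excerpts in the thread.
SAMPLE = """\
Sep 12 18:45:52 web auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=a@example.test rhost=198.51.100.7 user=a@example.test
Sep 12 20:05:04 web dovecot: imap-login: Login: user=<a@example.test>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, mpid=28899, TLS, session=<s1>
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.5, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<s2>
Sep 12 20:05:37 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.5, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<s3>
"""

def classify(line):
    """Return (client_ip, category) for one log line, or None if irrelevant."""
    if "imap-login: Login:" in line:
        m = RIP.search(line)
        return (m.group(1), "login_ok") if m else None
    if "imap-login: Disconnected" in line:
        # An alert surfaced by SSL_read() was sent by the client: the client
        # refused the server's certificate before any password was tried.
        m, a = RIP.search(line), ALERT.search(line)
        if m and a:
            name = CERT_ALERTS.get(int(a.group(1)), "other")
            return (m.group(1), "tls_alert_from_client:" + name)
        return None
    if "pam_unix(dovecot:auth): authentication failure" in line:
        m = RHOST.search(line)
        return (m.group(1), "password_rejected") if m else None
    return None

def triage(text):
    """Count categories per client address across a block of log text."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            per_ip[hit[0]][hit[1]] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

One address showing both `login_ok` and `tls_alert_from_client` entries is reaching the server, so the failing connections are about certificate trust or credentials rather than a network block.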

In TBird, try this:

Option > Advanced > Certificate >> Uncheck “Query OCSP responder servers to confirm the validity of certificates.”

Then close TBird, delete the pkcs11.txt file from the profile, restart TBird, and try again.

I’m assuming it’s a TBird problem because GMail connects, and Gmail is usually fussier than TBird. Otherwise I’d assume the problem is the cert or a bad entry in dovecot.conf.

Richard

Hi Richard, thank you so much for your help!!

Gmail/Google also does not like my server anymore… it seems to have worked (Google mail on Android) for some time - not sure - but after a while Google found out that I had changed PW for that account and since then I cannot login anymore…so it’s also Gmail.

I did as suggested, but no change…also I cannot create a new email account (I had deleted one of my email accounts and tried to recreate it)

What would be the best log to find the issue? maillog?
There as above shown I seem to have a certificate issue… ?

Thank you so much…
am in Berlin time, so we probably have a time gap

Dan

Hi, in the hopes that rerunning Let’s Encrypt would fix the issue, I tried. I must say that we just recently moved (admin & me) the server from a cpanel server, since then some hiccups with CA imo.

But, since IT is not for the faint of heart, I get this:
Requesting a certificate for cxxxd.de, *.cxxxd.de from Let’s Encrypt …
… request failed : Web-based validation failed : Wildcard hostname *.cxxxd.de can only be validated in DNS mode, DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cxxxd.de
dns-01 challenge for cxxxd.de
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain cxxxd.de
Challenge failed for domain cxxxd.de
dns-01 challenge for cxxxd.de
dns-01 challenge for cxxxd.de
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cxxxd.de
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.cxxxd.de

    Domain: cxxxd.de
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.cxxxd.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I am pretty sure that I set the Anames etc correctly at domain host.
What file is LE looking for?

THx a million

Dan
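Added example, not part of the original posts: for the dns-01 challenge in the output above, the CA looks up a TXT record at `_acme-challenge.<domain>`, not a file, and a wildcard name is validated at the same record name as the bare domain, which is consistent with the challenge being listed twice. This Python sketch derives the record name and value per RFC 8555 section 8.4 and reports which values are absent from a zone; the tokens, thumbprint, domain and function names are constructed placeholders.

```python
import base64
import hashlib

def challenge_name(identifier):
    """DNS name queried for an identifier; a wildcard drops its '*.' label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")

def txt_value(token, thumbprint):
    """base64url(SHA-256(token + '.' + account key thumbprint)), unpadded."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def required_records(order, thumbprint):
    """Map each validation name to the set of TXT values that must coexist."""
    records = {}
    for identifier, token in order:
        name = challenge_name(identifier)
        records.setdefault(name, set()).add(txt_value(token, thumbprint))
    return records

def missing_records(required, published):
    """Return, per name, the TXT values not yet present in the zone."""
    gaps = {}
    for name, values in required.items():
        absent = values - set(published.get(name, ()))
        if absent:
            gaps[name] = sorted(absent)
    return gaps

# Constructed inputs: placeholder tokens and thumbprint, not real ACME data.
THUMBPRINT = "constructed-account-key-thumbprint"
ORDER = [("example.test", "constructed-token-1"),
         ("*.example.test", "constructed-token-2")]

if __name__ == "__main__":
    needed = required_records(ORDER, THUMBPRINT)
    for name, values in needed.items():
        for value in sorted(values):
            print(f'{name}. IN TXT "{value}"')
    # An empty zone reproduces the "No TXT record found" situation.
    print(missing_records(needed, {}))
```

Both TXT values have to be published at the one name at the same time, on the nameservers that are actually authoritative for the domain.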

it gets better and better… in Usermin it seems that that email account I am looking at did not receive any email since Friday evening…which can’t be
;(
something is messed up royally
oh dear

ok, enough IT for now…family time :slight_smile: back later

Hi Dan,

If there’s a possible DNS issue, we need the actual domain. Or you can run a check at https://mxtoolbox.com/dnscheck.aspx and/or https://dnschecker.org.

Some other possibilities…

I’m not sure how you did the migration (in-place or moved to a new server), but if the nameserver names OR IP addresses have changed, the nameservers have to be registered (or re-registered, if the names are the same but the IP’s changed) with your registrar.

If the server’s IP address(es) stayed the same, but the nameserver names or IP addresses changed, then it’s possible that YOU would be able to access your server / site(s) by hostname / domain name(s), but the rest of the world would not. This would be due to client-side caching on your local computer. Your computer maintains a cache of the IP’s of recently-accessed domains to reduce DNS calls. So even if your DNS is misconfigured, YOU might be able to access your server / sites by hostname even though the rest of the world cannot.

I don’t know if Gmail does DNS caching, either on their servers or on the device; but if they do, that rather than the password change could explain why it stopped working. But I really don’t know if they cache, so that’s just speculation.

That’s why at this point the thing you need to do is determine whether the rest of the world can resolve your hostname / domain name(s). Until that’s certain, then there’s really no point in trying anything else. If your hostname / nameservers / domain name(s) can’t be resolved, then nothing else will work.

Richard

Hi Richard,
thank you so much!

It worked all (after move about 2 months ago) till Thursday/Friday.

Will do the suggested checks above later after my wife had enough of me :slight_smile:

Would it be ok to send you my domain by personal message, too?
Thx a million again

Dan

Hi Dan,

You have some major DNS issues:

Your SOA (Start of Authority) is wrong. This site should give you a better idea of what it should look like. (Linking is easier than typing all that stuff out.)

“NS - Name Server” should be the name of your primary nameserver. For example:

server1.example.tld NS - Name Server ns1.example.tld

You have 8.8.8.8, which is one of Google’s public DNS servers. That’s fine for an upstream resolver and would be added to /etc/resolv.conf if you wanted to use it, but that’s not what should go in your DNS record.

You might also have additional “NS - Name Server” entries for any additional nameservers that you run. For example:

server1.example.tld	NS - Name Server 	ns1.example.tld
server1.example.tld	NS - Name Server 	ns2.example.tld

Also, you probably need to add a loopback entry in /etc/resolv.conf to tell your nameserver to query itself. For example:

nameserver 127.0.0.1

If your host assigns your IP using DHCP reservations, you may have to make that file immutable. Basically you have to check it after a reboot and see if that last line has disappeared. If so, then

chattr +i /etc/resolv.conf

will prevent it from being changed, even by root. If root ever needs to change it, then root would have to execute

chattr -i /etc/resolv.conf

to remove the immutability. All of this would only be necessary if your host uses DHCP because it would overwrite /etc/resolv.conf every time the server boots. This is more common on VPS’s than metal servers.

You also should enable DMARC and set a policy. It doesn’t so much matter what the policy is as it does that you have one. I use monitor with no issues.

You can send me your domain name / hostname if you want, but I’ll be running in and out today (and besides, you’ve already posted the things I’d be looking for).

In a nutshell, you need to clean up DNS before mail can be expected to work. How it got hosed, I have no idea; but you need to un-hose it.

Richard

Hi Richard, thank you so much!

There was an issue with the registrar, which should have been resolved. Why does stuff like this always happen on weekends?

Thunderbird still does not want to connect, but could I ask you to run your check again, if the issues for you are now resolved?
Thx a million

Dan

@RJM_Web_Design and wow!! how much effort you put into helping me!! THANK YOU!!!

Dan

Hi Dan,

You’re welcome.

I didn’t check anything other than what you posted. Just make the changes to DNS and run the checks again. I suspect that will take care of the problems.

Richard

The mail server is reachable and receptive. I wasn’t able to send a mail because I didn’t have a valid address to send it to, but it accepted my telnet connection and talked to me.

Have you tried checking your mail with webmail? It may be that the server issues (other than the SOA problem, which is minor) are fixed now, and now it’s a TBird problem. Also, is Android able to collect and send mail?

Richard

Hi Richard,
again, thank you so much…very much appreciated!

I dropped stubborn TB and revived Outlook, which connects without any issues… but… mail account is like frozen … I received one internal mail there (which I do not understand, seems someone tries to use my mail server, but that’s the next issue)
I am looking into Usermin, Android etc… can connect, but mail account is … dead … as it seems all my other mail accounts on that server are… this is very strange and am afraid to lose business …

Hope my admin has some time for me today :frowning: But he worked on it yesterday and also to him all seems ok…

Again, so much appreciate all your help you provided! And you really know your way around servers

Dan

Hi Dan,

You’re welcome, and thank you.

Using telnet to connect to your server using the email address you provided privately, the server accepted my request, BUT…

  1. The first “mail from:” address I provided was rejected with a “Bad sender address syntax” error. It was a legitimate address using Fastmail.com.

  2. The second “mail from:” address I tried, using an email address on an account on one of my own servers, was accepted, but…

  3. When using the email you provided as the “rcpt to:” address, the address was rejected with an error of “Recipient address rejected: Greylisted for 60 seconds”.

     220 web.[redacted].de ESMTP Postfix
     EHLO web.[redacted].de
     250-web.[consultd].de
     250-PIPELINING
     250-SIZE 10240000
     250-VRFY
     250-ETRN
     250-STARTTLS
     250-AUTH PLAIN LOGIN
     250-AUTH=PLAIN LOGIN
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250 DSN
     mail from: [redacted]@fastmail.com
     501 5.1.7 Bad sender address syntax
     mail from: richard@[redacted].com
     250 2.1.0 Ok
     rcpt to: [redacted@redacted].de
     450 4.2.0 <[redacted@redacted].de>: Recipient address rejected: Greylisted for 60 seconds
    

At this point, I would check the settings on the mail for that particular address and account. And, of course, disable greylisting.

You might also want to create a temporary address on the same account just for testing, and see if it can receive mail. You can publish it here if you like and then delete it when it’s served its purpose.

In a nutshell, your server is accepting connection requests on port 25, but rejecting mail to the specific address you provided me. That’s where the diagnostic stands now.

Richard
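Added example, not part of the original posts: a Python reading of an SMTP session like the one above that pairs each typed command with the server's final reply line and sorts replies into success, temporary (4xx) and permanent (5xx), pulling the wait time out of a greylisting deferral. The transcript, host names and function names are constructed placeholders.

```python
import re

# Constructed transcript in the shape of the telnet session in the post.
SESSION = """\
220 mail.example.test ESMTP Postfix
EHLO client.example.test
250-mail.example.test
250-STARTTLS
250 DSN
mail from: sender@example.org
250 2.1.0 Ok
rcpt to: user@example.test
450 4.2.0 <user@example.test>: Recipient address rejected: Greylisted for 60 seconds
"""

# Reply line: 3-digit code, ' ' (final) or '-' (continuation), optional
# enhanced status code (RFC 3463), then free text.
REPLY = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")
CLASSES = {"2": "ok", "3": "continue", "4": "temporary", "5": "permanent"}

def parse(session):
    """Pair each client command with the final line of the server's reply."""
    replies, command = [], "(connect)"
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REPLY.match(line)
        if not m:
            command = line              # not a reply, so the client typed it
            continue
        code, sep, enhanced, text = m.groups()
        if sep == "-":                  # more lines of this reply follow
            continue
        replies.append({"command": command, "code": int(code),
                        "enhanced": enhanced, "text": text,
                        "class": CLASSES.get(code[0], "unknown")})
    return replies

def retry_delay(reply):
    """Seconds to wait before retrying a greylisted recipient, else None."""
    if reply["class"] != "temporary":
        return None
    m = re.search(r"Greylisted for (\d+) seconds", reply["text"])
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    for r in parse(SESSION):
        print(r["command"], "->", r["code"], r["class"], retry_delay(r))
```

A 4xx reply asks the sender to try again later, while a 5xx reply is a final refusal of that command.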