Hello all, thank you again for your help.
Thanks to Edgar Pettijohn's inspiration, we changed /etc/dovecot/conf.d
/10-auth.conf to include login (which did not work) and cram-md5 (whichdid
work):
auth_mechanisms = plain login cram-md5
and we no longer get Connection refused.
Although it doesn't say so explicitly, my reading of
http://wiki2.dovecot.org/Authentication/Mechanisms
is that SSL/TLS puts a wrapper around plaintext passwords,
so you don't need an encrypted password.
However, obviously, you need a scheme to first decrypt the TLS envelope!
So does cram-md5 do that?
Seems to work. Thank you.
So now, as Joseph Tam points out, (thank you for the exposure to nc?cool) we are
back to "Server certificate not installed".
But "the certificate" is installed AFAICT on mail.privustech.com and
dovecot:
So which server? The choices are
? The root server: 70.186.159.22
? The virtual host mail server: mail.privustech.com
? The dovecot server: /etc/dovecot/dovecot.conf
? Something else.
Presumably, as Joseph shows with his nc call, imap calls are to ServerName
mail.privustech.com.
So we need it to exist and we need cert files for that ServerName:
? We can connect, so the server exists and is responding.
? It is configured as a virtual host and has its own Apache2 configuration
files
mail.privustech.com.conf
mail.privustech.com-ssl.conf These in turn specify SSL cert, key, and CA
files with the CN
mail.privustech.com This host is specified as a port 443 vhost, but
changing to 143 had no effect.
I can also connect with https, so the cert is valid.
So I cannot imagine how better to "install" it to a valid host with a
valid cert... ??? :-(
I examined the other possible "servers" and they all seem correctly
established as well. Details of today's angst appended below.
Thanks again for the help and inspiration. Tomorrow is another day.
Best regards, Andy
==========================================
1. The root server is 70.186.159.22
It is configured in /etc/apache2/default-server.conf
This file specifies ServerName as 70.186.159.22 The root server under Apache2
does not have an SSL.conf file, however
the root server also is installed as a virtual host in /etc/apache2/vhosts.d
through
/etc/apache2/vhosts.d/70.186.159.22.conf
/etc/apache2/vhosts.d/70.186.159.22-ssl.conf
The latter file specifies three SSL files:
SSLCertificateFile /etc/apache2/ssl.crt/mail.privustech.com_start.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/mailprivustech.key
SSLCertificateChainFile /etc/apache2/ssl.crt/mailprivustech_root_bundle.crt
Of course, the Common Name (CN) in these files does not match the root
ServerName.
If dovecot connects from the root server rather than mail.privustech.com
that would explain the matter.
We'll check that out tomorrow.
2. We are not, however, trying to connect to the root server, rather to
mail.privustech.com
This virtual host is manifested in Apache2 through
/etc/apache2/vhosts.d/mail.privustech.com.conf
/etc/apache2/vhosts.d/mail.privustech.com-ssl.conf
The ServerName does match the CN in this case.
The port number in the vhost is 443 vice 143, but we changed that with no
effect.
So it does not make sense that an imap connection responds with
"Server certificate not installed"
How more to "install" the cert than to specify it in the vhost
-ssl.conf file?
The mail server vhost StartSSL certificate is
/etc/apache2/ssl.crt/mail.privustech.com_start.crt
and has been validated against its key. Its CN is mail.privustech.com.
3. The dovecot server SSL certificate is specified in the configuration file:
/etc/dovecot/dovecot.conf
It does not specify a key, however it includes all files in
/etc/dovecot/conf.d
This contains a number of files, including
10-auth.conf
10-ssl.conf
The first includes
auth-mechanisms plain login cram-md5
Adding cram-md5 today resolved the "Connection Refused" issue.
Although it doesn't say so explicitly, my reading of
http://wiki2.dovecot.org/Authentication/Mechanisms
is that SSL/TLS puts a wrapper around plaintext passwords,
so you don't need an encrypted database.
However, obviously, you need a scheme to first decrypt the TLS envelope!
So does cram-md5 do that?
Seems to work. Thank you.
Default settings are included but commented out. In particular, plaintext is
by default disabled.
So we uncomment and explicitly declare
disable_plaintext_auth = no Restart: No change. Restore.
/etc/dovecot/conf.d/10-ssl.conf contains explicit referral to the
mail.privustech.com SSL files
discussed above:
ssl = required
ssl_cert = </etc/apache2/ssl.crt/mail.privustech.com_start.crt
ssl_key = </etc/apache2/ssl.key/mailprivustech.key
ssl_ca = </etc/apache2/ssl.crt/mailprivustech_root_bundle.crt So
again, it would appear that the certs are indeed installed.
4. Other possibilities.
We look around for other possible certificate assignment locations that might
be overriding the explicit
settings above.
a. Check /etc/apache2/httpd.conf. It only contains include statements pointing
to the other .conf files.
b. Check the included /etc/apache2/ssl-global.conf.
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile are all commented out. We haven't needed them in the
past because we had vhosts for all the sites with
their own .conf and -ssl.conf files.
But perhaps they are now needed for the root domain if it, not
mail.privustech.com,
is being answered by dovecot.
So set them up to mail.privustech.com:
SSLCertificateFile /etc/apache2/ssl.crt/mail.privustech.com_start.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/mailprivustech.key
SSLCertificateChainFile /etc/apache2/ssl.crt/mailprivustech_root_bundle.crt
SSLCACertificateFile /etc/apache2/ssl.crt/mailprivustech_root_bundle.crt
Save and restart Apache2.but no change.
c. Default Server
/etc/apache2/default-server.conf specifies the default server as
ServerName 70.186.159.22
We have covered that with 1. and 2. above.
d. Invalid permissions?
.conf and SSL file permissions: all rw-r--r-- root:root
On Wed, 2016-05-04 at 20:01 -0500, Edgar Pettijohn
wrote:> Re-read the following:
>
> 1st
> http://wiki2.dovecot.org/PasswordDatabase
>
> 2nd
> http://wiki2.dovecot.org/Authentication/Mechanisms
>
> then edit /etc/dovecot/conf.d/10-auth.conf
> auth_mechanisms = plain login
>
> On 05/04/16 19:00, C. Andrews Lavarre wrote:
> > Hello all. Thank you for your service.
> >
> > Easy when you know how, but presently I do not. After literally
> > months of research and experimentation we simply cannot log into
> > our PAM / apache2 / postfix / dovecot pop3/imap STARTTLS email
> > server with an ordinary email client, e.g., Evolution or
> > Thunderbird.
> >
> > We can connect to the host server in a host of different ways (no
> > pun intended)?http, https, ssh, vnc, telnet, openssl -sclient
> >
> > Similarly we can connect to postfix and dovecot in yet another
> > number of ways?telnet, openssl -sclient?but cannot log in to the
> > email server with a normal email client (either Evolution or
> > Thunderbird) by either pop3 or imap.
> >
> > SSL certificates are in place, verified, and tested.
> >
> > Part of the problem is the many changes in all the involved
> > operating systems and protocols (e.g., imaps and pop3s are
> > deprecated, openSUSE has migrated to LEAP, etc.) so many of the
> > docs from Google are no longer valid. Additionally, there simply
> > are bugs: Leap 42.1 YAST does not work when it comes to setting up
> > websites. Documented. But I digress.
> >
> > I'm sure it's something really simple, but it evades me.
Research
> > details below. Any help would be more than appreciated.
> >
> > Thanks in advance, Andy
> >
> > ======================= Configuration testing details
> > ======================> >
> > System is:
> > > > Linux openSUSE Leap 42.1
> > > > > > Dovecot --version 2.2.18,
> > > > > > Postfix Version: 2.11.6-3.1
> > > > > > Apache2 Version: 2.4.16-9.1
> >
> > Connections
> > > > 1. Evolution or Thunderbird to pop3 or imap reports:
> > > > > > The reported error was "Could not connect
to
> > mail.privustech.com: Connection refused".
> > > >
> > > > > > Both connect successfully to googlemail.com with
the
> > same protocol:
> > > > > > > > Port 993 SSL on a dedicated port
> >
> > > > > > > > I have also tried
> > > > > > > > > > Port 143 STARTTLS after
connecting
> > > > > > > > > > without success
> >
> > > > > > > > 2. openssl s_client -connect
mail.privustech.com:xxx
> > > > > > > > a. xxx=25, 110, 143 all return
> > > > > > > > > > error:140770FC
> >
> > > > > > > > b. xxx=993, 995 return
> > > > > > > > > > socket: Connection
refused
> > > > > > > > connect:errno=111
> > > > > > > >
> > > > 3.telnet to
> > > > > > a. smtp works.
> > > >
> > > > > > b. pop3
> > > > > > andy at tm2t:~> telnet 70.186.159.22 110
> > > > > > > > ...
> > > > > > > > +OK POP3 2007e.104 server ready <
> > 48fa.572a0769 at privustech.com>
> > > > > > > > ...
> > > > > > > > user andy
> > > > > > > > -ERR Unknown AUTHORIZATION state
command
> >
> > > > > > c. > > > > imap connects but does
not allow login, and
> > should not.
> > > > > > > > > >
> > http://marc.info/?l=imap&m=118775891829506&w=2
> > > > > > > > > > > > > > The
most simple answer
> > is "you cannot TELNET to a modern, correctly-configured,
> > > > > > > > > > > > > > IMAP
server and log in
> > to it."
> > > > > > andy at tm2t:~> telnet 70.186.159.22 143
> > > > > > > > ...
> > > > > > > > * OK [...] privustech.com IMAP4rev1
2007e.404
> > at Wed, 4 May 2016 10:26:28
> > > > > > > > -0400 (EDT)
> > > > > > > > ... A NO Invalid login credentials
> > > > > > > >
> > Modules
> >
> > > > ? Apache2 works just fine. The server is up and answering.
ping
> > works just fine. We have http and https to all vhost sites
> > (privustech, mailprivustech, nptbeyond, gvhl, truthcourage, and
> > their www. subsites).
> >
> > > > ? Postfix reports no errors. We can log in on localhost,
send a
> > message to ourselves and see the message.
> >
> > ? Dovecot:
> > > > > > a. Logging is enabled in 10-logging.conf to
> > /var/log/dovecot.conf but no logging has occurred there.
> > > >
> > > > > > b. doveconf -n throws no errors.
> > > > > >
> >
> > Checks and tests completed
> >
> > > > 1. /etc/hosts is just fine.
> >
> > > > > > 2. Firewall is open for telnet, postfix,
dovecot.
> >
> > > > 3. Added andy to dovecot, postfix groups, in addition to
mail,
> > reset password to ANDYbbs14 at .
> >
> > > > 4. We tried enabling imaps, pop3s, but this command returns
> > errors about these protocols being obsolete.
> > > > > > > >
https://tools.ietf.org/html/rfc2595
> > > > > > > > Use of these ports is discouraged in
favor of
> > the STARTTLS or STLS
> > > > commands.
> >
> > > > > > 5. Reviewed doveconf -n:
> > > > > > > > a. Note, there are no Dovecot
users established
> > other than
> > > > > > > > user postfix
> > > > > > > > group postfix
> > > > > > > > > > service auth {
> > > > > > > > > > unix_listener
auth-userdb {
> > > > > > > > > > > > group = postfix
> > > > > > > > > > > > user = postfix
> > > > > > > > > > }
> > > > > > > > > > }
> > > >
> > > > > > > > > > i. postfix has its own
set of users,
> > including andy, which works just fine within postfix.
> > > > > > > > > > We can send mail and read
mail in the
> > mailbox.
> > > >
> > > > > > b. Authentication is performed by PAM:
> > > > > > > > passdb {
> > > > > > > > driver = pam
> > > > > > > > }
> >
> > > > > > > > i. Examined PAM:
> > > > > > > > > > A. The files
/etc/pam.d/xxx, where xxx
> > = dovecot, pop, imap, are all the same
> > > > > > > > > > > > lavarre:~ # cat
/etc/pam.d/xxx
> > > > > > > > > > > > #%PAM-1.0
> > > > > > > > > > > > auth
include common
> > -auth
> > > > > > > > > > > > account
include common
> > -account
> > > > > > > > > > > > password
include common
> > -password
> > > > > > > > > > > > session
include common
> > -session
> > > > > > > > > > B. They do not resemble at
all the form
> > presented in
> > > > > > > > > >
> > http://wiki2.dovecot.org/PasswordDatabase/PAM
> > > > > > > > > > > > > >
passdb {
> > > > > > > > > > > > > >
driver = pam
> > > > > > > > > > > > > >
args = %s
> > > > > > > > > > > > > > }
> > > > > > > > > > C. Add (B.) to see if that
works: No
> > change.
> > > > > > > > > > Comment out the original
(A.): No
> > change.
> > > > > > > > > > Restore it.
> > > > > > > >
> > > > > > c. SSL is required and apparently configured
correctly
> > > > > > (the less-than symbol '<'causes the
succeeding file to
> > be read into the variable):
> > > > > > > > ssl = required
> > > > > > > > ssl_cert =
> > > > > > > > ssl_dh_parameters_length = 2048
> > > > > > > > ssl_key =
> > > > > > > > ssl_options = no_compression
> > > > > > > > ssl_prefer_server_ciphers = yes
> > > > > > > > userdb {
> > > > > > > > driver = passwd
> > > > > > > > }
> > > > > >
> > > > > > > > > > i. dovecot.pem, both
cert and key, are
> > installed in /etc/ssl as above and verified as a pair with
> > > > > > > > > > openssl x509.
> > > > > > > > > > > > And we point
to them in
> > /etc/dovecot/conf.d/10-ssl.conf as seen in the above.
> >
> > > > 6. Checked listening as it does not appear in doveconf -n:
> > > > > > lavarre:~ # doveconf protocols listen
> > > > > > protocols = imap pop3 lmtp
> > > > > > listen = *, ::
> >
> > > > > > a. conf.d/10-master.conf
> > > > > > > > ports for service xxx-login
{inet_listener} are
> > commented out.
> > > > > > > > In fact, the entire file is commented
out.
> >
> > > > > > > > Uncomment the listeners, restart. But
no
> > change. So undo.