It seems like every time I upgrade Ubuntu, dovecot+postfix breaks. Maybe its just my luck, but it has gotten fairly annoying to be the only service that breaks after any upgrade.
This time I spent hours last weekend reinstalling, uninstalling and reinstalling postfix and dovecot about 4 or 5 times. Sad to say here I don’t know quite what fixed it but I was able to receive mail.
Now today I found out I wasn’t able to send mail. So back into debug mode again to resolve that.
While doing some tests I realized that i couldn’t even log into my mail server under smtp (port 25). After some digging around I came across this little post:
http://www.howtoforge.com/ubuntu-11.10-saslauthd-sasl-plain-authentication-failed-no-mechanism-available
The most important part here was a new line and change to an existing one:
auxprop_plugin: sql sql_engine: mysql
Which for me was that auxprop_plugin went from mysql to sql and I added the new line below. This after a proper service restart resolved that problem. However I still had a problem of connecting to mail across SMTP+SSL (ie SMTPS on 465).
First off, I discovered my SSL certs for dovecot where outdated (expired it seems). While this shouldn’t of been causing the problem, I reissued the certificates. A quick search turned up makecert.sh and I was quickly back in business after backing up, deleting and generating the new certificates. I did modify the file and generate longer certificates though so it wouldn’t expire as fast (default is 1 year).
In my research, I found out a helpful command would tell me if SSL was working:
$ openssl s_client -connect mail.sleepycode.com:465 CONNECTED(00000003) 482:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s23_clnt.c:607:
It failed as you can see. I will also mention you can test just TLS here by using:
openssl s_client -starttls smtp -connect mail.sleepycode.com:465
I ran this command on the server directly, and it did give me more output, which became my basis for google searches.
openssl s_client -connect mail.sleepycode.com:465 CONNECTED(00000003) 139900418954912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 226 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
This problem here after many google searches not turning up too many results, I stumbled onto this blog post, which had my answer.http://abing.gotdns.com/posts/2008/getting-postfix-to-run-smtps-on-port-465/
smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING
I had the options commented out. So while the service was running on 465, the options where not set to enable TLS on that port. A few quick changes and service restart later, everything was working. Which leaves me with another note of being more careful doing file merging when using SSH during a upgrade. I most likely botched the file at that time.
Thanks for this. I was having trouble with this for days,