Added new account to mail: IMAP protocol error

Good afternoon. Tell me this thing: I recently discovered a problem with the mail server. Existing mail accounts are working correctly and normally, but if you create a new mail account and try to connect it via IMAP, then in the Dovecot logs you get an error of the format “Oct 20 11:52:13 imap-login: Error: Failed to initialize SSL server context: Can’t load SSL certificate (ssl_cert setting): error:0A00008B:SSL routines::unknown command: section=system_default, cmd=system_default, arg=hestia_openssl_sect: user=<>, rip=xxx, lip=xxx, session=<YW0d/SEI9M1beouE>”. The webmail certificate was updated via Let’s Encrypt with the standard functionality, without dancing with a tambourine. Please help in this situation; the latest release of the panel is v1.8.8.

Hello @Ap4uuk,

I don’t know how to resolve your issue, and it is strange that this happens only with new mail accounts (or are you talking about a new mail domain?), but the error message points to these sections in /etc/ssl/openssl.cnf:

[ssl_sect]
system_default = hestia_openssl_sect

[hestia_openssl_sect]
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = PrioritizeChaCha

Could you please show your system and openssl versions?

lsb_release -a
openssl version

Also show the output of these commands (change USER by your real user and DOMAIN by the real domain):

cat /etc/dovecot/conf.d/domains/DOMAIN.conf
ls -lh /home/USER/conf/mail/DOMAIN/ssl/
openssl x509 -noout -pubkey -in /home/USER/conf/mail/DOMAIN/ssl/DOMAIN.pem | openssl md5
openssl pkey -pubout -in /home/USER/conf/mail/DOMAIN/ssl/DOMAIN.key | openssl md5

Hello, @sahsanu !
Output of the lsb_release command:
root@panel:~# lsb_release -a
LSB Version: core-11.1.0ubuntu4-noarch:security-11.1.0ubuntu4-noarch
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
Output of the openssl version command:
root@panel:~# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
1:
root@panel:~# cat /etc/dovecot/conf.d/domains/imw-rpg.ru.conf
local_name mail.imw-rpg.ru {
ssl_cert = </home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.pem
ssl_key = </home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.key
}
2:
root@panel:~# ls -lh /home/amores/conf/mail/imw-rpg.ru/ssl/
total 20K
-rw-r--r-- 1 amores mail 3,7K окт 20 11:50 imw-rpg.ru.ca
-rw-r--r-- 1 amores mail 2,1K окт 20 11:50 imw-rpg.ru.crt
-rw-r--r-- 1 amores mail 3,2K окт 20 11:50 imw-rpg.ru.key
-rw-r--r-- 1 amores mail 5,8K окт 20 11:50 imw-rpg.ru.pem
3:
root@panel:~# openssl x509 -noout -pubkey -in /home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.pem | openssl md5
MD5(stdin)= 8a4b9973be9d3fbe53bcc4d80d0f4893
4:
root@panel:~# openssl pkey -pubout -in /home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.key | openssl md5
MD5(stdin)= 8a4b9973be9d3fbe53bcc4d80d0f4893

@sahsanu Maybe the problem is that in this config this parameter is duplicated with different values?
(screenshot of the openssl.cnf section)

No, I’m adding a new account to the mail domain, and I connected the new account via Outlook using the IMAP protocol.

Using the webmail it works fine? Because that is really strange.

I don’t know whether that will solve the issue, but you should not have a duplicated system_default option. Comment out the line that points to system_default_sect.
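To make the two checks discussed so far repeatable (pulling the OpenSSL section/cmd/arg out of the Dovecot log line from the first post, and spotting a duplicated key such as system_default in an openssl.cnf section, plus a section reference that points at a section that is not defined), here is a small triage script. This is an added example, not Hestia or Dovecot code; the log line and the openssl.cnf fragment in it are constructed for the demo (the IPs are documentation addresses, and the second system_default line is the duplicate being discussed).

```python
"""Triage helper for the 'Failed to initialize SSL server context' error.

Added example (not Hestia or Dovecot code). It (1) extracts the OpenSSL
error fields from a Dovecot log line and (2) reads an openssl.cnf-style file
to report duplicated keys per section and dangling section references.
All inputs below are constructed for the example.
"""
import re

# Constructed after the log line quoted in the first post; IPs are documentation addresses.
SAMPLE_LOG = (
    "Oct 20 11:52:13 imap-login: Error: Failed to initialize SSL server context: "
    "Can't load SSL certificate (ssl_cert setting): error:0A00008B:SSL routines::"
    "unknown command: section=system_default, cmd=system_default, "
    "arg=hestia_openssl_sect: user=<>, rip=203.0.113.10, lip=203.0.113.5, session=<abc>"
)

# Constructed openssl.cnf fragment with the duplicated system_default key
# discussed in the thread; system_default_sect is deliberately not defined here.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect
system_default = hestia_openssl_sect

[hestia_openssl_sect]
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = PrioritizeChaCha
"""

# OpenSSL 3 error format: error:<hex>:<lib>:<func>:<reason>:section=..., cmd=..., arg=...
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"\s*section=(?P<section>[^,]+),\s*cmd=(?P<cmd>[^,]+),\s*arg=(?P<arg>[^:\s]+)"
)


def parse_ssl_context_error(line):
    """Return the OpenSSL error fields found in a Dovecot log line, or None."""
    m = ERR_RE.search(line)
    return m.groupdict() if m else None


def parse_openssl_cnf(text):
    """Minimal openssl.cnf reader: {section: [(key, value), ...]} in file order.

    Keys before the first [section] land in the '' (default) section, as in
    OpenSSL. Comments and blank lines are skipped; '=' inside values is kept.
    """
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if "=" not in line:
            continue  # e.g. .include directives; not needed for this check
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def find_duplicate_keys(sections):
    """Return {section: {key: [values]}} for keys that occur more than once."""
    dupes = {}
    for name, pairs in sections.items():
        seen = {}
        for key, value in pairs:
            seen.setdefault(key, []).append(value)
        multi = {k: v for k, v in seen.items() if len(v) > 1}
        if multi:
            dupes[name] = multi
    return dupes


def find_dangling_refs(sections, ref_sections=("ssl_sect",)):
    """In sections whose values name other sections (ssl_conf style), return
    (section, target) pairs where the target section is not defined."""
    return [
        (name, target)
        for name in ref_sections
        for _key, target in sections.get(name, [])
        if target not in sections
    ]


def triage(log_line, cnf_text):
    """Combine both checks into one report dict."""
    err = parse_ssl_context_error(log_line)
    sections = parse_openssl_cnf(cnf_text)
    return {
        "error": err,
        "duplicate_keys": find_duplicate_keys(sections),
        "dangling_refs": find_dangling_refs(sections),
        "arg_section_defined": bool(err) and err["arg"] in sections,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_CNF), indent=2))
```

On a real box, replace SAMPLE_LOG with a line from /var/log/dovecot.log (or journalctl -u dovecot) and SAMPLE_CNF with the contents of /etc/ssl/openssl.cnf; a non-empty duplicate_keys or dangling_refs entry is what to fix before restarting Dovecot.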

I haven’t checked this. Now I’ll try to comment out the line; what additionally needs to be restarted for the changes to take effect? I will check now and let you know whether I was able to log in via the webmail.

I don’t think you would need to restart anything, but just in case, restart Dovecot.

@sahsanu
It didn’t help. I made the changes and restarted Dovecot and additionally Exim4, with no result. The same error in Outlook reads: “Could not connect to the incoming message server (IMAP) using the specified encryption method. Check the encryption method of the incoming message server (IMAP) and try again.”

You can connect to other mail users using the same conf in Outlook?

Did you try via webmail?

What are the options used in Outlook to configure imap?

I specified the settings in Outlook that Hestia gives when creating or changing the parameters of an account. Logging in via webmail works correctly; there are no problems with this. I haven’t tried it, because I’m afraid that if I delete the current account from Outlook, then I won’t be able to log into it again. The new accounts that I add do not work.
SSL/TLS ports: 993 and 465

Change the port to 143 (no STARTTLS and no SSL/TLS) and you should be able to log in. I don’t know the reason, but you are not serving any certificate, neither on port 143+STARTTLS nor on port 993:

$ openssl s_client -connect mail.imw-rpg.ru:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

$ openssl s_client -starttls imap -connect mail.imw-rpg.ru:143
CONNECTED(00000003)
407799D7DF7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 341 bytes and written 343 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

With POP3 you have the same issue, but TLS on SMTP port 465 works fine.

So it seems Dovecot is not configured correctly, or there is some other strange issue…

Show the output of:

grep -r include_try /etc/dovecot/
cat /etc/dovecot/conf.d/10-ssl.conf

root@panel:~# grep -r include_try /etc/dovecot/
/etc/dovecot/dovecot.conf:!include_try conf.d/domains/*.conf
root@panel:~# cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

ssl_cert = </usr/local/hestia/ssl/certificate.crt
ssl_key = </usr/local/hestia/ssl/certificate.key

# From and up to version 2.2

#ssl_dh_parameters_length = 4096

# From version 2.3

ssl_dh = </etc/ssl/dhparam.pem

Everything is there, valid certificates.

The question is what could break it; nothing critical was introduced into the system.
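The two Dovecot files shown in this thread (the per-domain local_name block in conf.d/domains/DOMAIN.conf and the global ssl_cert/ssl_key in 10-ssl.conf) both use Dovecot’s `<path` syntax, which reads the value from a file at startup. Here is an added checker, not Dovecot or Hestia code, that parses both forms and verifies that each referenced file exists, is readable and non-empty, and that a private key is not world-readable (the ls -lh output above shows the key at 0644). The config text and the file tree it checks are constructed in a temporary directory for the demo; the paths and the domain example.test are made up.

```python
"""Check the files referenced by Dovecot ssl_cert / ssl_key / ssl_dh settings.

Added example (not Dovecot or Hestia code). Handles both the global settings
in 10-ssl.conf and Hestia's per-domain 'local_name ... { }' blocks.
The config text and file tree below are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# Constructed after the two files shown in the thread; {root} is a temp dir.
MAIN_CONF = """\
ssl = yes
ssl_min_protocol = TLSv1.2
ssl_cert = <{root}/hestia/ssl/certificate.crt
ssl_key = <{root}/hestia/ssl/certificate.key
ssl_dh = <{root}/dhparam.pem
"""

DOMAIN_CONF = """\
local_name mail.example.test {{
ssl_cert = <{root}/home/user/conf/mail/example.test/ssl/example.test.pem
ssl_key = <{root}/home/user/conf/mail/example.test/ssl/example.test.key
}}
"""

LOCAL_NAME_RE = re.compile(r"^\s*local_name\s+(\S+)\s*\{")
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key|ssl_dh)\s*=\s*<(\S+)")


def parse_dovecot_ssl(text):
    """Return [(scope, setting, path)]; scope is the local_name or 'global'.

    Only the '<path' (read-from-file) form is collected; an inline PEM value
    needs no file check.
    """
    entries = []
    scope = "global"
    for line in text.splitlines():
        m = LOCAL_NAME_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        if line.strip() == "}":
            scope = "global"
            continue
        m = SETTING_RE.match(line)
        if m:
            entries.append((scope, m.group(1), m.group(2)))
    return entries


def check_entries(entries):
    """Return [(scope, setting, path, finding)] for every problem found."""
    findings = []
    for scope, setting, path in entries:
        if not os.path.isfile(path):
            findings.append((scope, setting, path, "missing"))
            continue
        if not os.access(path, os.R_OK):
            findings.append((scope, setting, path, "unreadable"))
        if os.path.getsize(path) == 0:
            findings.append((scope, setting, path, "empty"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if setting == "ssl_key" and mode & stat.S_IROTH:
            findings.append((scope, setting, path, "key is world-readable"))
    return findings


def _write(path, content, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree in a temp dir and run the checks against it."""
    root = tempfile.mkdtemp()
    # global pair: present, key restricted to owner
    _write(f"{root}/hestia/ssl/certificate.crt", "-----BEGIN CERTIFICATE-----\n")
    _write(f"{root}/hestia/ssl/certificate.key", "-----BEGIN PRIVATE KEY-----\n", 0o600)
    _write(f"{root}/dhparam.pem", "-----BEGIN DH PARAMETERS-----\n")
    # domain pair: pem deliberately empty, key left at 0644 like the ls -lh above
    _write(f"{root}/home/user/conf/mail/example.test/ssl/example.test.pem", "")
    _write(f"{root}/home/user/conf/mail/example.test/ssl/example.test.key",
           "-----BEGIN PRIVATE KEY-----\n", 0o644)
    text = MAIN_CONF.format(root=root) + DOMAIN_CONF.format(root=root)
    return check_entries(parse_dovecot_ssl(text))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

To run it against a live server, feed parse_dovecot_ssl the concatenated output of `doveconf -n` (or the raw files) instead of the constructed text; an "empty" or "missing" finding for the domain scope would explain a certificate that cannot be loaded, while a world-readable key is a permissions issue to correct independently of the login problem.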

I can’t see any problem in that conf.

Could you please show the size and number of lines in dhparam?

ls -lh /etc/ssl/dhparam.pem
grep -c '' /etc/ssl/dhparam.pem

And you also said that this key /usr/local/hestia/ssl/certificate.key and cert /usr/local/hestia/ssl/certificate.crt are ok… right?

(screenshot of the certificate expiry)

Looks like he’ll live another 4 days

Command output:
1:
root@panel:~# ls -lh /etc/ssl/dhparam.pem
-rw-r--r-- 1 root root 769 июн 3 17:45 /etc/ssl/dhparam.pem
2:
root@panel:~# grep -c '' /etc/ssl/dhparam.pem
13

I found webmail certs in those directories.

Why don’t they participate in the configs in any way?

dhparam.pem looks fine too

They do. Hestia creates them in those dirs and then copies them to the user’s homedir:

cp -f $USER_DATA/ssl/mail.$domain.crt $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.crt
cp -f $USER_DATA/ssl/mail.$domain.key $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key
cp -f $USER_DATA/ssl/mail.$domain.pem $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem

Try to check the Dovecot log, just in case you can see any other error, because I’m running out of ideas :frowning:

Does this need to be done from the user account where webmail is installed?
out: cp: cannot stat ‘/ssl/mail…crt’: No such file or directory

omg…

An error has occurred: We appreciate your enthusiasm - keep it up! However, you have reached the maximum number of replies for new users on day one (this limit is in place for the safety of the community). You will be able to add new answers after 21 hours.

really? @sahsanu
I received a letter stating that the restrictions on sending messages have been lifted, but in fact there are still restrictions. I cleared cookies and cache; it didn’t help((

UPDv1.3:

I got the achievement, but sending messages is still not available((( help…
“Regular user.
This reward is awarded when you reach Trust Level 1. Thank you for staying on the forum and reading the threads and immersing yourself in the interests of our community. Restrictions placed on newcomers have now been lifted; You have all the basic community features, such as sending private messages, reporting, editing wiki posts, and the ability to post multiple images and links at once.”

No no, you don’t need to execute those commands, I was just showing the part of the function in Hestia that copies the certs from the location that you said was not used :wink:
