Good afternoon. Tell me this: I recently discovered a problem with the mail server. Existing mail accounts work correctly and normally, but if you create a new mailbox and try to connect it via IMAP, then in the Dovecot logs you get an error of the format “Oct 20 11:52:13 imap-login: Error: Failed to initialize SSL server context: Can’t load SSL certificate (ssl_cert setting): error:0A00008B:SSL routines::unknown command: section=system_default, cmd=system_default, arg=hestia_openssl_sect: user=<>, rip=xxx, lip=xxx, session=<YW0d/SEI9M1beouE>”. The webmail certificate was updated via Let’s Encrypt with the standard functionality, without dancing with a tambourine. Please help in this situation; the latest panel release is v1.8.8.
Hello @Ap4uuk,
I don’t know how to resolve your issue and it is strange that this happens only with new mail accounts (or are you talking about a new mail domain?) but the error message points to these sections in /etc/ssl/openssl.cnf
[ssl_sect]
system_default = hestia_openssl_sect
[hestia_openssl_sect]
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = PrioritizeChaCha
Could you please show your system and openssl versions?
lsb_release -a
openssl version
Also show the output of these commands (replace USER with your real user and DOMAIN with the real domain):
cat /etc/dovecot/conf.d/domains/DOMAIN.conf
ls -lh /home/USER/conf/mail/DOMAIN/ssl/
openssl x509 -noout -pubkey -in /home/USER/conf/mail/DOMAIN/ssl/DOMAIN.pem | openssl md5
openssl pkey -pubout -in /home/USER/conf/mail/DOMAIN/ssl/DOMAIN.key | openssl md5
Hello, @sahsanu!
Output of the lsb_release command:
root@panel:~# lsb_release -a
LSB Version: core-11.1.0ubuntu4-noarch:security-11.1.0ubuntu4-noarch
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
Output of the openssl version command:
root@panel:~# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
1:
root@panel:~# cat /etc/dovecot/conf.d/domains/imw-rpg.ru.conf
local_name mail.imw-rpg.ru {
ssl_cert = </home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.pem
ssl_key = </home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.key
}
2:
root@panel:~# ls -lh /home/amores/conf/mail/imw-rpg.ru/ssl/
total 20K
-rw-r--r-- 1 amores mail 3,7K окт 20 11:50 imw-rpg.ru.ca
-rw-r--r-- 1 amores mail 2,1K окт 20 11:50 imw-rpg.ru.crt
-rw-r--r-- 1 amores mail 3,2K окт 20 11:50 imw-rpg.ru.key
-rw-r--r-- 1 amores mail 5,8K окт 20 11:50 imw-rpg.ru.pem
3:
root@panel:~# openssl x509 -noout -pubkey -in /home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.pem | openssl md5
MD5(stdin)= 8a4b9973be9d3fbe53bcc4d80d0f4893
4:
root@panel:~# openssl pkey -pubout -in /home/amores/conf/mail/imw-rpg.ru/ssl/imw-rpg.ru.key | openssl md5
MD5(stdin)= 8a4b9973be9d3fbe53bcc4d80d0f4893
@sahsanu Maybe the problem is that in this config this parameter is duplicated with different values?
No, I’m adding a new account to the mail domain, and I connected the new account via Outlook using the IMAP protocol.
Using the webmail it works fine? Because that is really strange.
I don’t know whether that will solve the issue, but you should not have a duplicated system_default option. Comment out the line that points to system_default_sect.
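An added shell check (example code, not from this thread and not Hestia’s own) that reports any key listed more than once inside one section of an OpenSSL-style config, such as two system_default lines under [ssl_sect], and that repeats the certificate/private-key public-key comparison asked for earlier in the thread; the openssl.cnf fragment it runs on is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: find keys that appear more than once
# inside one section of an OpenSSL-style INI file (e.g. two "system_default"
# lines under [ssl_sect] in /etc/ssl/openssl.cnf).
# dup_keys_in_section FILE SECTION -> prints "key=count" for each duplicate;
# exit status 0 when the section is clean, 1 when a duplicate exists.
dup_keys_in_section() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (s == want); next
        }
        in_sec && /=/ {                             # key = value inside wanted section
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            count[k]++
        }
        END {
            rc = 0
            for (k in count) if (count[k] > 1) { print k "=" count[k]; rc = 1 }
            exit rc
        }' "$1"
}

# Same public-key comparison sahsanu asked for: the cert and the private key
# must yield identical digests, otherwise Dovecot cannot load the pair.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    k=$(openssl pkey -pubout -in "$2" | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample: the Ubuntu default system_default line plus the one
# Hestia appends, which is the duplication discussed above.
SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
[ssl_sect]
system_default = system_default_sect
system_default = hestia_openssl_sect
[hestia_openssl_sect]
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Options = PrioritizeChaCha
EOF

if dup_keys_in_section "$SAMPLE_CNF" ssl_sect; then
    echo "[ssl_sect] has no duplicated keys"
else
    echo "[ssl_sect] has duplicated keys (listed above); comment one of them out"
fi
```

Run it against the real file with `dup_keys_in_section /etc/ssl/openssl.cnf ssl_sect`, and `cert_key_match DOMAIN.pem DOMAIN.key` returns success only when both digests agree.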
I haven’t checked this; now I’ll try to comment out the line. What additionally needs to be restarted for the changes to take effect? Now I will check and let you know whether I was able to log in via the webmail.
I don’t think you would need to restart anything, but just in case, restart dovecot
@sahsanu
It didn’t help. I made the changes and restarted dovecot and additionally Exim4, with no result. The same error in Outlook sounds like this: “Could not connect to the incoming message server (IMAP) using the specified encryption method. Check the encryption method of the incoming message server (IMAP) and try again.”
Can you connect to other mail users using the same conf in Outlook?
Did you try via webmail?
What are the options used in Outlook to configure imap?
I specified the settings in Outlook that Hestia gives when creating or changing the parameters of an account. Logging in via webmail works correctly; there are no problems with this. I haven’t tried it; I’m afraid that if I delete the current account from Outlook, then I won’t be able to log into it again. The new accounts that I add do not work.
SSL/TLS ports: 993 and 465
Change the port to 143 (no STARTTLS and no SSL/TLS) and you should be able to log in. I don’t know the reason, but you are not serving any certificate, neither on port 143+STARTTLS nor on port 993:
$ openssl s_client -connect mail.imw-rpg.ru:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
$ openssl s_client -starttls imap -connect mail.imw-rpg.ru:143
CONNECTED(00000003)
407799D7DF7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 341 bytes and written 343 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
With POP3 you have the same issue, but TLS on SMTP port 465 works fine.
So it seems dovecot is not configured correctly, or there is some other strange issue…
Show the output of:
grep -r include_try /etc/dovecot/
cat /etc/dovecot/conf.d/10-ssl.conf
root@panel:~# grep -r include_try /etc/dovecot/
/etc/dovecot/dovecot.conf:!include_try conf.d/domains/*.conf
root@panel:~# cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cert = </usr/local/hestia/ssl/certificate.crt
ssl_key = </usr/local/hestia/ssl/certificate.key
# From and up to version 2.2
#ssl_dh_parameters_length = 4096
# From version 2.3
ssl_dh = </etc/ssl/dhparam.pem
Everything is there, valid certificates.
The question is what could break it; nothing critical was introduced into the system.
I can’t see any problem in that conf.
Could you please show the size and number of lines in dhparam?
ls -lh /etc/ssl/dhparam.pem
grep -c '' /etc/ssl/dhparam.pem
And you also said that this key /usr/local/hestia/ssl/certificate.key and cert /usr/local/hestia/ssl/certificate.crt are ok… right?
Looks like he’ll live another 4 days
Command output:
1:
root@panel:~# ls -lh /etc/ssl/dhparam.pem
-rw-r--r-- 1 root root 769 июн 3 17:45 /etc/ssl/dhparam.pem
2:
root@panel:~# grep -c '' /etc/ssl/dhparam.pem
13
dhparam.pem looks fine too
They do. Hestia creates them in those dirs and then copies them to the user’s homedir:
cp -f $USER_DATA/ssl/mail.$domain.crt $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.crt
cp -f $USER_DATA/ssl/mail.$domain.key $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key
cp -f $USER_DATA/ssl/mail.$domain.pem $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem
Try to check the dovecot log, just in case you can see any other error, because I’m running out of ideas.
Does this need to be done from the user account where the webmail is installed?
out: cp: cannot stat ‘/ssl/mail…crt’: No such file or directory
omg…
An error has occurred: We appreciate your enthusiasm - keep it up! However, you have reached the maximum number of replies for new users on day one (this limit is in place for the safety of the community). You will be able to add new answers after 21 hours.
really? @sahsanu
I received a letter stating that the restrictions on sending messages have been lifted, but in fact there are still restrictions. I cleared cookies and cache; it didn’t help((
UPDv1.3:
I got the achievement, but sending messages is still not available((( help…
“Regular user.
This reward is awarded when you reach Trust Level 1. Thank you for staying on the forum and reading the threads and immersing yourself in the interests of our community. Restrictions placed on newcomers have now been lifted; You have all the basic community features, such as sending private messages, reporting, editing wiki posts, and the ability to post multiple images and links at once.”
No no, you don’t need to execute those commands; I was just showing the part of the function in Hestia that copies the certs from the location that you said was not used.