Email client connectivity

Ubuntu 20.xx LTS server
EXIM4 + Dovecot as mailservers

Admin user :

  • 3 Users (incl. 1 himself).
  • 1 Webdomain
  • 0 DNS records
  • 0 mail accounts

User 1(example[.]com)

  • 1 webdomain → example[.]com
  • DNS entries for example[.]com
  • 1 mail domain (example[.]com) with 6 Email accounts with Let’s Encrypt SSL.

DNS values for User 1:

  • MX — example[.]com Priority 0
  • MX — mail.example[.]com Priority 10

User 2 has a similar configuration.

While all mailboxes are receiving email - as checked through Webmail - none of the users is able to connect email clients to the mail server in question.

I’ve tried running a PHP script from local machine and it gives the following error:

? Attempting to connect to: mail.example[.]com:465
Error: 0 - php_network_getaddresses: getaddrinfo failed: nodename nor servname provided, or not known

I’ve tried a combination of settings, ports (143, 465, 993), STARTTLS/SSL. Tried disabling the firewall (iptables and fail2ban) but it isn’t the one causing any problems.

Cross-checked DNS propagation - MX entries have propagated; even then tried removing and re-adding the MX entries, but still the same issue.

What am I overlooking?

2 Likes

Hi @TyrannosaurHex

Thanks for the detailed reports. I would suggest adding webmail.domain.tld and mail.domain.tld records for the domains, then proceeding with enabling Let’s Encrypt SSL for mail (edit mail domain, tick SSL, tick Let’s Encrypt -> save and wait until finished). Then use SSL (465 for SMTPS and 993 for IMAPS) with the domain name mail.domain.tld - should work out of the box and gives you a secure connection :slight_smile:.

PS: Could also point out any DNS issues when you request the cert. Also a small note: I don’t understand why you add two MX records with the same target?

1 Like

Thanks for the response.

Made a little progress after your suggestion of adding the two sub-domains. It seems to be connecting now, however, the self-signed SSL cert for mail is being presented for the admin’s domain and not for the actual domain. Cross checked Let’s Encrypt is enabled for both the domain + mail.

Run v-add-letsencrypt-host to generate an LE certificate for Let’s Encrypt

Still stuck on this. While connecting email clients to mail.domain.tld the self-signed certificate of admin domain is being presented.

Just to review the setup:

admin[.]com ---- 3 Users(1itself) - 1 Webuser(itself) - 0 DNS - 0 Mail
|
|___example[.]com --- 3 webusers - 1 DNS zone - 1 mail domain
             |
             |_Web Users______example[.]com (LE SSL Enabled)
             | |_________mail[.]example[.]com (LE SSL Enabled)
             | |_________webmail[.]example[.]com (LE SSL Enabled)
             |
             |____Mail Domain _____example[.]com (LE SSL Enabled) 

DNS entries include all entries for mail & webmail.

Tried running “v-add-letsencrypt-host example[.]com”. It does not return any messages, so I am guessing it is succeeding. However, this is redundant since Let’s Encrypt is already enabled in HestiaCP for example[.]com.

Help!

I suggest not hosting anything under the admin user; you should be warned when you add a web domain. Please create a separate user for it, then add the web and mail accounts there. If it still fails, update us, so we can proceed with further debugging.

The admin domain was a different one than the domain facing this issue. Anyhow, did a complete reinstall and this time no web domain under the admin user; still the self-signed root certificate gets served to the email accounts under domain1.tld.

Edit: So this is 100% related to mail SNI not working.

What do you put as server names in the client?

Also waiting for solutions for this
hehehe, testing everything the same as @TyrannosaurHex

Still the same result, cannot connect using email client :sob:

In my case it is

mail.domain.tld

for the server name on the email client

mail.domain.tld should be correct. Did you try to telnet to it from the box where your client is running? Or at least ping to make sure the IP is resolved properly?

If it resolves, what do the logfiles (dovecot) say about the connection attempt? You obviously wanna search for your local IP and the correct timestamp :wink:

done all you said,
beside checking the logfiles

I have configured HestiaCP and I cannot get the mail to work correctly: when sending the emails they arrive in Spam, and when I try to add an account with a Thunderbird client it tells me that the smtp server without encryption …

The below tests should be done on Windows 10 command line.

1. DNS checks

nslookup mail.example.com
nslookup webmail.example.com

Both should resolve to an IP address

2. Connectivity test
You may need to enable the telnet option in Windows for the following tests.

telnet mail.example.com 993

You should get a completely black screen. Pressing CTRL+] should get you a telnet prompt and pressing q inside the telnet prompt (followed by the Enter key) should get you out of telnet.
If you don’t get a completely black screen by running the above command then your server is either ( a ) not listening for connections on port 993 (aka dovecot service is not running) or ( b ) your firewall is not configured to allow connections to port 993, or ( c ) your IP has been blacklisted after many unsuccessful connection attempts.

Solutions:
( a ) Check that the service is running by issuing the following command on the server

systemctl status dovecot

Should get something like this:

dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since …

If not, then you need to check your server/service.

( b ) In Hestia UI go to Settings > Firewall and make sure there is an ALLOW rule for ports 143,993 (IMAP).

( c ) In Hestia UI go to Settings > Firewall > Manage Banned IPs and make sure the IP of your computer’s connection is not listed there.

3. Server name / hostname certificate
To get a valid TLS certificate for your server, you need to have a fully qualified domain name, that resolves to the server’s IP. For example, if the server’s hostname is server1.ultraserver.com, then you need to have an A record (server1) in the ultraserver.com zone, pointing to the IP of the server.

For email, it is also preferred to have a reverse DNS (rDNS) name too. So that the IP of the server resolves to the server’s hostname. You may need to contact your server operator/host, or you might be able to change that in the server’s control panel. To check if you have a correct rDNS name, run the following on your Windows PC:
nslookup xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your server’s IPv4 address.

If those check OK, then run the Hestia command on the server (as already suggested)
v-add-letsencrypt-host
(no parameters!) This should get your server a valid TLS certificate for the name server1.ultraserver.com that will replace the self-signed one.

4. TLS certificate for email domain
If both checks in 1. DNS checks are successful, then go to the Hestia UI, log in as the user who is hosting the example.com zone/mail > click Mail tab > click the pencil icon next to example.com to edit the mail domain > check the option “Enable SSL for this domain” > click save. This will get you a valid TLS certificate for the names mail.example.com and webmail.example.com

5. One domain name for both server name and mail domain
If you only have one domain name (e.g. onedomain.com) that will both host email and be the DNS server of the domain and the server’s hostname (e.g. server1.onedomain.com) then do the following.

  1. Setup Hestia and set the server’s hostname to server1.onedomain.com
  2. Create a new Hestia user (e.g. u1) and log in as that user
  3. Click on the DNS tab and then click Add DNS zone, fill in the domain name onedomain.com and click Save. This will create the DNS zone with the correct settings.
  4. Click Mail tab and then click on Add Mail domain. Fill in the domain name onedomain.com and click Save.
  5. Go to your registrar and set the authoritative DNS of the onedomain.com to your server’s name/IP. This will complete the DNS setup of the onedomain.com domain so you can start getting Let’s Encrypt Certificates.

4 Likes
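
Steps 1 and 2 of the guide above (name resolution, then reachability of port 993), followed by a TLS handshake that sends the mail hostname as SNI, which is where the self-signed-certificate symptom from earlier in the thread shows up. This is an added example, not part of any post and not HestiaCP code; the function names are made up here and mail.example.com is the guide's placeholder.

```python
import socket
import ssl

# OpenSSL verification codes that match the symptoms seen in this thread.
VERIFY_HINTS = {
    10: "certificate has expired",
    18: "server presented a self-signed certificate",
    19: "self-signed certificate in the chain",
    20: "issuer not trusted or chain incomplete",
    62: "certificate does not cover the requested name",
}

def explain_verify_error(code):
    """Translate an OpenSSL verify code into a short diagnosis."""
    return VERIFY_HINTS.get(code, f"verification failed (OpenSSL code {code})")

def diagnose(host, port=993, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls', 'cert' or 'ok'."""
    # Stage 1: the lookup nslookup performs. A failure here is the
    # "getaddrinfo failed" error from the PHP script in the first post.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    # Stage 2: the equivalent of "telnet host 993".
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot connect to {host}:{port}: {exc}"
    # Stage 3: implicit TLS. server_hostname is sent as SNI and is also
    # the name the certificate is verified against.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "cert", explain_verify_error(exc.verify_code)
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake failed: {exc}"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return "ok", "valid certificate for " + ", ".join(names)

if __name__ == "__main__":
    # Placeholder hostname taken from the guide above.
    print(diagnose("mail.example.com", 993))
```

Pointing it at port 143 reports stage `tls`, because that port expects STARTTLS after a plaintext greeting rather than TLS from the first byte.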

Awesome guide @Felix Thanks for your effort :sunglasses:

1 Like

I have this case on my VPS
but
on my other VPS, I don’t get this case and it is working nicely
please check my post on the other thread for the details

strange, isn’t it?

For the spam case I use an SMTP relay as the solution

No, it’s all about IP reputation and listening :slight_smile:.

:pray:
hehehe…
can you inform more

so sorry if make you troublesome in some point

So the IP has a bad reputation due to spam / other issues, and building a decent reputation takes time…

Thanks bro…sadly that the ip is :sob::sob::sob:
Hehehe

Anyway Hestia keep rocking :love_you_gesture: