POP3 Connection Failure

We are running HestiaCP 1.4.2 on Ubuntu 20.04. Plain vanilla installation.

We have a 3rd party app that needs to connect to the POP3 server to receive incoming email, but I have been unable to get it to work. The 3rd party app uses whatever library it has and has very limited configuration capability. However, the 3rd party app connects without issue to outlook.office365.com on port 995 with “SSL Enabled” and “STARTTLS Disabled”. (We’re hoping to move away from outlook.office365.com to HestiaCP/dovecot.)

I can enable/disable SSL on the 3rd party app, enable/disable STARTTLS, and change the port it tries to connect to. I’ve tried all combinations of SSL/STARTTLS/port 995,110 with no success.

I can see that dovecot is listening on the correct ports:

~$ sudo lsof -Pnl +M -i4 | egrep 'dovecot'
dovecot      704        0   21u  IPv4  31809      0t0  TCP *:110 (LISTEN)
dovecot      704        0   23u  IPv4  31811      0t0  TCP *:995 (LISTEN)
dovecot      704        0   38u  IPv4  31824      0t0  TCP *:143 (LISTEN)
dovecot      704        0   40u  IPv4  31826      0t0  TCP *:993 (LISTEN)

The error messages I see in /var/log/dovecot.log are the following:

Jun 05 17:24:31 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<8VfVFAjEyPUocc5u>

and

Jun 05 17:23:08 pop3-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: Connection closed, session=<reXZDwjE5/Qocc5u>

The first error is generated when SSL is enabled on the 3rd party app, regardless of whether STARTTLS is enabled or not.

The second error message is generated if I disable SSL in the 3rd party app, again regardless of STARTTLS setting.

Ideally, I’d like to get this working with SSL enabled and STARTTLS disabled since it’s my understanding that that is the most secure configuration.

Has anyone else had a problem with connections to the HestiaCP/dovecot POP3 server? Any ideas on what I can change to configure our server to accept the connection?

FWIW… When I try to connect to the HestiaCP/dovecot POP3 server using Mozilla Thunderbird using the same login credentials I use for the 3rd party app, it works successfully. :tada::tada: But, only if I connect to port 995 with “SSL/TLS” and with “Normal password” for the “Authentication method”.

If I try to change the Authentication method to “Encrypted password”, it fails but I get a slightly different error message than what I see when the 3rd party app fails to connect:

Jun 05 18:23:54 pop3-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, rip=72.200.109.181, lip=67.130.83.99, TLS, session=<4dor6QjEum1IyG21>
Jun 05 18:23:54 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<NCww6QjEHdMocc5u>

Have you enabled mail ssl in hestia? If yes, mail.domain.tld with SSL/TLS on Port 995 (and without startssl) should work out of the box.

Personally, I would stay on Microsoft Exchange Online - e-mail delivery is not worth the hassle :slight_smile:.

Really appreciate the tip about staying with MS Exchange Online, but it’s not an option.

We do have SSL enabled. That’s why I can connect to [email protected] on port 995 with SSL/TLS and “Normal password” when I connect from Thunderbird.

I still need to figure out how to configure HestiaCP so that the 3rd party app can connect. And, I’d love to know how to configure HestiaCP/dovecot so that Thunderbird could connect with “Encrypted password”. I suspect that might fix the issue with the 3rd party app.

Any ideas where to look for answers?

Great article in the Dovecot documentation for anyone following after me. Clarified the SSL v TLS v STARTTLS question that has been nagging at me for a while: SSL — Dovecot documentation


I’ve had issues with people using old email clients to connect to Hestia, which result in those sort of error messages. Basically dovecot is moving to a more modern SSL config, to discourage the old, insecure protocols. But when you do that, old email clients (eg Outlook 2013 and even earlier) can’t connect. Probably the correct thing to do is to persuade them to upgrade their software, or change to a free, modern email client like Thunderbird. But people don’t like to change.

So, if you’re in that position, then look at /etc/dovecot/conf.d/10-ssl.conf. If you comment out this line, it drops back to the (insecure) TLSv1 config:

#ssl_min_protocol=TLSv1.2

And now old Outlooks can connect. Note you are deliberately making your server less secure.
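As an added example (not code from the thread or from Hestia/Dovecot), a small Python parser that classifies dovecot.log disconnect lines like the ones quoted above by remote IP, so the clients that are still offering a TLS version below ssl_min_protocol can be found and upgraded instead of lowering the server's minimum. The sample log is constructed from the excerpts in the thread plus one made-up successful login; the user, IP and session values on that line are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three disconnect lines quoted in this thread plus one
# made-up successful login (alice / 198.51.100.7 are placeholders, not real data).
SAMPLE_LOG = """\
Jun 05 17:24:31 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<8VfVFAjEyPUocc5u>
Jun 05 17:23:08 pop3-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: Connection closed, session=<reXZDwjE5/Qocc5u>
Jun 05 18:23:54 pop3-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, rip=72.200.109.181, lip=67.130.83.99, TLS, session=<4dor6QjEum1IyG21>
Jun 05 18:30:00 pop3-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=67.130.83.99, mpid=1234, TLS, session=<cnstrctd00000001>
"""

# Matches the "<svc>-login: Info: Disconnected (...): ..." and "Login: ..." lines.
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+-login: Info: "
    r"(?P<event>Disconnected|Login)(?: \([^)]*\))?: (?P<rest>.*)$"
)

def classify(event, rest):
    """Map one dovecot login-process line to the failure mode it indicates."""
    if event == "Login":
        return "login_ok"
    if "unsupported protocol" in rest:
        return "legacy_tls_version"  # ClientHello below ssl_min_protocol: legacy client
    if "TLS handshaking:" in rest:
        return "handshake_failed"    # TLS never completed, e.g. plaintext/STARTTLS sent to port 995
    if ", TLS," in rest:
        return "tls_ok_no_auth"      # TLS fine, but no AUTH followed (mechanism mismatch?)
    return "other"

def parse_line(line):
    """Return (remote_ip, kind) for a login-process line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rip = re.search(r"rip=([^,]+)", m.group("rest"))
    return (rip.group(1) if rip else None, classify(m.group("event"), m.group("rest")))

def summarize(log_text):
    """Count failure modes per remote IP."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]][rec[1]] += 1
    return {ip: dict(c) for ip, c in by_ip.items()}

def legacy_clients(log_text):
    """IPs rejected for an old TLS version: upgrade these clients, not ssl_min_protocol."""
    return sorted(ip for ip, c in summarize(log_text).items() if c.get("legacy_tls_version"))
```

Run it over a real /var/log/dovecot.log to get the per-IP breakdown; an IP that only ever shows up as legacy_tls_version is a client to upgrade, while tls_ok_no_auth points at the authentication-method setting rather than TLS.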