We are running HestiaCP 1.4.2 on Ubuntu 20.04. Plain vanilla installation.
We have a 3rd party app that needs to connect to the POP3 server to receive incoming email, but I have been unable to get it to work. The 3rd party app uses whatever library it has and has very limited configuration capability. However, the 3rd party app connects without issue to outlook.office365.com on port 995 with “SSL Enabled” and “STARTTLS Disabled”. (We’re hoping to move away from outlook.office365.com to HestiaCP/dovecot.)
I can enable/disable SSL on the 3rd party app, enable/disable STARTTLS, and change the port it tries to connect to. I’ve tried all combinations of SSL/STARTTLS/port 995,110 with no success.
I can see that dovecot is listening on the correct ports:
~$ sudo lsof -Pnl +M -i4 | egrep 'dovecot'
dovecot 704 0 21u IPv4 31809 0t0 TCP *:110 (LISTEN)
dovecot 704 0 23u IPv4 31811 0t0 TCP *:995 (LISTEN)
dovecot 704 0 38u IPv4 31824 0t0 TCP *:143 (LISTEN)
dovecot 704 0 40u IPv4 31826 0t0 TCP *:993 (LISTEN)
The error messages I see in /var/log/dovecot.log are the following:
Jun 05 17:24:31 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<8VfVFAjEyPUocc5u>
and
Jun 05 17:23:08 pop3-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: Connection closed, session=<reXZDwjE5/Qocc5u>
The first error is generated when SSL is enabled on the 3rd party app, regardless of whether STARTTLS is enabled or not.
The second error message is generated if I disable SSL in the 3rd party app, again regardless of STARTTLS setting.
Ideally, I’d like to get this working with SSL enabled and STARTTLS disabled since it’s my understanding that that is the most secure configuration.
Has anyone else had a problem with connections to the HestiaCP/dovecot POP3 server? Any ideas on what I can change to configure our server to accept the connection?
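An added example, not part of the original post: a small triage script that parses dovecot pre-auth disconnect lines like the two quoted above and tallies handshake failures per service, remote IP and cause. The regular expressions are written against the layout of those two lines only, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the two dovecot.log lines quoted in the post.
SAMPLE_LOG = """\
Jun 05 17:24:31 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<8VfVFAjEyPUocc5u>
Jun 05 17:23:08 pop3-login: Info: Disconnected (no auth attempts in 30 secs): user=<>, rip=40.113.206.110, lip=67.130.83.99, TLS handshaking: Connection closed, session=<reXZDwjE5/Qocc5u>
"""

# Layout of a pre-auth disconnect line as it appears in the quoted log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<service>[\w-]+): Info: "
    r"Disconnected \(no auth attempts in (?P<secs>\d+) secs\): user=<[^>]*>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: (?P<tls>.*), session=<(?P<session>[^>]+)>$"
)
# OpenSSL 1.1.x error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.+)$"
)

def parse_line(line):
    """Return the fields of one TLS-handshake disconnect line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["secs"] = int(rec["secs"])
    ossl = OPENSSL_RE.search(rec["tls"])
    # Prefer the OpenSSL reason when present; otherwise keep dovecot's own text.
    rec["openssl"] = ossl.groupdict() if ossl else None
    rec["cause"] = ossl.group("reason") if ossl else rec["tls"]
    return rec

def summarize(log_text):
    """Count handshake failures per (service, remote IP, cause)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["service"], rec["rip"], rec["cause"])] += 1
    return counts

if __name__ == "__main__":
    for (service, rip, cause), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {service:<11} {rip:<16} {cause}")
```

The `unsupported protocol` reason is what OpenSSL reports when the protocol version offered in the ClientHello is not one the server side has enabled, so grouping by cause separates version mismatches from connections that closed before any handshake data arrived.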