Immer mal wieder hat mein Mail-Server Schluckauf: Hin und wieder kommt es vor, dass Mails einfach nicht gesendet bzw. empfangen werden. Nach einem Neustart der Services funktioniert es dann wieder. Ich starte meine Programme z.B. nach einem Update mit `service -R`. Danach muss ich dovecot und postfix aber trotzdem nochmal manuell neustarten, dann funktioniert es wieder.
Meldung aus dem Log; ich habe die Pfade nochmals geprüft, und alle Zertifikate sind dort, wo sie sein sollen. (Hinweis zum Verständnis der Meldung: „where=0x4004“ ist ein vom Client *empfangener* Alert, d.h. der Client lehnt die vom Server gesendete Zertifikatskette ab — Alert 46 „certificate unknown“. Ein falscher Dateipfad würde sich anders äußern, typischerweise als Fehler schon beim Laden des Zertifikats.)
dovecot.conf
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [46.237.215.154]$
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [46.237.215.154]$
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.237.215.154, lip=213.202.230.17, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<7nqypyNdAKwu7dea>$
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [46.237.215.154]$
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [46.237.215.154]$
Nov 4 09:03:22 phoenix-blog dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.237.215.154, lip=213.202.230.17, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<qJS0pyNd8L4u7dea>$
EDIT
Hier meine confs; die Pfade stimmen.
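# dovecot.conf — reviewed copy. Comments added; value changes are marked CHANGED.
# PLAIN/LOGIN send the password in clear inside the TLS session; acceptable only
# because "ssl = required" below refuses any unencrypted login.
auth_mechanisms = plain login
auth_verbose = yes
first_valid_gid = 5000
first_valid_uid = 5000
hostname = mail.phoenix-blog.de
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = *, ::
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
mail_location = maildir:/data/vmail/%d/%n
namespace inbox {
  inbox = yes
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
}
passdb {
  # Passwords are SSHA512-hashed in a flat file; uid/gid/home are forced to the
  # single vmail identity regardless of what the file contains.
  args = scheme=ssha512 username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Archive:storage=+1G
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmaster@phoenix-blog.de
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
protocols = imap lmtp
quota_full_tempfail = yes
sendmail_path = /usr/local/sbin/sendmail
service auth {
  # SASL socket used by Postfix (smtpd_sasl_path = private/auth). Restricted to
  # the postfix user/group so nothing else on the host can drive authentication
  # through it.
  unix_listener /data/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0660
  }
}
service imap-login {
  # Cleartext IMAP (143) is switched off; only implicit-TLS IMAPS on 993.
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service pop3-login {
  # POP3 is not in "protocols" and both listeners are disabled.
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl = required
# ssl_ca is NOT what makes Dovecot send the intermediate certificate: it is the
# trust store used to verify *client* certificates. The logged "certificate
# unknown" (alert 46, where=0x4004 = alert read from the peer) is sent by the
# client, i.e. the client rejects the chain this server presents. Append the
# intermediate CA certificate(s) to the ssl_cert file, after the server
# certificate, and confirm the certificate's SAN list covers
# "mail.phoenix-blog.de" (the file is named for www.phoenix-blog.de).
# Dovecot reads the certificate files only at start/reload, so a renewed
# certificate is not served until then — one plausible reason the problem goes
# away after a restart; TODO confirm against renewal times.
# ssl_ca = </etc/ssl/mail/www.phoenix-blog.de.ca
ssl_cert = </etc/ssl/mail/www.phoenix-blog.de.crt
# CHANGED: 3DES suites (EECDH+ECDSA+3DES, EECDH+3DES, EDH+3DES) removed —
# 64-bit block cipher (SWEET32). The remaining preference order (ECDHE/DHE
# only, AEAD first, server-chosen) is unchanged.
ssl_cipher_list = EECDH+ECDSA+CHACHA20 EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+AESGCM EECDH+ECDSA+AES256 EECDH+AES256 EECDH+ECDSA+AES128 EECDH+AES128 EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 !CAMELLIA !SEED !IDEA !RC2 !RC4 !kSRP !kGOST !kECDHr !kECDHe !kDHr !kDHd !aDSS !aPSK !aNULL !eNULL !MEDIUM !LOW !EXPORT
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/mail/www.phoenix-blog.de.key
# TLS compression disabled (CRIME).
ssl_options = NO_COMPRESSION
ssl_parameters_regenerate = 6 hours
ssl_prefer_server_ciphers = yes
# Only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 are still offered. Extend
# to "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1" once the client population allows it.
ssl_protocols = !SSLv2 !SSLv3
userdb {
  args = username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
verbose_proctitle = yes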
verbose_ssl = yes
main.cf
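# main.cf — reviewed copy. Comments added; value changes are marked CHANGED.
# Postfix syntax reminder: continuation lines must start with whitespace and
# comments are only recognised at column 0 (never trailing a parameter).
always_add_missing_headers = yes
allow_percent_hack = no
biff = no
compatibility_level = 2
data_directory = /data/db/postfix
# VRFY disabled: removes a cheap address-harvesting primitive.
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = .maildir/
inet_interfaces = all
inet_protocols = all
# CHANGED: sha1 -> sha256 for certificate fingerprint matching. Only consulted
# at security level "fingerprint" (none is configured here), so no runtime
# effect today; avoids a SHA-1 dependency if fingerprint policies are added.
lmtp_tls_fingerprint_digest = sha256
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
mail_spool_directory = /data/vmail
mailbox_size_limit = 0
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
# 0 = no message size limit; a single oversized submission can exhaust the
# queue filesystem. Consider a finite value (the Postfix default is 10240000).
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = phoenix-blog.de
myhostname = mail.$mydomain
# Only this host itself counts as "mynetworks" for the permit_mynetworks rules.
mynetworks_style = host
notify_classes = data, protocol, resource, software
openssl_path = /usr/local/bin/openssl
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
# CHANGED: this parameter was listed twice; Postfix takes the last occurrence,
# which was also "enforce", so behaviour is unchanged.
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-4
    list.dnswl.org=127.0.[0..255].2*-6
    list.dnswl.org=127.0.[0..255].3*-8
    zen.spamhaus.org=127.0.0.9*25
    zen.spamhaus.org=127.0.0.3*10
    zen.spamhaus.org=127.0.0.2*5
    zen.spamhaus.org=127.0.0.[4..7]*3
    zen.spamhaus.org=127.0.0.[10..11]*3
    swl.spamhaus.org*-10
    bl.mailspike.net=127.0.0.2*10
    bl.mailspike.net=127.0.0.10*5
    bl.mailspike.net=127.0.0.11*4
    bl.mailspike.net=127.0.0.12*3
    bl.mailspike.net=127.0.0.13*2
    bl.mailspike.net=127.0.0.14*1
    wl.mailspike.net=127.0.0.16*-2
    wl.mailspike.net=127.0.0.17*-4
    wl.mailspike.net=127.0.0.18*-6
    wl.mailspike.net=127.0.0.19*-8
    wl.mailspike.net=127.0.0.20*-10
    backscatter.spameatingmonkey.net*2
    bl.ipv6.spameatingmonkey.net*2
    bl.spameatingmonkey.net*2
    ix.dnsbl.manitu.net*2
    bl.spamcop.net*2
    db.wpbl.info*2
    psbl.surriel.com*2
    torexit.dan.me.uk*2
    tor.dan.me.uk*1
    safe.dnsbl.sorbs.net*1
# CHANGED: duplicate "postscreen_dnsbl_threshold = 5" line removed (same value).
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_whitelist_threshold = 0
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /data/spool/postfix
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
show_user_unknown_table_name = no
smtp_dns_support_level = enabled
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
# CHANGED: sha1 -> sha256 (see lmtp_tls_fingerprint_digest).
smtp_tls_fingerprint_digest = sha256
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
# Outbound TLS is opportunistic: no peer certificate verification, and a
# failed STARTTLS falls back to cleartext. Where stronger guarantees are
# wanted, use "dane" (needs a validating DNSSEC resolver) or a per-destination
# smtp_tls_policy_maps with "secure"/"verify".
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtpd_client_auth_rate_limit = 20
smtpd_client_port_logging = yes
smtpd_client_restrictions =
    sleep 1,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_end_of_data_restrictions =
    permit
smtpd_etrn_restrictions =
    reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    permit
#smtpd_log_access_permit_actions = static:all
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access pcre:${config_directory}/recipient_checks.pcre,
    permit
# Relay control lives here (compatibility_level 2). defer_unauth_destination
# answers unauthenticated relay attempts with 4xx, so remote clients keep
# retrying; reject_unauth_destination (5xx) is the usual choice once you are
# sure the allow-lists above are correct.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination,
    permit
smtpd_sasl_auth_enable = yes
# Puts the SASL login name into the Received: header of submitted mail —
# useful for abuse tracing, but discloses account names to every recipient.
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
# Trust store for verifying *client* certificates. The intermediate CA
# certificate(s) remote peers need to validate this server belong in
# smtpd_tls_cert_file, after the server certificate; do not rely on CAfile to
# complete the presented chain.
smtpd_tls_CAfile = /etc/ssl/mail/www.phoenix-blog.de.ca
# AUTH is only advertised inside TLS — credentials never cross the wire in clear.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail/www.phoenix-blog.de.crt
smtpd_tls_ciphers = medium
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
# CHANGED: sha1 -> sha256 (see lmtp_tls_fingerprint_digest).
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /etc/ssl/mail/www.phoenix-blog.de.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Only SSLv2/SSLv3 are excluded; TLS 1.0/1.1 are still accepted. Tighten to
# "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" when the peer population allows it.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
# Inbound "may" is the right choice for an MX: "encrypt" would refuse
# legitimate senders that cannot do TLS.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_daemon_random_bytes = 64
# CHANGED: 3DES (EECDH+3DES, EDH+3DES, 3DES) removed from both lists — 64-bit
# block cipher (SWEET32). The medium list deliberately keeps the non-forward-
# secret AES suites, because opportunistic SMTP TLS that fails to negotiate a
# cipher falls back to cleartext, which is worse than a non-PFS AES session.
tls_high_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128
tls_medium_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 AESGCM AES256 AES128
tls_preempt_cipherlist = yes
tls_random_bytes = 64
# TLS compression disabled (CRIME).
tls_ssl_options = NO_COMPRESSION
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
# 450 tempfails unknown local recipients, so senders retry for days; switch to
# 550 once the local recipient tables are known to be complete.
unknown_local_recipient_reject_code = 450
virtual_alias_domains = hash:${config_directory}/virtual_alias_domains
virtual_alias_maps = hash:${config_directory}/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /data/vmail
virtual_mailbox_domains = hash:${config_directory}/virtual_mailbox_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:${config_directory}/virtual_mailbox_maps
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000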