[Solved] FreeBSD 11.1 Dovecot Postfix hiccups?

Proteus
Posts: 256
Joined: 2013-04-14 05:08
Location: Holzgerlingen

[Solved] FreeBSD 11.1 Dovecot Postfix hiccups?

Post by Proteus »

Hello,

every now and then my mail server has hiccups, in that it occasionally happens that mails simply are not sent or received. After a restart of the services it works again. I start my programs, e.g. after an update, with service -R. And then I still have to restart dovecot and postfix manually, after which it works again.

Message from the log; I have checked the paths again and all certificates are where they should be:

dovecot.conf

Code:

Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [46.237.215.154]
Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [46.237.215.154]
Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.237.215.154, lip=213.202.230.17, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<7nqypyNdAKwu7dea>
Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [46.237.215.154]
Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [46.237.215.154]
Nov  4 09:03:22 phoenix-blog dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.237.215.154, lip=213.202.230.17, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<qJS0pyNd8L4u7dea>

I don't quite understand this behaviour.

EDIT

Here are my configs; the paths are correct.

Code:

auth_mechanisms = plain login
auth_verbose = yes
first_valid_gid = 5000
first_valid_uid = 5000
hostname = mail.phoenix-blog.de
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = *, ::
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
mail_location = maildir:/data/vmail/%d/%n
namespace inbox {
  inbox = yes
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
}
passdb {
  args = scheme=ssha512 username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Archive:storage=+1G
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmaster@phoenix-blog.de
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
protocols = imap lmtp
quota_full_tempfail = yes
sendmail_path = /usr/local/sbin/sendmail
service auth {
  unix_listener /data/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0660
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl = required
# ssl_ca = </etc/ssl/mail/www.phoenix-blog.de.ca
ssl_cert = </etc/ssl/mail/www.phoenix-blog.de.crt
ssl_cipher_list = EECDH+ECDSA+CHACHA20 EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+AESGCM EECDH+ECDSA+AES256 EECDH+AES256 EECDH+ECDSA+AES128 EECDH+AES128 EECDH+ECDSA+3DES EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES !CAMELLIA !SEED !IDEA !RC2 !RC4 !kSRP !kGOST !kECDHr !kECDHe !kDHr !kDHd !aDSS !aPSK !aNULL !eNULL !MEDIUM !LOW !EXPORT
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/mail/www.phoenix-blog.de.key
ssl_options = NO_COMPRESSION
ssl_parameters_regenerate = 6 hours
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  args = username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
verbose_proctitle = yes
verbose_ssl = yes

main.cf

Code:

always_add_missing_headers = yes
allow_percent_hack = no
biff = no
compatibility_level = 2
data_directory = /data/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = .maildir/
inet_interfaces = all
inet_protocols = all
lmtp_tls_fingerprint_digest = sha1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
mail_spool_directory = /data/vmail
mailbox_size_limit = 0
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = phoenix-blog.de
myhostname = mail.$mydomain
mynetworks_style = host
notify_classes = data, protocol, resource, software
openssl_path = /usr/local/bin/openssl
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-4
  list.dnswl.org=127.0.[0..255].2*-6
  list.dnswl.org=127.0.[0..255].3*-8
  zen.spamhaus.org=127.0.0.9*25
  zen.spamhaus.org=127.0.0.3*10
  zen.spamhaus.org=127.0.0.2*5
  zen.spamhaus.org=127.0.0.[4..7]*3
  zen.spamhaus.org=127.0.0.[10..11]*3
  swl.spamhaus.org*-10
  bl.mailspike.net=127.0.0.2*10
  bl.mailspike.net=127.0.0.10*5
  bl.mailspike.net=127.0.0.11*4
  bl.mailspike.net=127.0.0.12*3
  bl.mailspike.net=127.0.0.13*2
  bl.mailspike.net=127.0.0.14*1
  wl.mailspike.net=127.0.0.16*-2
  wl.mailspike.net=127.0.0.17*-4
  wl.mailspike.net=127.0.0.18*-6
  wl.mailspike.net=127.0.0.19*-8
  wl.mailspike.net=127.0.0.20*-10
  backscatter.spameatingmonkey.net*2
  bl.ipv6.spameatingmonkey.net*2
  bl.spameatingmonkey.net*2
  ix.dnsbl.manitu.net*2
  bl.spamcop.net*2
  db.wpbl.info*2
  psbl.surriel.com*2
  torexit.dan.me.uk*2
  tor.dan.me.uk*1
  safe.dnsbl.sorbs.net*1
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_whitelist_threshold = 0
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /data/spool/postfix
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
show_user_unknown_table_name = no
smtp_dns_support_level = enabled
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtpd_client_auth_rate_limit = 20
smtpd_client_port_logging = yes
smtpd_client_restrictions =
  sleep 1,
  permit
smtpd_data_restrictions =
  reject_unauth_pipelining,
  reject_multi_recipient_bounce,
  permit
smtpd_end_of_data_restrictions =
  permit
smtpd_etrn_restrictions =
  reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit
#smtpd_log_access_permit_actions = static:all
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  check_recipient_access pcre:${config_directory}/recipient_checks.pcre,
  permit
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_tls_CAfile = /etc/ssl/mail/www.phoenix-blog.de.ca
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail/www.phoenix-blog.de.crt
smtpd_tls_ciphers = medium
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/mail/www.phoenix-blog.de.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_daemon_random_bytes = 64
tls_high_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES
tls_medium_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES AESGCM AES256 AES128 3DES
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = NO_COMPRESSION
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
unknown_local_recipient_reject_code = 450
virtual_alias_domains = hash:${config_directory}/virtual_alias_domains
virtual_alias_maps = hash:${config_directory}/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /data/vmail
virtual_mailbox_domains = hash:${config_directory}/virtual_mailbox_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:${config_directory}/virtual_mailbox_maps
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
Last edited by Proteus on 2017-11-09 14:00, edited 1 time in total.
Best regards,
Proti

https://phoenix-blog.de

"But the camera will make noise at high ISO values. Unsuspecting, he held the camera up to his ear!"

Joe User
Project Manager
Posts: 11518
Joined: 2003-02-27 01:00
Location: Hamburg

Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Joe User »

Instead of `service -R` you should rather use

Code:

service dovecot restart ; service postfix restart
since `service -R` restarts all services and, for services installed via pkg/ports, cannot take any dependencies into account, because these are normally not (and cannot be) reflected in the respective init script.
PayPal.Me/JoeUser | FreeBSD Remote Installation
Wings for Life World Run

„If there’s more than one possible outcome of a job or task, and one
of those outcomes will result in disaster or an undesirable consequence,
then somebody will do it that way.“ -- Edward Aloysius Murphy Jr.


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Proteus »

I update my system with your update-ports script. Nothing via pkg, except when I occasionally uninstall something and build something from ports again.

The SSL messages are somehow giving me a headache.
Best regards,
Proti


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Joe User »

The SSL messages should no longer occur after the restarts of Dovecot and Postfix (as I suggested). If they still do, it would be important to know whether the connection attempts come from you or from third parties.
What kind of certificates are these? What settings have you configured in Thunderbird?
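The question above (do the failing attempts come from your own client or from third parties?) can be answered from the log rather than guessed. What follows is an added example and not part of the thread: a POSIX shell script with awk over constructed Dovecot imap-login lines (documentation IPs, not the addresses in the thread). It counts the alert-46 aborts per remote IP. TLS alert 46 (certificate_unknown) is sent by the client when it rejects the certificate the server presented, so a burst of them from your own client's address points at the served certificate, whereas a spread of unrelated addresses on the 993 listener is mostly scanner noise. Other handshake failures (protocol mismatches, plaintext on a TLS port) are listed separately so they are not mixed in.

```shell
#!/bin/sh
# Added example, not part of the thread: triage Dovecot imap-login lines for
# clients that aborted the TLS handshake because they rejected our certificate.
# The log lines below are constructed for this demo (documentation IPs).
set -eu

LOG="$(mktemp -t dovecot-triage.XXXXXX)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Nov  4 09:03:22 mx dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [203.0.113.10]
Nov  4 09:03:22 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<a1>
Nov  4 09:03:25 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<a2>
Nov  4 09:04:01 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.77, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<b1>
Nov  4 09:04:30 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.9, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<c1>
Nov  4 09:05:00 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=123, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<d1>
EOF

# "<count> <rip>" for every remote IP whose client aborted with TLS alert 46
# (certificate_unknown). The alert comes from the *client*, so these are peers
# that refused our certificate. Only the "Disconnected ... rip=" line is
# counted, so the preceding "Warning: SSL alert" line does not double count.
cert_unknown_by_ip() {
  awk '/SSL alert number 46/ && match($0, /rip=[^,]+/) {
         ip = substr($0, RSTART + 4, RLENGTH - 4); n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Handshake failures that are NOT alert 46, as "<count> <openssl reason>",
# so protocol mismatches and plaintext probes are triaged separately.
other_handshake_failures() {
  awk '/TLS handshaking: SSL_accept\(\) failed/ && !/SSL alert number 46/ {
         sub(/.*SSL_accept\(\) failed: /, ""); sub(/, session=.*/, ""); n[$0]++
       }
       END { for (r in n) print n[r], r }' "$1" | sort -rn
}

# only_own_clients LOGFILE OWN_IP [OWN_IP ...]: exit 0 when every rejecting
# peer is one of your own client addresses, 1 when a third party is among them.
only_own_clients() {
  log="$1"; shift
  cert_unknown_by_ip "$log" | while read -r cnt ip; do
    found=0
    for own in "$@"; do [ "$ip" = "$own" ] && found=1; done
    [ "$found" -eq 1 ] || exit 1
  done
}

echo "Clients that rejected our certificate (alert 46):"
cert_unknown_by_ip "$LOG"
echo "Other handshake failures:"
other_handshake_failures "$LOG"
```

Run it against the real file with `cert_unknown_by_ip /var/log/maillog` and pass your own client's addresses to `only_own_clients`; if that returns 1, third parties are rejecting the certificate too, which on a public IMAPS port is expected and not by itself a sign of a server problem.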


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Proteus »

Don't you remember when we spent hours back then trying to download the mails with Outlook via SSL/TLS or StartSSL/TLS? It did work in the end after all. I bought the certificates from Host Europe. And as I said, the problem has only been around for a short while.
Best regards,
Proti


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Joe User »

The intermediate certificate is missing, so the certificate cannot be validated:

Code:

echo "QUIT" | /usr/local/bin/openssl s_client -connect mail.phoenix-blog.de:993 -showcerts -state
Moreover, the certificate is issued for www.phoenix-blog.de and not for mail.phoenix-blog.de
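Both findings in the post above (the server sends no intermediate, and the leaf is issued for www. rather than mail.) can be reproduced offline with a throwaway PKI. This is an added example and not part of the thread: the CA names, demo.cnf and every file it writes are constructed for the demo; only the www.phoenix-blog.de name is taken from the thread. It shows `openssl verify` rejecting the leaf on its own, accepting it once the intermediate is supplied, rejecting the mail. name, and builds the fullchain.pem that Dovecot's `ssl_cert` and Postfix's `smtpd_tls_cert_file` should point at (leaf first, then the intermediate). Note that Dovecot's `ssl_ca` is only used for verifying client certificates, so uncommenting the `ssl_ca` line in the config posted earlier would not have fixed the chain; Postfix documents `smtpd_tls_CAfile` as able to augment the server chain but recommends putting the intermediates in the certificate file itself.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two findings above offline
# with a throwaway PKI. Root/intermediate names and demo.cnf are constructed;
# the leaf is issued for www.phoenix-blog.de only, as in the thread.
set -eu

WORK="$(mktemp -d -t demo-pki.XXXXXX)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.phoenix-blog.de
EOF

# newcsr NAME SUBJECT: fresh RSA key plus CSR in $WORK.
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXT_SECTION: issue NAME.crt from NAME.csr with ISSUER's key.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/demo.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Root (self-signed) -> intermediate -> leaf, the shape of a commercial CA's chain.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$WORK/demo.cnf" \
  -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
newcsr int "/CN=Demo Intermediate CA"
sign int root ca_ext
newcsr leaf "/CN=www.phoenix-blog.de"
sign leaf int leaf_ext

# verify_chain LEAF [UNTRUSTED_FILE]: 0 if LEAF chains to the demo root.
# Without the intermediate this fails the same way a client fails when the
# server sends only the leaf, which is what produces "alert certificate unknown".
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
  fi
}

# verify_host NAME: chain complete, but is the leaf actually valid for NAME?
verify_host() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The file Dovecot's ssl_cert and Postfix's smtpd_tls_cert_file should point at:
# leaf first, then the intermediate(s); the root stays out, clients already have it.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

show() { if "$@"; then echo "OK    : $*"; else echo "FAILS : $*"; fi; }
show verify_chain "$WORK/leaf.crt"                       # leaf alone: no issuer
show verify_chain "$WORK/leaf.crt" "$WORK/fullchain.pem" # served chain complete
show verify_host mail.phoenix-blog.de                    # name mismatch
show verify_host www.phoenix-blog.de                     # name matches the SAN
echo "certificates in fullchain.pem: $(chain_length "$WORK/fullchain.pem")"
# Against a live server the equivalent check is
#   openssl s_client -connect HOST:993 -servername HOST -showcerts </dev/null
# and counting the BEGIN CERTIFICATE blocks it prints (1 means no intermediate).
```

The hostname check is the part clients actually enforce: Thunderbird and Outlook compare the name they were told to connect to against the certificate's subjectAltName, so a certificate for www. presented on mail. is rejected even with a complete chain. Either reissue the certificate with both names in the SAN or point the clients at www.phoenix-blog.de.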


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Proteus »

I'll try that right away. I'll report back.
Best regards,
Proti


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Proteus »

Joe User wrote:
2017-11-06 19:14
Moreover, the certificate is issued for www.phoenix-blog.de and not for mail.phoenix-blog.de

How could I have overlooked that for years? Stupid routine! :smiling_imp:

Thanks a lot!
Best regards,
Proti


Re: FreeBSD 11.1 Dovecot Postfix Schluckauf?

Post by Proteus »

The errors are gone. Thanks!

Code:

 tail -f /var/log/maillog
Nov  8 11:12:44 phoenix-blog postfix/submission/smtpd[60026]: connect from HSI-KBW-46-237-215-154.hsi.kabel-badenwuerttemberg.de[46.237.215.154]:51122
Nov  8 11:12:45 phoenix-blog postfix/submission/smtpd[60026]: Anonymous TLS connection established from hsi-kbw-46-237-215-154.hsi.kabel-badenwuerttemberg.de[46.237.215.154]:51122: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 11:12:46 phoenix-blog postfix/submission/smtpd[60026]: 3yX2DG2fRGz29lW: client=HSI-KBW-46-237-215-154.hsi.kabel-badenwuerttemberg.de[46.237.215.154]:51122, sasl_method=LOGIN, sasl_username=admin@phoenix-blog.de
Nov  8 11:12:46 phoenix-blog postfix/cleanup[63071]: 3yX2DG2fRGz29lW: message-id=<000f01d3587a$1bd6c230$53844690$@phoenix-blog.de>
Nov  8 11:12:46 phoenix-blog postfix/qmgr[54393]: 3yX2DG2fRGz29lW: from=<admin@phoenix-blog.de>, size=3373, nrcpt=1 (queue active)
Nov  8 11:12:46 phoenix-blog postfix/smtp[63717]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.69.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov  8 11:12:46 phoenix-blog postfix/smtp[63717]: 3yX2DG2fRGz29lW: to=<tempelwars@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, delay=1.5, delays=1.2/0/0.12/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1510135958 d35si1155989edd.352 - gsmtp)
Nov  8 11:12:46 phoenix-blog postfix/qmgr[54393]: 3yX2DG2fRGz29lW: removed
Nov  8 11:12:48 phoenix-blog dovecot: imap-login: Login: user=<admin@phoenix-blog.de>, method=PLAIN, rip=46.237.215.154, lip=213.202.230.17, mpid=66650, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<WvPx7XVds8cu7dea>
Nov  8 11:12:48 phoenix-blog postfix/submission/smtpd[60026]: disconnect from HSI-KBW-46-237-215-154.hsi.kabel-badenwuerttemberg.de[46.237.215.154]:51122 ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Nov  8 11:13:21 phoenix-blog dovecot: imap(admin@phoenix-blog.de): Logged out in=1099 out=42458
Nov  8 11:13:25 phoenix-blog dovecot: imap(admin@phoenix-blog.de): Logged out in=3549 out=37480
Best regards,
Proti