I can't send or receive email through my email server

I am using SSL to encrypt my email server's communications. However, when I try to send messages to it or retrieve messages from it, it fails to do so.
Here is what it says in /var/log:



Oct 28 15:29:36 (server name) dovecot[602]: master: Error: service(imap-login): command startup failed, throttling for 16 secs
Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY


And here is my postfix main.cf:



# Server information
mydomain = (domain name)
myorigin = (domain name)
# Various other parameters use these two variables as default values.

# SMTP service
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/(domain name)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(domain name)/privkey.pem
# This allows STARTTLS to be used on all incoming SMTP connections.
# Note that `postfix` must be added to the `ssl-cert` group to be able
# to access files in /etc/ssl/private.

# Policies
mynetworks = [::1]/128, 127.0.0.0/8, [::ffff:127.0.0.0]/104
# This lists the IP addresses that are considered "trusted" and can use
# this server to send mail to the outside (i.e. to other domains). By
# default, only "localhost" is allowed. From everyone else only mail to
# domains in $mydestination will be accepted.
mydestination = (domain name), localhost
# List of domains to accept mail for, from any IP address.
# Delivery
alias_maps = hash:/etc/aliases
# This keeps system-wide aliases. It's good to set it explicitly because
# the default value sometimes includes NIS, which doesn't make sense.
recipient_delimiter = +
# Tells postfix to split the local part of addresses at the first '+',
# so-called "plus-addressing": mail sent to diti+foo@ will be delivered
# to the diti@ mailbox.
mynetworks_style = subnet
home_mailbox = Mail/
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth


And my master.cf:



#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about $recipient
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r $sender -m $extension $user
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m $extension $user
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  $nexthop $user


And here is my dovecot config:



##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = apop

##
## Password and user databases
##

passdb {
  driver = pam
  args = %s
}

# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext


Here is the output of doveconf -n:



# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-4-686-pae i686 Debian 9.2
auth_mechanisms = login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = Drafts
  }
  mailbox Junk {
    special_use = Junk
  }
  mailbox Sent {
    special_use = Sent
  }
  mailbox "Sent Messages" {
    special_use = Sent
  }
  mailbox Trash {
    special_use = Trash
  }
  prefix =
}
passdb {
  args = %s
  driver = pam
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = /etc/letsencrypt/live/(domain name)/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}


What am I doing wrong here? All of the required ports are open. I am using Thunderbird as an email client.







  • Please provide the output of doveconf -n, which prints Dovecot's current configuration.
    – Jens Erat
    Oct 28 '17 at 21:30
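
Dovecot 2.x reads ssl_cert and ssl_key from a file only when the value is written as "<path"; a bare path is parsed as if it were the PEM text itself, which is one configuration that produces the "no start line" error in the log above. The following check is an added example, not part of the original question or its comments; the function names are hypothetical and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Classifies how Dovecot 2.x will interpret an ssl_cert / ssl_key setting.

# Print the last value assigned to SETTING in a Dovecot-style config file.
dovecot_setting_value() {
    local conf=$1 setting=$2
    sed -n -E "s/^[[:space:]]*${setting}[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$conf" |
        sed -E 's/[[:space:]]+$//' | tail -n 1
}

# Echo one of:
#   ok             "<path" form and the file contains a matching PEM start line
#   missing-lt     no leading "<": the value itself is parsed as PEM data
#   unreadable     "<path" form, but the file is missing or not readable
#   no-pem-header  "<path" form, but the file has no "-----BEGIN ... KIND-----" line
#   unset          setting absent or empty
# KIND is "PRIVATE KEY" or "CERTIFICATE". Only the start line is checked;
# the key material is not parsed.
classify_pem_setting() {
    local conf=$1 setting=$2 kind=$3 value path
    value=$(dovecot_setting_value "$conf" "$setting")
    if [ -z "$value" ]; then
        echo unset
        return 0
    fi
    case $value in
        '<'*) path=${value#'<'} ;;
        *)    echo missing-lt; return 0 ;;
    esac
    # Trim whitespace between "<" and the path.
    path=${path#"${path%%[![:space:]]*}"}
    if [ ! -r "$path" ]; then
        echo unreadable
        return 0
    fi
    if grep -q -E -e "^-----BEGIN ([A-Z0-9]+ )*${kind}-----" "$path"; then
        echo ok
    else
        echo no-pem-header
    fi
}

# Demo on constructed files (placeholder PEM body, not a real key).
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    printf 'ssl_key = %s\n'  "$dir/privkey.pem" > "$dir/bare.conf"
    printf 'ssl_key = <%s\n' "$dir/privkey.pem" > "$dir/file.conf"
    echo "bare path: $(classify_pem_setting "$dir/bare.conf" ssl_key 'PRIVATE KEY')"
    echo "<path:     $(classify_pem_setting "$dir/file.conf" ssl_key 'PRIVATE KEY')"
    rm -rf "$dir"
}
demo
```

Run it against the configuration file that sets ssl_key rather than against doveconf -n output, which hides the key value.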














up vote
1
down vote

favorite
1












I am using SSL to encrypt my email server's communications. However, when I try to send messages to it or retrieve messages from it, it fails to do so.
Here is what it says in /var/log:



Oct 28 15:29:36 (server name) dovecot[602]: master: Error: service(imap-login): command startup failed, throttling for 16 secs
Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY


And here is my postfix main.cf:



# Server information
mydomain = (domain name)
myorigin = (domain name)
# Various other parameters use these two variables as default values.

# SMTP service
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/(domain name)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(domain name)/privkey.pem
# This allows STARTTLS to be used on all incoming SMTP connections.
# Note that `postfix` must be added to the `ssl-cert` group to be able
# to access files in /etc/ssl/private.

# Policies
mynetworks = [::1]/128, 127.0.0.0/8, [::ffff:127.0.0.0]/104
# This lists the IP addresses that are considered "trusted" and can use # this server to send mail to the outside (i.e. to other domains). By # default, only "localhost" is allowed. From everyone else only mail to # domains in $mydestination will be accepted.
# This lists the IP addresses that are considered "trusted" and can use
# this server to send mail to the outside (i.e. to other domains). By
# default, only "localhost" is allowed. From everyone else only mail to
# domains in $mydestination will be accepted.
mydestination = (domain name), localhost
# List of domains to accept mail for, from any IP address.
# Delivery
alias_maps = hash:/etc/aliases
# This keeps system-wide aliases. It's good to set it explicitly because
# the default value sometimes includes NIS, which doesn't make sense.
recipient_delimiter = +
# Tells postfix to split the local part of addresses at the first '+', # so-called "plus-addressing": mail sent to diti+foo@ will be delivered # to the diti@ mailbox.
# Tells postfix to split the local part of addresses at the first '+',
# so-called "plus-addressing": mail sent to diti+foo@ will be delivered
# to the diti@ mailbox.
mynetworks_style = subnet
home_mailbox = Mail/
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth


And my master.cf:



#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about $recipient
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r $sender -m $extension $user
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m $extension $user
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
$nexthop $user


And here is my dovecot config:



##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = apop

##
## Password and user databases
##

passdb
driver = pam
args = %s


# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext


Here is the output of doveconf -n:



# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-4-686-pae i686 Debian 9.2
auth_mechanisms = login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox
inbox = yes
location =
mailbox Drafts
special_use = Drafts

mailbox Junk
special_use = Junk

mailbox Sent
special_use = Sent

mailbox "Sent Messages"
special_use = Sent

mailbox Trash
special_use = Trash

prefix =

passdb
args = %s
driver = pam

passdb
driver = pam

protocols = " imap"
service auth
unix_listener /var/spool/postfix/private/auth
group = postfix
mode = 0660
user = postfix


service imap-login
inet_listener imaps
port = 993
ssl = yes


service pop3-login
inet_listener pop3s
port = 995
ssl = yes


ssl_cert = /etc/letsencrypt/live/(domain name)/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb
driver = passwd



What am I doing wrong here? all of the required ports are open. I am using Thunderbird as an email client.







share|improve this question






















  • Please provide the output of doveconf -n, which prints Dovecot's current configuration.
    – Jens Erat
    Oct 28 '17 at 21:30












up vote
1
down vote

favorite
1









up vote
1
down vote

favorite
1






1





I am using SSL to encrypt my email server's communications. However, when I try to send messages to it or retrieve messages from it, it fails to do so.
Here is what it says in /var/log:



Oct 28 15:29:36 (server name) dovecot[602]: master: Error: service(imap-login): command startup failed, throttling for 16 secs
Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY


And here is my postfix main.cf:



# Server information
mydomain = (domain name)
myorigin = (domain name)
# Various other parameters use these two variables as default values.

# SMTP service
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/(domain name)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(domain name)/privkey.pem
# This allows STARTTLS to be used on all incoming SMTP connections.
# Note that `postfix` must be added to the `ssl-cert` group to be able
# to access files in /etc/ssl/private.

# Policies
mynetworks = [::1]/128, 127.0.0.0/8, [::ffff:127.0.0.0]/104
# This lists the IP addresses that are considered "trusted" and can use # this server to send mail to the outside (i.e. to other domains). By # default, only "localhost" is allowed. From everyone else only mail to # domains in $mydestination will be accepted.
# This lists the IP addresses that are considered "trusted" and can use
# this server to send mail to the outside (i.e. to other domains). By
# default, only "localhost" is allowed. From everyone else only mail to
# domains in $mydestination will be accepted.
mydestination = (domain name), localhost
# List of domains to accept mail for, from any IP address.
# Delivery
alias_maps = hash:/etc/aliases
# This keeps system-wide aliases. It's good to set it explicitly because
# the default value sometimes includes NIS, which doesn't make sense.
recipient_delimiter = +
# Tells postfix to split the local part of addresses at the first '+', # so-called "plus-addressing": mail sent to diti+foo@ will be delivered # to the diti@ mailbox.
# Tells postfix to split the local part of addresses at the first '+',
# so-called "plus-addressing": mail sent to diti+foo@ will be delivered
# to the diti@ mailbox.
mynetworks_style = subnet
home_mailbox = Mail/
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth


And my master.cf:



#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about $recipient
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d $recipient
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r $sender -m $extension $user
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m $extension $user
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $nexthop $user $extension
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  $nexthop $user


And here is my dovecot config:



##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = apop

##
## Password and user databases
##

passdb {
  driver = pam
  args = %s
}

# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext


Here is the output of doveconf -n:



# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-4-686-pae i686 Debian 9.2
auth_mechanisms = login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = Drafts
  }
  mailbox Junk {
    special_use = Junk
  }
  mailbox Sent {
    special_use = Sent
  }
  mailbox "Sent Messages" {
    special_use = Sent
  }
  mailbox Trash {
    special_use = Trash
  }
  prefix =
}
passdb {
  args = %s
  driver = pam
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = /etc/letsencrypt/live/(domain name)/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}


What am I doing wrong here? All of the required ports are open. I am using Thunderbird as an email client.







edited Oct 28 '17 at 22:03 by Jeff Schaller
asked Oct 28 '17 at 21:02 by Haxalicious

  • Please provide the output of doveconf -n, which prints Dovecot's current configuration.
    – Jens Erat
    Oct 28 '17 at 21:30

2 Answers
up vote
3
down vote













The error message at the top of the question tells you exactly what the problem is, and where to look for it:




Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY



The problem you have listed is nothing to do with Postfix; it's reported by the IMAP Login component for Dovecot. It tells you that the private SSL key you have defined is not a valid file. It's supposed to begin with ANY PRIVATE KEY but it doesn't.



I'd point out the appropriate line in your Dovecot configuration, but you haven't included that component in your question.



None of this applies to a Postfix problem that doesn't allow you to send or receive email. If that is the problem you want addressing you should include relevant error messages and log files from Postfix. Not from Dovecot.






answered Oct 28 '17 at 21:14 by roaima

  • I think I found the problem, I accidentally mixed up the SSL cert and private key lines. Is there any chance that I could have leaked the private key, and if so, I should regenerate it, right?
    – Haxalicious
    Oct 28 '17 at 21:42










  • @Haxalicious no it's not been leaked, because Dovecot couldn't even read it (wrong format). But if you'd be happier regenerating it, go right ahead; there's no harm in doing so.
    – roaima
    Oct 29 '17 at 7:41
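
The failure discussed in this answer and its comments (a certificate where Dovecot expects a private key), as an added example that is not part of the original posts: a shell check that reads the PEM `BEGIN` labels of the two files and reports whether they are wired the right way round. The function names, file names and verdict words are assumptions of this example, and the PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original thread). All names are hypothetical.

# pem_labels FILE: print the label of every "-----BEGIN <label>-----" line.
# CRs are stripped so files saved with CRLF line endings classify the same way.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# has_private_key FILE: true if any PEM block carries a private-key label
# ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY").
has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# has_certificate FILE: true if any PEM block is labelled CERTIFICATE.
has_certificate() {
    pem_labels "$1" | grep -q '^CERTIFICATE$'
}

# check_tls_pair CERT_FILE KEY_FILE
# Prints one verdict word and returns 0 only for "ok".
check_tls_pair() {
    cert=$1
    key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo unreadable
        return 1
    fi
    if has_private_key "$key"; then
        if has_certificate "$cert"; then
            echo ok
            return 0
        fi
        echo cert-has-no-certificate
        return 1
    fi
    # From here on the key file holds no private-key block, which is the
    # condition behind "no start line: Expecting: ANY PRIVATE KEY".
    if has_certificate "$key" && has_private_key "$cert"; then
        echo swapped
    else
        echo key-has-no-private-key
    fi
    return 1
}

# make_samples: write constructed PEM files (placeholder bodies, not real
# key material) into a fresh temp dir and print its path.
make_samples() {
    dir=$(mktemp -d) || return 1
    body='Y29uc3RydWN0ZWQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        > "$dir/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" '-----END PRIVATE KEY-----' \
        > "$dir/privkey.pem"
    printf '%s\r\n' '-----BEGIN EC PRIVATE KEY-----' "$body" '-----END EC PRIVATE KEY-----' \
        > "$dir/ec-crlf.pem"
    printf 'not a PEM file\n' > "$dir/garbage.txt"
    echo "$dir"
}

# Demo on the constructed files: correct wiring, then cert and key exchanged.
samples=$(make_samples)
echo "correct: $(check_tls_pair "$samples/fullchain.pem" "$samples/privkey.pem")"
echo "swapped: $(check_tls_pair "$samples/privkey.pem" "$samples/fullchain.pem")"
rm -rf "$samples"
```

The check only inspects labels; it does not prove that the key belongs to the certificate.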

















up vote
1
down vote













There seem to be a number of questions regarding IMAP/SMTP TLS certs and communication. I remember struggling to understand this myself. I made a diagram of the pathway and which certs are used where...



I think this is correct, at least my servers work as expected. So, if it's not correct, then it's at least somewhat correct. The main point is that there are two certs, not one. I use Courier, so adjust the variables appropriately.



                .----------------------------.
                |            IMAP            |
                |         x509 Cert          |
       .------->|                            |----------.
       |        | TLS_CERTFILE=some_cert.pem |          |
       |        | TLS_DHPARAMS=dhparms.pem   |          |
       |        '----------------------------'          |
       |                                                |
       |                                                |
       |                                                |
       |        TLS Provided by                         |
       |        IMAP connection                         |
       |                                                v
       |                                 .------------------------------.
       |                                 |             SMTP             |
       |                                 |          x509 Cert           |
.-------------.                          |                              |
| IMAP Client |                          | smtpd_tls_security_level=may |
'-------------'                          | smtpd_tls_cert_file          |
                                         | smtpd_tls_key_file           |
                                         |                              |
                                         '------------------------------'
                                                        |
                                                        |
                            TLS Provided by             |
                            SMTP connection             |
                            (may = cert not required)   |
                                                        |
                                                        |
                                                        v
                                                .---------------.
                                                | Receiver SMTP |
                                                '---------------'





share|improve this answer






















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f401129%2fi-cant-send-or-receive-email-through-my-email-server%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    3
    down vote













    The error message at the top of the question tells you exactly what the problem is, and where to look for it:




    Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key
    error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY



    The problem you have listed is nothing to do with Postfix; it's reported by the IMAP Login component for Dovecot. It tells you that the private SSL key you have defined is not a valid file. It's supposed to begin with ANY PRIVATE KEY but it doesn't.



    I'd point out the appropriate line in your Dovecot configuration, but you haven't included that component in your question.



    None of this applies to a Postfix problem that doesn't allow you to send or receive email. If that is the problem you want addressing you should include relevant error messages and log files from Postfix. Not from Dovecot.






    share|improve this answer




















    • I think I found the problem, I accidentally mixed up the SSL cert and private key lines. Is there any chance that I could have leaked the private key, and if so, I should regenerate it, right?
      – Haxalicious
      Oct 28 '17 at 21:42










    • @Haxalicious no it's not been leaked, because Dovecot couldn't even read it (wrong format). But if you'd be happier regenerating it, go right ahead; there's no harm in doing so.
      – roaima
      Oct 29 '17 at 7:41














    up vote
    3
    down vote













    The error message at the top of the question tells you exactly what the problem is, and where to look for it:




    Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key
    error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY



    The problem you have listed is nothing to do with Postfix; it's reported by the IMAP Login component for Dovecot. It tells you that the private SSL key you have defined is not a valid file. It's supposed to begin with ANY PRIVATE KEY but it doesn't.



    I'd point out the appropriate line in your Dovecot configuration, but you haven't included that component in your question.



    None of this applies to a Postfix problem that doesn't allow you to send or receive email. If that is the problem you want addressing you should include relevant error messages and log files from Postfix. Not from Dovecot.






    share|improve this answer




















    • I think I found the problem, I accidentally mixed up the SSL cert and private key lines. Is there any chance that I could have leaked the private key, and if so, I should regenerate it, right?
      – Haxalicious
      Oct 28 '17 at 21:42










    • @Haxalicious no it's not been leaked, because Dovecot couldn't even read it (wrong format). But if you'd be happier regenerating it, go right ahead; there's no harm in doing so.
      – roaima
      Oct 29 '17 at 7:41












    up vote
    3
    down vote










    up vote
    3
    down vote









    The error message at the top of the question tells you exactly what the problem is, and where to look for it:




    Oct 28 15:29:52 (server name) dovecot[14267]: imap-login: Fatal: Couldn't parse private ssl_key
    error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY



    The problem you have listed is nothing to do with Postfix; it's reported by the IMAP Login component for Dovecot. It tells you that the private SSL key you have defined is not a valid file. It's supposed to begin with ANY PRIVATE KEY but it doesn't.



    I'd point out the appropriate line in your Dovecot configuration, but you haven't included that component in your question.



    None of this applies to a Postfix problem that doesn't allow you to send or receive email. If that is the problem you want addressing you should include relevant error messages and log files from Postfix. Not from Dovecot.
















    answered Oct 28 '17 at 21:14









    roaima
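
The check this answer points at, written out as an added example (not code from the answer or from Dovecot): classify each PEM file by its BEGIN line and flag a swapped ssl_cert/ssl_key pair. The config file name, temporary paths and PEM bodies are constructed; `setting = </path` is Dovecot's read-from-file form.

```shell
#!/bin/sh
# pem_kind FILE -> key | cert | both | none, judged by the PEM BEGIN lines
pem_kind() {
    has_key=0; has_cert=0
    grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1" 2>/dev/null && has_key=1
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null && has_cert=1
    case "$has_key$has_cert" in
        11) echo both ;;
        10) echo key ;;
        01) echo cert ;;
        *)  echo none ;;
    esac
}

# conf_path SETTING CONF -> path from the last "SETTING = </path" line
conf_path() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$2" | tail -n 1
}

# check_tls_conf CONF -> ok | swapped | bad-key | bad-cert
check_tls_conf() {
    ck=$(pem_kind "$(conf_path ssl_cert "$1")")
    kk=$(pem_kind "$(conf_path ssl_key "$1")")
    if [ "$ck" = key ] && [ "$kk" = cert ]; then echo swapped
    elif [ "$kk" != key ] && [ "$kk" != both ]; then echo bad-key
    elif [ "$ck" != cert ] && [ "$ck" != both ]; then echo bad-cert
    else echo ok
    fi
}

# make_sample DIR MODE: constructed fixture (placeholder PEM bodies, not real keys)
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    if [ "$2" = swapped ]; then c=privkey.pem; k=fullchain.pem
    else c=fullchain.pem; k=privkey.pem
    fi
    printf 'ssl_cert = <%s\nssl_key = <%s\n' "$1/$c" "$1/$k" > "$1/dovecot-ssl.conf"
}

d=$(mktemp -d)
make_sample "$d" swapped
echo "swapped config: $(check_tls_conf "$d/dovecot-ssl.conf")"
make_sample "$d" ok
echo "fixed config:   $(check_tls_conf "$d/dovecot-ssl.conf")"
rm -rf "$d"
```

A header match only shows that each file holds the right kind of PEM object; it does not prove that the key belongs to the certificate.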













    up vote
    1
    down vote













    There seem to be a number of questions regarding IMAP/SMTP TLS certs and communication. I remember struggling to understand this myself. I made a diagram of the pathway and which certs are used where...



    I think this is correct, at least my servers work as expected. So, if it's not correct, then it's at least somewhat correct. The main point is that there are two certs, not one. I use Courier, so adjust the variables appropriately.



                    .----------------------------.
                    |            IMAP            |
                    |          x509 Cert         |
           .------->|                            |----------.
           |        | TLS_CERTFILE=some_cert.pem |          |
           |        | TLS_DHPARAMS=dhparms.pem   |          |
           |        '----------------------------'          |
           |                                                |
           |                                                |
           |                                                |
           |                              TLS Provided by   |
           |                              IMAP connection   |
           |                                                v
           |                                 .------------------------------.
           |                                 |             SMTP             |
           |                                 |           x509 Cert          |
    .-------------.                          |                              |
    | IMAP Client |                          | smtpd_tls_security_level=may |
    '-------------'                          | smtpd_tls_cert_file          |
                                             | smtpd_tls_key_file           |
                                             |                              |
                                             '------------------------------'
                                                            |
                                                            |
                                        TLS Provided by     |
                                        SMTP connection     |
                                 (may = cert not required)  |
                                                            |
                                                            |
                                                            v
                                                    .---------------.
                                                    | Receiver SMTP |
                                                    '---------------'













        edited Oct 28 '17 at 21:48

























        answered Oct 28 '17 at 21:34









        RubberStamp
