IMAP connection to Dovecot keeps failing (timeout)

*TL;DR: if you have connection problems, not only make sure you have added the required rules to your firewall, but also make sure (`$ iptables -L -v`) that the order of the rules is correct!*


It has been a few days now and I can't figure out why my IMAP (port 993) refuses to work (Dovecot, version 2.2.22). The connection does not succeed, for some reason I cannot see.

Troubleshooting the connection problem with openssl: connecting on port 993 does not work:

 $ openssl s_client -connect my-domain.com:993 

returns:

 connect: Connection timed out connect:errno=110 

But the port in use (993) seems to be open:

 $ ufw status 

returns:

 Status: active
 To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW       Anywhere
 80/tcp                     ALLOW       Anywhere
 443/tcp                    ALLOW       Anywhere
 25/tcp                     ALLOW       Anywhere
 587/tcp                    ALLOW       Anywhere
 993/tcp                    ALLOW       Anywhere
 143/tcp                    ALLOW       Anywhere
 465/tcp                    ALLOW       Anywhere
 110/tcp                    ALLOW       Anywhere
 995/tcp                    ALLOW       Anywhere
 22/tcp (v6)                ALLOW       Anywhere (v6)
 80/tcp (v6)                ALLOW       Anywhere (v6)
 443/tcp (v6)               ALLOW       Anywhere (v6)
 25/tcp (v6)                ALLOW       Anywhere (v6)
 587/tcp (v6)               ALLOW       Anywhere (v6)
 993/tcp (v6)               ALLOW       Anywhere (v6)
 143/tcp (v6)               ALLOW       Anywhere (v6)
 465/tcp (v6)               ALLOW       Anywhere (v6)
 110/tcp (v6)               ALLOW       Anywhere (v6)
 995/tcp (v6)               ALLOW       Anywhere (v6)

My Dovecot configuration is:

 $ dovecot -n
 # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
 # Pigeonhole version 0.4.13 (7b14904)
 # OS: Linux 4.4.0-38-generic x86_64 Ubuntu 16.04.1 LTS ext4
 auth_debug = yes
 auth_debug_passwords = yes
 auth_mechanisms = plain login
 auth_verbose = yes
 auth_verbose_passwords = sha1
 mail_debug = yes
 mail_location = maildir:/var/mail/vhosts/%d/%n
 mail_privileged_group = mail
 namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
 }
 passdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
 }
 protocols = imap pop3 lmtp
 service auth-worker {
   user = vmail
 }
 service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   unix_listener auth-userdb {
     mode = 0600
     user = vmail
   }
   user = dovecot
 }
 service imap-login {
   inet_listener imaps {
     port = 993
     ssl = yes
   }
 }
 service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0600
     user = postfix
   }
 }
 service pop3-login {
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
 }
 ssl = required
 ssl_cert = </etc/ssl/localcerts/www.my-domain.com.chained.crt
 ssl_key = </etc/ssl/localcerts/www.my-domain.com.key
 userdb {
   args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
   driver = static
 }
 verbose_ssl = yes

Edit 1:

The key and the certificate match:

 $ (openssl x509 -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.crt | openssl md5 ;\
    openssl rsa -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.key | openssl md5) | uniq

returns only one identifier:

 (stdin)= cfcbed2e4061910c47c5008d8732e522 

Edit 2:

Enabling Dovecot's maximum logging, which includes:

 auth_verbose=yes
 auth_debug=yes
 auth_debug_passwords=yes
 mail_debug=yes
 verbose_ssl=yes
 auth_verbose_passwords=sha1

returns:

 $ tail -f /var/log/mail.log
 dovecot: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3, lmtp (core dumps disabled)
 [...]
 dovecot: lmtp(5491): Connect from local
 dovecot: lmtp([email protected]): +rg7LUpw6ldzFQAAxWOCog: msgid=<[email protected]>: saved mail to INBOX
 dovecot: lmtp(5491): Disconnect from local: Successful quit

Edit 3:

Connecting over SSL to the web server (Nginx) on port 443, which uses the same certificate and key, works perfectly:

 $ openssl s_client -connect my-domain.com:443 

Edit 4:

I used the same version of Dovecot, the same Dovecot configuration and the same certificate + key on the old server, and there the IMAP connection to Dovecot works perfectly.

Edit 5:

Trying to establish a connection on IMAP port 993 (via openssl s_client) with the parameter -dtls1 seems to do something:

 $ openssl s_client -connect my-domain.com:993 -dtls1 -debug 

returns (very slowly) something like this:

 CONNECTED(00000003)
 write to 0x1425de0 [0x142f970] (202 bytes => 202 (0xCA))
 0000 - 16 fe ff 00 00 00 00 00-00 00 00 00 bd 01 00 00   ................
 0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........yn}%
 0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...KNp...r...
 0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
 [...]
 0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
 00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
 00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
 00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
 read from 0x1425de0 [0x142b413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
 write to 0x1425de0 [0x1434ed0] (202 bytes => 202 (0xCA))
 0000 - 16 fe ff 00 00 00 00 00-00 00 01 00 bd 01 00 00   ................
 0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........yn}%
 0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...KNp...r...
 0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
 [...]
 00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
 00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
 00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
 [...]
 0070 - 45 00 44 00 43 00 42 c0-0e c0 04 00 2f 00 96 00   EDCB..../...
 0080 - 41 c0 12 c0 08 00 16 00-13 00 10 00 0d c0 0d c0   A...............
 0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
 00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
 00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
 00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
 read from 0x1e8dde0 [0x1e93413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
 139876009338520:error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired:d1_lib.c:495:
 ---
 no peer certificate available
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 0 bytes and written 2424 bytes
 ---
 New, (NONE), Cipher is (NONE)
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 SSL-Session:
     Protocol  : DTLSv1
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1474892601
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
 ---

…and then the connection closes.

However, using the parameter -tls1 (TLSv1), -tls1_1 (TLSv1.1) or -tls1_2 (TLSv1.2) returns the timeout message: `connect: Connection timed out connect:errno=110`

Edit 6:

If I enable the secure POP port 995 in Dovecot, restart it, open this port in the firewall and then try:

 openssl s_client -connect my-domain.com:995 

…I also get the timeout error `connect: Connection timed out connect:errno=110`, apparently indicating that the root of the problem applies to both IMAP and POP.

Edit 7:

The right processes seem to be listening on the right ports:

 $ netstat -tulpn 

returns:

 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2597/master
 tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2827/nginx
 tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      2327/opendkim
 tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      1918/monit
 tcp        0      0 127.0.0.1:34305         0.0.0.0:*               LISTEN      2915/public
 tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2306/dovecot
 tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2306/dovecot
 tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2269/mysqld
 tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2597/master
 tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2306/dovecot
 tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2306/dovecot
 tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2827/nginx
 tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2597/master
 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2249/sshd
 tcp6       0      0 :::25                   :::*                    LISTEN      2597/master
 tcp6       0      0 :::993                  :::*                    LISTEN      2306/dovecot
 tcp6       0      0 :::995                  :::*                    LISTEN      2306/dovecot
 tcp6       0      0 :::587                  :::*                    LISTEN      2597/master
 tcp6       0      0 :::110                  :::*                    LISTEN      2306/dovecot
 tcp6       0      0 :::143                  :::*                    LISTEN      2306/dovecot
 tcp6       0      0 :::465                  :::*                    LISTEN      2597/master

Edit 8:

Telnet only works on ports 80 and 443 (used by Nginx); all other ports seem not to respond (timeout).

Edit 9:

I just did a port scan using `nmap 12.34.56.78`, and it only shows:

 22/tcp  open  ssh
 80/tcp  open  http
 443/tcp open  https

If you look at the `ufw status` output above, you can see a whole list of ports I allow that nmap did not find. What is the reason for this, and what is the solution? (I know it is not my network or my provider: I can connect to my old/"identical" server, and an nmap scan there shows the required IMAP ports as "open".)

Edit 10:

 $ iptables -L -v 

returns:

 Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  118K 7235K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
  118K 7228K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
  118K 7226K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
  118K 7226K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
  222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
  7460  441K DROP       all  --  any    any     anywhere             anywhere
     0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere
     0     0 ufw-before-input  all  --  any    any     anywhere             anywhere
     0     0 ufw-after-input  all  --  any    any     anywhere             anywhere
     0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
     0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere
     0     0 ufw-track-input  all  --  any    any     anywhere             anywhere

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
     0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
     0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
     0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
     0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
     0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

 Chain OUTPUT (policy ACCEPT 53 packets, 3160 bytes)
  pkts bytes target     prot opt in     out     source               destination
 1575K  531M ufw-before-logging-output  all  --  any    any     anywhere             anywhere
 1575K  531M ufw-before-output  all  --  any    any     anywhere             anywhere
   537 97799 ufw-after-output  all  --  any    any     anywhere             anywhere
   537 97799 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
   537 97799 ufw-reject-output  all  --  any    any     anywhere             anywhere
   537 97799 ufw-track-output  all  --  any    any     anywhere             anywhere

 Chain f2b-HTTPS (4 references)
  pkts bytes target     prot opt in     out     source               destination
 1547K  228M RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere

 Chain f2b-SSH (2 references)
  pkts bytes target     prot opt in     out     source               destination
  235K   14M RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere

 Chain f2b-nginx-http-auth (2 references)
  pkts bytes target     prot opt in     out     source               destination
  975K  128M RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere

 Chain f2b-sshd (2 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 REJECT     all  --  any    any     62-210-106-228.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
  235K   14M RETURN     all  --  any    any     anywhere             anywhere
     0     0 RETURN     all  --  any    any     anywhere             anywhere

 Chain ufw-after-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-after-input (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
     0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
     0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
     0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
     0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
     0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
     0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

 Chain ufw-after-logging-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 Chain ufw-after-logging-input (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 Chain ufw-after-logging-output (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-after-output (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-before-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
     0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere

 Chain ufw-before-input (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
     0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
     0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
     0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
     0     0 ufw-not-local  all  --  any    any     anywhere             anywhere
     0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
     0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
     0     0 ufw-user-input  all  --  any    any     anywhere             anywhere

 Chain ufw-before-logging-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-before-logging-input (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-before-logging-output (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-before-output (1 references)
  pkts bytes target     prot opt in     out     source               destination
 1381K  214M ACCEPT     all  --  any    lo      anywhere             anywhere
  194K  317M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   537 97799 ufw-user-output  all  --  any    any     anywhere             anywhere

 Chain ufw-logging-allow (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

 Chain ufw-logging-deny (2 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

 Chain ufw-not-local (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
     0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
     0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
     0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
     0     0 DROP       all  --  any    any     anywhere             anywhere

 Chain ufw-reject-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-reject-input (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-reject-output (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-skip-to-policy-forward (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  any    any     anywhere             anywhere

 Chain ufw-skip-to-policy-input (7 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  any    any     anywhere             anywhere

 Chain ufw-skip-to-policy-output (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere

 Chain ufw-track-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-track-input (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-track-output (1 references)
  pkts bytes target     prot opt in     out     source               destination
   112 10791 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
   300 22604 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

 Chain ufw-user-forward (1 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-user-input (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps

 Chain ufw-user-limit (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
     0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

 Chain ufw-user-limit-accept (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere

 Chain ufw-user-logging-forward (0 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-user-logging-input (0 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-user-logging-output (0 references)
  pkts bytes target     prot opt in     out     source               destination

 Chain ufw-user-output (1 references)
  pkts bytes target     prot opt in     out     source               destination

You have a DROP rule before the ufw rules that rejects the imaps connection. That is not the only rule that can cause problems. You should check how they got there; perhaps you once applied them directly instead of in before.rules / after.rules.

 1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
  222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
  7460  441K DROP       all  --  any    any     anywhere             anywhere

All of the above rules are inserted before the ufw rules and can cause problems. For example, if you configured ufw to deny http or https, these rules would still allow those ports.
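As an added illustration of this answer (my code, not the asker's or the answerer's), the following Python script parses `iptables -L -v` output, reports every rule in INPUT that sits behind a catch-all DROP/REJECT and can therefore never match, and simulates the verdict a new external TCP connection to a given port would receive, walking into the ufw user chains the same way the kernel does. The sample is a constructed, abridged copy of the INPUT chain and three ufw chains from the question; the function names, the simplified handling of match modules (tcp dpt, multiport dports, ctstate, ADDRTYPE; anything else is treated as not matching), and the assumption that address-specific rules do not cover the client are all my own.

```python
import re
from collections import namedtuple

# Constructed sample: an abridged copy of the question's INPUT chain and the ufw
# chains behind it (unrelated rules, chains and column headers trimmed).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out source   destination
1381K  214M ACCEPT     all  --  lo  any anywhere anywhere
 222K   45M ACCEPT     all  --  any any anywhere anywhere  ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any any anywhere anywhere  tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any any anywhere anywhere  multiport dports http,https
 7460  441K DROP       all  --  any any anywhere anywhere
    0     0 ufw-before-input all -- any any anywhere anywhere
    0     0 ufw-after-input  all -- any any anywhere anywhere

Chain ufw-before-input (1 references)
    0     0 ACCEPT     all  --  any any anywhere anywhere  ctstate RELATED,ESTABLISHED
    0     0 ufw-not-local  all -- any any anywhere anywhere
    0     0 ufw-user-input all -- any any anywhere anywhere

Chain ufw-not-local (1 references)
    0     0 RETURN     all  --  any any anywhere anywhere  ADDRTYPE match dst-type LOCAL
    0     0 DROP       all  --  any any anywhere anywhere

Chain ufw-user-input (1 references)
    0     0 ACCEPT     tcp  --  any any anywhere anywhere  tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any any anywhere anywhere  tcp dpt:imaps
"""

Rule = namedtuple("Rule", "target prot in_if out_if source dest match")
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+))?")


def parse_iptables_lv(text):
    """Map each chain name to its ordered rules; also return built-in chain policies."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current, policy = m.groups()
            chains[current] = []
            if policy:
                policies[current] = policy
            continue
        f = line.split(None, 8)  # pkts bytes target prot opt in out source dest [match]
        if current and len(f) == 9 and f[0] != "pkts":
            dest, _, match = f[8].partition(" ")
            chains[current].append(Rule(f[2], f[3], f[5], f[6], f[7], dest, match.strip()))
    return chains, policies


def match_applies(match, port):
    """Does the rule's match text cover a NEW inbound TCP packet to `port`?
    Unknown match modules count as not matching (conservative)."""
    t = match.split()
    while t:
        if t[0] == "tcp" and len(t) > 1 and t[1].startswith("dpt:"):
            ok, t = t[1][4:] == port, t[2:]
        elif t[0] == "multiport" and len(t) > 2 and t[1] == "dports":
            ok, t = port in t[2].split(","), t[3:]
        elif t[0] == "ctstate" and len(t) > 1:
            ok, t = "NEW" in t[1].split(","), t[2:]
        elif t[0] == "ADDRTYPE" and len(t) > 3 and t[2] == "dst-type":
            ok, t = t[3] == "LOCAL", t[4:]  # the packet is addressed to the host itself
        else:
            ok = False
        if not ok:
            return False
    return True


def verdict(chains, port, chain="INPUT"):
    """Walk `chain` for a new TCP connection to `port` from an external host (not lo).
    Returns ACCEPT/DROP/REJECT, or None when the chain falls through."""
    for r in chains.get(chain, []):
        if r.prot not in ("all", "tcp") or r.in_if != "any" or r.out_if != "any":
            continue
        if r.source != "anywhere" or r.dest != "anywhere" or not match_applies(r.match, port):
            continue  # address-specific rules are assumed not to cover our client
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.target == "RETURN":
            return None
        v = verdict(chains, port, r.target)  # jump into a user chain; LOG/unknown chains fall through
        if v is not None:
            return v
    return None


def catch_all(r):
    return r.prot == "all" and r.in_if == r.out_if == "any" and r.source == r.dest == "anywhere" and not r.match


def shadowed_by_catch_all(text, chain="INPUT"):
    """Targets of every rule that can never be reached because a catch-all DROP/REJECT precedes it."""
    rules = parse_iptables_lv(text)[0].get(chain, [])
    for i, r in enumerate(rules):
        if r.target in ("DROP", "REJECT") and catch_all(r):
            return [x.target for x in rules[i + 1:]]
    return []


def input_verdict(text, port, ignore_catch_all_drop=False):
    """Verdict for a new external TCP connection to `port` (service name as iptables prints it).
    With ignore_catch_all_drop=True the early catch-all DROP/REJECT in INPUT is skipped,
    which shows what the ufw chains behind it would have decided."""
    chains, policies = parse_iptables_lv(text)
    if ignore_catch_all_drop:
        chains["INPUT"] = [r for r in chains["INPUT"] if not (r.target in ("DROP", "REJECT") and catch_all(r))]
    return verdict(chains, port) or policies.get("INPUT", "ACCEPT")
```

Running it against the sample, `shadowed_by_catch_all(SAMPLE)` lists both ufw jump targets as unreachable, `input_verdict(SAMPLE, "imaps")` gives DROP while `input_verdict(SAMPLE, "ssh")` gives ACCEPT (matching what the asker saw with nmap), and with the early DROP ignored imaps becomes ACCEPT through `ufw-user-input`. On a real host, feed it `subprocess.run(["iptables", "-L", "-v"], capture_output=True, text=True).stdout` instead of the sample.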

Try setting:

 disable_plaintext_auth=no
 ssl=yes

What about reverse DNS resolution? Dovecot may check it, while Nginx does not.

Try adding

 127.0.0.1 my-domain.com 

to your hosts file.

I ran into the same problem you describe. You probably know by now, but I only got dovecot to send a response on port 993 after adding "imaps" to the list of protocols it should support. Adding "imap" and setting the "ssl" attribute in the configuration to "yes" or "required" was not enough. Hope that helps.