IMAP connection to Dovecot keeps failing (timeout)

***TL;DR: if you run into connection problems, don't just make sure the required rules have been added to the firewall; also make sure (`iptables -L -v`) that the rules are in the correct order!***

It has been a few days now and I can't figure out why my IMAP setup (on port 993) refuses to work (using Dovecot, version 2.2.22). The connection fails, for a reason I can't see.

Troubleshooting the connection with openssl: connecting on port 993 doesn't work:

```
$ openssl s_client -connect my-domain.com:993
```

returns:

```
connect: Connection timed out
connect:errno=110
```

But the port used (993) appears to be open:

```
$ ufw status
```

returns:

```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
110/tcp                    ALLOW       Anywhere
995/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
587/tcp (v6)               ALLOW       Anywhere (v6)
993/tcp (v6)               ALLOW       Anywhere (v6)
143/tcp (v6)               ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)
110/tcp (v6)               ALLOW       Anywhere (v6)
995/tcp (v6)               ALLOW       Anywhere (v6)
```

My Dovecot configuration is:

```
$ dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-38-generic x86_64 Ubuntu 16.04.1 LTS ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3 lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/localcerts/www.my-domain.com.chained.crt
ssl_key = </etc/ssl/localcerts/www.my-domain.com.key
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
```
Edit 1:

The key and certificate do match:

```
$ (openssl x509 -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.crt | openssl md5 ;\
   openssl rsa -noout -modulus -in /etc/ssl/localcerts/www.my-domain.com.key | openssl md5) | uniq
```

returns only 1 identifier:

```
(stdin)= cfcbed2e4061910c47c5008d8732e522
```
Edit 2:

Enabling maximum logging in Dovecot with:

```
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
verbose_ssl=yes
auth_verbose_passwords=sha1
```

returns:

```
$ tail -f /var/log/mail.log
dovecot: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3, lmtp (core dumps disabled)
[...]
dovecot: lmtp(5491): Connect from local
dovecot: lmtp(info@my-domain.com): +rg7LUpw6ldzFQAAxWOCog: msgid=<57ea704a99e89_b638aedb491d2@chbh.mail>: saved mail to INBOX
dovecot: lmtp(5491): Disconnect from local: Successful quit
```
Edit 3:

Connecting over SSL to the web server (Nginx), which uses the same certificate and key on port 443, works perfectly fine:

```
$ openssl s_client -connect my-domain.com:443
```

Edit 4:

I used the same version of Dovecot, the same Dovecot configuration and the same certificate + key on an old server, where IMAP connections to Dovecot work perfectly.
Edit 5:

Trying `openssl s_client` to establish a connection on the IMAP port 993 with the `-dtls1` parameter seems to do something:

```
$ openssl s_client -connect my-domain.com:993 -dtls1 -debug
```

returns (very slowly) something like this:

```
CONNECTED(00000003)
write to 0x1425de0 [0x142f970] (202 bytes => 202 (0xCA))
0000 - 16 fe ff 00 00 00 00 00-00 00 00 00 bd 01 00 00   ................
0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........y.n}%
0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...K.N.p....r...
0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
[...]
0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
read from 0x1425de0 [0x142b413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write to 0x1425de0 [0x1434ed0] (202 bytes => 202 (0xCA))
0000 - 16 fe ff 00 00 00 00 00-00 00 01 00 bd 01 00 00   ................
0010 - b1 00 00 00 00 00 00 00-b1 fe ff 79 ab 6e 7d 25   ...........y.n}%
0020 - ac b9 bb 4b d9 4e 10 70-d4 fa 89 1b 72 bc 10 c1   ...K.N.p....r...
0030 - 46 30 c6 16 d8 46 63 4d-9f 75 9c 00 00 00 56 c0   F0...FcM.u....V.
[...]
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
[...]
0070 - 45 00 44 00 43 00 42 c0-0e c0 04 00 2f 00 96 00   E.D.C.B...../...
0080 - 41 c0 12 c0 08 00 16 00-13 00 10 00 0d c0 0d c0   A...............
0090 - 03 00 0a 00 ff 01 00 00-31 00 0b 00 04 03 00 01   ........1.......
00a0 - 02 00 0a 00 1c 00 1a 00-17 00 19 00 1c 00 1b 00   ................
00b0 - 18 00 1a 00 16 00 0e 00-0d 00 0b 00 0c 00 09 00   ................
00c0 - 0a 00 23 00 00 00 0f 00-01 01                     ..#.......
read from 0x1e8dde0 [0x1e93413] (17741 bytes => -1 (0xFFFFFFFFFFFFFFFF))
139876009338520:error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired:d1_lib.c:495:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 2424 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : DTLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1474892601
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```

...and then the connection closes.

However, using the parameters `-tls1` (TLSv1), `-tls1_1` (TLSv1.1) or `-tls1_2` (TLSv1.2) returns the timeout message `connect: Connection timed out` and `connect:errno=110`.
Edit 6:

If I enable the secure POP port 995 in Dovecot, restart it, open this port in the firewall and then try:

```
openssl s_client -connect my-domain.com:995
```

...I also get the timeout error `connect: Connection timed out`, `connect:errno=110`, apparently indicating that the root of the problem applies to both IMAP and POP.

Edit 7:

The right processes seem to be listening on the right ports:

```
$ netstat -tulpn
```

returns:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2827/nginx
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      2327/opendkim
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      1918/monit
tcp        0      0 127.0.0.1:34305         0.0.0.0:*               LISTEN      2915/public
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2269/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2306/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2827/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2597/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2249/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      2597/master
tcp6       0      0 :::993                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::995                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::587                  :::*                    LISTEN      2597/master
tcp6       0      0 :::110                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      2306/dovecot
tcp6       0      0 :::465                  :::*                    LISTEN      2597/master
```
Edit 8:

Telnet only works for ports 80 and 443 (used by Nginx); all other ports seem to be unresponsive (timeout).

Edit 9:

I just did a port scan with `nmap 12.34.56.78`, and it only shows:

```
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
```

If you look at the `ufw status` result posted above, you can see that I allowed a whole list of ports that nmap does not "find". What is the cause of this, and how do I fix it? (I know it's not my network or provider: I can connect to my old/"identical" server, and the nmap scan shows the required IMAP ports as "open" there.)

Edit 10:
```
$ iptables -L -v
```

returns:

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 118K 7235K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7228K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 118K 7226K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 488K   64M f2b-nginx-http-auth  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 118K 7226K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere
    0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 53 packets, 3160 bytes)
 pkts bytes target     prot opt in     out     source               destination
1575K  531M ufw-before-logging-output  all  --  any    any     anywhere             anywhere
1575K  531M ufw-before-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-after-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-reject-output  all  --  any    any     anywhere             anywhere
  537 97799 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain f2b-HTTPS (4 references)
 pkts bytes target     prot opt in     out     source               destination
1547K  228M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-SSH (2 references)
 pkts bytes target     prot opt in     out     source               destination
 235K   14M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-nginx-http-auth (2 references)
 pkts bytes target     prot opt in     out     source               destination
 975K  128M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     62-210-106-228.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
 235K   14M RETURN     all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ufw-not-local  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
1381K  214M ACCEPT     all  --  any    lo      anywhere             anywhere
 194K  317M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  537 97799 ufw-user-output  all  --  any    any     anywhere             anywhere

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  112 10791 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  300 22604 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
```
You have a DROP rule before the `ufw` rule that accepts `imaps` connections. This isn't the only rule that will cause problems. You should check how they got there; perhaps you used `-I` instead of `-A` in `before.rules` or `after.rules`.

```
1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere
```

All of the rules above are inserted before the `ufw` rules and may cause problems. For example, if you configured `ufw` to deny http or https, these rules would allow those ports anyway.
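The rule-order problem behind both the TL;DR and this answer (a catch-all DROP sitting in INPUT ahead of the chains that ufw jumps into) can be checked mechanically instead of by eye. The script below is an added example, not code from the question, the answer, ufw or iptables: it parses the text of `iptables -L -v`, reports every rule that follows the first catch-all terminal rule in a chain (those rules can never match), and follows jumps into user chains to decide whether a given port is actually accepted. The listing it runs on is a constructed sample modelled on the INPUT chain posted above, not the original capture, and all function names are my own.

```python
import re
import sys
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
ANY_ADDR, ANY_IFACE = {"anywhere", "0.0.0.0/0", "::/0"}, {"any", "*"}   # with and without -n

# Constructed sample modelled on the question's INPUT chain (not the original capture).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 387K   57M f2b-HTTPS  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
1381K  214M ACCEPT     all  --  lo     any     anywhere             anywhere
 222K   45M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  398 23248 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
 7903  443K ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 7460  441K DROP       all  --  any    any     anywhere             anywhere
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps
"""
# The same listing with the stray catch-all DROP removed (on a real host: `iptables -D INPUT <n>`).
FIXED_LISTING = "\n".join(l for l in SAMPLE_LISTING.splitlines() if l.split()[2:3] != ["DROP"])


@dataclass
class Rule:
    index: int       # 1-based position, as `iptables -L --line-numbers` shows it
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str       # trailing match text such as "tcp dpt:imaps"; "" when absent

    def is_catch_all(self):
        """True when the rule has no match criteria, so it fires for every packet."""
        return (self.prot == "all" and self.in_if in ANY_IFACE and self.out_if in ANY_IFACE
                and self.source in ANY_ADDR and self.destination in ANY_ADDR and self.extra == "")


def parse_listing(text):
    """Parse `iptables -L -v` output into {chain_name: [Rule, ...]} in listing order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line or current is None or line.startswith("pkts bytes"):
            continue
        parts = line.split(None, 9)  # pkts bytes target prot opt in out source destination [matches]
        if len(parts) < 9:
            continue
        extra = parts[9].strip() if len(parts) == 10 else ""
        chains[current].append(Rule(len(chains[current]) + 1, parts[2], parts[3],
                                    parts[5], parts[6], parts[7], parts[8], extra))
    return chains


def shadowed_rules(chains, chain="INPUT"):
    """(blocking_rule, [rules after it]) for the first catch-all terminal rule in `chain`, else (None, [])."""
    rules = chains.get(chain, [])
    for i, rule in enumerate(rules):
        if rule.target in TERMINAL_TARGETS and rule.is_catch_all():
            return rule, rules[i + 1:]
    return None, []


def reachable_accepts(chains, chain="INPUT"):
    """ACCEPT rules a packet can actually reach from `chain`, following jumps into listed user chains."""
    found = []
    for rule in chains.get(chain, []):
        if rule.target == "ACCEPT":
            found.append((chain, rule))
        elif rule.target in chains:  # jump into a user-defined chain (iptables rejects jump loops)
            found.extend(reachable_accepts(chains, rule.target))
        if rule.target in TERMINAL_TARGETS | {"RETURN"} and rule.is_catch_all():
            break  # nothing after a catch-all terminal rule is ever evaluated
    return found


def port_reachable(chains, port, chain="INPUT"):
    """Is there a reachable ACCEPT for `port` (`dpt:PORT` or a member of `multiport dports`)?"""
    for _, rule in reachable_accepts(chains, chain):
        m = re.search(r"(?:dpt:|dports )(\S+)", rule.extra)
        if m and port in m.group(1).split(","):
            return True
    return False


if __name__ == "__main__":
    # Usage: iptables -L -v > rules.txt && python3 check_order.py rules.txt (no argument: built-in sample)
    chains = parse_listing(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING)
    print("shadowed:", [r.target for r in shadowed_rules(chains)[1]], "imaps reachable:", port_reachable(chains, "imaps"))
```

On the sample, rule 6 (the catch-all DROP) shadows the two ufw jump rules behind it, so `imaps` is unreachable even though `ufw-user-input` contains an ACCEPT for it; on the fixed listing the same query comes back true. Port names follow the listing, so with `iptables -L -v -n` pass the number (`993`) rather than `imaps`. The rule index matches `iptables -L INPUT -v --line-numbers`, which is the number you would hand to `iptables -D INPUT <n>` once you have found which script inserted the rule with `-I`.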