Re: Mail retrieval with STARTTLS and port 143 partly no longer possible
Andreas Wass - Glas Gasperlmair
a.wass at glas-gasperlmair.at
Wed Jun 22 13:59:41 CEST 2022
I can reproduce the problem from one of the affected PCs against my
identically configured test mail server, and I have turned the logging
all the way up.
auth_verbose = yes
auth_debug = yes
mail_debug = yes
verbose_ssl = yes
Attached is the mail log, and below that my dovecot config.
As I said, it currently affects about 10 (of 120) Windows 10 (version
10.0.19044) PCs with Thunderbird 91.10.0, when retrieving mail over IMAP
port 143 with STARTTLS.
The certificate is from Let's Encrypt and is current.
I can rule out the various limits (see my last reply to Peer's
comment).
I am very grateful for any hints.
mail.log
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:47:10 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS read client hello
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS read client hello
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write server hello
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write server hello
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write certificate
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write certificate
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: before SSL initialization
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 write server certificate verify
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 write server certificate verify
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write finished
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3/TLS write finished
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL error:
Connection closed
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL error:
Connection closed
Jun 22 13:48:50 testmailserver dovecot: imap-login: Disconnected (no
auth attempts in 100 secs): user=<>, rip=192.168.106.93, TLS
handshaking: Connection closed, session=<O/eu6wfiA8bAqGpd>
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Disconnected (no
auth attempts in 100 secs): user=<>, rip=192.168.106.93, TLS
handshaking: Connection closed, session=<Qveu6wfiBMbAqGpd>
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL error:
Connection closed
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: TLSv1.3 early data
Jun 22 13:48:50 testmailserver dovecot: imap-login: Debug: SSL error:
Connection closed
doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.3 ext4
# Hostname: testmailserver.glas.local
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 8192
default_process_limit = 2048
default_vsz_limit = 4 G
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r mpid=%e %c %k session=<%{session}>
mail_debug = yes
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_plugins = fts fts_lucene zlib
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  sieve = ~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_dir = ~/sieve
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  process_min_avail = 32
  service_count = 0
}
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl_cert = </etc/letsencrypt/live/mail1.gasperlmair.at/fullchain.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_ssl = yes
protocol lmtp {
  mail_plugins = fts fts_lucene zlib sieve
}
protocol imap {
  mail_plugins = fts fts_lucene zlib imap_zlib
}
On 21.06.2022 at 14:41, Andreas Wass - Glas Gasperlmair via Dovecot wrote:
> Hello Peer,
>
> for "limit problems" like that there would have to be entries in the
> log file, wouldn't there?
>
> lsof -i :143 | wc -l gives 304 here
>
> Various limits:
>
> grep -R limit /etc/dovecot/| grep -v '#'
> /etc/dovecot/conf.d/10-master.conf:default_process_limit = 2048
> /etc/dovecot/conf.d/10-master.conf:default_client_limit = 8192
> /etc/dovecot/conf.d/10-master.conf:default_vsz_limit = 4096M
>
> vi /etc/sysctl.conf
> fs.file-max=8192
>
> vi /etc/security/limits.conf
> * soft nproc 8192
> * hard nproc 8192
> * soft nofile 8192
> * hard nofile 8192
> root soft nproc 8192
> root hard nproc 8192
> root soft nofile 8192
> root hard nofile 8192
>
> On 21.06.2022 at 09:59, Peer Heinlein wrote:
>> On 20.06.22 at 14:25, Andreas Wass - Glas Gasperlmair via
>> Dovecot wrote:
>>
>>
>> Hello,
>>
>>> More and more Thunderbird clients (version 91.10.0) can no longer
>>> retrieve e-mail over port 143 and STARTTLS.
>>> It is somehow odd that it does not affect all clients, but that
>>> 1-2 more are added every day.
>> That sounds as if you have a maximum limit on IMAP connections
>> (e.g. 1024) through ulimit or systemd limits, and that you are
>> "hitting this limit" through growth or the like.
>>
>> That then means that individual clients no longer get a slot.
>>
>> Verification question:
>>
>> What do you see with
>>
>> lsof -i :143 | wc -l
>>
>> Some "mystical" typical value like ~1024 ~4098 etc.?
>>
>> We use:
>>
>> /etc/systemd/system/dovecot.service.d/limits.conf:
>> ============================
>> [Service]
>> # You can add environment variables with e.g.:
>> #Environment='CORE_OUTOFMEM=1'
>>
>> # If you have trouble with `Too many open files' you may set:
>> LimitNOFILE=100000
>>
>> # If you want to allow the Dovecot services to produce core dumps, use:
>> LimitCORE=infinity
>> ============================
>>
>>
>>
>> Peer
>>
>>
>>
>>
>