mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Dovecot not running and not starting after custom SSL/TLS certificate installation #4405

Closed. AnnoyingTechnology closed this issue 2 years ago.

AnnoyingTechnology commented 2 years ago

Summary

We had a new mailcow install working briefly (with the default SSL certificates).

The installation of a custom certificate (issued by Let's Encrypt, but not by acme-mailcow) then prevents dovecot from starting.

The certificate and private key are provided by Let's Encrypt on another machine and copied to mailcow via scp. They were copied as stated in the documentation (fullchain.pem -> cert.pem and privkey -> key.pem). The permissions for both files are kept at 600 and root:root, like the default ones. The local Let's Encrypt container has been disabled since the installation of mailcow. After restarting the required services (still following the documentation), dovecot is not running and will not start.

Adding debug options to dovecot.conf didn't help me diagnose further. Restoring the original certificates and restarting the services didn't solve the issue. Updating the whole mailcow install (./update.sh) didn't solve the issue either.

Crazy thing: it was broken for the 6 hours of attempted debugging plus last night, and when collecting logs for this issue just 15 min ago, dovecot seems to have finally started after running?!

I guess this command may play a role in fixing the issue? docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254, as suggested in the issue template.

As following the guide results in a crashed dovecot, I hope that this issue is legitimate.

emails:/opt/mailcow-dockerized/data/assets/ssl# openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:7f:a4:0d:2a:82:a7:21:27:80:b4:11:bf:e5:23:d6:91:a0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Nov 19 19:11:54 2021 GMT
            Not After : Feb 17 19:11:53 2022 GMT
        Subject: CN = mail.{ourdomainnameredacted}.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)

Logs

Dec 28 09:37:02 0861c46e0a5e dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42

Reproduction

Install mailcow using SKIP_LETS_ENCRYPT=y and SKIP_CLAMD=u

Import certificates from another host that uses Let's Encrypt, as explained in the documentation.

@emails:/opt/mailcow-dockerized# cat /root/scripts/retrieve-and-install-tls-certificate.sh 
#!/bin/bash
# Obtains the Let's Encrypt certificate from our reverse proxy and restarts the
# mailcow containers that serve TLS. Abort on the first failed step so a failed
# copy never leads to a restart with a half-updated cert/key pair.
set -euo pipefail
SSL_DIR=/opt/mailcow-dockerized/data/assets/ssl
LE_LIVE=/etc/letsencrypt/live/mail.{ourdomainnameredacted}.com
cd /opt/mailcow-dockerized
# as in the documentation: fullchain.pem -> cert.pem, privkey.pem -> key.pem
scp "root@hostWithLetsEncryptExposed:${LE_LIVE}/fullchain.pem" "${SSL_DIR}/cert.pem"
scp "root@hostWithLetsEncryptExposed:${LE_LIVE}/privkey.pem" "${SSL_DIR}/key.pem"
chmod 600 "${SSL_DIR}"/*
# -a also matches stopped containers, so a crashed dovecot is restarted as well
postfix_c=$(docker ps -qaf name=postfix-mailcow)
dovecot_c=$(docker ps -qaf name=dovecot-mailcow)
nginx_c=$(docker ps -qaf name=nginx-mailcow)
docker restart "${postfix_c}" "${dovecot_c}" "${nginx_c}"

git diff origin/master shows:

data/assets/ssl-example/... differs

data/conf/dovecot/dovecot.conf

-#mail_debug = yes
-#auth_debug = yes
+mail_debug = yes
+auth_debug = yes
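Review bot: mail_debug = yes and auth_debug = yes switch Dovecot to verbose diagnostic logging for all mail and authentication processing, which is what produces the long run of sievec Debug lines in the docker-compose logs dovecot-mailcow output later in the thread; revert both in the tracked data/conf/dovecot/dovecot.conf once the certificate problem is understood, so authentication activity is not logged at debug level permanently and git diff origin/master stays clean.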

data/conf/postfix/main.cf

myhostname = mail.{ourdomainredactedhere}.com

docker-compose.yml

-      sysctls:
-        - net.core.somaxconn=4096
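Review bot: the hunk removes the net.core.somaxconn sysctl from the tracked docker-compose.yml without saying why; a reviewer cannot tell from the deletion alone that the value is applied on the host instead, so record that reason (a comment in docker-compose.yml next to the removed block, or the note below) and treat this as a local LXC workaround that will show up again in every git diff origin/master.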

but this setting is already applied.

System information

uname: Linux emails 5.13.19-2-pve #1 SMP PVE 5.13.19-4 (Mon, 29 Nov 2021 12:10:09 +0100) x86_64 GNU/Linux

My operating system: Debian 11.2
Is AppArmor, SELinux or similar active? No
Virtualization technology (KVM, VMware, Xen, etc.; LXC and OpenVZ are not supported): LXC, with full control over the kernel settings and the host
Server/VM specifications (memory, CPU cores): 4 vCores, 6 GB RAM
Docker version (docker version): 20.10.12
Docker-Compose version (docker-compose version): 1.29.2
Reverse proxy (custom solution): Nginx on another machine, but the issue exists with direct access via IP address

We do not have custom rules, other services running on this machine, nor have we modified mailcow's IP addresses or ranges.

@emails:/opt/mailcow-dockerized# iptables -L -vn
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 195K  181M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 195K  181M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 125K  178M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  207 13083 DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
69576 3153K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
  206 13023 ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    1    60 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
69576 3153K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 529K  474M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
 171K 7810K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 529K  474M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
emails:/opt/mailcow-dockerized# iptables -L -vn -t nat
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   54  3240 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  229 16377 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.13          172.22.1.13          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.13          172.22.1.13          tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.8:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.9:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    1    60 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.13:443
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.13:80

DNS check from the issue template, docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254, returned:

151.101.65.69
151.101.193.69
151.101.1.69
151.101.129.69

I am aware that LXC is not supported, but we have full control over the host (as that seems to be the main concern for not supporting it) and we are applying the required settings to the host's kernel (i.e. net.core.somaxconn=4096).

We are more than open to paid support if this was to be considered a support request and not a mailcow issue.
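One check a practitioner would want between the scp step and the docker restart in the script above: confirm that cert.pem and key.pem belong together, that the chain in cert.pem verifies, that the mail hostname is in the SAN and that the key is mode 600, before Dovecot is restarted with the new pair. This is an added example, not the reporter's script and not mailcow's own code; the paths, the 7-day expiry margin and the hostname are assumptions.

```shell
#!/bin/bash
# Pre-flight checks for a custom cert.pem/key.pem pair before it is dropped into
# /opt/mailcow-dockerized/data/assets/ssl and the TLS-serving containers are
# restarted. Added example (not mailcow code, not from the issue); the paths,
# the 7-day margin and the hostname are assumptions.

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# 0 when key.pem is the private key for cert.pem: compare the SubjectPublicKeyInfo
# taken from the certificate with the public key derived from the private key.
tls_key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid $2 seconds from now (default: now).
tls_cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 when the hostname clients connect to is listed as a DNS SAN entry; dots in
# the name are escaped so "mail.example.test" does not match "mailXexample.test".
tls_cert_has_san() {
  local re
  re=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "(^|[ ,])DNS:${re}([ ,]|$)"
}

# 0 when the leaf in $1 chains to a trust anchor using the intermediates bundled
# in the same file (a fullchain.pem). $2 optionally names a CA file to trust
# instead of the system store, which a lab or self-signed setup needs.
tls_chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
  fi
}

# 0 when the private key is readable by its owner only (mode 600, as in the thread).
tls_key_perms_ok() {
  [ "$(file_mode "$1")" = "600" ]
}

# Run every check, report each failure on stderr, return 1 if any failed.
# usage: preflight_tls_pair cert.pem key.pem mail.example.test [ca.pem]
preflight_tls_pair() {
  local cert="$1" key="$2" host="$3" ca="${4:-}" failed=0
  tls_key_matches_cert "$cert" "$key" \
    || { echo "FAIL: $key is not the private key for $cert" >&2; failed=1; }
  tls_cert_valid_for "$cert" 604800 \
    || { echo "FAIL: $cert is unreadable, expired or expires within 7 days" >&2; failed=1; }
  tls_cert_has_san "$cert" "$host" \
    || { echo "FAIL: $cert has no DNS SAN entry for $host" >&2; failed=1; }
  tls_chain_verifies "$cert" "$ca" \
    || { echo "FAIL: chain in $cert does not verify (is it fullchain.pem?)" >&2; failed=1; }
  tls_key_perms_ok "$key" \
    || { echo "FAIL: $key must be mode 600" >&2; failed=1; }
  return "$failed"
}
```

Call preflight_tls_pair on the freshly copied files and only run docker restart when it returns 0.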

andryyy commented 2 years ago

Hi, can you try this? ->

Run "down", delete the folder data/assets/ssl/mail.yourmailcowhostname.tld, run "up -d"

Best regards, André Peters

AnnoyingTechnology commented 2 years ago

Hi, thanks for your answer.

I'm a bit confused, are we talking about /opt/mailcow-dockerized/.../ssl/mail.domain.tld ? If so, this folder does not exist.

# exa --tree /opt/mailcow-dockerized/data/assets/ssl
/opt/mailcow-dockerized/data/assets/ssl
├── all.pem
├── cert.pem
├── dhparams.pem
└── key.pem

although I did try creating one at some point, according to an answer in another similar issue (didn't help).

andryyy commented 2 years ago

Did you set SKIP_LETS_ENCRYPT in mailcow.conf? The folder must not exist, that’s correct in your case. TLS_SNI is disabled in mailcow.conf, right? Can you set 644 on the cert.pem? Please always run down and up -d to rule other problems out.

AnnoyingTechnology commented 2 years ago

Did you set SKIP_LETS_ENCRYPT in mailcow.conf?

Yes, from the very start. cat mailcow.conf | grep LETS = SKIP_LETS_ENCRYPT=y

TLS_SNI is disabled in mailcow.conf, right?

Yes cat mailcow.conf | grep SNI = ENABLE_SSL_SNI=n

Can you set 644 on the cert.pem?

Done, followed by down/up: dovecot is not running anymore.

WARNING: The WATCHDOG_NOTIFY_EMAIL variable is not set. Defaulting to a blank string.
Creating network "mailcowdockerized_mailcow-network" with driver "bridge"
Creating mailcowdockerized_unbound-mailcow_1   ... done
Creating mailcowdockerized_sogo-mailcow_1      ... done
Creating mailcowdockerized_olefy-mailcow_1     ... done
Creating mailcowdockerized_memcached-mailcow_1 ... done
Creating mailcowdockerized_watchdog-mailcow_1  ... done
Creating mailcowdockerized_dockerapi-mailcow_1 ... done
Creating mailcowdockerized_redis-mailcow_1     ... done
Creating mailcowdockerized_solr-mailcow_1      ... done
Creating mailcowdockerized_clamd-mailcow_1     ... done
Creating mailcowdockerized_php-fpm-mailcow_1   ... done
Creating mailcowdockerized_mysql-mailcow_1     ... done
Creating mailcowdockerized_postfix-mailcow_1   ... done
Creating mailcowdockerized_dovecot-mailcow_1   ... done
Creating mailcowdockerized_nginx-mailcow_1     ... done
Creating mailcowdockerized_acme-mailcow_1      ... done
Creating mailcowdockerized_netfilter-mailcow_1 ... done
Creating mailcowdockerized_rspamd-mailcow_1    ... done
Creating mailcowdockerized_ofelia-mailcow_1    ... done
emails:/opt/mailcow-dockerized# docker-compose logs dovecot-mailcow
Attaching to mailcowdockerized_dovecot-mailcow_1
dovecot-mailcow_1    | Uptime: 24  Threads: 7  Questions: 281  Slow queries: 0  Opens: 47  Open tables: 38  Queries per second avg: 11.708
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib05_mail_crypt_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_listescape_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_replication_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
dovecot-mailcow_1    | sievec(root)<58><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: Effective uid=0, gid=0, home=/root
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: dict(file): dict created (uri=file:/var/vmail/shared-mailboxes.db, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: Quota root: name=Userquota backend=dict args=:proxy::sqlquota
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: Quota warning: bytes=0 (95%) messages=0 reverse=no command=quota-warning 95 root
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: Quota warning: bytes=0 (80%) messages=0 reverse=no command=quota-warning 80 root
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: Quota grace: root=Userquota bytes=0 (10%)
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: quota-dict: user=root, uri=proxy::sqlquota, noenforcing=0
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: dict(proxy): dict created (uri=proxy::sqlquota, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<58><Dnz7CxfZymE6AAAAaaAigg>: Debug: replication: No mail_replica setting - replication disabled
dovecot-mailcow_1    | sievec: Debug: dict(file): dict destroyed
dovecot-mailcow_1    | sievec: Debug: dict(proxy): Waiting for dict to finish pending operations
dovecot-mailcow_1    | sievec: Debug: dict(proxy): dict destroyed
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib05_mail_crypt_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_listescape_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_replication_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
dovecot-mailcow_1    | sievec(root)<59><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: Effective uid=0, gid=0, home=/root
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: dict(file): dict created (uri=file:/var/vmail/shared-mailboxes.db, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: Quota root: name=Userquota backend=dict args=:proxy::sqlquota
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: Quota warning: bytes=0 (95%) messages=0 reverse=no command=quota-warning 95 root
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: Quota warning: bytes=0 (80%) messages=0 reverse=no command=quota-warning 80 root
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: Quota grace: root=Userquota bytes=0 (10%)
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: quota-dict: user=root, uri=proxy::sqlquota, noenforcing=0
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: dict(proxy): dict created (uri=proxy::sqlquota, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<59><kU+6EBfZymE7AAAAaaAigg>: Debug: replication: No mail_replica setting - replication disabled
dovecot-mailcow_1    | sievec: Debug: dict(file): dict destroyed
dovecot-mailcow_1    | sievec: Debug: dict(proxy): Waiting for dict to finish pending operations
dovecot-mailcow_1    | sievec: Debug: dict(proxy): dict destroyed
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib05_mail_crypt_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_listescape_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_replication_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
dovecot-mailcow_1    | sievec(root)<60><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: Effective uid=0, gid=0, home=/root
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: dict(file): dict created (uri=file:/var/vmail/shared-mailboxes.db, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: Quota root: name=Userquota backend=dict args=:proxy::sqlquota
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: Quota warning: bytes=0 (95%) messages=0 reverse=no command=quota-warning 95 root
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: Quota warning: bytes=0 (80%) messages=0 reverse=no command=quota-warning 80 root
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: Quota grace: root=Userquota bytes=0 (10%)
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: quota-dict: user=root, uri=proxy::sqlquota, noenforcing=0
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: dict(proxy): dict created (uri=proxy::sqlquota, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<60><+OQ/EhfZymE8AAAAaaAigg>: Debug: replication: No mail_replica setting - replication disabled
dovecot-mailcow_1    | sievec: Debug: dict(file): dict destroyed
dovecot-mailcow_1    | sievec: Debug: dict(proxy): Waiting for dict to finish pending operations
dovecot-mailcow_1    | sievec: Debug: dict(proxy): dict destroyed
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib05_mail_crypt_acl_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_listescape_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_replication_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
dovecot-mailcow_1    | sievec(root)<61><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: Effective uid=0, gid=0, home=/root
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: dict(file): dict created (uri=file:/var/vmail/shared-mailboxes.db, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: Quota root: name=Userquota backend=dict args=:proxy::sqlquota
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: Quota warning: bytes=0 (95%) messages=0 reverse=no command=quota-warning 95 root
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: Quota warning: bytes=0 (80%) messages=0 reverse=no command=quota-warning 80 root
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: Quota grace: root=Userquota bytes=0 (10%)
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: quota-dict: user=root, uri=proxy::sqlquota, noenforcing=0
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: dict(proxy): dict created (uri=proxy::sqlquota, base_dir=/var/run/dovecot)
dovecot-mailcow_1    | sievec(root)<61><LmoXFBfZymE9AAAAaaAigg>: Debug: replication: No mail_replica setting - replication disabled
dovecot-mailcow_1    | sievec: Debug: dict(file): dict destroyed
dovecot-mailcow_1    | sievec: Debug: dict(proxy): Waiting for dict to finish pending operations
dovecot-mailcow_1    | sievec: Debug: dict(proxy): dict destroyed
dovecot-mailcow_1    | Adding user `vmail' to group `tty' ...
dovecot-mailcow_1    | Adding user vmail to group tty
dovecot-mailcow_1    | Done.
dovecot-mailcow_1    |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
dovecot-mailcow_1    |                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
dovecot-mailcow_1    | Warning: Transient problem: timeout Will retry in 1 seconds. 10 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
dovecot-mailcow_1    | Warning: Transient problem: timeout Will retry in 2 seconds. 9 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
dovecot-mailcow_1    | Warning: Transient problem: timeout Will retry in 4 seconds. 8 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
dovecot-mailcow_1    | Warning: Transient problem: timeout Will retry in 8 seconds. 7 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:14 --:--:--     0
dovecot-mailcow_1    | Warning: Transient problem: timeout Will retry in 16 seconds. 6 retries left.

Please always run down and up -d to rule other problems out.

Sure, will do. Lost track of how many times I've done that in the last 24 hours :)

I would very much like to multitail /var/logs/dovecot.log, launch /bin/dovecot manually to check its output and strace dovecot to see what it's actually unhappy about or which files it is actually trying to open/parse, but knowing nothing about Docker I'm stuck. We're subscribing to paid support right now.

edit: accounting finally subscribed this morning.

AnnoyingTechnology commented 2 years ago

I will try to reproduce this with a fresh KVM to rule out LXC issues entirely and not waste your time.

AnnoyingTechnology commented 2 years ago

I have just reproduced the issue in an actual VM (KVM). Any ideas ?

MAGICCC commented 2 years ago

I just checked on my install using acme.sh to get LE certs using DNS challenge. In my domain.com.conf I have

Le_RealKeyPath='/certs-to-use/domain.com/privkey.pem'
Le_RealFullChainPath='/certs-to-use/domain.comt/fullchain.pem'

And these I copy with rsync to my mailcow VM in /data/assets/ssl and restart the services

-rw-r--r--  1 root root 5934 Dec 21 04:03 cert.pem
-rw-------  1 root root 3243 Dec 21 04:03 key.pem

fullchain.pem -> cert.pem
privkey.pem -> key.pem

AnnoyingTechnology commented 2 years ago

Thanks for the feedback.

fullchain.pem -> cert.pem
privkey.pem -> key.pem

Is exactly what we've done too. Perms are also identical.

root@emails:/opt/mailcow-dockerized/data/assets/ssl# ls
.rw-r--r--  5.6k root root  28 Dec  2021  cert.pem
.rw-------  1.7k root root  28 Dec  2021  key.pem
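
The two comments above compare the same layout (fullchain.pem copied to cert.pem, privkey.pem copied to key.pem, key readable by root only). The following is an added example, not code from this thread or from the mailcow project, that checks the things a custom certificate install can get wrong before the services are restarted: key.pem permissions, that cert.pem and key.pem actually belong together (same public key), that the leaf is not about to expire, and that cert.pem carries a chain rather than a lone leaf. The default directory is the `/opt/mailcow-dockerized/data/assets/ssl` path used in this thread; the function name `check_ssl_pair` is the example's own.

```shell
#!/bin/sh
# Added example (not mailcow's own tooling): sanity-check a custom cert/key pair
# in mailcow's data/assets/ssl directory before restarting the services.
# Layout assumed from the thread: cert.pem = full chain, key.pem = private key.

# check_ssl_pair [DIR]
# Prints findings and returns 0 only when every hard check passes.
check_ssl_pair() {
  dir=${1:-/opt/mailcow-dockerized/data/assets/ssl}
  cert="$dir/cert.pem"
  key="$dir/key.pem"
  status=0

  [ -r "$cert" ] || { echo "missing or unreadable: $cert"; return 1; }
  [ -r "$key" ]  || { echo "missing or unreadable: $key"; return 1; }

  # 1. The private key must not be readable by anyone but its owner
  #    (the thread shows -rw------- on key.pem). GNU stat first, BSD stat as fallback.
  key_mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$key_mode" in
    600|400) ;;
    *) echo "key.pem mode is $key_mode, expected 600"; status=1 ;;
  esac

  # 2. cert.pem and key.pem must be a pair: derive the public key from each side
  #    and compare digests. A mismatch is one way to end up with TLS handshake
  #    failures after copying the wrong files into place.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "cert.pem and key.pem do not match (or key.pem is not a parseable private key)"
    status=1
  fi

  # 3. The leaf certificate must still be valid for at least another day.
  if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
    echo "cert.pem expires within 24h or is already expired"
    status=1
  fi

  # 4. Advisory only: a fullchain.pem normally holds the leaf plus intermediate(s).
  n_certs=$(grep -c 'BEGIN CERTIFICATE' "$cert" || true)
  if [ "$n_certs" -lt 2 ]; then
    echo "note: only $n_certs certificate in cert.pem; clients may fail to build the chain"
  fi

  if [ "$status" -eq 0 ]; then
    echo "OK: $cert and $key are consistent"
  fi
  return "$status"
}

# Run against the mailcow directory when invoked directly.
if [ "${0##*/}" = "check_ssl_pair.sh" ]; then
  check_ssl_pair "$@"
fi
```

Run it from the mailcow directory (or pass the ssl directory as the first argument) after copying the files and before the `docker-compose` restart; a non-zero exit means the files should be fixed first rather than restarting and reading handshake errors out of the Dovecot log.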

AnnoyingTechnology commented 2 years ago

The most curious thing is that it started working without any apparent reason nor any change in our LXC.

And on the KVM I created to reproduce the issue, yesterday dovecot would not start either. A few minutes ago I checked it and it is now up and running !

[Screenshot from 2022-01-04 11-08-43]

We very much need to understand this erratic behavior before we can trust our mailcow setup.

DerLinkman commented 2 years ago

Are there new results?

AnnoyingTechnology commented 2 years ago

Two different persons from Mailcow support subscription took a look at it.

This is an interesting behavior. It is difficult to find the source of this problem...

This is complicated.

They are still investigating.

AnnoyingTechnology commented 2 years ago

@DerLinkman there has been progress.

Support says that curl is trying to fetch something and hangs there, preventing Dovecot from starting.

Should be a fix fairly soon.

DerLinkman commented 2 years ago

Yes I know :) I'm the one you've chatted with :)

Thx for your information :)

AnnoyingTechnology commented 2 years ago

Ahaha, thanks again then :) Greatly appreciate the help

milkmaker commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.