Mail server ports

Default Ports:

Server                            Security         Authentication   Port
SMTP Server (Outgoing Messages)   Non-Encrypted    AUTH             25 (or 587)
                                  Secure (TLS)     StartTLS         587
                                  Secure (SSL)     SSL              465
IMAP Server (Incoming Messages)   Non-Encrypted    AUTH             143
                                  Secure (TLS)     StartTLS         143
                                  Secure (SSL)     SSL              993


This list is without any warranties and not sorted alphabetically.
See also: A List of SMTP and POP3 Mail Server (Mail Server List)

Installing and configuring an SSL certificate on Postfix/Dovecot mail server

From here ….thanks…

This guide describes how to enable SSL/TLS encryption with a trusted SSL certificate, so that a Postfix/Dovecot server accepts secured incoming and outgoing connections.

For testing purposes, a Comodo PositiveSSL certificate was used; however, to secure your mail server you can purchase any certificate that meets your needs.

The testing was done on the following server stack:

  • Ubuntu 16.04
  • Postfix 3.1.0
  • Dovecot 2.2.22

If you do not yet have an issued (trusted) certificate for the hostname of your mail server, you need to purchase one, generate the CSR required for activation and then activate it.

Once your certificate has been issued, you can download it from the SSLs.com user account or from the fulfillment email sent by the Certificate Authority to the administrative contact email address you chose during the activation process.

First, upload and concatenate the certificate files on the server, as follows:

1. Upload the certificate file yourdomainname.crt to the server along with the CA bundle. Keep in mind that the CA bundle can be either a single file (example.ca-bundle) or separate files (COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt, as in our case). Save the files as follows: the certificate and CA bundle files in the /etc/ssl/certs/ directory; the corresponding private key (example_com.key) in the /etc/ssl/private/ folder.

2. Combine the uploaded files into one using one of the commands below:

2.1. Create a file with the server certificate and CA chain:

  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/yourdomainname.ca-bundle >> /etc/ssl/certs/certificate.crt
  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt /etc/ssl/certs/AddTrustExternalCARoot.crt >> /etc/ssl/certs/certificate.crt

2.2. A single file containing the certificate, CA chain and private key is accepted by both Postfix and Dovecot. One of the commands below can be used to create it:

  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/yourdomainname.ca-bundle /etc/ssl/private/yourdomainname.key >> /etc/ssl/certs/certificate_and_key.crt
  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt /etc/ssl/certs/AddTrustExternalCARoot.crt /etc/ssl/private/yourdomainname.key >> /etc/ssl/certs/certificate_and_key.crt

To check the content of the new file, run cat /etc/ssl/certs/certificate.crt or cat /etc/ssl/certs/certificate_and_key.crt.

Check that there are no stray blank lines or spaces between or inside the PEM-encoded certificate and key blocks in the output.

If you notice such spaces, open the file in a text editor such as vi or nano and remove them manually.

Editing the Postfix and Dovecot configuration files to enable SSL/TLS on specific ports

The process of sending and receiving mail over the Internet involves a chain of endpoint and intermediary instances (mail server and client software) labelled mail user agents (MUA), mail submission agents (MSA), mail transfer agents (MTA) and mail delivery agents (MDA), depending on the functions they perform. Normally, an email passes through each of these parties in turn, and different transport protocols are used at each step, namely the submission protocol, Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP).

The chart below shows which ports are used for each transport protocol.

Protocol     Usage           Plain text / encrypted session   Encrypted session only
POP3         Incoming mail   110                              995
IMAP         Incoming mail   143                              993
SMTP         Outgoing mail   25                               465
Submission   Outgoing mail   587                              (none)

The opportunistic TLS approach allows ports 25, 110, 143 and 587 to be used either in plain text (unencrypted) or in secure (encrypted) mode: the STARTTLS command is issued inside an already established plain-text session to upgrade it to an encrypted one.

Technically, ports 465, 993 and 995 work the way HTTP over SSL/TLS does: 1) the secure ports are separate from their “unsecured” counterparts; 2) no data is exchanged until an encrypted session has been established.

NOTE: Although port 465 is not listed as the SMTPS port in IANA’s official documentation, mail server administrators use it to serve encrypted outgoing mail traffic.

Both techniques are in use on the Internet mail system today. To secure your mail, it is best to install an SSL certificate on every mail port you plan to use.

The steps below install your SSL certificate on both incoming and outgoing mail ports:

Port 25 (SMTP with STARTTLS)

  1. Open the Postfix configuration file main.cf for editing. It is usually found in the /etc/postfix/ directory.
  2. Locate the TLS parameters section in main.cf and set the following directives, as in the examples below:
  • if you save the certificate and private key in separate files:

smtpd_tls_cert_file=/etc/ssl/certs/certificate.crt
smtpd_tls_key_file=/etc/ssl/private/yourdomainname.key

  • if you save the certificate and private key in a single file:

smtpd_tls_cert_file=/etc/ssl/certs/certificate_and_key.crt
smtpd_tls_key_file=$smtpd_tls_cert_file

NB: make sure that the smtpd_use_tls directive is set to yes:

smtpd_use_tls=yes

Once done, save your changes and close the main.cf file.

http://helpdesk.ssls.com/hc/article_attachments/115000773949/post1.jpg

Ports 587 (Submission with STARTTLS) and 465 (SMTPS)

  1. Locate Postfix’s master.cf file in the /etc/postfix/ directory and open it;
  2. Once it is open, uncomment (or edit if needed) the following lines (the -o lines are continuation lines and must be indented):
  • to open and protect port 587:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes

  • to open and protect port 465:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Now you can close this file.

http://helpdesk.ssls.com/hc/article_attachments/115000773969/post2.jpg

Ports 110 (POP3 with STARTTLS), 143 (IMAP with STARTTLS), 993 (IMAPS) and 995 (POP3S)

To install an SSL certificate for Dovecot, follow these steps:

  • Open the file named 10-ssl.conf. It is usually located in the /etc/dovecot/conf.d/ directory.
  • Edit the following lines:

  • if you save the certificate and private key in separate files:

ssl_cert = </etc/ssl/certs/certificate.crt

ssl_key = </etc/ssl/private/yourdomainname.key

  • if you save the certificate and private key in a single file (the certificate_and_key.crt file created in step 2.2 above):

ssl_cert = </etc/ssl/certs/certificate_and_key.crt

ssl_key = </etc/ssl/certs/certificate_and_key.crt

Make sure that the ssl directive is set to yes:

ssl = yes

When the changes are made, close the 10-ssl.conf file.

Once these steps are done, the SSL certificate is installed on all incoming ports.

http://helpdesk.ssls.com/hc/article_attachments/115000773989/post3.jpg
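The whitespace check from step 2 above and the Postfix/Dovecot directives just configured can be verified together with the following script. It is an added example, not code from the original guide or from Postfix/Dovecot: it reads smtpd_tls_cert_file/smtpd_tls_key_file from main.cf and ssl_cert/ssl_key from 10-ssl.conf, checks each referenced PEM file for stray whitespace, blank lines inside a block, unbalanced BEGIN/END markers and corrupt base64, and also flags a file that holds the private key yet is readable by other users (the guide places certificate_and_key.crt in /etc/ssl/certs/, so this is worth checking). The demo() function builds a throwaway copy of the layout in a temporary directory with constructed, fake PEM bodies; the default paths in check_mail_tls_config() are the real config locations.

```python
"""Post-install check for the certificate files created above (added example,
not from the original guide): read the cert/key paths from Postfix main.cf and
Dovecot 10-ssl.conf, check each referenced PEM file for stray whitespace, blank
lines, unbalanced BEGIN/END markers and corrupt base64, and flag a file that
holds the private key but is readable by other users."""
import base64
import os
import re
import stat
import tempfile

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")
POSTFIX_KEYS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")
DOVECOT_KEYS = ("ssl_cert", "ssl_key")

def check_pem_text(text):
    """Return the list of structural problems in a PEM bundle ([] means clean)."""
    problems, label, body, blocks = [], None, [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if raw != line:
            problems.append(f"line {n}: leading/trailing whitespace")
        m = MARKER.match(line)
        if m and m.group(1) == "BEGIN":
            label, body = m.group(2), []
        elif m:                                   # END marker: validate the body
            if label != m.group(2):
                problems.append(f"line {n}: END {m.group(2)} without matching BEGIN")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append(f"line {n}: {label} block is not valid base64")
                blocks += 1
            label = None
        elif label and not line:
            problems.append(f"line {n}: blank line inside {label} block")
        elif label:
            body.append(line)
    if label:
        problems.append(f"unterminated {label} block")
    if not blocks:
        problems.append("no PEM blocks found")
    return problems

def cert_paths_from_config(path, keys, dovecot=False):
    """Collect 'key = value' settings; in Dovecot a leading '<' means 'read file'."""
    found = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if "=" in line and not line.startswith("#"):
                key, value = (s.strip() for s in line.split("=", 1))
                if key in keys:
                    found[key] = value.lstrip("<") if dovecot else value
    for key, value in list(found.items()):       # smtpd_tls_key_file=$smtpd_tls_cert_file
        if value.startswith("$"):
            found[key] = found.get(value[1:], value)
    return found

def check_files(paths):
    """Map each referenced file to its list of problems."""
    report = {}
    for path in sorted(set(paths)):
        with open(path) as fh:
            text = fh.read()
        problems = check_pem_text(text)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if "PRIVATE KEY" in text and mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"holds a private key but mode is {mode:04o}; use chmod 600")
        report[path] = problems
    return report

def check_mail_tls_config(main_cf="/etc/postfix/main.cf",
                          ssl_conf="/etc/dovecot/conf.d/10-ssl.conf"):
    paths = list(cert_paths_from_config(main_cf, POSTFIX_KEYS).values())
    paths += cert_paths_from_config(ssl_conf, DOVECOT_KEYS, dovecot=True).values()
    return check_files(paths)

# Constructed sample inputs: tiny fake base64 bodies, not real certificates.
CLEAN = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nRUZHSA==\n-----END PRIVATE KEY-----\n"
BROKEN = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n\n-----END CERTIFICATE-----\n"

def demo():
    """Lay out the guide's files in a temp dir (one broken, one key world-readable)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"certificate.crt": (CLEAN, 0o644), "yourdomainname.key": (KEY, 0o600),
                 "certificate_and_key.crt": (BROKEN + KEY, 0o644),
                 "main.cf": (f"smtpd_use_tls=yes\nsmtpd_tls_cert_file={d}/certificate_and_key.crt\n"
                             "smtpd_tls_key_file=$smtpd_tls_cert_file\n", 0o644),
                 "10-ssl.conf": (f"ssl = yes\nssl_cert = <{d}/certificate.crt\n"
                                 f"ssl_key = <{d}/yourdomainname.key\n", 0o644)}
        for name, (text, mode) in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
            os.chmod(os.path.join(d, name), mode)
        report = check_mail_tls_config(f"{d}/main.cf", f"{d}/10-ssl.conf")
    return {os.path.basename(p): v for p, v in report.items()}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "\n    " + "\n    ".join(problems))
```

Run it as root on the mail server to check the live configuration, or call demo() to see both kinds of finding on the constructed files. The checker reports structure and permissions only; because the guide's cat commands append (>>), running them twice produces duplicate certificate blocks, which you can spot by counting the BEGIN lines in the file.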

Note that with Dovecot version 1.x the SSL certificate directives in the configuration files differ slightly:

  • check that /etc/dovecot/dovecot.conf has the following line:

protocols = imap pop3 imaps pop3s

  • edit the /etc/dovecot/conf.d/10-ssl.conf file in the following way:

ssl_disable = no

– if you save the certificate and private key in separate files:

ssl_cert_file = </etc/ssl/certs/certificate.crt
ssl_key_file = </etc/ssl/private/yourdomainname.key

– if you save the certificate and private key in a single file:

ssl_cert_file = </etc/ssl/certs/certificate_and_key.crt
ssl_key_file = </etc/ssl/certs/certificate_and_key.crt


Useful tips:

Below are some additional settings that are useful when setting up your mail server’s SSL/TLS handling. For more details, refer to the official Postfix and Dovecot documentation.

Postfix can also run a port in “wrapper” mode using the smtpd_tls_wrappermode directive: instead of advertising STARTTLS and waiting for the remote client to request it, the connection is encrypted from the very beginning. Add the following to /etc/postfix/master.cf, for instance:

smtps inet n     -     n     -     -     smtpd
  -o smtpd_tls_wrappermode=yes

On Dovecot, the ssl directive can be set to required (ssl = required), which forces the SSL/TLS handshake before login.

With this setting the password is always sent over an encrypted session; with ssl = yes, email clients are not required to use SSL/TLS first, and both plaintext and non-plaintext authentication mechanisms remain usable.

To switch off plaintext authentication, use the disable_plaintext_auth directive (/etc/dovecot/conf.d/10-auth.conf):

disable_plaintext_auth=yes

The following Dovecot directives (/etc/dovecot/dovecot.conf) exclude ciphers that should not be used because of their low encryption strength:

ssl_dh_parameters_length = 2048

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

To exclude certain ciphers or protocols for opportunistic (STARTTLS) or mandatory (regular SSL) encryption, use the following directives in /etc/postfix/main.cf and assign the corresponding values to them:

– for mandatory TLS

smtpd_tls_mandatory_exclude_ciphers = [cipher]
smtpd_tls_mandatory_protocols = ![protocol]

– for opportunistic TLS

smtpd_tls_exclude_ciphers = [cipher]
smtpd_tls_protocols = ![protocol]

To make the server’s cipher preference order take precedence over the client’s, use these directives:

– on Dovecot (/etc/dovecot/conf.d/10-ssl.conf)

ssl_prefer_server_ciphers = yes

– on Postfix (/etc/postfix/main.cf)

tls_preempt_cipherlist = yes

How to check SSL installation

OpenSSL

The OpenSSL toolkit can be used to check the SSL certificate installation on a server both remotely and locally.

To check STARTTLS ports, run the following command, replacing [port] with the port number and [protocol] with smtp, pop3 or imap:

openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol]

To check non-STARTTLS ports, use the following command:

openssl s_client -connect example.com:[port] -servername example.com
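The two s_client commands above, and the STARTTLS-versus-implicit-TLS distinction from the ports section, as an added Python example that is not part of the original article. It uses the standard library's smtplib, imaplib and poplib clients, picks STARTTLS or implicit TLS from the port number exactly as the port chart does, validates the chain and hostname against the system trust store, and returns protocol version, cipher, certificate names and days to expiry. The optional max_version argument caps the protocol version the client offers, which is how you confirm that a protocol excluded via smtpd_tls_protocols (Postfix) or the Dovecot equivalent in the Useful tips above is really refused. The host and port passed to probe() and the certificate fields used in the example assertions are assumptions.

```python
"""Probe a mail port the way the openssl s_client commands above do, as an added
example (not from the original article): STARTTLS on 25/587/143/110, i.e. the
opportunistic upgrade inside a plain-text session, and implicit TLS on
465/993/995, encrypted from the first byte. The chain and hostname are validated
against the system trust store; protocol, cipher, names and expiry are returned.
max_version lets you confirm that a protocol you excluded in main.cf or
10-ssl.conf is really refused (the handshake then fails with ssl.SSLError)."""
import imaplib
import poplib
import smtplib
import ssl
import time

# Port -> (protocol, TLS mode), taken from the port chart above.
PORTS = {25: ("smtp", "starttls"), 587: ("smtp", "starttls"), 465: ("smtp", "implicit"),
         143: ("imap", "starttls"), 993: ("imap", "implicit"),
         110: ("pop3", "starttls"), 995: ("pop3", "implicit")}

def tls_mode_for(port):
    """Return (protocol, mode) for a standard mail port."""
    if port not in PORTS:
        raise ValueError(f"port {port} is not in the chart")
    return PORTS[port]

def open_session(host, port, protocol, mode, ctx, timeout=10):
    """Connect with the stdlib client for the protocol and return its TLS socket
    once the handshake (implicit, or after STARTTLS/STLS) has completed."""
    if protocol == "smtp":
        if mode == "implicit":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)          # EHLO, STARTTLS, then upgrade
    elif protocol == "imap":
        if mode == "implicit":
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        else:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
    elif protocol == "pop3":
        if mode == "implicit":
            conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
    else:
        raise ValueError(protocol)
    return conn.sock

def summarize(cert, version, cipher):
    """Reduce getpeercert()/version()/cipher() output to the fields an admin checks."""
    subject = dict(item for rdn in cert.get("subject", ()) for item in rdn)
    issuer = dict(item for rdn in cert.get("issuer", ()) for item in rdn)
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"protocol": version, "cipher": cipher[0] if cipher else None,
            "subject_cn": subject.get("commonName"),
            "issuer": issuer.get("organizationName"), "dns_names": sans,
            "days_left": int((expires - time.time()) // 86400)}

def probe(host, port, max_version=None):
    """Validate the server certificate on host:port and return summarize()'s dict.
    Raises ssl.SSLError on a bad chain/hostname, or when the server refuses every
    version <= max_version (e.g. ssl.TLSVersion.TLSv1_1)."""
    protocol, mode = tls_mode_for(port)
    ctx = ssl.create_default_context()          # verifies chain + hostname
    if max_version is not None:
        ctx.maximum_version = max_version
    sock = open_session(host, port, protocol, mode, ctx)
    try:
        return summarize(sock.getpeercert(), sock.version(), sock.cipher())
    finally:
        sock.close()

if __name__ == "__main__":
    import sys                                  # usage: probe.py mail.example.com 587
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A STARTTLS port that answers but never offers the upgrade, or a certificate whose names do not include the hostname you connected to, both surface as exceptions rather than a silent plain-text fallback, which is the behaviour you want from a post-install check.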

http://helpdesk.ssls.com/hc/article_attachments/115000774009/post4.jpg

How to check your secure connection

To check your mail server’s connectivity over SSL/TLS, the online checkers listed below can be used.

You need to specify the server hostname and port number, or an existing email account, and run the test.


How to update Roundcube

I followed this link

I created a backup copy of the database and untarred the files from roundcube.net. I created a parallel virtual host like webmailtest.yourdomain.it.

Upload the new files

Use your favorite FTP/SFTP/SCP program to upload the updated files, which are:

  • ./bin/*
  • ./SQL/*
  • ./program/*
  • ./installer/*
  • ./vendor/*

Upload plugins/* and skins/* from the release package but don’t replace the entire skins and plugins folders! You might have added other skins and plugins to those directories which you want to keep.

Also copy the default config file and the mimetypes mapping:

  • config/defaults.inc.php
  • config/mimetypes.php

Run the installer

Edit your Roundcube config (config/config.inc.php, or config/main.inc.php for versions < 1.0) and set 'enable_installer' to true. Then open http://<url-to-roundcube>/installer/ in your web browser and click “3. Test config”.

Follow the instructions on the screen to update your local config and the database schema.

When you’re done and all the lights are green in the installer, edit your Roundcube config file again and set 'enable_installer' to false if it’s still present. To seal your installation, you should even remove the installer directory from the webserver.

Error: modseq_hdr.log_offset too large (CentOS 7)

2018-01-02 01:40:59 imap(info@saic.it): Fatal: master: service(imap): child 18780 killed with signal 6 (core dumps disabled)
2018-01-02 01:40:59 imap(info@saic.it): Error: /var/vmail/saic.it/info/Maildir/dovecot.index: modseq_hdr.log_offset too large
2018-01-02 01:40:59 imap(info@saic.it): Error: /var/vmail/saic.it/info/Maildir/dovecot.index: modseq_hdr.log_offset too large
2018-01-02 01:40:59 imap(info@saic.it): Panic: file mail-transaction-log-file.c: line 1148 (mail_transaction_log_file_get_highest_modseq_at): assertion failed: (offset <= file->sync_offset)

HOW TO SOLVE

find /var/vmail/saic.it/info/Maildir/ -name "dovecot*" -delete

Restart Postfix & Dovecot (to rebuild the dovecot files):

$ service dovecot restart
$ service postfix restart

I think the cause is the presence of a virus in some emails attachment.

thanks to this link

Use a free SSL certificate for 3 months

Create your key (mail.saic.key) and your request (mail.saic.csr):

openssl req -new -newkey rsa:4096 -nodes -subj '/CN=mail.saic.it/O=SAIC, Inc./C=IT/ST=Italy/L=Viadana' -keyout mail.saic.key -out mail.saic.csr

Go to this website and follow the instructions to get back the certificate for your Common Name (mail.saic.it) and the authority certificate:

Certificate Authority https://www.sslforfree.com

I configured my dns.

I set all file permissions

chmod 444 mail.saic.*

then vim /etc/postfix/main.cf

smtp_tls_key_file  = /etc/ssl/certs/mail.saic.key
smtp_tls_cert_file = /etc/ssl/certs/mail.saic.crt
smtp_tls_CAfile    = /etc/ssl/certs/saic.sslforfree.ca

Here is the console session for renewing the certificate:

great!!


It can be useful to check a certificate and key before applying them to your server. The following commands help verify the certificate, key, and CSR (Certificate Signing Request).

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout

Check a key

Check the private key and verify its consistency:

openssl rsa -in server.key -check

Check a CSR

Verify the CSR and print the data entered when it was generated:

openssl req -text -noout -verify -in server.csr

Verify that a certificate and key match

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

Self-Signed Certificate: Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify that a private key matches a certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect www.paypal.com:443 -showcerts

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Convert a private key into PEM

openssl rsa -in private.key -text > private.pem

Verifying that a Certificate is issued by a CA

$ openssl verify -verbose -CAfile cacert.pem  server.crt
server.crt: OK

Here is a website to verify it:

my procedure to create a new certificate:

create key and request:

openssl req -out ispconfig.saic.csr -new -newkey rsa:4096 -nodes -keyout ispconfig.saic.key

chmod 444 ispconfig.saic.*

put the CSR into the website to obtain the CRT certificate + CA certificate

convert the key: openssl rsa -in ispconfig.saic.key -text > ispconfig.saic.pem (when a PEM file is requested)

my procedure to renew


How to test if the email address exists

Source Link

To check if the user-entered email mailbox.does.not.exist@webdigiapps.com really exists, go through the following in the command prompt on Windows / terminal on Mac. The commands you type are in green and the server response is in blue. Please refer to the MAC & PC screenshots towards the end of this post.

Step 1 – Find mail exchanger or mail server of webdigiapps.com

COMMAND:
nslookup -q=mx webdigiapps.com
RESPONSE:
Non-authoritative answer:
webdigiapps.com mail exchanger = 0 mx2.sub3.homie.mail.dreamhost.com.
webdigiapps.com mail exchanger = 0 mx1.sub3.homie.mail.dreamhost.com.

Step 2 – Now we know the mail server address so let us connect to it. You can connect to one of the exchanger addresses in the response from Step 1.

COMMAND:
telnet mx2.sub3.homie.mail.dreamhost.com 25
RESPONSE:
Connected to mx2.sub3.homie.mail.dreamhost.com.
Escape character is ‘^]’.
220 homiemail-mx7.g.dreamhost.com ESMTP

COMMAND:
helo hi
RESPONSE:
250 homiemail-mx8.g.dreamhost.com

COMMAND:
mail from: <youremail@gmail.com>
RESPONSE:
250 2.1.0 Ok

COMMAND:
rcpt to: <mailbox.does.not.exist@webdigiapps.com>
RESPONSE:
550 5.1.1 <mailbox.does.not.exist@webdigiapps.com>: Recipient address rejected: User unknown in virtual alias table

COMMAND:
quit
RESPONSE:
221 2.0.0 Bye

Screenshots – MAC Terminal & Windows

MAC email verification
Windows email verification

NOTES:

1) The 550 response indicates that the email address is not valid and you have caught a valid but wrong email address. This code can run on the server and be called via AJAX when the user tabs out of the email field. The entire check will take less than 2 seconds to run and you can make sure that the email is correct.
2) If the email was present the server will respond with a 250 instead of 550.
3) There are certain servers with a CATCH ALL email and this means all email addresses are accepted as valid on their servers (RARE but some servers do have this setting).
4) Please do not use this method to continuously check for availability of gmail / yahoo / msn accounts etc. as this may cause your IP to be added to a blacklist.
5) This is to supplement the standard email address javascript validation.
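The server-side counterpart of the RCPT TO check above, as an added example that is not code from the original post: every 550 5.1.1 rejection that procedure produces is logged by Postfix smtpd as a "NOQUEUE: reject: RCPT from ..." line, so the administrator of the queried server can see a client walking through addresses, which is the behaviour note 4 says gets an IP blacklisted. The script parses those lines, counts User unknown rejections per client IP, and notes whether the client used a non-FQDN HELO such as the "helo hi" in the transcript. The log lines are constructed samples in the real Postfix smtpd format; the IPs, hostnames and the threshold are assumptions.

```python
"""Server-side view of the RCPT TO check above (added example, not from the
original post). Postfix smtpd logs every rejected recipient as a
"NOQUEUE: reject: RCPT from ..." line; counting 5.1.1 "User unknown" rejections
per client IP shows a client walking through addresses, the behaviour note 4
warns will get an IP blacklisted. Log lines below are constructed samples in
the real Postfix format; IPs, hostnames and the threshold are assumptions."""
import re
from collections import defaultdict

REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client_host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<status>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);"
    r" from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>")

SAMPLE_LOG = """\
Jan  2 01:40:01 mail postfix/smtpd[18780]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <mailbox.does.not.exist@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<probe@example.net> to=<mailbox.does.not.exist@example.com> proto=SMTP helo=<hi>
Jan  2 01:40:02 mail postfix/smtpd[18780]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<probe@example.net> to=<admin@example.com> proto=SMTP helo=<hi>
Jan  2 01:40:03 mail postfix/smtpd[18780]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<probe@example.net> to=<sales@example.com> proto=SMTP helo=<hi>
Jan  2 01:41:10 mail postfix/smtpd[18781]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.4]: 550 5.1.1 <jon.doe@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<jane@partner.example> to=<jon.doe@example.com> proto=ESMTP helo=<mx.partner.example>
Jan  2 01:41:11 mail postfix/smtpd[18781]: 3F2A1B: client=mx.partner.example[198.51.100.4]
"""

def parse_reject(line):
    """Return the fields of a Postfix recipient-rejection line, or None for other lines."""
    m = REJECT.search(line)
    return m.groupdict() if m else None

def unknown_user_probes(lines, threshold=3):
    """Group 5.1.1 rejections by client IP; return the clients at or above threshold
    with the addresses they tried and whether their HELO was not a FQDN (a bare
    word like 'hi' is typical of a hand-typed or scripted probe)."""
    by_ip = defaultdict(lambda: {"recipients": [], "helos": set()})
    for line in lines:
        rec = parse_reject(line)
        if rec and rec["code"] == "550" and rec["status"] == "5.1.1":
            by_ip[rec["ip"]]["recipients"].append(rec["rcpt"])
            by_ip[rec["ip"]]["helos"].add(rec["helo"])
    return {ip: {"count": len(info["recipients"]), "recipients": info["recipients"],
                 "non_fqdn_helo": any("." not in h for h in info["helos"])}
            for ip, info in by_ip.items() if len(info["recipients"]) >= threshold}

if __name__ == "__main__":
    for ip, info in unknown_user_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} unknown recipients, non-FQDN HELO={info['non_fqdn_helo']}")
        for rcpt in info["recipients"]:
            print("   ", rcpt)
```

On a real server, feed it /var/log/mail.log (or the journal) and tune the threshold to your traffic; the one legitimate bounce from a partner MX in the sample stays below it, while the three probes from one IP with a bare-word HELO are reported.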