Re: Changing the imaps port #

2019-01-22 Thread Michael A. Peters
Another possible thing, I don't know what the bug is or if it is fixed, 
but a few years ago Thunderbird (on CentOS 7) for me refused to connect to 
port 993 or port 465 if I used a self-signed certificate even though the 
same certificate worked when using STARTTLS and ports 143 and 587. The 
error wasn't an SSL error, it just would act like it was not connecting.


With CA signed certificates it did work on 993 and 465.

On 1/22/19 1:25 AM, Michael A. Peters wrote:
> Comcast DNS servers enforce DNSSEC, AT&T does not (last I checked). If
> by chance your zone has DNSSEC enabled but misconfigured then it is
> possible the domain name you use for the dovecot server is not resolving
> because of a DNSSEC validation failure.
>
> I have never heard of Comcast or any ISP blocking port 993. That would
> seem to be a violation of net neutrality rules. I use Comcast (consumer,
> not business) and it does not block 993 (it does block 25, but that it
> should block for dynamically issued addresses).
>
> Look at the domain name used in your e-mail client and make sure it
> actually resolves. If it does not, check to see if DNSSEC validation is
> the issue.
>
> On 1/21/19 8:58 PM, Patrick Mahan wrote:
> > Yes, I am pretty sure about that.  I originally was connected via AT&T
> > DSL but wanted the fast access of cable modem.  I need permanent IPs
> > which required me to contract with Comcast business.  Once I switched
> > over, I was no longer able to access my imap server, which was as I
> > mentioned, stunnel listening on the imaps port and forwarding to
> > dovecot listening on the imap port.
> >
> > I was getting connection refused on my laptop (thunderbird) email
> > client when I was not at home.  I validated that it was not because it
> > was reaching my email server.  So whoever was rejecting it, I assumed
> > it was somewhere inside the comcast network.  Once I switched to a
> > non-standard port, I was able to connect again.
> >
> > Re needing to say ssl = yes, I thought that was implied for imaps?
> >
> > I can go back to stunnel, just thought it was an unnecessary layer.
> >
> > Thanks,
> >
> > Patrick
> >
> > On Mon, Jan 21, 2019 at 8:46 PM @lbutlr wrote:
> > > On 21 Jan 2019, at 20:17, Patrick Mahan <plma...@gmail.com> wrote:
> > > > Due to comcast business ISP intercepting imaps
> > >
> > > Are you sure about that? I've been using comcast business for 7 years
> > > and they do not block 143, 993, 587 or 25. They do block 110, but
> > > that's fine, I stopped supporting POP around 2001.
> > >
> > > Other than 110, they block DHCP, NETBIOS, SNMP, and ports 445, 520,
> > > and 1080. They will block port 25 on an individual basis, but I've no
> > > idea what their criteria is for that.
> > >
> > > > I need to have my clients connect to non-standard port ().
> > > > Previously I had been using stunnel to receive the imaps connection
> > > > and forward it to the imap port over 127.0.0.1.  But I would like to
> > > > retire stunnel and have my imap clients connect remotely.
> > >
> > > stunnel or a reverse proxy is the best way to do this, honestly.
> > >
> > > As for why your config isn't working, my only guess is maybe you
> > > need to specify ssl?
> > >
> > >   inet_listener imaps {
> > >     port = 999
> > >     ssl = yes
> > >   }
> > >
> > > ?
> > >
> > > --
> > > If you write the word "monkey" a million times, do you start to
> > > think you're Shakespeare? -- Steven Wright


Re: Changing the imaps port #

2019-01-22 Thread Michael A. Peters
Comcast DNS servers enforce DNSSEC, AT&T does not (last I checked). If 
by chance your zone has DNSSEC enabled but misconfigured then it is 
possible the domain name you use for the dovecot server is not resolving 
because of a DNSSEC validation failure.


I have never heard of Comcast or any ISP blocking port 993. That would 
seem to be a violation of net neutrality rules. I use Comcast (consumer, 
not business) and it does not block 993 (it does block 25, but that it 
should block for dynamically issued addresses).


Look at the domain name used in your e-mail client and make sure it 
actually resolves. If it does not, check to see if DNSSEC validation is 
the issue.


On 1/21/19 8:58 PM, Patrick Mahan wrote:
> Yes, I am pretty sure about that.  I originally was connected via AT&T
> DSL but wanted the fast access of cable modem.  I need permanent IPs
> which required me to contract with Comcast business.  Once I switched
> over, I was no longer able to access my imap server, which was as I
> mentioned, stunnel listening on the imaps port and forwarding to dovecot
> listening on the imap port.
>
> I was getting connection refused on my laptop (thunderbird) email client
> when I was not at home.  I validated that it was not because it was
> reaching my email server.  So whoever was rejecting it, I assumed it
> was somewhere inside the comcast network.  Once I switched to a
> non-standard port, I was able to connect again.
>
> Re needing to say ssl = yes, I thought that was implied for imaps?
>
> I can go back to stunnel, just thought it was an unnecessary layer.
>
> Thanks,
>
> Patrick
>
> On Mon, Jan 21, 2019 at 8:46 PM @lbutlr wrote:
> > On 21 Jan 2019, at 20:17, Patrick Mahan <plma...@gmail.com> wrote:
> > > Due to comcast business ISP intercepting imaps
> >
> > Are you sure about that? I've been using comcast business for 7 years
> > and they do not block 143, 993, 587 or 25. They do block 110, but
> > that's fine, I stopped supporting POP around 2001.
> >
> > Other than 110, they block DHCP, NETBIOS, SNMP, and ports 445, 520,
> > and 1080. They will block port 25 on an individual basis, but I've no
> > idea what their criteria is for that.
> >
> > > I need to have my clients connect to non-standard port ().
> > > Previously I had been using stunnel to receive the imaps connection
> > > and forward it to the imap port over 127.0.0.1.  But I would like to
> > > retire stunnel and have my imap clients connect remotely.
> >
> > stunnel or a reverse proxy is the best way to do this, honestly.
> >
> > As for why your config isn't working, my only guess is maybe you
> > need to specify ssl?
> >
> >   inet_listener imaps {
> >     port = 999
> >     ssl = yes
> >   }
> >
> > ?
> >
> > --
> > If you write the word "monkey" a million times, do you start to
> > think you're Shakespeare? -- Steven Wright



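Michael's check above (make sure the name resolves, and if it does not, find out whether DNSSEC validation is the reason) written out as an added Python example; it is not code from the thread. The live path assumes BIND's dig(1) is installed; the parsing and the verdict work on captured dig output, and the two transcripts embedded below are constructed for illustration, as are the name imap.example.net and the address 192.0.2.10. The diagnostic is the classic one: query the same resolver normally and again with the CD (checking disabled) bit set. SERVFAIL without CD but an answer with CD means the zone is signed and fails validation; SERVFAIL both ways points at the authoritative servers, not at DNSSEC.

```python
"""Tell a DNSSEC validation failure apart from other resolution failures.

Added example, not from the thread.  A validating resolver answers SERVFAIL
for a signed-but-broken zone, and a mail client only reports that it cannot
connect.  header_status() and dnssec_verdict() are pure functions over dig
output; resolve_status() shells out to dig when it is installed.
"""
import re
import shutil
import subprocess

_STATUS = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")


def header_status(dig_output):
    """RCODE word (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig's header line,
    or 'NOHEADER' when dig printed none (timeout, no server reachable)."""
    m = _STATUS.search(dig_output)
    return m.group(1) if m else "NOHEADER"


def dnssec_verdict(status_plain, status_cd):
    """Combine the normal query's RCODE and the +cd query's RCODE."""
    if status_plain == "NOERROR":
        return "resolves"
    if status_plain == "NXDOMAIN":
        return "nxdomain"                 # the name really does not exist
    if status_plain == "SERVFAIL" and status_cd == "NOERROR":
        return "dnssec-bogus"             # signed zone fails validation
    if status_plain == "SERVFAIL":
        return "servfail-not-dnssec"      # auth servers down, lame delegation
    return "unknown:" + status_plain


def resolve_status(name, resolver, cd=False, rrtype="A"):
    """Query one resolver with dig and return the RCODE word, or None when
    dig is not installed (callers then fall back to captured output)."""
    if shutil.which("dig") is None:
        return None
    args = ["dig", "@" + resolver, name, rrtype, "+time=3", "+tries=1"]
    if cd:
        args.append("+cd")
    out = subprocess.run(args, capture_output=True, text=True).stdout
    return header_status(out)


def diagnose(name, resolver):
    """Live check against the resolver the failing client uses."""
    plain = resolve_status(name, resolver)
    if plain is None:
        return None
    return dnssec_verdict(plain, resolve_status(name, resolver, cd=True))


# Constructed dig transcripts for a signed zone whose signatures do not
# validate (for example a DS record that no longer matches the DNSKEY).
SAMPLE_PLAIN = """\
; <<>> DiG 9.11.4 <<>> @resolver imap.example.net A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD = """\
; <<>> DiG 9.11.4 <<>> @resolver imap.example.net A +cd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
imap.example.net.       300     IN      A       192.0.2.10
"""

if __name__ == "__main__":
    print(dnssec_verdict(header_status(SAMPLE_PLAIN), header_status(SAMPLE_CD)))
```

Run `diagnose()` against the resolver the failing client actually uses, not against one you pick yourself: a `dnssec-bogus` verdict means a non-validating resolver would hand out the address while a validating one refuses, and the fix is in the zone's DS and DNSKEY records, not in Dovecot.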


Re: Changing the imaps port #

2019-01-21 Thread Odhiambo Washington
On Tue, 22 Jan 2019 at 06:17, Patrick Mahan  wrote:

> Dovecot 2.3.4, FreeBSD 11.2
>
> Due to comcast business ISP intercepting imaps I need to have my clients
> connect to non-standard port ().  Previously I had been using stunnel
> to receive the imaps connection and forward it to the imap port over
> 127.0.0.1.  But I would like to retire stunnel and have my imap clients
> connect remotely.
>
> I have configured the imap-login service -
>
> service imap-login {
>   inet_listener imap {
>     address = 127.0.0.1, ::1
>     port = 143
>   }
>   inet_listener imaps {
>     port = 
>   }
>   process_min_avail = 3
>   service_count = 0
>   vsz_limit = 1 G
> }
>
> But I am not seeing any listeners on port  -
>
> root@ns(1001)# netstat -an | grep 
>
> Using sockstat on FreeBSD:
>
> root@ns(1002)# sockstat | grep dovecot | grep tcp
> root  dovecot  34800 15 tcp4   *:4190           *:*
> root  dovecot  34800 37 tcp4   127.0.0.1:143    *:*
> root  dovecot  34800 38 tcp6   ::1:143          *:*
>
> I have mail_debug = yes, but I don't see any failures.  What is the best
> way to debug why I am not seeing this port number?
>
> Thanks,
>
> Patrick
>
>
I would leave dovecot config untouched and use a firewall (PF) to translate
port  to whatever dovecot listens to.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

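Odhiambo's suggestion written out as an added pf.conf fragment; it is not from the thread and not his own rule set. It assumes the external interface is em0, that Dovecot has an imaps listener with `ssl = yes` on port 993 bound on the external address, and uses 9993 to stand in for the alternate port number the archive stripped. The one point worth stating: redirect to the imaps (implicit TLS) listener, not to 143. A client set to "SSL/TLS" on the alternate port would otherwise be handed a plaintext IMAP greeting.

```pf
# /etc/pf.conf on FreeBSD 11 (added example; interface, ports and the
# alternate port 9993 are assumptions, not values from the thread).
ext_if    = "em0"
alt_imaps = "9993"

# In this pf version translation rules precede filter rules.  "rdr pass"
# also passes the translated connection, so no separate pass rule is needed.
# Hand connections arriving on the alternate port to Dovecot's implicit-TLS
# listener on 993; ($ext_if) follows the interface address if it changes.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $alt_imaps \
    -> ($ext_if) port 993

# Not this: 143 is the STARTTLS listener, and a client told to use SSL/TLS
# on port 9993 would then be talking to a plaintext listener.
# rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $alt_imaps \
#     -> 127.0.0.1 port 143

# Reload, then confirm the translation rule is loaded:
#   pfctl -f /etc/pf.conf && pfctl -s nat
```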

Re: Changing the imaps port #

2019-01-21 Thread @lbutlr
On 21 Jan 2019, at 21:58, Patrick Mahan  wrote:
> Re needing to say ssl = yes, I thought that was implied for imaps?

I would think so, but all the examples I found in a quick search explicitly set 
it when changing the port.

Also, unlike regular comcast, I have found the tech support on their business 
to be pretty decent. I’d call them and find out why 993 is blocked.

-- 
Badges? We ain't got no badges. We don't need no badges. I don't have to
show you any stinking badges.




Re: Changing the imaps port #

2019-01-21 Thread Patrick Mahan
Yes, I am pretty sure about that.  I originally was connected via AT&T DSL
but wanted the fast access of cable modem.  I need permanent IPs which
required me to contract with Comcast business.  Once I switched over, I was
no longer able to access my imap server, which was as I mentioned, stunnel
listening on the imaps port and forwarding to dovecot listening on the imap
port.

I was getting connection refused on my laptop (thunderbird) email client
when I was not at home.  I validated that it was not because it was
reaching my email server.  So whoever was rejecting it, I assumed it was
somewhere inside the comcast network.  Once I switched to a non-standard
port, I was able to connect again.

Re needing to say ssl = yes, I thought that was implied for imaps?

I can go back to stunnel, just thought it was an unnecessary layer.

Thanks,

Patrick


On Mon, Jan 21, 2019 at 8:46 PM @lbutlr  wrote:

> On 21 Jan 2019, at 20:17, Patrick Mahan  wrote:
> > Due to comcast business ISP intercepting imaps
>
> Are you sure about that? I've been using comcast business for 7 years and
> they do not block 143, 993, 587 or 25. They do block 110, but that's fine, I
> stopped supporting POP around 2001.
>
> Other than 110, they block DHCP, NETBIOS, SNMP, and ports 445, 520, and
> 1080. They will block port 25 on an individual basis, but I've no idea what
> their criteria is for that.
>
> > I need to have my clients connect to non-standard port ().
> > Previously I had been using stunnel to receive the imaps connection and
> > forward it to the imap port over 127.0.0.1.  But I would like to retire
> > stunnel and have my imap clients connect remotely.
>
> stunnel or a reverse proxy is the best way to do this, honestly.
>
> As for why your config isn't working, my only guess is maybe you need to
> specify ssl?
>
>   inet_listener imaps {
>     port = 999
>     ssl = yes
>   }
>
> ?
>
>
> --
> If you write the word "monkey" a million times, do you start to think
> you're Shakespeare? -- Steven Wright
>

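The two symptoms reported in this thread, Patrick's "connection refused" from outside after the ISP change, and Michael's Thunderbird that "acted like it was not connecting" to a self-signed 993/465 listener, look identical in a mail client but are different things on the wire. The following added Python example (not code from the thread) probes a host:port with only the standard library and says which case it found. A plain IMAP/STARTTLS listener greets immediately in clear text, an implicit-TLS (imaps) listener stays silent until it sees a ClientHello, a refused TCP connection means nothing is bound there or a filter in the path answered with a reset, and a TLS handshake that fails on an untrusted certificate is reported with OpenSSL's reason code. The fake server in the block is a constructed stand-in so the probe can be exercised offline; it is not a mail server.

```python
"""Classify why an IMAP-over-TLS connection fails (added example).

probe_imaps() returns one of:
  refused          nothing accepted the TCP connection
  timeout          the SYN went unanswered
  plaintext-imap   clear-text "* OK" greeting: a STARTTLS listener, not imaps
  plaintext-other  something else spoke first, unencrypted
  tls-ok           handshake done and an IMAP greeting followed
  tls-failed:<r>   TCP fine, handshake not; <r> is OpenSSL's reason, e.g.
                   CERTIFICATE_VERIFY_FAILED for an untrusted self-signed cert
  tls-timeout      TCP fine, nothing ever answered the ClientHello
  tls-reset        TCP fine, peer reset the connection during the handshake
"""
import socket
import ssl
import threading


def probe_imaps(host, port, timeout=3.0, cafile=None):
    """Connect to host:port and report what is listening there."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"

    with sock:
        # A plain IMAP/STARTTLS listener greets on connect; an implicit-TLS
        # listener says nothing until it sees a ClientHello.  Wait briefly.
        sock.settimeout(min(1.0, timeout))
        try:
            first = sock.recv(512)
        except (socket.timeout, TimeoutError):
            first = b""
        if first.startswith(b"* OK"):
            return "plaintext-imap"
        if first:
            return "plaintext-other"

        # Silent so far: attempt TLS.  cafile=None means the system trust
        # store, which is what makes a self-signed certificate fail here.
        ctx = ssl.create_default_context(cafile=cafile)
        sock.settimeout(timeout)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                greeting = tls.recv(512)
        except ssl.SSLError as e:
            return "tls-failed:" + (e.reason or type(e).__name__)
        except (socket.timeout, TimeoutError):
            return "tls-timeout"
        except ConnectionError:
            return "tls-reset"
        return "tls-ok" if greeting.startswith(b"* OK") else "tls-no-greeting"


def closed_local_port():
    """A loopback port with nothing listening on it (for the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_server(greeting=None):
    """Constructed stand-in for a listener: accepts one loopback connection in
    a background thread.  With a greeting it imitates a STARTTLS listener;
    without one it swallows whatever the client sends and never replies, which
    is how a port that accepts TCP but never completes TLS looks from outside.
    Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(5)
            try:
                if greeting:
                    conn.sendall(greeting)
                while conn.recv(4096):
                    pass
            except OSError:
                pass

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("closed port:", probe_imaps("127.0.0.1", closed_local_port(), timeout=1.0))
    port = start_fake_server(b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Dovecot ready.\r\n")
    print("STARTTLS listener:", probe_imaps("127.0.0.1", port, timeout=1.0))
    print("silent listener:", probe_imaps("127.0.0.1", start_fake_server(), timeout=0.5))
```

Run it from the network the client is failing on, against the name the client is configured with: `refused` from outside but `tls-ok` from inside the LAN is the pattern Patrick describes, while `tls-failed:CERTIFICATE_VERIFY_FAILED` is what a self-signed certificate produces against the default trust store. Passing `cafile=` with the server's own certificate makes the last case succeed, which is the check that separates "nothing is listening" from "the client does not trust what is listening".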

Re: Changing the imaps port #

2019-01-21 Thread @lbutlr
On 21 Jan 2019, at 20:17, Patrick Mahan  wrote:
> Due to comcast business ISP intercepting imaps

Are you sure about that? I've been using comcast business for 7 years and they do 
not block 143, 993, 587 or 25. They do block 110, but that's fine, I stopped 
supporting POP around 2001.

Other than 110, they block DHCP, NETBIOS, SNMP, and ports 445, 520, and 1080. 
They will block port 25 on an individual basis, but I've no idea what their 
criteria is for that.

> I need to have my clients connect to non-standard port ().  Previously I 
> had been using stunnel to receive the imaps connection and forward it to the 
> imap port over 127.0.0.1.  But I would like to retire stunnel and have my 
> imap clients connect remotely.

stunnel or a reverse proxy is the best way to do this, honestly.

As for why your config isn't working, my only guess is maybe you need to 
specify ssl?

  inet_listener imaps {
    port = 999
    ssl = yes
  }

?


-- 
If you write the word "monkey" a million times, do you start to think you're
Shakespeare? -- Steven Wright



Changing the imaps port #

2019-01-21 Thread Patrick Mahan
Dovecot 2.3.4, FreeBSD 11.2

Due to comcast business ISP intercepting imaps I need to have my clients
connect to non-standard port ().  Previously I had been using stunnel
to receive the imaps connection and forward it to the imap port over
127.0.0.1.  But I would like to retire stunnel and have my imap clients
connect remotely.

I have configured the imap-login service -

service imap-login {
  inet_listener imap {
    address = 127.0.0.1, ::1
    port = 143
  }
  inet_listener imaps {
    port = 
  }
  process_min_avail = 3
  service_count = 0
  vsz_limit = 1 G
}

But I am not seeing any listeners on port  -

root@ns(1001)# netstat -an | grep 

Using sockstat on FreeBSD:

root@ns(1002)# sockstat | grep dovecot | grep tcp
root  dovecot  34800 15 tcp4   *:4190           *:*
root  dovecot  34800 37 tcp4   127.0.0.1:143    *:*
root  dovecot  34800 38 tcp6   ::1:143          *:*

I have mail_debug = yes, but I don't see any failures.  What is the best
way to debug why I am not seeing this port number?

Thanks,

Patrick
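The question above ("what is the best way to debug why I am not seeing this port number?") comes down to comparing what the configuration asks for with what the master process actually bound. The following added Python example (not code from the thread) does that comparison offline: it parses the `service imap-login` block as posted, with the port number the archive stripped replaced by the assumed placeholder 9993, and the posted sockstat output re-typed one socket per line, then reports each configured inet_listener as bound or MISSING. It also shows two facts a remote client depends on: whether a listener is bound only to loopback (the imap listener above is, so it was never reachable from outside anyway) and whether `ssl` is written explicitly. Dovecot's built-in default for the listener named imaps is port 993 with ssl = yes; spelling it out, as suggested earlier in the thread, removes any dependence on that default.

```python
"""Compare the inet_listeners dovecot.conf asks for with what is bound.

Added example, not from the thread.  CONFIG is the posted service block with
the stripped port replaced by the assumed 9993; SOCKSTAT is the posted
sockstat output re-typed one socket per line.  Live input would come from
`doveconf -n` and `sockstat -4 -6 -l`.
"""

CONFIG = """\
service imap-login {
  inet_listener imap {
    address = 127.0.0.1, ::1
    port = 143
  }
  inet_listener imaps {
    port = 9993
  }
  process_min_avail = 3
  service_count = 0
  vsz_limit = 1 G
}
"""

SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dovecot    34800 15 tcp4   *:4190                *:*
root     dovecot    34800 37 tcp4   127.0.0.1:143         *:*
root     dovecot    34800 38 tcp6   ::1:143               *:*
"""


def parse_dovecot(text):
    """Dovecot's brace syntax -> nested dicts: 'inet_listener imaps {' opens a
    block keyed 'inet_listener imaps'; 'key = value' lines become strings."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            cur[line[:-1].strip()] = block
            stack.append(cur)
            cur = block
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in Dovecot config")
    return root


def _norm(addr):
    """sockstat shows every wildcard bind as '*'; Dovecot writes '*' and '::'."""
    return "*" if addr in ("*", "::", "0.0.0.0") else addr


def expected_listeners(conf, service="service imap-login"):
    """One row per (listener, address:port).  A listener without its own
    'address' binds to the global 'listen' setting, default '*, ::'.
    'ssl' is reported as written in the file, 'unset' if absent."""
    listen = conf.get("listen", "*, ::")
    rows, seen = [], set()
    for key, block in conf.get(service, {}).items():
        if not (isinstance(block, dict) and key.startswith("inet_listener ")):
            continue
        name, port = key.split(None, 1)[1], block.get("port", "")
        for addr in block.get("address", listen).split(","):
            addr = _norm(addr.strip())
            if (name, addr, port) in seen:
                continue
            seen.add((name, addr, port))
            rows.append({"listener": name, "endpoint": "%s:%s" % (addr, port),
                         "port_ok": port.isdigit() and 1 <= int(port) <= 65535,
                         "loopback_only": addr in ("127.0.0.1", "::1"),
                         "ssl": block.get("ssl", "unset")})
    return rows


def bound_endpoints(sockstat_text):
    """Set of (address, port) local TCP endpoints from sockstat output."""
    bound = set()
    for line in sockstat_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 6 and parts[4].startswith("tcp"):
            addr, _, port = parts[5].rpartition(":")
            bound.add((_norm(addr), port))
    return bound


def report(conf_text, sockstat_text):
    """Each expected listener tagged 'bound' or 'MISSING' against sockstat."""
    bound = bound_endpoints(sockstat_text)
    rows = expected_listeners(parse_dovecot(conf_text))
    for row in rows:
        addr, port = row["endpoint"].rsplit(":", 1)
        row["state"] = "bound" if (addr, port) in bound else "MISSING"
    return rows


def missing_listeners(conf_text, sockstat_text):
    """(listener, endpoint) pairs that are configured but not bound."""
    return [(r["listener"], r["endpoint"])
            for r in report(conf_text, sockstat_text) if r["state"] == "MISSING"]


if __name__ == "__main__":
    for r in report(CONFIG, SOCKSTAT):
        print("%-6s %-16s %-8s ssl=%s%s" % (r["listener"], r["endpoint"], r["state"],
              r["ssl"], "  (loopback only)" if r["loopback_only"] else ""))
```

On the posted data this yields the imap listener bound on both loopback addresses and the imaps listener MISSING on `*:9993`. When the live `doveconf -n` output still shows the listener but `sockstat -4 -6 -l -p 9993` shows nothing, the next place to look is the master's own log at startup, since a listener it could not bind is reported there rather than in the per-login debug output that `mail_debug` turns on.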