Troubleshooting Dovecot IMAPS Connection Issues on Ubuntu 16.04: Port 993 Not Responding



When you try to establish an IMAPS connection to port 993 on your Ubuntu 16.04 mail server, the connection is closed immediately, before a proper TLS handshake takes place. This suggests either a configuration issue in Dovecot or a deeper system-level problem.

# Verify Dovecot is listening on port 993
sudo netstat -plutn | grep 993

# Check firewall status
sudo ufw status

# Test with openssl
openssl s_client -connect mysite.com:993 -crlf

From your dovecot -n output, these elements need special attention:

ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = /etc/letsencrypt/live/mysite.com/privkey.pem

service imap-login {
  inet_listener imap {
    port = 0  # This disables plain IMAP (port 143)
  }
}

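First, let's modify the SSL configuration to be more explicit. The < before each path tells Dovecot to read the file's contents; without it, the path string itself is taken as the setting's value: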

# Edit /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mysite.com/privkey.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes

Let's check if Dovecot can access the certificate files:

sudo -u dovecot ls -la /etc/letsencrypt/live/mysite.com/
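# Discard the output so the private key is not printed to the terminal
sudo -u dovecot cat /etc/letsencrypt/live/mysite.com/privkey.pem > /dev/null && echo "privkey.pem is readable"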

Try connecting from the server itself first:

telnet localhost 993
openssl s_client -connect localhost:993 -crlf

Enable verbose logging in Dovecot:

# Add to /etc/dovecot/conf.d/10-logging.conf
mail_debug = yes
auth_verbose = yes
auth_debug = yes
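# auth_debug_passwords writes plaintext passwords to the log; turn it off once troubleshooting is done
auth_debug_passwords = yes
verbose_ssl = yes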

Configure Dovecot to listen on an alternative port temporarily:

# In /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imaps {
    port = 9943
    ssl = yes
  }
}

After making changes, run these verification commands:

sudo doveconf -n
sudo systemctl restart dovecot
sudo tail -f /var/log/mail.log
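
To check doveconf -n output for two of the problems covered above (certificate paths missing the < prefix, and password debugging left enabled), the following added example can be used. It is not from the original page; the function names and the constructed sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit `doveconf -n` text for
# two issues discussed above. The function names are hypothetical.

audit_dovecot_ssl() {
    # Reads configuration text on stdin; prints one finding per line.
    awk '
        # Drop trailing comments and surrounding whitespace.
        { sub(/[ \t]*#.*$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(ssl_cert|ssl_key)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            # Without "<" the path string itself becomes the setting value.
            if (val !~ /^</)
                print "FAIL " key ": no \"<\" before " val
        }
        /^auth_debug_passwords[ \t]*=[ \t]*yes$/ {
            print "WARN auth_debug_passwords: passwords are written to the log"
        }
    '
}

# Constructed sample: the quoted ssl settings plus the debug logging option.
sample_broken() {
    cat <<'EOF'
ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = /etc/letsencrypt/live/mysite.com/privkey.pem
auth_debug_passwords = yes
EOF
}

# Constructed sample: the same ssl settings after the correction.
sample_fixed() {
    cat <<'EOF'
ssl = required
ssl_cert = </etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mysite.com/privkey.pem
EOF
}

sample_broken | audit_dovecot_ssl
```

On the server, pipe the real configuration into the function: sudo doveconf -n | audit_dovecot_ssl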

Try connecting using different tools for comparison:

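# Using swaks (an SMTP client, so only the TLS handshake result is meaningful on an IMAP port;
# --tls-on-connect starts TLS immediately, as port 993 expects, instead of attempting STARTTLS)
swaks --to user@mysite.com --server mysite.com --port 993 --tls-on-connect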

# Using curl
curl --url "imaps://mysite.com:993" --user username:password

When attempting to establish an IMAPS connection on port 993 to a Dovecot mail server running on Ubuntu 16.04, we encounter immediate connection termination without proper SSL/TLS negotiation. Key indicators from our diagnostics:

telnet mysite.com 993
Trying 127.0.1.1...
Connected to mysite.com.
Escape character is '^]'.
Connection closed by foreign host.

The Dovecot configuration shows several important settings that need verification:

ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = /etc/letsencrypt/live/mysite.com/privkey.pem
protocols = imap lmtp pop3

Let's perform deeper network-level diagnostics:

openssl s_client -connect mysite.com:993 -crlf -debug -showcerts -state

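When this fails with "write:errno=104" (ECONNRESET, connection reset by peer), it typically indicates that the TCP connection was established but the server terminated it immediately, before the SSL handshake could complete.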

Check certificate files existence and permissions:

sudo ls -la /etc/letsencrypt/live/mysite.com/
sudo cat /etc/letsencrypt/live/mysite.com/fullchain.pem
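# Discard the output so the private key is not printed to the terminal
sudo cat /etc/letsencrypt/live/mysite.com/privkey.pem > /dev/null && echo "privkey.pem exists and is readable"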

Ensure the dovecot user has appropriate access:

sudo usermod -a -G ssl-cert dovecot
sudo chmod 640 /etc/letsencrypt/live/mysite.com/privkey.pem
sudo chown root:ssl-cert /etc/letsencrypt/live/mysite.com/privkey.pem

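Add these parameters to /etc/dovecot/conf.d/10-ssl.conf (ssl_min_protocol and ssl_dh require Dovecot 2.3 or later; the 2.2 series packaged with Ubuntu 16.04 uses ssl_protocols instead, as in the earlier configuration):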

ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh = </etc/dovecot/dh.pem

Generate DH parameters if missing:

openssl dhparam -out /etc/dovecot/dh.pem 4096

Enable verbose logging in /etc/dovecot/conf.d/10-logging.conf:

log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
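# auth_debug_passwords writes plaintext passwords to the log; turn it off once troubleshooting is done
auth_debug_passwords = yes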
ssl = yes
verbose_ssl = yes

Then monitor logs in real-time:

sudo tail -f /var/log/dovecot.log

Check if the port is actually reachable externally:

nc -zv mysite.com 993

Verify iptables isn't interfering despite the firewall showing inactive:

sudo iptables -L -n -v

Finally, confirm each of the following:

  1. The certificate chain includes the intermediate certificates
  2. The private key isn't encrypted with a passphrase
  3. The Dovecot service can read both the cert and key files
  4. There are no SELinux/AppArmor restrictions (on Ubuntu 16.04)
  5. DNS records properly resolve to the server's IP

After implementing these changes, restart Dovecot and test again:

sudo systemctl restart dovecot
openssl s_client -connect mysite.com:993 -crlf