Troubleshooting Dovecot IMAPS Connection Issues on Ubuntu 16.04: Port 993 Not Responding



When you try to establish an IMAPS connection to port 993 on your Ubuntu 16.04 mail server, the connection closes immediately, before any TLS handshake takes place. This suggests either a configuration issue in Dovecot or a deeper system-level problem.

# Verify Dovecot is listening on port 993
sudo netstat -plutn | grep 993

# Check firewall status
sudo ufw status

# Test with openssl
openssl s_client -connect mysite.com:993 -crlf

From your dovecot -n output, these elements need special attention:

ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = /etc/letsencrypt/live/mysite.com/privkey.pem

service imap-login {
  inet_listener imap {
    port = 0  # This disables plain IMAP (port 143)
  }
}

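First, let's make the SSL configuration more explicit. Note the "<" in front of each path: it tells Dovecot to read the setting's value from that file. Without it, as in the output above, the path string itself is taken as the certificate or key data: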

# Edit /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mysite.com/privkey.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes

Let's check if Dovecot can access the certificate files:

sudo -u dovecot ls -la /etc/letsencrypt/live/mysite.com/
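# Test readability without printing the private key to the terminal
sudo -u dovecot test -r /etc/letsencrypt/live/mysite.com/privkey.pem && echo "privkey.pem is readable"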

Try connecting from the server itself first:

telnet localhost 993
openssl s_client -connect localhost:993 -crlf

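Enable verbose logging in Dovecot. While auth_debug_passwords is enabled, attempted passwords are written to the log, so revert these settings once the problem is diagnosed:

# Add to /etc/dovecot/conf.d/10-logging.conf
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
verbose_ssl = yes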

Configure Dovecot to listen on an alternative port temporarily:

# In /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imaps {
    port = 9943
    ssl = yes
  }
}

After making changes, run these verification commands:

sudo doveconf -n
sudo systemctl restart dovecot
sudo tail -f /var/log/mail.log
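
The checks above, as an added example that is not part of the original page: a shell function that reads doveconf -n output on stdin and flags three problems this page touches on (a certificate or key path without the "<" prefix, auth_debug_passwords left on, and an imaps listener that is not on 993). The names dovecot_tls_lint and sample_config, and the sample config itself, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Lints Dovecot config text
# (for instance the output of `doveconf -n`) read from stdin.
dovecot_tls_lint() {
  awk '
    # Remember which inet_listener block (if any) the current line is in.
    /^[ \t]*inet_listener[ \t]/ { listener = $2; next }
    /^[ \t]*[}]/                { listener = ""; next }
    /=/ {
      line = $0
      sub(/[ \t]*#.*$/, "", line)                 # strip trailing comment
      key = line; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
      val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      # Without "<" Dovecot takes the value itself as the PEM data.
      if ((key == "ssl_cert" || key == "ssl_key") && val !~ /^</) {
        print key ": no \"<\" prefix, path is not read as a file"; n++
      }
      # Attempted passwords are written to the log while this is on.
      if (key == "auth_debug_passwords" && val == "yes") {
        print key ": passwords are logged, disable after debugging"; n++
      }
      # Catches a leftover test port or a disabled (port = 0) listener.
      if (listener == "imaps" && key == "port" && val != "993") {
        print "imaps listener: port is " val ", clients expect 993"; n++
      }
    }
    END { exit (n > 0) }
  '
}

# Constructed sample in the shape of the settings quoted on this page.
sample_config() {
  cat <<'EOF'
ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mysite.com/privkey.pem
auth_debug_passwords = yes
service imap-login {
  inet_listener imaps {
    port = 9943
    ssl = yes
  }
}
EOF
}

# Exit status is 1 when there are findings, 0 when the config is clean.
sample_config | dovecot_tls_lint || echo "fix the findings above"
```

On a live server, run it as: sudo doveconf -n | dovecot_tls_lint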

Try connecting using different tools for comparison:

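# Using swaks (an SMTP client: against port 993 it can only confirm that the TLS handshake completes, it cannot speak IMAP)
swaks --to user@mysite.com --server mysite.com --port 993 --tls-on-connect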

# Using curl
curl --url "imaps://mysite.com:993" --user username:password

When attempting to establish an IMAPS connection on port 993 to a Dovecot mail server running on Ubuntu 16.04, we encounter immediate connection termination without proper SSL/TLS negotiation. Key indicators from our diagnostics:

telnet mysite.com 993
Trying 127.0.1.1...
Connected to mysite.com.
Escape character is '^]'.
Connection closed by foreign host.

The Dovecot configuration shows several important settings that need verification:

ssl = required
ssl_cert = /etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = /etc/letsencrypt/live/mysite.com/privkey.pem
protocols = imap lmtp pop3

Let's perform deeper network-level diagnostics:

openssl s_client -connect mysite.com:993 -crlf -debug -showcerts -state

When this fails with "write:errno=104", it typically indicates that the TCP connection was established but the peer reset it (errno 104 is ECONNRESET on Linux) before the TLS handshake completed.

Check certificate files existence and permissions:

sudo ls -la /etc/letsencrypt/live/mysite.com/
sudo cat /etc/letsencrypt/live/mysite.com/fullchain.pem
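# Parse the key without printing it; a passphrase prompt here means the key is encrypted
sudo openssl pkey -in /etc/letsencrypt/live/mysite.com/privkey.pem -noout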

Ensure the dovecot user has appropriate access:

sudo usermod -a -G ssl-cert dovecot
sudo chmod 640 /etc/letsencrypt/live/mysite.com/privkey.pem
sudo chown root:ssl-cert /etc/letsencrypt/live/mysite.com/privkey.pem

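Add these parameters to /etc/dovecot/conf.d/10-ssl.conf. Note that ssl_min_protocol and ssl_dh are Dovecot 2.3 settings; the 2.2 series packaged with Ubuntu 16.04 rejects them as unknown settings, so on that version keep ssl_protocols instead and omit ssl_dh: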

ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh = </etc/dovecot/dh.pem

Generate DH parameters if missing:

openssl dhparam -out /etc/dovecot/dh.pem 4096

Enable verbose logging in /etc/dovecot/conf.d/10-logging.conf:

log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
ssl = yes
verbose_ssl = yes

Then monitor logs in real-time:

sudo tail -f /var/log/dovecot.log

Check if the port is actually reachable externally:

nc -zv mysite.com 993

Verify iptables isn't interfering even if ufw reports inactive:

sudo iptables -L -n -v

Also confirm the following:

  1. Certificate chain includes intermediate certificates
  2. Private key isn't encrypted with passphrase
  3. Dovecot service can read both cert and key files
  4. No SELinux/AppArmor restrictions (on Ubuntu 16.04)
  5. DNS records properly resolve to server's IP

After implementing these changes, restart Dovecot and test again:

sudo systemctl restart dovecot
openssl s_client -connect mysite.com:993 -crlf