MailServer blues!

Hello everyone. I’m running Onlyoffice Workspace-CE. I have the mailserver portion running as well…sorta.

I can send email all day long, but can’t receive them. I have opened all the ports that are needed. I’ve tried manually setting my own certs because I need a CA, and this doesn’t work. I made sure to put the certs in mailserver/cert/. I have all three: mail.onlyoffice.ca.bundle (fullchain), mail.onlyoffice.key (privkey), and mail.onlyoffice.crt (cert). I’ve checked my DNS in Porkbun (using Porkbun to host my domain) and everything is good to go. The DNS check in Onlyoffice is all green. I was using Cloudflare before and went away from it as I was told it can cause errors. However, I’m still having errors.

I keep getting the following errors from dovecot.log:

TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<yro2S/ooiACsFgAG>

When I try to email myself from, say, my Gmail account, I check maillog and it says it was delivered, but it doesn’t show up in the inbox.

Dec 11 08:32:07 mail postfix/smtpd[684]: connect from unknown[94.156.227.110]
Dec 11 08:32:08 mail postfix/smtpd[684]: disconnect from unknown[94.156.227.110]
Dec 11 08:32:21 mail postfix/smtpd[684]: connect from unknown[80.94.95.239]
Dec 11 08:32:22 mail postfix/smtpd[684]: disconnect from unknown[80.94.95.239]
Dec 11 08:34:36 mail postfix/smtpd[687]: connect from mail-pj1-f42.google.com[209.85.216.42]
Dec 11 08:34:37 mail postfix/smtpd[687]: 7F9E617C666A: client=mail-pj1-f42.google.com[209.85.216.42]
Dec 11 08:34:37 mail postfix/cleanup[691]: 7F9E617C666A: message-id=<CANTZfsNBr9SBCf9hyyKB=bsVzZn1+iNfr8jaEUNXsr9U9R1kpg@mail.gmail.com>
Dec 11 08:34:37 mail postfix/qmgr[312]: 7F9E617C666A: from=<mygmail@gmail.com>, size=4192, nrcpt=1 (queue active)
Dec 11 08:34:37 mail postfix/smtpd[687]: disconnect from mail-pj1-f42.google.com[209.85.216.42]
Dec 11 08:34:42 mail postfix/smtpd[695]: connect from localhost[127.0.0.1]
Dec 11 08:34:42 mail postfix/smtpd[695]: A7B1017C666E: client=localhost[127.0.0.1]
Dec 11 08:34:42 mail postfix/cleanup[691]: A7B1017C666E: message-id=<CANTZfsNBr9SBCf9hyyKB=bsVzZn1+iNfr8jaEUNXsr9U9R1kpg@mail.gmail.com>
Dec 11 08:34:42 mail opendkim[455]: A7B1017C666E: no signing table match for 'mygmail@gmail.com'
Dec 11 08:34:42 mail opendkim[455]: A7B1017C666E: DKIM verification successful
Dec 11 08:34:42 mail opendkim[455]: A7B1017C666E: s=20230601 d=gmail.com SSL 
Dec 11 08:34:42 mail postfix/smtpd[695]: disconnect from localhost[127.0.0.1]
Dec 11 08:34:42 mail postfix/qmgr[312]: A7B1017C666E: from=<dvalin21@gmail.com>, size=4803, nrcpt=1 (queue active)
Dec 11 08:34:42 mail amavis[355]: (00355-01) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [209.85.216.42]:49338 [209.85.216.42] <mygmail@gmail.com> -> <email@example.com>, Queue-ID: 7F9E617C666A, Message-ID: <CANTZfsNBr9SBCf9hyyKB=bsVzZn1+iNfr8jaEUNXsr9U9R1kpg@mail.gmail.com>, mail_id: RDdnfK9vBNdW, Hits: -3.892, size: 4158, queued_as: A7B1017C666E, dkim_sd=20230601:gmail.com, 5006 ms
Dec 11 08:34:42 mail postfix/smtp[692]: 7F9E617C666A: to=<email@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.5, delays=0.51/0.01/0.01/5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A7B1017C666E)
Dec 11 08:34:42 mail postfix/qmgr[312]: 7F9E617C666A: removed
Dec 11 08:34:42 mail postfix/pipe[697]: A7B1017C666E: to=<email@example.com>, relay=dovecot, delay=0.07, delays=0.01/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)

Also, I try to set up IMAP for an invoice app with this email and it fails due to SSL:

imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.22.0.6, lip=172.22.0.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<yro2S/ooiACsFgAG>

Basically what I shared earlier.

I don’t know if the permissions are just not set right or if it’s something else, but everything says I should at least be able to receive emails!

What should the cert permissions be? What should the folder permissions be? Thanks

Also, I wanted to let you know I followed your port list.

Hi @Keith

Is the issue with receiving emails still persisting?

Here’s the list of log files we could take a look at:

  • /app/onlyoffice/CommunityServer/logs/mail/mail-aggregator.errors.log
  • /app/onlyoffice/CommunityServer/logs/web.api.log
  • /app/onlyoffice/CommunityServer/logs/web.log

If the issue persists, further logs would help narrow it down.

Hey, sorry for the rather long time since I’ve been back. Yes, the issue is still happening. Here are the logs.

cat mail-aggregator.errors.log
2025-01-10 00:21:02,986 ERROR [7] ASC.Mail Mbox_1 - AT LOGIN IMAP/POP3 [SSL EXCEPTION]
Tenant: 1, MailboxId: 1, Address: email@example.com
MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.

This usually means that the SSL certificate presented by the server is not trusted by the system for one or more of
the following reasons:

1. The server is using a self-signed certificate which cannot be verified.
2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
3. A Certificate Authority CRL server for one or more of the certificates in the chain is temporarily unavailable.
4. The certificate presented by the server is expired or invalid.
5. The set of SSL/TLS protocols supported by the client and server do not match.

See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#SslHandshakeException for possible solutions.

 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:0A000410:SSL routines::sslv3 alert handshake failure
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions, SelectClientCertificate clientCertificateSelectionCallback)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at MailKit.Net.Imap.ImapClient.ConnectAsync(String host, Int32 port, SecureSocketOptions options, Boolean doAsync, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at ASC.Mail.Clients.MailClient.LoginImap(Boolean enableUtf8)
   at ASC.Mail.Aggregator.Service.Service.MailboxHandler.CreateClient() in /home/jenkins/workspace/release.mail.precompiled/Services/ASC.Mail.Aggregator.Service/Service/MailboxHandler.cs:line 311 

cat web.api.log
2024-12-11 08:21:26,926 ERROR [39] localhost - ASC.Api - GetCommonDomain() failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object
  at ASC.Api.MailServer.MailServerApi.SendMailboxCreated (ASC.Mail.Data.Contracts.ServerMailboxData serverMailbox, System.Boolean toMailboxUser, System.Boolean toUserProfile) [0x00171] in <f511cc127b8a45458c593e6e143b4bda>:0  

cat web.log
2025-01-09 08:18:53,237 ERROR [48] localhost - ASC.Mail.ContactEngine - SearchEmails: 
The following exceptions have been thrown by WaitAll():
-------------------------------------------------
System.ApplicationException: Error retrieving response. Check inner details for more info. ---> System.Net.WebException: Error: ConnectFailure (Connection refused) ---> System.Net.Sockets.SocketException: Connection refused
  at System.Net.Sockets.SocketAsyncResult.CheckIfThrowDelayedException () [0x00014] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.Sockets.Socket.EndConnect (System.IAsyncResult asyncResult) [0x0002c] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebConnection+<>c.<Connect>b__16_1 (System.IAsyncResult asyncResult) [0x00006] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) [0x00019] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0 
--- End of stack trace from previous location where exception was thrown ---

  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x001e1] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x0025d] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x000cc] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebOperation.Run () [0x0009a] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at RestSharp.Http.<ExecuteRequest>g__GetRawResponse|185_1 (System.Net.WebRequest request) [0x00020] in <4c50e991a27848e79eaad19a5e76e5dd>:0 
  at RestSharp.Http.ExecuteRequest (System.String httpMethod, System.Action`1[T] prepareRequest) [0x00015] in <4c50e991a27848e79eaad19a5e76e5dd>:0 
   --- End of inner exception stack trace ---
  at ASC.Mail.Utils.ApiHelper.Execute (RestSharp.RestRequest request) [0x00097] in <2921f4e537694e4986749770b021eed9>:0 
  at ASC.Mail.Utils.ApiHelper.SearchCrmEmails (System.String term, System.Int32 maxCount) [0x0003c] in <2921f4e537694e4986749770b021eed9>:0 
  at ASC.Mail.Core.Engine.ContactEngine+<>c__DisplayClass19_0.<SearchEmails>b__3 () [0x0002d] in <2921f4e537694e4986749770b021eed9>:0 
  at System.Threading.Tasks.Task`1[TResult].InnerInvoke () [0x0000f] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0 
-------------------------------------------------
System.ApplicationException: Error retrieving response. Check inner details for more info. ---> System.Net.WebException: Error: ConnectFailure (Connection refused) ---> System.Net.Sockets.SocketException: Connection refused
  at System.Net.Sockets.SocketAsyncResult.CheckIfThrowDelayedException () [0x00014] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.Sockets.Socket.EndConnect (System.IAsyncResult asyncResult) [0x0002c] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebConnection+<>c.<Connect>b__16_1 (System.IAsyncResult asyncResult) [0x00006] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) [0x00019] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0 
--- End of stack trace from previous location where exception was thrown ---

  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x001e1] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x0025d] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x000cc] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebOperation.Run () [0x0009a] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <88f564ea69dd4dc8ba9bf979e48d5996>:0 
  at RestSharp.Http.<ExecuteRequest>g__GetRawResponse|185_1 (System.Net.WebRequest request) [0x00020] in <4c50e991a27848e79eaad19a5e76e5dd>:0 
  at RestSharp.Http.ExecuteRequest (System.String httpMethod, System.Action`1[T] prepareRequest) [0x00015] in <4c50e991a27848e79eaad19a5e76e5dd>:0 
   --- End of inner exception stack trace ---
  at ASC.Mail.Utils.ApiHelper.Execute (RestSharp.RestRequest request) [0x00097] in <2921f4e537694e4986749770b021eed9>:0 
  at ASC.Mail.Utils.ApiHelper.SearchPeopleEmails (System.String term, System.Int32 startIndex, System.Int32 count) [0x0004b] in <2921f4e537694e4986749770b021eed9>:0 
  at ASC.Mail.Core.Engine.ContactEngine+<>c__DisplayClass19_0.<SearchEmails>b__4 () [0x0002d] in <2921f4e537694e4986749770b021eed9>:0 
  at System.Threading.Tasks.Task`1[TResult].InnerInvoke () [0x0000f] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0 
  at System.Threading.Tasks.Task.Execute () [0x00000] in <f2b3ab7dfff746f594d2ef5b16ec3c90>:0  

So I’ve followed the following instructions (since the logs say it can find ssl or whatever) to add my CA certs to mailserver.

The self-signed certificates for your domain will be created by default while running the docker container. If you want to use CA certified certificates, you will need to rename them and copy into the /app/onlyoffice/MailServer/data/certs directory before running the image. The following files are required:

/app/onlyoffice/MailServer/data/certs/mail.onlyoffice.key
/app/onlyoffice/MailServer/data/certs/mail.onlyoffice.crt
/app/onlyoffice/MailServer/data/certs/mail.onlyoffice.ca-bundle

Docker-MailServer

I made sure to change the permissions for crt and ca-bundle to 644 and key to 600.
I’ve tried this before, when I didn’t change the ownership of it. It was root, and still the certs didn’t work or it didn’t read them. This time I made sure to change the ownership to the user of my Ubuntu server, same result. I took cert.pem and renamed it to mail.onlyoffice.crt, then .key, then .ca-bundle. If there is more, the documentation doesn’t say that there is. I do have workspace-ce behind an npm reverse proxy. I don’t know if that makes a difference or not.

Also found this nginx error

[error] 2267#2267: *9 connect() to unix:/var/run/onlyoffice/onlyoffice.socket failed (11: Resource temporarily unavailable) while connecting to upstream, client: 172.23.0.6, server: , request: "GET /addons/mail/Default.aspx?warmup=true HTTP/1.1", upstream: "fastcgi://unix:/var/run/onlyoffice/onlyoffice.socket:", host: "172.23.0.6"
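A way to verify the certificate files discussed above before restarting the mail server, given as an added example that is not part of the original thread or of ONLYOFFICE's code. It assumes the directory and the three file names from the quoted instructions; the function names and the sample directory are constructed for illustration, and treating a group- or world-readable key as a problem is this example's assumption, not a documented requirement.

```python
import os, re, ssl, stat, tempfile

CERT_DIR = "/app/onlyoffice/MailServer/data/certs"   # path from the quoted instructions
# Required file name -> PEM block type it is expected to contain.
REQUIRED = {
    "mail.onlyoffice.key": "PRIVATE KEY",
    "mail.onlyoffice.crt": "CERTIFICATE",
    "mail.onlyoffice.ca-bundle": "CERTIFICATE",
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def _norm(name):
    # Treat '.', '-' and '_' alike so near-miss file names can be spotted.
    return re.sub(r"[._-]", "-", name.lower())

def audit_cert_dir(cert_dir=CERT_DIR):
    """Return a list of problems; an empty list means the layout looks right."""
    problems = []
    present = os.listdir(cert_dir)
    for name, block in REQUIRED.items():
        path = os.path.join(cert_dir, name)
        if name not in present:
            near = [f for f in present if _norm(f) == _norm(name)]
            hint = f" (found similarly named {near[0]!r})" if near else ""
            problems.append(f"{name}: missing{hint}")
            continue
        with open(path, errors="replace") as fh:
            labels = PEM_BEGIN.findall(fh.read())
        if not any(lab.endswith(block) for lab in labels):
            problems.append(f"{name}: no {block} block, found {labels or 'no PEM data'}")
        if block == "PRIVATE KEY" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"{name}: readable by group or others")
    return problems

def key_matches_cert(cert_dir=CERT_DIR):
    """True only if OpenSSL can load the certificate together with its private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(os.path.join(cert_dir, "mail.onlyoffice.crt"),
                            os.path.join(cert_dir, "mail.onlyoffice.key"),
                            password=lambda: "")   # never prompt for a passphrase
        return True
    except OSError:   # ssl.SSLError is a subclass: bad PEM, wrong key, missing file
        return False

def constructed_example():
    """Build a throwaway directory of deliberately wrong files (constructed data)."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    for name in ("mail.onlyoffice.key", "mail.onlyoffice.crt", "mail.onlyoffice.ca.bundle"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(cert)            # same certificate copied under every name
        os.chmod(os.path.join(d, name), 0o644)
    return d

if __name__ == "__main__":
    d = constructed_example()
    print("\n".join(audit_cert_dir(d)), "\nkey matches cert:", key_matches_cert(d))
```

Run against the real directory, `audit_cert_dir()` needs read access to the key file, so it has to run as the file's owner or as root.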

@Keith

Thank you for the information, and apologies for the delay.
I’ll need some time to review the issue. As soon as I have any updates or additional questions, I’ll make sure to get back to you.