I've been trying to configure my Raspberry Pi (Raspbian Jessie Lite) as a postfix/dovecot email server for my domain dominicgkerr.co.uk. Using a combination of the fantastic walkthroughs written by Sam Hobbs (https://samhobbs.co.uk/raspberry-pi-email-server) and @Pestmeester (www.pestmeester.nl), I have managed to sucessfully set up communcation through IMAP (port 143), IMAPS (port 993), and POP3 (port 110).
Ideally I would like to prevent traffic over unsecured IMAP and POP3 ports, and decided to turn off ports 143 and 110 in order to exclusively serve traffic via IMAPS and POP3S (port 995). Turning off port 143 seems to work fine, and IMAPS requests are handled successfully through 993 and verified using my installed ssl certificate.
However, trying the same trick with POP3 ports does not to work, and I cannot for the life of me be able to set up my ssl certificates such a way that Gmail/Thunderbird/openssl can connect to the raspberry pi across POP3S:
- Gmail simply refuses to connect when trying to set up its "Check email from other accounts (using POP3)" service
Thunderbird complains that my server's POP3S connect has an "Unknown identity"and testing the connection locally with Openssl returns verify return code 21 (unable to verify the first certificate), and gives an "-ERR Unknown command" when trying to login using "a login user pass"...
I purchased a Comodo ssl certificate for the server, and pointed both postfix (using /etc/postfix/main.cf) and dovecot (using /etc/dovecot/conf.d/10-ssl.conf) to its location in /etc/ssl/certs.
Does POP3S need a different ssl certificate to that used by IMAPS (e.g. does it require the full certificate chain - IMAPS seems to work fine without it)? Despite pointing to (a now correct) certificate chain, I'm unable to connect to my server over pop3s. I've checked that my ipTables firewall isn't blocking traffic over 995 (-A INPUT -p tcp --dport 995 -j ACCEPT), and have set the following listeners in /etc/dovecot/conf.d/10-master.conf:
service imap-login {
inet_listener imap {
port = 0
#Previously port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
Any ideas? If there's any postfix/dovecot files which would be useful to look at to help diagnose what's wrong, I'll happily paste them below... Thanks in advance!
Edit - Fixed Openssl Return Code 21 After playing around with my certificates again, I realised I'd messed up installing the required certificate chain. Now connecting to pop3s via Openssl returns verify code 0 (ok), but still doesn't like my attempts to login using "a login pass" (returning "-Err Unknown command" as before)... Is this the correct syntax? It works fine when using Openssl to connect over imaps!
Edit - Thunderbird Unknown Identity Complaint Yikes! It now seems that Thunderbird will allow me to setup a secure pop3s account to receive email from my server. I've changed a few things since last testing this (I've have also been playing around with setting up nginx to run a webserver in parallel), but I suspect that installing the (correct) full ssl certificate chain helped out...
Edit - OpenSSL -ERR Unknown command Yes I am an idiot... The correct login syntax is simply "user username", followed by "pass password".
Edit - Revised question title After fixing a few stupid errors my question has been simplified somewhat; is there any missing plugin/configuration/hack/illogical reason why Gmail is consistently unable to check the emails (over pop3s) served by my raspberry pi? Seemingly everything else works now; is there something subtle I'm missing...
