[SOLVED] PMG 6.1-5 restore configuration from 5.1-4

Hi,
We have a PMG 5.1-4 in production. Due to intermittent issues with Avast, we need to update.
The update from 5.1-4 to 6.1-5 was OK, but afterwards I could not update the Avast package, so I installed PMG 6.1-5 from scratch.

The installation works very well, and the Avast installation is OK (with the new repositories from Avast).
But when I restored the configuration, this error appeared in Fetchmail:

-- Logs begin at Tue 2020-02-25 00:54:05 -03, end at Tue 2020-02-25 00:54:17 -03. --
Feb 25 00:54:14 proxmoxMG systemd[1]: Starting LSB: init-Script for system wide fetchmail daemon...
Feb 25 00:54:14 proxmoxMG fetchmail[955]: Not starting fetchmail daemon, disabled via /etc/default/fetchmail.
Feb 25 00:54:14 proxmoxMG systemd[1]: Started LSB: init-Script for system wide fetchmail daemon.


I have changed some options in /etc/init.d/fetchmail and the fetchmail daemon finally starts up.
However, the system currently cannot fetch mail. This is a problem very similar to my previous post.
- Accounts are POP3 without SSL
- Accounts are configured in the GUI, and I can see them in /etc/pmg/fetchmailrc in POP3 mode
- Fetchmail also tries to log in using TLS.

However the log says:
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: (mailserverexternal): upgrade to TLS failed.
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: Unknown login or authentication error on user@(mailserverexternal)
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: socket error while fetching from user@proxmox0089
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)


Any ideas?
Thanks!
 
Output of systemctl status fetchmail

● fetchmail.service - LSB: init-Script for system wide fetchmail daemon
Loaded: loaded (/etc/init.d/fetchmail; generated)
Active: active (running) since Tue 2020-02-25 01:23:18 -03; 9min ago
Docs: man:systemd-sysv-generator(8)
Tasks: 1 (limit: 4915)
Memory: 1.8M
CGroup: /system.slice/fetchmail.service
└─3521 /usr/bin/fetchmail -f /etc/pmg/fetchmailrc --pidfile /var/run/fetchmail/fetchmail.pid --syslog

Feb 25 01:29:21 proxmoxMG fetchmail[3521]: socket error while fetching from (USER)@proxmox0024
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: servidor.com: upgrade to TLS failed.
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Unknown login or authentication error on (OTHERUSER)@servidor.com
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: socket error while fetching from (OTHERUSER)@proxmox0010
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)
 
Update
The issue originates in some PMG configuration that is forcing pop3-SSL, which I cannot find.
The /etc/pmg/fetchmailrc is configured with accounts of type user@domain.com, using POP3 on port 110 without SSL.
The ISP provides POP3 without SSL (port 110) or POP3 with TLS1.1 (port 995).
I have tested the configuration with POP3-110 and POP3-995-SSL and I get the same error (server.com: upgrade to TLS failed.)

I have downgraded the /etc/ssl/openssl.conf to work with 1.1 (MinProtocol = TLSv1.1 and CipherString = DEFAULT@SECLEVEL=1) but I cannot connect to my ISP server.

Any directions to disable SSL in this fetchmail?
 
Hm - I guess the problem is that your provider is using a self-signed certificate for its pop3s (995) and pop3+starttls server.

These days you really should ask them to use a certificate signed by a CA.

A probably more sensible workaround would be to fetch their certificate and add it to your PMG's certificate store

(afair: get the cert (with openssl s_client or so), add it to /usr/local/share/ca-certificates/; run update-ca-certificates -f)
 
I would expect fetchmail to use the value you configured in openssl config

The only other thing I could think of as a workaround is to edit the fetchmailrc.tt template and add the necessary options to also disable starttls - you would need to experiment, but it should be the absence of ssl, and sslproto should be set to ' ' (empty)

I hope this helps!
 
Hi again Ivanov,
Finally, with your last message, I have changed:
/var/lib/pmg/templates/fetchmail.tt

defaults:
antispam -1
batchlimit 100
sslproto ''


And I have also changed /etc/pmg/fetchmailrc and added sslproto ''

With these two changes, the config works OK, and the PMG 6.1.5 now downloads POP3 mail using fetchmail without SSL *and* filtering with AVAST.
Surely will upgrade the ISP provider in the next days.

In conclusion:
- In PMG 6.x it is not possible to download mail using SSL/TLS 1.1
- It is not recommended to download mail using POP3 without SSL (security concerns)

Thanks for your assistance. This case is closed.
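
Added example, not part of the thread and not PMG's own code: with sslproto '' left in the defaults section, a check like this lists which poll entries are being fetched in cleartext, so they can be tracked until the provider offers usable TLS. The server names, accounts and the helper names cleartext_polls and sample_rc are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PMG code: list poll entries that fetch in cleartext,
# i.e. sslproto '' (STARTTLS disabled) without the "ssl" keyword.
cleartext_polls() {
    awk -v q="'" '
    function flush() {
        if (name != "" && empty && !ssl) print name
        name = ""
    }
    {
        gsub(q q "|\"\"", " EMPTY ")              # mark empty quoted values
        gsub(q "[^" q "]+" q "|\"[^\"]+\"", "Q")  # hide passwords and names
        sub(/#.*/, "")                            # drop comments
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "defaults") { flush(); in_defaults = 1 }
            else if (t == "poll" || t == "skip") {
                flush(); in_defaults = 0
                ssl = def_ssl; empty = def_empty  # inherit the defaults
                if (t == "poll") name = tok[++i]  # skip entries stay unnamed
            }
            else if (t == "ssl") { if (in_defaults) def_ssl = 1; else ssl = 1 }
            else if (t == "sslproto") {
                v = (tok[++i] == "EMPTY")
                if (in_defaults) def_empty = v; else empty = v
            }
        }
    }
    END { flush() }' "$1"
}

# Constructed sample in the shape described in the thread (not a real config).
sample_rc() {
    cat <<'EOF'
defaults
  antispam -1
  batchlimit 100
  sslproto ''

poll pop.example.net protocol pop3 port 110
  user 'alice' pass 'no ssl here' is alice@example.org
poll secure.example.net protocol pop3 port 995
  user 'bob' pass 'x' ssl sslproto 'TLS1.2+'
EOF
}

f=$(mktemp); sample_rc > "$f"; cleartext_polls "$f"; rm -f "$f"
```

On a gateway the function would be pointed at /etc/pmg/fetchmailrc; an empty result means no entry has STARTTLS disabled without the ssl keyword.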
 