
nginx proxy path #218

Open
mgkirs opened this issue Sep 28, 2024 · 14 comments

mgkirs commented Sep 28, 2024

I am trying to start with nginx. I do not understand how to work with ACME and MTA-STS.
I can't find mta-sts.txt.


		# Automatic TLS configuration with ACME, e.g. through Let's Encrypt. The key is a
		# name referenced in TLS configs, e.g. letsencrypt. (optional)
ACME:
	letsencrypt:
		Port: 10444
		# For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory.
		DirectoryURL: https://acme-v02.api.letsencrypt.org/directory
		# Email address to register at ACME provider. The provider can email you when
		# certificates are about to expire. If you configure an address for which email is
		# delivered by this server, keep in mind that TLS misconfigurations could result
		# in such notification emails not arriving.
		ContactEmail: host

		# If set, used for suggested CAA DNS records, for restricting TLS certificate
		# issuance to a Certificate Authority. If empty and DirectyURL is for Let's
		# Encrypt, this value is set automatically to letsencrypt.org. (optional)
		IssuerDomainName: letsencrypt.org
		# File containing hash of admin password, for authentication in the web admin
		# pages (if enabled). (optional)


That config is not for a server on 127.0.0.1.
I am trying to listen with nginx, but I do not know how to proxy it.

server {
    server_name autoconfig.host; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://$server_address:10444;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # For ACME calls
    location /.well-known/acme-challenge/ {
        proxy_pass http://$server_address:10444;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

That gives error 400 or 502.
If I connect to $server_address:10433 I see ERR_CONNECTION_TIMED_OUT or SSL_ERROR.

OS:

NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
Rocky Linux release 9.4 (Blue Onyx)

Maybe it's the SSL redirects of Cloudflare...
Sometimes I see:

mox[39660]: l=debug m="autotls hostpolicy result" err="autotls: host not in allowlist: \"mx.host\"" pkg=autotls host=host

Where is the allowlist configured?

mox[73422]: l=print m="starting as unprivileged user" pkg=serve user=mox pid=73422
mox[73422]: l=debug m="checking ips of hosts configured for acme tls cert validation" pkg=mox
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mx.hostcom resp=[ffff;ff] authentic=true duration=3.142491ms
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.neveru.me. resp=[ffff;ff] authentic=true duration="954.344µs"
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.host resp=[ffff;ff] authentic=true duration=2.578024ms
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.host resp=[ffff;ff] authentic=true duration="478.275µs"
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.host resp=[ffff ff] authentic=true duration="379.888µs"
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.host resp=[ffff,ff] authentic=true duration=1.068899ms
mox[73422]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.host resp=[ffff;ff] authentic=true duration="564.612µs"
mox[73422]: l=print m="ready to serve" pkg=serve
mox[73422]: l=info m="sending tls reports" pkg=tlsrptsend day=20240929 cid=19241227017
mox[73422]: l=info m="determining own version before checking for updates, trying again in 24h" err="parsing version: open data/lastknownversion: no such file or directory" pkg=serve
mox[73422]: l=info m="finished sending tls reports" pkg=tlsrptsend cid=19241227017
mox[73422]: l=debug m="dns lookup result" err="lookup spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host= spamhaus.o>
mox[73422]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=ff status=pass explanation= duration=1.550482ms
mox[73422]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.host
mox[73422]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.host
mox[73422]: l=print m="ensuring certificate availability" pkg=http hostname=mx.host
mox[73422]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.host
mox[73422]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.nhost
mox[73422]: l=debug m="autotls hostpolicy result" pkg=autotls host=mx.host
mox[73422]: l=debug m="found existing private key for certificate for host" pkg=mox acmename=letsencrypt host=mx.host keytype=ecdsa-p256
mox[73422]: l=debug m="dns lookup result" err="lookup spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=.bl.spamcop.net. >
mox[73422]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=ff status=pass explanation= duration=23.132401ms
mox[73422]: l=debug m="dns lookup result" err="lookup .spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor typ>
mox[73422]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=ffff status=pass explanation= duration=1.672654ms
mox[73422]: l=debug m="dircache put result" pkg=autotls name=mx.host+token
mox[73422]: l=debug m="dns lookup result" err="lookup .spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=>
mox[73422]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=ffff status=pass explanation= duration=23.980872ms
mjl- (Owner) commented Oct 3, 2024

I hope I'm understanding your situation and goal. Hopefully the answer below can get you on your way.

ACME:
	letsencrypt:
		Port: 10444

I think you have nginx receiving regular https traffic on port 443, and you are forwarding at least "/.well-known/acme-challenge/" to mox, that you want to let listen on port 443? Using a https reverse proxy (like nginx) will not work with acme's verification: That verification uses tls-alpn-01, which means the original TLS connection from the ACME provider (for example Let's Encrypt) must make it to mox. During the TLS handshake, the "application-layer next protocol" extension ("alpn") is used to perform the verification. A reverse proxy like nginx will not pass that information on to mox.

So if you're using nginx in front of mox, you cannot use tls-alpn-01 verification with acme.

But you should be able to use the http-01 verification. That works with requests over regular http on port 80. So you would have to enable one of the mox webservices (for example "WebserverHTTP") on port 80 of your "public" listener. That automatically enables acme http-01 verification. You will have to reverse proxy requests to /.well-known/acme-challenge/ (for all domains that need a TLS certificate) on port 80 to mox on port 80.

With mta-sts, you would also have to reverse proxy mta-sts.$yourdomain.example to mox.

If you get a message that a domain is not on the allowlist, that would normally mean the domain is not configured in mox, and mox will not retrieve a certificate for it using acme. The allowlist is automatically created based on the hostname (for example mx.yourdomain.example) and the domain(s) (for example autoconfig.yourdomain.example, mta-sts.yourdomain.example).

if i am connect to $server_addreess:10433 i am look ERR_CONNECTION_TIMED_OUT or SSL_ERROR

I don't know why you would get those errors. But it's better to leave the acme port at 443 and only use plain http-01 acme verification.

Hope this helps. If you're running into trouble with http-01 acme verification, it would be useful to see configuration file snippets and error logs.
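The tls-alpn-01 point in the answer above, as an added example that is not code from this thread or from mox itself: a standard-library Go program that serves an RFC 8737 validation certificate on loopback and probes it twice. The hostname mx.example.org, the key authorization string "token.thumbprint" and the loopback port are made up for the demonstration. The first probe behaves like the CA's validator and offers the acme-tls/1 ALPN (Application-Layer Protocol Negotiation) value, so it receives the challenge certificate and checks the digest in it. The second probe behaves like a TLS-terminating reverse proxy that opens its own upstream connection without that ALPN value: it gets the ordinary certificate and cannot validate, no matter how faithfully the HTTP bytes would later be forwarded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/http"
	"slices"
	"time"
)

const acmeALPN = "acme-tls/1" // ALPN protocol id from RFC 8737

// id-pe-acmeIdentifier (RFC 8737 section 3); its value is sha256(key authorization).
var acmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a short-lived self-signed P-256 certificate for host. With a non-empty
// keyAuth it is the RFC 8737 validation certificate: sha256(keyAuth) in a critical extension.
func makeCert(host, keyAuth string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if keyAuth != "" {
		digest := sha256.Sum256([]byte(keyAuth))
		val := must(asn1.Marshal(digest[:])) // OCTET STRING (SIZE (32))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: acmeIdentifierOID, Critical: true, Value: val}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer listens on loopback and hands out the challenge certificate only to a
// ClientHello that offers acme-tls/1 and names host via SNI; any other handshake gets
// the ordinary certificate. It returns the address to probe.
func startServer(host, keyAuth string) string {
	normal, chal := makeCert(host, ""), makeCert(host, keyAuth)
	cfg := &tls.Config{
		NextProtos: []string{acmeALPN, "http/1.1"},
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if slices.Contains(h.SupportedProtos, acmeALPN) && h.ServerName == host {
				return &chal, nil
			}
			return &normal, nil
		},
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go http.Serve(ln, http.NotFoundHandler()) // completes handshakes; the HTTP side is irrelevant here
	return ln.Addr().String()
}

// probe connects like the CA's validator (protos = {acme-tls/1}) or like a TLS-terminating
// proxy that re-originates the connection without that ALPN value (protos = nil), and
// reports whether a challenge certificate matching keyAuth came back.
func probe(addr, host, keyAuth string, protos []string) (bool, error) {
	cfg := &tls.Config{ServerName: host, NextProtos: protos, InsecureSkipVerify: true} // self-signed by design
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if st.NegotiatedProtocol != acmeALPN {
		return false, nil // acme-tls/1 was not negotiated: validation cannot succeed
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range st.PeerCertificates[0].Extensions {
		if ext.Id.Equal(acmeIdentifierOID) {
			var got []byte
			_, err := asn1.Unmarshal(ext.Value, &got)
			return err == nil && string(got) == string(want[:]), err
		}
	}
	return false, nil
}

func main() {
	addr := startServer("mx.example.org", "token.thumbprint")
	direct, _ := probe(addr, "mx.example.org", "token.thumbprint", []string{acmeALPN})
	viaProxy, _ := probe(addr, "mx.example.org", "token.thumbprint", nil)
	fmt.Println("validator with acme-tls/1:", direct, "| proxy without it:", viaProxy)
}
```

Run it with `go run`; the first boolean is true and the second false. The deciding input is the ClientHello itself (SNI plus the acme-tls/1 ALPN value), which is why an nginx `proxy_pass` of the decrypted request can never satisfy this challenge: the TLS handshake the CA validates terminates at nginx, not at mox.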

mjl- added a commit that referenced this issue Oct 4, 2024
… not work for acme tls-alpn-01 verification

related to #218 by mgkirs
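The http-01 and MTA-STS part of the answer above, as an added example (not code from this thread or from mox): a Go program in which one httptest server plays the mail server's plain-HTTP listener and another plays nginx, forwarding only /.well-known/acme-challenge/ and /.well-known/mta-sts.txt and leaving the Host header alone. The hostnames, tokens, key authorizations and the policy text are constructed sample data. It shows that the http-01 exchange survives a reverse proxy (unlike tls-alpn-01), that the backend depends on the forwarded Host header to pick the right domain, and that everything else can stay unproxied.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed sample data standing in for what the mail server knows for each domain:
// the outstanding http-01 token per hostname, key authorizations, and the MTA-STS policy.
var (
	tokens  = map[string]string{"mx.example.org": "tok-mx", "mta-sts.example.org": "tok-sts"}
	keyAuth = map[string]string{"tok-mx": "tok-mx.thumbprint", "tok-sts": "tok-sts.thumbprint"}
	policy  = "version: STSv1\nmode: testing\nmx: mx.example.org\nmax_age: 86400\n"
)

// backend plays the mail server's plain-HTTP listener: it answers http-01 challenges and
// serves the MTA-STS policy, deciding by the Host header it receives.
func backend() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/acme-challenge/", func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, "/.well-known/acme-challenge/")
		if tokens[r.Host] != token { // the token must be the one issued for this hostname
			http.NotFound(w, r)
			return
		}
		io.WriteString(w, keyAuth[token])
	})
	mux.HandleFunc("/.well-known/mta-sts.txt", func(w http.ResponseWriter, r *http.Request) {
		if r.Host != "mta-sts.example.org" {
			http.NotFound(w, r)
			return
		}
		io.WriteString(w, policy)
	})
	return mux
}

// frontProxy plays nginx: forward only the two well-known paths to the backend and keep
// the original Host header so the backend can tell the domains apart.
func frontProxy(backendURL string) http.Handler {
	target, _ := url.Parse(backendURL)               // httptest URLs are well-formed
	rp := httputil.NewSingleHostReverseProxy(target) // rewrites the URL, leaves req.Host alone
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") ||
			r.URL.Path == "/.well-known/mta-sts.txt" {
			rp.ServeHTTP(w, r)
			return
		}
		http.Error(w, "not proxied to the mail server", http.StatusNotFound)
	})
}

// fetch sends one GET through the proxy with an explicit Host header, the way the ACME
// validator or an MTA-STS-aware sending MTA addresses the site; it returns "code body".
func fetch(proxyURL, host, path string) (string, error) {
	req, _ := http.NewRequest("GET", proxyURL+path, nil) // cannot fail for a httptest URL
	req.Host = host
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return fmt.Sprintf("%d %s", resp.StatusCode, strings.TrimSpace(string(body))), err
}

// runDemo wires backend and proxy on loopback and exercises the interesting cases.
func runDemo() (map[string]string, error) {
	be := httptest.NewServer(backend())
	defer be.Close()
	fe := httptest.NewServer(frontProxy(be.URL))
	defer fe.Close()
	cases := map[string][2]string{
		"acme-ok":         {"mx.example.org", "/.well-known/acme-challenge/tok-mx"},
		"acme-wrong-host": {"mta-sts.example.org", "/.well-known/acme-challenge/tok-mx"},
		"mta-sts":         {"mta-sts.example.org", "/.well-known/mta-sts.txt"},
		"not-forwarded":   {"mx.example.org", "/webmail/"},
	}
	out := map[string]string{}
	for name, c := range cases {
		r, err := fetch(fe.URL, c[0], c[1])
		if err != nil {
			return nil, err
		}
		out[name] = r
	}
	return out, nil
}

func main() {
	out, err := runDemo()
	fmt.Println(out, err)
}
```

The "acme-wrong-host" case is the one to keep in mind when writing the nginx side: the same token requested under the wrong hostname is refused, so a proxy that rewrote or dropped the Host header (the equivalent of leaving out `proxy_set_header Host $host;`) would make the backend answer for the wrong domain or not at all, and the CA would see a 404.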
mgkirs (Author) commented Oct 10, 2024

Now mox makes a cert and can send mail.

But I can't get mail from Google, and I could not connect with Thunderbird.

Autoconfiguration, port 143:

Oct 10 03:11:48 neverume mox[250998]: l=info m="new connection" pkg=smtpserver remote=188.190.10.140:50140 local=185.83.219.53:25 submission=false tls=false listener=public cid=19273e64c76 delta="167.368µs"
Oct 10 03:11:48 neverume mox[250998]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="127.229µs" cid=19273e64c76 delta=52.240301ms
Oct 10 03:11:48 neverume mox[250998]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="413.129µs" cid=19273e64c76 delta=5.11349ms
Oct 10 03:11:48 neverume mox[250998]: l=info m="connection closed" err="read: EOF (io error)" pkg=smtpserver cid=19273e64c76 delta=58.289365ms

port 993

Oct 10 02:32:01 neverume mox[250869]: l=info m="new connection" pkg=imapserver remote=172.56.35.221:1071 local=185.83.219.53:993 tls=true listener=public cid=19273c9ae17 delta="151.099µs"
Oct 10 02:32:01 neverume mox[250869]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 02:32:01 neverume mox[250869]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 02:32:01 neverume mox[250869]: l=debug m="autotls hostpolicy result" pkg=autotls host=mail.neveru.me
Oct 10 02:32:01 neverume mox[250869]: l=debug m="generating new private key for certificate for host" pkg=mox acmename=letsencrypt host=mail.neveru.me keytype=ecdsa-p256
Oct 10 02:32:01 neverume mox[250869]: l=debug m="dircache put result" pkg=autotls name=mail.neveru.me+token
Oct 10 02:32:03 neverume mox[250869]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414143477807\" for domain \"mail.neveru.me\": no viable challenge type>
Oct 10 02:32:03 neverume mox[250869]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414143477807\" for domain \"mail.neveru.me\": no viable challenge typ>
Oct 10 02:32:03 neverume mox[250869]: l=error m="requesting certificate" err="acme/autocert: missing certificate" pkg=autotls host=mail.neveru.me
Oct 10 02:32:03 neverume mox[250869]: l=info m="connection closed" err="write: acme/autocert: missing certificate (io error)" pkg=imapserver cid=19273c9ae17 delta=2.568453214s
Oct 10 02:32:03 neverume mox[250869]: l=debug m="dircache delete result" pkg=autotls name=mail.neveru.me+token
Oct 10 02:32:51 neverume mox[250869]: l=error m="requesting automatic certificate" err="429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/>
Oct 10 03:14:40 neverume mox[250998]: l=info m="new connection" pkg=imapserver remote=172.56.35.221:18061 local=185.83.219.53:993 tls=true listener=public cid=19273e64c78 delta="844.163µs"
Oct 10 03:15:44 neverume mox[250998]: l=info m="connection closed" err="write: EOF (io error)" pkg=imapserver cid=19273e64c78 delta=1m3.79252849s

https://post.neveru.me/webmail/
does not have mailboxes...
I can't see the mails I sent, but sending mail from the Compose button works.


server {
    server_name autoconfig.neveru.me; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    server_name autoconfig.neverume.com; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ws.neverume.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ws.neverume.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}


server {
    server_name mx.neveru.me; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }


    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    server_name mx.neverume.com; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    

    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ws.neverume.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ws.neverume.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}

server {
    server_name mail.neveru.me; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    server_name mail.neverume.com; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ws.neverume.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ws.neverume.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}

server {
    server_name mta-sts.neveru.me; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }


    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    
    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}


server {
    server_name mta-sts.neverume.com; 
    # Proxy requests to the local Mox
    location / {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    


    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ws.neverume.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ws.neverume.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}


server {

    index index.php index.html;
    
    server_name post.neveru.me ;


    location / {
        proxy_pass http://127.0.0.1:9071;  # Example Mox port, if it provides a web interface
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neveru.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neveru.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}
server {
    if ($host = post.neveru.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    
    server_name post.neveru.me;
    return 404; # managed by Certbot


}
server {
    if ($host = autoconfig.neveru.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name mx.neveru.me;
    return 404; # managed by Certbot


}
Oct 10 02:48:45 neverume mox[250998]: l=print m="ready to serve" pkg=serve
Oct 10 02:48:45 neverume mox[250998]: l=info m="determining own version before checking for updates, trying again in 24h" err="parsing version: open data/lastknownversion: no such file or directory" pkg=serve
Oct 10 02:48:45 neverume mox[250998]: l=debug m="dns lookup result" err="lookup 53.219.83.185.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.sbl.spamhaus.org. resp=[] authentic>
Oct 10 02:48:45 neverume mox[250998]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=185.83.219.53 status=pass explanation= duration="916.559µs"
Oct 10 02:48:45 neverume mox[250998]: l=info m="sending tls reports" pkg=tlsrptsend day=20241009 cid=19273e64ac2
Oct 10 02:48:45 neverume mox[250998]: l=info m="finished sending tls reports" pkg=tlsrptsend cid=19273e64ac2
Oct 10 02:48:46 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=print m="ensuring certificate availability" pkg=http hostname=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=debug m="autotls hostpolicy result" pkg=autotls host=autoconfig.neverume.com
Oct 10 02:48:46 neverume mox[250998]: l=debug m="generating new private key for certificate for host" pkg=mox acmename=letsencrypt host=autoconfig.neverume.com keytype=ecdsa-p256
Oct 10 02:48:46 neverume mox[250998]: l=debug m="dns lookup result" err="lookup 53.219.83.185.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.bl.spamcop.net. resp=[] authentic=fal>
Oct 10 02:48:46 neverume mox[250998]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=185.83.219.53 status=pass explanation= duration=34.160592ms
Oct 10 02:48:47 neverume mox[250998]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host>
Oct 10 02:48:47 neverume mox[250998]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=2a02:2ca0:1111:10::a status=pass explanation= duration=2.164137ms
Oct 10 02:48:48 neverume mox[250998]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=a>
Oct 10 02:48:48 neverume mox[250998]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=2a02:2ca0:1111:10::a status=pass explanation= duration=24.004407ms
Oct 10 02:48:48 neverume mox[250998]: l=debug m="dircache put result" pkg=autotls name=autoconfig.neverume.com+token
Oct 10 02:48:50 neverume mox[250998]: l=error m="requesting automatic certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414148852617\" for domain \"autoconfig.neverume.com\": no vi>
Oct 10 02:48:50 neverume mox[250998]: l=debug m="dircache delete result" pkg=autotls name=autoconfig.neverume.com+token
Oct 10 02:48:50 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 02:48:50 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 02:49:00 neverume mox[250998]: l=print m="ensuring certificate availability" pkg=http hostname=mx.neverume.com
Oct 10 02:49:00 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 02:49:00 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 02:49:00 neverume mox[250998]: l=debug m="autotls hostpolicy result" pkg=autotls host=mx.neverume.com
Oct 10 02:49:00 neverume mox[250998]: l=debug m="found existing private key for certificate for host" pkg=mox acmename=letsencrypt host=mx.neverume.com keytype=ecdsa-p256
Oct 10 02:49:01 neverume mox[250998]: l=debug m="dircache put result" pkg=autotls name=mx.neverume.com+token
Oct 10 02:49:35 neverume mox[250998]: l=debug m="http request" pkg=http httpaccess= handler=account method=post url=/api/Account host=post.neveru.me duration=61.446182ms statuscode=200 proto=http/1.0 remoteaddr=127.0.0.1:42372 tlsinfo>
Oct 10 02:49:41 neverume mox[250998]: l=debug m="http request" pkg=http httpaccess= handler=account method=get url=/webmail-http host=post.neveru.me duration="174.257µs" statuscode=404 proto=http/1.0 remoteaddr=127.0.0.1:42378 tlsinfo>
Oct 10 02:50:41 neverume mox[250998]: l=info m="new connection" pkg=smtpserver remote=3.101.148.189:46296 local=185.83.219.53:465 submission=true tls=true listener=public cid=19273e64ac7 delta="783.587µs"
Oct 10 02:51:27 neverume mox[250998]: l=info m="new connection" pkg=smtpserver remote=188.190.10.140:56146 local=185.83.219.53:25 submission=false tls=false listener=public cid=19273e64ac8 delta="160.588µs"
Oct 10 02:51:27 neverume mox[250998]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="86.433µs" cid=19273e64ac8 delta=6.133109ms
Oct 10 02:51:27 neverume mox[250998]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="181.049µs" cid=19273e64ac8 delta=5.431609ms
Oct 10 02:51:27 neverume mox[250998]: l=info m="connection closed" err="read: EOF (io error)" pkg=smtpserver cid=19273e64ac8 delta=126.347618ms
Oct 10 02:52:46 neverume mox[250998]: l=debug m="dircache delete result" pkg=autotls name=mx.neverume.com+token
Oct 10 02:52:46 neverume mox[250998]: l=error m="requesting automatic certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414150108957\" for domain \"mx.neverume.com\": no viable cha>
Oct 10 02:52:46 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neveru.me
Oct 10 02:52:46 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neveru.me
Oct 10 02:52:46 neverume mox[250998]: l=error m="requesting certificate" err="acme/autocert: missing certificate" pkg=autotls host=mx.neverume.com
Oct 10 02:52:46 neverume mox[250998]: l=info m="connection closed" err="write: acme/autocert: missing certificate (io error)" pkg=smtpserver cid=19273e64ac7 delta=2m4.800478387s
Oct 10 02:52:56 neverume mox[250998]: l=print m="ensuring certificate availability" pkg=http hostname=autoconfig.neveru.me
Oct 10 02:52:56 neverume mox[250998]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neveru.me
Oct 10 02:52:56 neverume mox[250998]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=autoconfig.neveru.me
Oct 10 02:52:56 neverume mox[250998]: l=debug m="autotls hostpolicy result" pkg=autotls host=autoconfig.neveru.me
Oct 10 02:52:56 neverume mox[250998]: l=debug m="generating new private key for certificate for host" pkg=mox acmename=letsencrypt host=autoconfig.neveru.me keytype=ecdsa-p256
Oct 10 02:52:57 neverume mox[250998]: l=debug m="dircache put result" pkg=autotls name=autoconfig.neveru.me+token
Oct 10 02:52:59 neverume mox[250998]: l=debug m="dircache delete result" pkg=autotls name=autoconfig.neveru.me+token
Oct 10 02:52:59 neverume mox[250998]: l=error m="requesting automatic certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414150169627\" for domain \"autoconfig.neveru.me\": no viabl>
# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
# on their own line, they don't end a line. Do not escape or quote strings.

# Details: https://pkg.go.dev/github.com/mjl-/sconf.


# Directory where all data is stored, e.g. queue, accounts and messages, ACME TLS
# certs/keys. If this is a relative path, it is relative to the directory of
# mox.conf.
DataDir: ../data

# Default log level, one of: error, info, debug, trace, traceauth, tracedata.
# Trace logs SMTP and IMAP protocol transcripts, with traceauth also messages with
# passwords, and tracedata on top of that also the full data exchanges (full
# messages), which can be a large amount of data.
LogLevel: debug

# User to switch to after binding to all sockets as root. Default: mox. If the
# value is not a known user, it is parsed as integer and used as uid and gid.
# (optional)
User: mox

# Full hostname of system, e.g. mail.<domain>
Hostname: mx.neverume.com

# If enabled, a single DNS TXT lookup of _updates.xmox.nl is done every 24h to
# check for a new release. Each time a new release is found, a changelog is
# fetched from https://updates.xmox.nl/changelog and delivered to the postmaster
# mailbox. (optional)
#
# RECOMMENDED: please enable to stay up to date
#
CheckUpdates: true

# Automatic TLS configuration with ACME, e.g. through Let's Encrypt. The key is a
# name referenced in TLS configs, e.g. letsencrypt. (optional)
ACME:
	letsencrypt:
		Port: 10444
		# For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory.
		DirectoryURL: https://acme-v02.api.letsencrypt.org/directory

		# Email address to register at ACME provider. The provider can email you when
		# certificates are about to expire. If you configure an address for which email is
		# delivered by this server, keep in mind that TLS misconfigurations could result
		# in such notification emails not arriving.
		ContactEmail: [email protected]

		# If set, used for suggested CAA DNS records, for restricting TLS certificate
		# issuance to a Certificate Authority. If empty and DirectyURL is for Let's
		# Encrypt, this value is set automatically to letsencrypt.org. (optional)
		IssuerDomainName: letsencrypt.org

# File containing hash of admin password, for authentication in the web admin
# pages (if enabled). (optional)
AdminPasswordFile: adminpasswd

# Listeners are groups of IP addresses and services enabled on those IP addresses,
# such as SMTP/IMAP or internal endpoints for administration or Prometheus
# metrics. All listeners with SMTP/IMAP services enabled will serve all configured
# domains. If the listener is named 'public', it will get a few helpful additional
# configuration checks, for acme automatic tls certificates and monitoring of ips
# in dnsbls if those are configured.
Listeners:
	internal:
		# Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
		# it is better to explicitly specify the IPs you want to use for email, as mox
		# will make sure outgoing connections will only be made from one of those IPs. If
		# both outgoing IPv4 and IPv6 connectivity is possible, and only one family has
		# explicitly configured addresses, both address families are still used for
		# outgoing connections. Use the "direct" transport to limit address families for
		# outgoing connections.
		IPs:
			- 127.0.0.1
			- ::1

		# If empty, the config global Hostname is used. The internal services webadmin,
		# webaccount, webmail and webapi only match requests to IPs, this hostname,
		# "localhost". All except webadmin also match for any client settings domain.
		# (optional)
		Hostname: post.neveru.me

		# Account web interface, for email users wanting to change their accounts, e.g.
		# set new password, set new delivery rulesets. Default path is /. (optional)
		AccountHTTP:
			Enabled: true

			Port: 9071
		# Admin web interface, for managing domains, accounts, etc. Default path is
		# /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L
		# 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set
		# up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener.
		# (optional)
		AdminHTTP: 
			Enabled: true
			Port: 9071
		# Webmail client, for reading email. Default path is /webmail/. (optional)
		WebmailHTTP:
			Enabled: true
			Port: 9071
		# Like WebAPIHTTP, but with plain HTTP, without TLS. (optional)
		WebAPIHTTP:
			Enabled: true
			Port: 9071
		# Serve prometheus metrics, for monitoring. You should not enable this on a public
		# IP. (optional)
		MetricsHTTP:
			Enabled: false
	public:

		# Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
		# it is better to explicitly specify the IPs you want to use for email, as mox
		# will make sure outgoing connections will only be made from one of those IPs. If
		# both outgoing IPv4 and IPv6 connectivity is possible, and only one family has
		# explicitly configured addresses, both address families are still used for
		# outgoing connections. Use the "direct" transport to limit address families for
		# outgoing connections.
		IPs:
			- 185.83.219.53
			- 2a02:2ca0:1111:10::a

		# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
		TLS:

			# Name of provider from top-level configuration to use for ACME, e.g. letsencrypt.
			# (optional)
			ACME: letsencrypt

			# Private keys used for ACME certificates. Specified explicitly so DANE TLSA DNS
			# records can be generated, even before the certificates are requested. DANE is a
			# mechanism to authenticate remote TLS certificates based on a public key or
			# certificate specified in DNS, protected with DNSSEC. DANE is opportunistic and
			# attempted when delivering SMTP with STARTTLS. The private key files must be in
			# PEM format. PKCS8 is recommended, but PKCS1 and EC private keys are recognized
			# as well. Only RSA 2048 bit and ECDSA P-256 keys are currently used. The first of
			# each is used when requesting new certificates through ACME. (optional)
			HostPrivateKeyFiles:
				- hostkeys/mx.neveru.me.20240916T143606.rsa2048.privatekey.pkcs8.pem
				- hostkeys/mx.neveru.me.20240916T143606.ecdsap256.privatekey.pkcs8.pem

		# (optional)
		SMTP:
			Enabled: true

			# Addresses of DNS block lists for incoming messages. Block lists are only
			# consulted for connections/messages without enough reputation to make an
			# accept/reject decision. This prevents sending IPs of all communications to the
			# block list provider. If any of the listed DNSBLs contains a requested IP
			# address, the message is rejected as spam. The DNSBLs are checked for healthiness
			# before use, at most once per 4 hours. IPs we can send from are periodically
			# checked for being in the configured DNSBLs. See MonitorDNSBLs in domains.conf to
			# only monitor IPs we send from, without using those DNSBLs for incoming messages.
			# Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See
			# https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information
			# and terms of use. (optional)
			#DNSBLs:
				#- sbl.spamhaus.org
				#- bl.spamcop.net

		# SMTP over TLS for submitting email, by email applications. Requires a TLS
		# config. (optional)
		Submissions:
			Enabled: true

		# IMAP over TLS for reading email, by email applications. Requires a TLS config.
		# (optional)
		IMAPS:
			Enabled: true
		# Serve autoconfiguration/autodiscovery to simplify configuring email
		# applications, will use port 443. Requires a TLS config. (optional)
		AutoconfigHTTPS:
			Enabled: true
			Port: 4444
		# Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
		# (optional)
		MTASTSHTTPS:
			Enabled: true
			Port: 4444
		# All configured WebHandlers will serve on an enabled listener. (optional)
		WebserverHTTP:
			Enabled: true
			Port: 7744
		# All configured WebHandlers will serve on an enabled listener. Either ACME must
		# be configured, or for each WebHandler domain a TLS certificate must be
		# configured. (optional)
		WebserverHTTPS:
			Enabled: true
			Port: 4444
# Destination for emails delivered to postmaster addresses: a plain 'postmaster'
# without domain, 'postmaster@<hostname>' (also for each listener with SMTP
# enabled), and as fallback for each domain without explicitly configured
# postmaster destination.
Postmaster:
	Account: u

	# E.g. Postmaster or Inbox.
	Mailbox: Postmaster

# Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient
# domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting
# configuration is in domains.conf. This is the TLS reporting configuration for
# this host. If absent, no host-based TLSRPT address is configured, and no host
# TLSRPT DNS record is suggested. (optional)
HostTLSRPT:

	# Account to deliver TLS reports to. Typically same account as for postmaster.
	Account: u

	# Mailbox to deliver TLS reports to. Recommended value: TLSRPT.
	Mailbox: TLSRPT

	# Localpart at hostname to accept TLS reports at. Recommended value: tls-reports.
	Localpart: tls-reports


mjl- (Owner) commented Oct 10, 2024

But I can't get post from Google, I could not connect with Thunderbird

autoconfiguration port 143

Oct 10 03:11:48 neverume mox[250998]: l=info m="new connection" pkg=smtpserver remote=188.190.10.140:50140 local=185.83.219.53:25 submission=false tls=false listener=public cid=19273e64c76 delta="167.368µs"
Oct 10 03:11:48 neverume mox[250998]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="127.229µs" cid=19273e64c76 delta=52.240301ms
Oct 10 03:11:48 neverume mox[250998]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="413.129µs" cid=19273e64c76 delta=5.11349ms
Oct 10 03:11:48 neverume mox[250998]: l=info m="connection closed" err="read: EOF (io error)" pkg=smtpserver cid=19273e64c76 delta=58.289365ms

Thunderbird is connecting to port 25 to do authenticated submission. But port 25 is for email delivery, not submitting with authentication. Thunderbird should be connecting to port 465 with TLS, or to 587 as TCP+STARTTLS. I'm wondering if Thunderbird has really used autoconfig to set up the account. I think that too would require a TLS certificate, but getting a certificate doesn't appear to be working yet. You should manually change the port in Thunderbird to 465 or 587. But then you'll get the same error for now as with connecting with IMAP to port 993: mox cannot get a certificate.

So we still need to get ACME working. There are two mechanisms that could be used: tls-alpn-01 or http-01. I think both are problematic at the moment:

  1. For tls-alpn-01, the original HTTPS request has to go straight to mox, not via a reverse proxy like nginx. But you do have the reverse proxy set up, so this is not currently an option.
  2. To activate support for http-01 in mox, mox currently needs to be configured to serve HTTP on port 80. But I'm sure nginx is also serving on port 80, so mox can't listen on port 80, and so support for http-01 isn't currently activated. It makes sense for mox to enable http-01 on any listener that is serving plain http. The code that enables http-01 is at mox/http/web.go, line 804 in 354b9f4 ("// If we are listening on port 80 for plain http, also register acme http-01"). I think a check like that should be copied to the various cases higher up where mox is handling the various plain http webserver functionality. I'll try to make a patch, hopefully tomorrow. I think that will get you working ACME!

Oct 10 02:32:03 neverume mox[250869]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/414143477807\" for domain "mail.neveru.me": no viable challenge type>
Oct 10 02:32:03 neverume mox[250869]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/414143477807\" for domain "mail.neveru.me": no viable challenge typ>
Oct 10 02:32:03 neverume mox[250869]: l=error m="requesting certificate" err="acme/autocert: missing certificate" pkg=autotls host=mail.neveru.me
Oct 10 02:32:03 neverume mox[250869]: l=info m="connection closed" err="write: acme/autocert: missing certificate (io error)" pkg=imapserver cid=19273c9ae17 delta=2.568453214s
Oct 10 02:32:03 neverume mox[250869]: l=debug m="dircache delete result" pkg=autotls name=mail.neveru.me+token
Oct 10 02:32:51 neverume mox[250869]: l=error m="requesting automatic certificate" err="429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/>

The "no viable challenge type" error means that tls-alpn-01 and http-01 (and any other mechanisms) did not succeed, which is understandable given the current configuration & mox behaviour.
For future testing, the last error "too many failed authorizations recently" is important: You may have to wait a while before testing again after changes.

does not have mailboxes...
I can't see the mails I sent, but sending mail from the Compose button works

I've seen this before. This is very likely due to nginx's behaviour of buffering reverse proxy requests by default. The webmail uses a server-sent-events (SSE) connection, that streams data to the browser. But nginx is holding it up in its buffer. You'll need proxy_buffering on, also see issue #195.

Interestingly (to me at least), your screenshot also reveals a bug in the mox webmail! The red box in the lower left indicates an unhandled JS error has occurred. I suspect the Signature field of the settings object is being read when you start composing a message. But that settings object isn't populated yet (the data is still in nginx's buffers). The error should go away with buffering disabled. I'll fix the webmail to not read the settings object when it's not loaded. I'm happy to finally see that error reporting code pay off. (:
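What a server block with buffering disabled for the mox webmail looks like, as an added example (not from the issue or the mox project). It assumes nginx terminates TLS for post.neveru.me and proxies to mox's internal listener on 127.0.0.1:9071 as in the mox.conf above; the certificate paths and the management network range are placeholders.

```nginx
# Added example, not from the issue or the mox project.
# Assumes: nginx terminates TLS for post.neveru.me; mox's internal listener
# (AccountHTTP/AdminHTTP/WebmailHTTP/WebAPIHTTP) is on 127.0.0.1:9071 as in
# the mox.conf above; certificate paths and the allow range are placeholders.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name post.neveru.me;

    ssl_certificate     /etc/nginx/certs/post.neveru.me.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/post.neveru.me.key.pem;        # placeholder

    # mox.conf says the admin interface should preferably not be reachable on
    # public IPs. If it must go through nginx at all, restrict it to known
    # addresses before proxying.
    location /admin/ {
        allow 192.0.2.0/24;   # placeholder: your management network
        deny  all;
        proxy_pass http://127.0.0.1:9071;
        # mox's internal listener only matches requests for its configured
        # Hostname (post.neveru.me), so the original Host header must be passed.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
    }

    location / {
        proxy_pass http://127.0.0.1:9071;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # The webmail keeps a long-lived server-sent-events (SSE) stream open and
        # receives its settings and mailbox state through it. nginx's default
        # (proxy_buffering on) holds that stream in a buffer, so the browser shows
        # no mailboxes and the settings object never arrives. Disable buffering
        # and caching, keep the upstream connection on HTTP/1.1 without a
        # "Connection: close", and let the idle stream outlive the 60s default.
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_read_timeout 1h;
    }
}
```

After `nginx -t` and a reload, the mailbox list should appear as soon as the webmail page loads; if it still only shows up after a delay, some other proxy or CDN in front of nginx is buffering the stream too.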

mjl- added a commit that referenced this issue Oct 10, 2024
… http (non-tls) webservers (ports), not only to the one listening on port 80

because this mechanism is most needed behind a reverse proxy, where acme
tls-alpn-01 won't work (because the reverse proxy won't pass on the alpn
extensions). if that's the case, there is obviously a webserver on port 443.
and it's likely also running on port 80. so before this change, if tls-alpn-01
isn't available, http-01 also wasn't available, leaving no validation
mechanisms.

for issue #218 by mgkirs, thanks for reporting and details. hope this helps.
mjl- (Owner) commented Oct 10, 2024

@mgkirs Could you try the latest commit? It should enable ACME validation with the "http-01" mechanism: plain http requests. Nginx needs to forward such requests for each domain that needs a TLS certificate.

See https://www.xmox.nl/b/#0fbf24160c65f8dd8855533cfaa2b485ee6764d9 for compiling or downloading a binary.
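What "Nginx needs to forward such requests" looks like in practice, as an added example (not from the issue or the mox project). It assumes nginx owns port 80 on both public addresses and that mox's "public" listener serves plain HTTP, and with the commit above also acme-http-01, on port 7744 as in the mox.conf above; the hostname list is the one mox logs as "autotls setting allowed hostnames".

```nginx
# Added example, not from the issue or the mox project.
# Assumes: nginx owns port 80 on both public addresses; mox's "public"
# listener serves plain HTTP (WebserverHTTP, now also acme-http-01) on port
# 7744 as in the mox.conf above.
server {
    listen 80;
    listen [::]:80;   # Let's Encrypt validates over the AAAA address when one exists
    # Every hostname mox requests a certificate for must match this block; this
    # is the list from the "autotls setting allowed hostnames" log line.
    server_name mail.neveru.me mail.neverume.com mx.neverume.com
                autoconfig.neveru.me autoconfig.neverume.com
                mta-sts.neveru.me mta-sts.neverume.com;

    # http-01: the CA fetches http://<host>/.well-known/acme-challenge/<token>
    # and expects the response mox generated for that token. Hand the request to
    # mox unchanged (no URI part on proxy_pass, so the path is preserved). If
    # nginx serves this path from its own document root instead, the CA gets a
    # 404 and the authorization fails.
    location /.well-known/acme-challenge/ {
        proxy_pass http://185.83.219.53:7744;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Anything else on plain HTTP goes to HTTPS; the challenge location above
    # wins because it is the longer prefix match.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

A quick way to confirm the wiring before retrying ACME: request any path under /.well-known/acme-challenge/ on port 80 for one of those hostnames and check that nginx's access log shows it proxied to 185.83.219.53:7744 rather than answered from nginx's default site. Keep the Let's Encrypt failed-authorization rate limit in mind and only retry once the forwarding is verified.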

mjl- added a commit that referenced this issue Oct 10, 2024
…the popup after showing an error that the settings aren't available yet

missing returning/throwing error.

based on screenshot with unhandled js error in issue #218 by mgkirs
mgkirs (Author) commented Oct 10, 2024

@mgkirs Could you try the latest commit? It should enable ACME validation with the "http-01" mechanism: plain http requests. Nginx needs to forward such requests for each domain that needs a TLS certificate.

See https://www.xmox.nl/b/#0fbf24160c65f8dd8855533cfaa2b485ee6764d9 for compiling or downloading a binary.

Oct 10 15:07:46 neverume mox[257471]: l=print m="listening for smtp" pkg=smtpserver listener=public address=185.83.219.53:465 protocol=submissions
Oct 10 15:07:46 neverume mox[257471]: l=print m="listening for smtp" pkg=smtpserver listener=public address=[2a02:2ca0:1111:10::a]:465 protocol=submissions
Oct 10 15:07:46 neverume mox[257471]: l=print m="listening for imap" pkg=imapserver listener=public addr=185.83.219.53:993 protocol=imaps
Oct 10 15:07:46 neverume mox[257471]: l=print m="listening for imap" pkg=imapserver listener=public addr=[2a02:2ca0:1111:10::a]:993 protocol=imaps
Oct 10 15:07:46 neverume mox[257471]: l=print m="http listener" pkg=http name=internal kinds="account-http at /,admin-http at /admin/,webapi-http at /webapi/,webmail-http at /webmail/" address=127.0.0.1:9071
Oct 10 15:07:46 neverume mox[257471]: l=print m="http listener" pkg=http name=internal kinds="account-http at /,admin-http at /admin/,webapi-http at /webapi/,webmail-http at /webmail/" address=[::1]:9071
Oct 10 15:07:46 neverume mox[257471]: l=print m="https listener" pkg=http name=public kinds=autoconfig-https,mtasts-https,webserver-https address=185.83.219.53:4444
Oct 10 15:07:46 neverume mox[257471]: l=print m="https listener" pkg=http name=public kinds=autoconfig-https,mtasts-https,webserver-https address=[2a02:2ca0:1111:10::a]:4444
Oct 10 15:07:46 neverume mox[257471]: l=print m="http listener" pkg=http name=public kinds=webserver-http,acme-http-01 address=185.83.219.53:7744
Oct 10 15:07:46 neverume mox[257471]: l=print m="http listener" pkg=http name=public kinds=webserver-http,acme-http-01 address=[2a02:2ca0:1111:10::a]:7744
Oct 10 15:07:46 neverume mox[257471]: l=print m="https listener" pkg=http name=public kinds=acme-tls-alpn-01 address=185.83.219.53:10433
Oct 10 15:07:46 neverume mox[257471]: l=print m="https listener" pkg=http name=public kinds=acme-tls-alpn-01 address=[2a02:2ca0:1111:10::a]:10433
Oct 10 15:07:46 neverume mox[257477]: l=debug m="autotls setting allowed hostnames" pkg=mox hostnames=[autoconfig.neveru.me;autoconfig.neverume.com;mail.neveru.me;mail.neverume.com;mta-sts.neveru.me;mta-sts.neverume.com;mx.neverume.com] publicips=[185.83.219.53,2a02:2ca0:1111:1>
Oct 10 15:07:46 neverume mox[257477]: l=print m="starting as unprivileged user" pkg=serve user=mox uid=1000 gid=1001 pid=257477
Oct 10 15:07:46 neverume mox[257477]: l=debug m="checking ips of hosts configured for acme tls cert validation" pkg=mox
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mx.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=2.931714ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=1.438194ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="592.077µs"
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=9.99225ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=1.207156ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=48.261048ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=2.511589ms
Oct 10 15:07:46 neverume mox[257477]: l=print m="ready to serve" pkg=serve
Oct 10 15:07:46 neverume mox[257477]: l=debug m="checking for updates" pkg=serve lastknown=v0.0.13
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" pkg=serve pkg=dns type=txt name=_updates.xmox.nl. resp="[v=UPDATES0;l=v0.0.12]" authentic=true duration="803.589µs"
Oct 10 15:07:46 neverume mox[257477]: l=debug m="updates lookup result" pkg=serve pkg=updates domain=xmox.nl version=v0.0.12 record="version=UPDATES0" duration="900.206µs"
Oct 10 15:07:46 neverume mox[257477]: l=debug m="updates check result" pkg=serve pkg=updates domain=xmox.nl lastknown=v0.0.13 changelogbaseurl=https://updates.xmox.nl/changelog version=v0.0.12 record="version=UPDATES0" duration="937.395µs"
Oct 10 15:07:46 neverume mox[257477]: l=debug m="no new version available" pkg=serve
Oct 10 15:07:46 neverume mox[257477]: l=info m="sending tls reports" pkg=tlsrptsend day=20241009 cid=192768ae2c4
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dns lookup result" err="lookup 53.219.83.185.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.sbl.spamhaus.org. resp=[] authentic=false duration=1.046344ms
Oct 10 15:07:46 neverume mox[257477]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=185.83.219.53 status=pass explanation= duration=1.214069ms
Oct 10 15:07:46 neverume mox[257477]: l=info m="finished sending tls reports" pkg=tlsrptsend cid=192768ae2c4
Oct 10 15:07:47 neverume mox[257477]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=print m="ensuring certificate availability" pkg=http hostname=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=debug m="autotls hostpolicy result" pkg=autotls host=mx.neverume.com
Oct 10 15:07:47 neverume mox[257477]: l=debug m="found existing private key for certificate for host" pkg=mox acmename=letsencrypt host=mx.neverume.com keytype=ecdsa-p256
Oct 10 15:07:47 neverume mox[257477]: l=debug m="dns lookup result" err="lookup 53.219.83.185.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.bl.spamcop.net. resp=[] authentic=false duration=30.40783ms
Oct 10 15:07:47 neverume mox[257477]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=185.83.219.53 status=pass explanation= duration=30.794096ms
Oct 10 15:07:48 neverume mox[257477]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1>
Oct 10 15:07:48 neverume mox[257477]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=2a02:2ca0:1111:10::a status=pass explanation= duration=1.127541ms
Oct 10 15:07:49 neverume mox[257477]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1>
Oct 10 15:07:49 neverume mox[257477]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=2a02:2ca0:1111:10::a status=pass explanation= duration=24.057766ms
Oct 10 15:08:04 neverume mox[257477]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:18239 local=185.83.219.53:993 tls=true listener=public cid=192768ae2c5 delta="479.718µs"
Oct 10 15:08:04 neverume mox[257477]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:45198 local=185.83.219.53:993 tls=true listener=public cid=192768ae2c6 delta="147.783µs"
Oct 10 15:08:04 neverume mox[257477]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 15:08:04 neverume mox[257477]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 15:08:04 neverume mox[257477]: l=debug m="autotls hostpolicy result" pkg=autotls host=mail.neveru.me
Oct 10 15:08:04 neverume mox[257477]: l=debug m="generating new private key for certificate for host" pkg=mox acmename=letsencrypt host=mail.neveru.me keytype=ecdsa-p256
Oct 10 15:08:05 neverume mox[257477]: l=debug m="dircache put result" pkg=autotls name=mail.neveru.me+token
Oct 10 15:08:07 neverume mox[257477]: l=info m="autotls cert store" pkg=autotls name=hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY+http-01
Oct 10 15:08:07 neverume mox[257477]: l=debug m="dircache put result" pkg=autotls name=hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY+http-01
Oct 10 15:08:09 neverume mox[257477]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain \"mail.neveru.me\": no viable challenge type found (failures: challenge tls-alpn-01: acm>
Oct 10 15:08:09 neverume mox[257477]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain \"mail.neveru.me\": no viable challenge type found (failures: challenge tls-alpn-01: ac>
Oct 10 15:08:09 neverume mox[257477]: l=debug m="dircache delete result" pkg=autotls name=mail.neveru.me+token
Oct 10 15:08:09 neverume mox[257477]: l=error m="requesting certificate" err="acme/autocert: missing certificate" pkg=autotls host=mail.neveru.me
Oct 10 15:08:09 neverume mox[257477]: l=info m="connection closed" err="write: acme/autocert: missing certificate (io error)" pkg=imapserver cid=192768ae2c5 delta=4.453626645s
Oct 10 15:08:09 neverume mox[257477]: l=info m="autotls cert delete" pkg=autotls name=hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY+http-01
Oct 10 15:08:09 neverume mox[257477]: l=debug m="dircache delete result" pkg=autotls name=hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY+http-01

mjl- (Owner) commented Oct 10, 2024

Oct 10 15:08:09 neverume mox[257477]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain "mail.neveru.me": no viable challenge type found (failures: challenge tls-alpn-01: acm>
Oct 10 15:08:09 neverume mox[257477]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain "mail.neveru.me": no viable challenge type found (failures: challenge tls-alpn-01: ac>

Those lines are truncated (probably copy-pasted from terminal). Do they say something about http-01 failing? And have you seen an error message explaining the failure? It would be good to check that it isn't still the "too many failed attempts recently" error.

And do you see HTTP requests coming in from Let's Encrypt? They should at least be in the nginx logs.

mgkirs (Author) commented Oct 10, 2024

Oct 10 15:08:09 neverume mox[257477]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain \"mail.neveru.me\": no viable challenge type found (failures: challenge tls-alpn-01: acme: authorization error for mail.neveru.me: 403 urn:ietf:params:acme:error:unauthorized: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge; challenge http-01: acme: authorization error for mail.neveru.me: 403 urn:ietf:params:acme:error:unauthorized: 2a02:2ca0:1111:10::a: Invalid response from http://mail.neveru.me/.well-known/acme-challenge/hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY: 404)" pkg=autotls host=mail.neveru.me
Oct 10 15:08:09 neverume mox[257477]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414370257157\" for domain \"mail.neveru.me\": no viable challenge type found (failures: challenge tls-alpn-01: acme: authorization error for mail.neveru.me: 403 urn:ietf:params:acme:error:unauthorized: Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge; challenge http-01: acme: authorization error for mail.neveru.me: 403 urn:ietf:params:acme:error:unauthorized: 2a02:2ca0:1111:10::a: Invalid response from http://mail.neveru.me/.well-known/acme-challenge/hNB1rOmcgI0Mjr7HMsyZjpfi3bmdiPMAtu5Ai43I7zY: 404) (io error)" pkg=imapserver cid=192768ae2c6 delta=4.431744998s

I can give the full log file, but I was trying to connect with a few different Thunderbird configs.

I waited a while; now:

Oct 10 15:21:47 neverume mox[257925]: l=debug m="autotls setting allowed hostnames" pkg=mox hostnames=[autoconfig.neveru.me;autoconfig.neverume.com;mail.neveru.me;mail.neverume.com;mta-sts.neveru.me;mta-sts.neverume.com;mx.neverume.com] publicips=[185.83.219.53,2a02:2ca0:1111:1>
Oct 10 15:21:47 neverume mox[257925]: l=print m="starting as unprivileged user" pkg=serve user=mox uid=1000 gid=1001 pid=257925
Oct 10 15:21:47 neverume mox[257925]: l=debug m="checking ips of hosts configured for acme tls cert validation" pkg=mox
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mx.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration=1.40658ms
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="635.152µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="647.187µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.neverume.com. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="426.113µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=autoconfig.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="434.944µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mta-sts.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="413.098µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=mox pkg=autotls type=ip network=ip host=mail.neveru.me. resp=[2a02:2ca0:1111:10::a;185.83.219.53] authentic=true duration="542.526µs"
Oct 10 15:21:47 neverume mox[257925]: l=print m="ready to serve" pkg=serve
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" err="lookup 53.219.83.185.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.sbl.spamhaus.org. resp=[] authentic=false duration=1.340411ms
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=185.83.219.53 status=pass explanation= duration=1.478148ms
Oct 10 15:21:47 neverume mox[257925]: l=debug m="checking for updates" pkg=serve lastknown=v0.0.13
Oct 10 15:21:47 neverume mox[257925]: l=debug m="dns lookup result" pkg=serve pkg=dns type=txt name=_updates.xmox.nl. resp="[v=UPDATES0;l=v0.0.12]" authentic=true duration="372.132µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="updates lookup result" pkg=serve pkg=updates domain=xmox.nl version=v0.0.12 record="version=UPDATES0" duration="464.098µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="updates check result" pkg=serve pkg=updates domain=xmox.nl lastknown=v0.0.13 changelogbaseurl=https://updates.xmox.nl/changelog version=v0.0.12 record="version=UPDATES0" duration="531.82µs"
Oct 10 15:21:47 neverume mox[257925]: l=debug m="no new version available" pkg=serve
Oct 10 15:21:47 neverume mox[257925]: l=info m="sending tls reports" pkg=tlsrptsend day=20241009 cid=1927697b957
Oct 10 15:21:47 neverume mox[257925]: l=info m="finished sending tls reports" pkg=tlsrptsend cid=1927697b957
Oct 10 15:21:48 neverume mox[257925]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=print m="ensuring certificate availability" pkg=http hostname=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=debug m="autotls hostpolicy result" pkg=autotls host=mx.neverume.com
Oct 10 15:21:48 neverume mox[257925]: l=debug m="found existing private key for certificate for host" pkg=mox acmename=letsencrypt host=mx.neverume.com keytype=ecdsa-p256
Oct 10 15:21:48 neverume mox[257925]: l=debug m="dns lookup result" err="lookup 53.219.83.185.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=53.219.83.185.bl.spamcop.net. resp=[] authentic=false duration=28.924719ms
Oct 10 15:21:48 neverume mox[257925]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=185.83.219.53 status=pass explanation= duration=29.054423ms
Oct 10 15:21:49 neverume mox[257925]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.sbl.spamhaus.org. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1>
Oct 10 15:21:49 neverume mox[257925]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=sbl.spamhaus.org ip=2a02:2ca0:1111:10::a status=pass explanation= duration=1.714411ms
Oct 10 15:21:51 neverume mox[257925]: l=debug m="dns lookup result" err="lookup a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1.1.0.a.c.2.2.0.a.2.bl.spamcop.net. on 127.0.0.1:53: no such host" pkg=dnsblmonitor type=ip network=ip4 host=a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.1.1>
Oct 10 15:21:51 neverume mox[257925]: l=debug m="dnsbl lookup result" pkg=serve pkg=dnsbl zone=bl.spamcop.net ip=2a02:2ca0:1111:10::a status=pass explanation= duration=29.524702ms
Oct 10 15:21:58 neverume mox[257925]: l=info m="new connection" pkg=smtpserver remote=178.215.236.89:50089 local=185.83.219.53:25 submission=false tls=false listener=public cid=1927697b958 delta="331.873µs"
Oct 10 15:21:58 neverume mox[257925]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="114.129µs" cid=1927697b958 delta=17.955897ms
Oct 10 15:21:58 neverume mox[257925]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="132.346µs" cid=1927697b958 delta=17.712058ms
Oct 10 15:21:58 neverume mox[257925]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="24.989µs" cid=1927697b958 delta=17.405351ms
Oct 10 15:21:58 neverume mox[257925]: l=info m="connection closed" pkg=smtpserver cid=1927697b958 delta="255.201µs"
Oct 10 15:22:33 neverume mox[257925]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:35468 local=185.83.219.53:993 tls=true listener=public cid=1927697b959 delta="336.105µs"
Oct 10 15:22:33 neverume mox[257925]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:25349 local=185.83.219.53:993 tls=true listener=public cid=1927697b95a delta="157.912µs"
Oct 10 15:22:33 neverume mox[257925]: l=info m="getting cert from dir cache" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 15:22:33 neverume mox[257925]: l=debug m="dircache get result" err="acme/autocert: certificate cache miss" pkg=autotls name=mail.neveru.me
Oct 10 15:22:33 neverume mox[257925]: l=debug m="autotls hostpolicy result" pkg=autotls host=mail.neveru.me
Oct 10 15:22:33 neverume mox[257925]: l=debug m="generating new private key for certificate for host" pkg=mox acmename=letsencrypt host=mail.neveru.me keytype=ecdsa-p256
Oct 10 15:23:42 neverume mox[257925]: l=debug m="http request" pkg=http httpaccess= handler=(nomatch) method=get url=/.env host=autoconfig.neverume.com duration=1.105041ms statuscode=404 proto=http/1.0 remoteaddr=185.83.219.53:36502 tlsinfo=plain useragent="SonyEricssonS500i/R6>
Oct 10 15:23:43 neverume mox[257925]: l=debug m="http request" pkg=http httpaccess= handler=(nomatch) method=get url=/.env host=autoconfig.neveru.me duration="259.572µs" statuscode=404 proto=http/1.0 remoteaddr=185.83.219.53:36508 tlsinfo=plain useragent="Mozilla/5.0 (Linux; An>

Oct 10 15:58:15 neverume mox[258686]: l=info m="new connection" pkg=smtpserver remote=206.168.34.223:38068 local=185.83.219.53:25 submission=false tls=false listener=public cid=19276b89961 delta="289.077µs"
Oct 10 15:58:16 neverume mox[258686]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="195.547µs" cid=19276b89961 delta=1.068167522s
Oct 10 15:58:16 neverume mox[258686]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=starttls code=220 ecode=2.0.0 duration="61.724µs" cid=19276b89961 delta=268.788264ms
Oct 10 15:58:16 neverume mox[258686]: l=debug m="starting tls server handshake" pkg=smtpserver cid=19276b89961 delta="230.8µs"
Oct 10 15:59:17 neverume mox[258686]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:18213 local=185.83.219.53:993 tls=true listener=public cid=19276b89962 delta="444.526µs"
Oct 10 16:00:33 neverume mox[258686]: l=info m="sending dmarc aggregate reports" pkg=dmarcdb end=2024-10-10T14:00:00Z intervals=[2;1] cid=19276b89963
Oct 10 16:00:33 neverume mox[258686]: l=info m="finished sending dmarc aggregate reports" pkg=dmarcdb cid=19276b89963
Oct 10 16:00:57 neverume mox[258686]: l=info m="connection closed" err="write: EOF (io error)" pkg=imapserver cid=19276b89962 delta=1m40.039941941
MX
OK
Preference	Host	IPs
10	mx.neverume.com.	2a02:2ca0:1111:10::a, 185.83.219.53

Show instructions

TLS
SMTP connection with STARTTLS to MX hostname "mx.neverume.com." IP 2a02:2ca0:1111:10::a: TLS handshake after SMTP STARTTLS: context deadline exceeded
SMTP connection with STARTTLS to MX hostname "mx.neverume.com." IP 185.83.219.53: TLS handshake after SMTP STARTTLS: read tcp 185.83.219.53:52754->185.83.219.53:25: i/o timeout



DANE
OK

Show instructions

SPF
OK
Domain TXT record: v=spf1 ip6:2a02:2ca0:1111:10::a ip4:185.83.219.53 mx ~all
Host TXT record: v=spf1 a -all

Also, I was trying to show Check DNS. I have a few domains; mox did not configure mx.neveru.me.

@neveru.me
password

mail.neverume.com:993 STARTTLS

Oct 10 18:35:09 neverume mox[261650]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:52349 local=185.83.219.53:993 tls=true listener=public cid=192774804eb delta="440.798µs"
Oct 10 18:35:09 neverume mox[261650]: l=info m="new connection" pkg=imapserver remote=172.56.163.134:14721 local=185.83.219.53:993 tls=true listener=public cid=192774804ea delta="439.353µs"
Oct 10 18:36:34 neverume mox[261650]: l=info m="new connection" pkg=smtpserver remote=188.190.10.140:62997 local=185.83.219.53:25 submission=false tls=false listener=public cid=192774804ec delta="581.252µs"
Oct 10 18:36:34 neverume mox[261650]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="227.186µs" cid=192774804ec delta=6.804133ms
Oct 10 18:36:34 neverume mox[261650]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="177.16µs" cid=192774804ec delta=4.784356ms
Oct 10 18:36:35 neverume mox[261650]: l=info m="connection closed" err="read: EOF (io error)" pkg=smtpserver cid=192774804ec delta=16.856551ms
Oct 10 18:36:49 neverume mox[261650]: l=info m="connection closed" err="write: EOF (io error)" pkg=imapserver cid=192774804eb delta=1m40.049611186s
Oct 10 18:36:49 neverume mox[261650]: l=info m="connection closed" err="write: EOF (io error)" pkg=imapserver cid=192774804ea delta=1m40.064263082s

Connection to server mail.neverume.com timed out.

mail.neverume.com:993 SSL\TLS

Oct 10 18:44:21 neverume mox[261650]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414433387737\" for domain \"mail.neverume.com\": no viable challenge t>
Oct 10 18:44:21 neverume mox[261650]: l=info m="connection closed" err="write: acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/414433387737\" for domain \"mail.neverume.com\": no viable challenge >
Oct 10 18:44:21 neverume mox[261650]: l=info m="autotls cert delete" pkg=autotls name=STd_XfCxVKVxAqO82octy1H9jwrv1mi3quwurPqfemU+http-01
Oct 10 18:44:21 neverume mox[261650]: l=debug m="dircache delete result" pkg=autotls name=STd_XfCxVKVxAqO82octy1H9jwrv1mi3quwurPqfemU+http-01
Oct 10 18:44:21 neverume mox[261650]: l=error m="requesting certificate" err="acme/autocert: missing certificate" pkg=autotls host=mail.neverume.com
Oct 10 18:44:21 neverume mox[261650]: l=debug m="dircache delete result" pkg=autotls name=mail.neverume.com+token
Oct 10 18:44:21 neverume mox[261650]: l=info m="connection closed" err="write: acme/autocert: missing certificate (io error)" pkg=imapserver cid=192774804f3 delta=3.935920934s
Oct 10 18:44:38 neverume mox[261650]: l=info m="new connection" pkg=smtpserver remote=188.190.10.147:49705 local=185.83.219.53:25 submission=false tls=false listener=public cid=192774804f4 delta="270.799µs"
Oct 10 18:44:38 neverume mox[261650]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="113.104µs" cid=192774804f4 delta=4.720917ms
Oct 10 18:44:38 neverume mox[261650]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=rset code=250 ecode=2.0.0 duration="105.197µs" cid=192774804f4 delta=4.770797ms
Oct 10 18:44:38 neverume mox[261650]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="105.804µs" cid=192774804f4 delta=4.791727ms
Oct 10 18:44:38 neverume mox[261650]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="25.136µs" cid=192774804f4 delta=4.5008ms
Oct 10 18:44:38 neverume mox[261650]: l=info m="connection closed" pkg=smtpserver cid=192774804f4 delta="180.579µs"

Non-overridable TLS error occurred. Handshake error or probably the TLS version or certificate used by server mail.neverume.com is incompatible.

@mjl-
Owner

mjl- commented Oct 11, 2024

I'm seeing entries on crt.sh for your domains (including autoconfig and mta-sts) from Let's Encrypt. Was that the result of successful ACME verification with mox? (:

Btw, about timing out connections to 993: Make sure to use direct TLS, not TCP+STARTTLS, on that port.

@mgkirs
Author

mgkirs commented Oct 11, 2024

I'm seeing entries on crt.sh for your domains (including autoconfig and mta-sts) from Let's Encrypt. Was that the result of successful ACME verification with mox? (:

What do you mean? Before the patch this didn't work.

Btw, about timing out connections to 993: make sure to use direct TLS, not TCP+STARTTLS, on that port.
I have the option of STARTTLS or SSL\TLS: this one is STARTTLS, the next one is SSL\TLS.

I have an error

TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 17997999906816:error:10000438:SSL routines:OPENSSL_internal:TLSV1_ALERT_INTERNAL_ERROR:third_party/openssl/boringssl/src/ssl/tls_record.cc:592:SSL alert number 80

from Google

@mjl-
Owner

mjl- commented Oct 11, 2024

What do you mean? Before the patch this didn't work.

I looked at https://crt.sh/?q=mx.neveru.me (and similar for autoconfig, mta-sts), and noticed new certificates. Perhaps that's only an intent to hand out a certificate, not a fully granted certificate.

By the way, are you seeing logging in mox for http requests for the /.well-known/acme-challenge/ verification? One of your error messages mentioned a "404" response. It would be good to know mox is sending that response, and not nginx.

TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 17997999906816:error:10000438:SSL routines:OPENSSL_internal:TLSV1_ALERT_INTERNAL_ERROR:third_party/openssl/boringssl/src/ssl/tls_record.cc:592:SSL alert number 80

OK, that indeed is a TLS-level "internal error", likely because there is no certificate.

It's a matter of figuring out why the http-01 verification is still failing.

@mjl-
Owner

mjl- commented Nov 1, 2024

@mgkirs Any progress? Did you get it working, and can we close this issue?

@mgkirs
Author

mgkirs commented Nov 1, 2024

I am looking at the nginx load balancer

stream {
    
    map $ssl_preread_server_name $backend {
        autoconfig.neveru.me 185.83.219.53:47444;
        autoconfig.neverume.com 185.83.219.53:47444;
        mx.neveru.me 185.83.219.53:4444;
        mx.neverume.com 185.83.219.53:4444;
        mail.neveru.me 185.83.219.53:4444;
        mail.neverume.com 185.83.219.53:4444;
        mta-sts.neveru.me 185.83.219.53:47744;
        mta-sts.neverume.com 185.83.219.53:47744;
        default 185.83.219.53:9090;
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $backend;
    }
}

But today I have some different issues.
Port 25 does not work. It works, but if I try to send via SMTP it does not work; SMTP on port 25 is not available for localhost, and I cannot find the config.
Google does not send email to mox.
Thunderbird sends mails and gets mails, it is OK, but when I try to connect with a PHP SMTP framework it does not work. I have no idea; there are no errors in any logs.

neverume mox[460266]: l=info m="new connection" pkg=smtpserver remote=45.84.89.2:52136 local=185.83.219.53:465 submission=true tls=true listener=public cid=192d7c45966 delta=1.246765ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=submission cmd=(unknown) code=500 ecode=5.5.2 duration="76.465µs" cid=192d7c45966 delta=228.431765ms
neverume mox[460266]: l=info m="connection closed" err="io error" pkg=smtpserver cid=192d7c45966 delta="438.697µs"
neverume mox[460266]: l=info m="https error" err="http: TLS handshake error from 64.62.197.69:51031: tls: first record does not look like a TLS handshake" pkg=http pkg=net/http
neverume mox[460266]: l=info m="https error" err="http: TLS handshake error from 64.62.197.75:11755: unexpected EOF" pkg=http pkg=net/http
neverume mox[460266]: l=debug m="tls request without sni servername, rejecting" pkg=autotls localaddr=185.83.219.53:4444 supportedprotos=[]
neverume mox[460266]: l=info m="https error" err="http: TLS handshake error from 71.6.134.235:54598: tls: no certificates configured" pkg=http pkg=net/http
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=idle duration=9m46.710295799s cid=192d7c45965 delta=9m48.855359171s [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=noop duration="183.765µs" cid=192d7c45965 delta=175.274763ms [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=getquotaroot duration="570.736µs" cid=192d7c45965 delta=143.877655ms [email protected]
neverume mox[460266]: l=debug m="processing uid" pkg=imapserver uid=12 cid=192d7c45965 delta=151.816964ms [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd="uid fetch" duration=17.702184ms cid=192d7c45965 delta=11.674691ms [email protected]
neverume mox[460266]: l=info m="new connection" pkg=imapserver remote=172.169.111.158:45770 local=185.83.219.53:993 tls=true listener=public cid=192d7c45967 delta=2.170757ms
neverume mox[460266]: l=info m="connection closed" err="write: tls: first record does not look like a TLS handshake (io error)" pkg=imapserver cid=192d7c45967 delta=2.091799ms
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=idle duration=9m44.04600808s cid=192d7c45965 delta=9m46.193017572s [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=check duration="793.164µs" cid=192d7c45965 delta=143.932795ms [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd=getquotaroot duration=1.957008ms cid=192d7c45965 delta=180.441423ms [email protected]
neverume mox[460266]: l=debug m="processing uid" pkg=imapserver uid=12 cid=192d7c45965 delta=192.504112ms [email protected]
neverume mox[460266]: l=debug m="imap command done" pkg=imapserver cmd="uid fetch" duration=45.141905ms cid=192d7c45965 delta=43.279479ms [email protected]
neverume mox[460266]: l=info m="https error" err="http: TLS handshake error from 71.6.134.235:45258: client sent an HTTP request to an HTTPS server" pkg=http pkg=net/http
neverume mox[460266]: l=info m="new connection" pkg=smtpserver remote=185.196.9.167:59683 local=185.83.219.53:25 submission=false tls=false listener=public cid=192d7c45968 delta=2.122591ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="945.179µs" cid=192d7c45968 delta=24.972207ms
neverume mox[460266]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration=1.276304ms cid=192d7c45968 delta=24.366956ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="38.346µs" cid=192d7c45968 delta=21.887429ms
neverume mox[460266]: l=info m="connection closed" pkg=smtpserver cid=192d7c45968 delta="335.308µs"
neverume mox[460266]: l=info m="new connection" pkg=smtpserver remote=185.196.9.190:49271 local=185.83.219.53:25 submission=false tls=false listener=public cid=192d7c45969 delta=1.694477ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="968.708µs" cid=192d7c45969 delta=25.15996ms
neverume mox[460266]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="553.923µs" cid=192d7c45969 delta=22.378517ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="36.046µs" cid=192d7c45969 delta=23.561869ms
neverume mox[460266]: l=info m="connection closed" pkg=smtpserver cid=192d7c45969 delta="348.916µs"

@mjl-
Owner

mjl- commented Nov 2, 2024

Sending from php doesn't work? Is it this connection?

neverume mox[460266]: l=info m="new connection" pkg=smtpserver remote=185.196.9.190:49271 local=185.83.219.53:25 submission=false tls=false listener=public cid=192d7c45969 delta=1.694477ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="968.708µs" cid=192d7c45969 delta=25.15996ms
neverume mox[460266]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="553.923µs" cid=192d7c45969 delta=22.378517ms
neverume mox[460266]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="36.046µs" cid=192d7c45969 delta=23.561869ms

That seems to be an attempt to submit a message on port 25. Submission only works on ports 465 (TLS) and port 587 (STARTTLS).
That connection could also be a random connection attempt from a spammer trying to send through your server though...

If messages from google aren't coming in, it is likely a problem with MX delivery.
I tried making a connection like for delivery, and that seems to work for neverume.com, but not neveru.me. You can try with openssl s_client -starttls smtp -connect mx.neverume.com:25 (works) and openssl s_client -starttls smtp -connect mx.neveru.me:25 (no certificate for that name, which makes sense since mox would use a single mx host name).
Have you tried looking at the DNS check admin pages for each domain? It may show a warning/error that will help you further.
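Two things the thread asks the reporter to check are whether mox itself is answering 404 for `/.well-known/acme-challenge/` requests (the comment above about the 404) and whether the failing "submission" is really an AUTH on port 25. This added example (not part of the issue or of mox) parses mox's `key=value` log format and flags those cases over constructed sample lines modelled on the ones pasted in this thread; the TOKEN and authz IDs are placeholders.

```python
"""Triage of mox log lines for the ACME http-01, port-25 AUTH and missing-SNI symptoms seen here."""
import re
from typing import Dict, List

# Constructed sample lines in mox's key=value log format (not real captured logs).
SAMPLE_LOG = r'''
neverume mox[1]: l=debug m="http request" pkg=http handler=(nomatch) method=get url=/.well-known/acme-challenge/TOKEN-placeholder host=mail.neverume.com statuscode=404 proto=http/1.1 remoteaddr=10.0.0.1:1234 tlsinfo=plain
neverume mox[1]: l=error m="requesting certificate" err="acme/autocert: unable to satisfy \"https://acme-v02.api.letsencrypt.org/acme/authz-v3/ID-placeholder\" for domain \"mail.neverume.com\": no viable challenge type found" pkg=autotls host=mail.neverume.com
neverume mox[1]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 cid=abc
neverume mox[1]: l=debug m="tls request without sni servername, rejecting" pkg=autotls localaddr=185.83.219.53:4444 supportedprotos=[]
neverume mox[1]: l=info m="new connection" pkg=imapserver remote=10.0.0.2:5 local=185.83.219.53:993 tls=true listener=public cid=def
'''

# key=value tokens; quoted values may contain backslash-escaped quotes.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one mox log line into its fields (for duplicate keys such as pkg=, the last wins)."""
    fields: Dict[str, str] = {}
    for key, raw in TOKEN_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def triage(log_text: str) -> Dict[str, object]:
    """Count the symptoms discussed in this issue across a block of log lines."""
    findings: Dict[str, object] = {
        "acme_challenge_404": [],    # mox answered 404 to an http-01 challenge request
        "acme_http01_failed": [],    # autocert gave up on the authorization
        "auth_on_port_25": 0,        # AUTH attempted on the MX port instead of 465/587
        "no_sni": 0,                 # TLS client hello without server name, rejected
    }
    for line in log_text.splitlines():
        if "m=" not in line:
            continue
        f = parse_line(line)
        msg, err = f.get("m", ""), f.get("err", "")
        if (msg == "http request"
                and f.get("url", "").startswith("/.well-known/acme-challenge/")
                and f.get("statuscode") == "404"):
            findings["acme_challenge_404"].append(f.get("host", "?"))
        elif msg == "requesting certificate" and "no viable challenge" in err:
            findings["acme_http01_failed"].append(f.get("host", "?"))
        elif err == "authentication only allowed on submission ports":
            findings["auth_on_port_25"] += 1
        elif msg.startswith("tls request without sni servername"):
            findings["no_sni"] += 1
    return findings


def explain(findings: Dict[str, object]) -> List[str]:
    """Turn the counts into the checks suggested in this thread."""
    out = []
    if findings["acme_challenge_404"]:
        out.append("mox (not nginx) answered 404 for acme-challenge on: "
                   + ", ".join(findings["acme_challenge_404"]))
    if findings["acme_http01_failed"]:
        out.append("http-01 authorization failed for: " + ", ".join(findings["acme_http01_failed"]))
    if findings["auth_on_port_25"]:
        out.append("AUTH on port 25 seen %d time(s); submission needs 465 (TLS) or 587 (STARTTLS)"
                   % findings["auth_on_port_25"])
    if findings["no_sni"]:
        out.append("%d TLS connection(s) arrived without SNI and were rejected" % findings["no_sni"])
    return out


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_LOG)):
        print(line)
```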

@mgkirs
Author

mgkirs commented Nov 8, 2024

Hostname: mx.neveru.me
I changed the config; mox gets mails from Gmail.
It is the correct domain.

Mox has only one Hostname field for the server in mox.conf.
How can I make correct MX servers if I have more domains?
I looked at domains.conf,
this config has MX servers for different accounts:
mx.neveru.me
mx.neverume.com

mox does not serve delivery; this config does not configure MX servers.

 openssl s_client -starttls smtp -connect mx.neveru.me:465
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 23 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Neverume mox[35486]: l=info m="new connection" pkg=smtpserver remote=[2a02:2ca0:1111:10::a]:58696 local=[2a02:2ca0:1111:10::a]:465 submission=true tls=true listener=public cid=1930d725d43 delta="624.214µs"
 Neverume mox[35486]: l=info m="connection closed" err="write: read tcp [2a02:2ca0:1111:10::a]:465->[2a02:2ca0:1111:10::a]:58696: i/o timeout (io error)" pkg=smtpserver cid=1930d725d43 delta=30.0157031s
 Neverume mox[35486]: l=info m="new connection" pkg=smtpserver remote=80.94.95.239:60560 local=185.83.219.53:25 submission=false tls=false listener=public cid=1930d725d44 delta="865.929µs"
 Neverume mox[35486]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="227.5µs" cid=1930d725d44 delta=899.81174ms
 Neverume mox[35486]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=rset code=250 ecode=2.0.0 duration="85.182µs" cid=1930d725d44 delta=1.105789959s
 Neverume mox[35486]: l=debug m="smtp command result" err="authentication only allowed on submission ports" pkg=smtpserver kind=smtp cmd=auth code=503 ecode=5.5.1 duration="381.627µs" cid=1930d725d44 delta=981.327421ms
 Neverume mox[35486]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=quit code=221 ecode=2.0.0 duration="67.55µs" cid=1930d725d44 delta=977.061274ms
 Neverume mox[35486]: l=info m="connection closed" pkg=smtpserver cid=1930d725d44 delta="341.431µs"
 openssl s_client -starttls smtp -connect mx.neveru.me:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = mx.neveru.me
verify return:1
---
Certificate chain
 0 s:CN = mx.neveru.me
   i:C = US, O = Let's Encrypt, CN = E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  8 16:42:46 2024 GMT; NotAfter: Feb  6 16:42:45 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = E5
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = mx.neveru.me
issuer=C = US, O = Let's Encrypt, CN = E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2589 bytes and written 423 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8
80EBA914807F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
Neverume mox[37533]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=ehlo code=250 ecode= duration="174.515µs" cid=1930d97c3ee delta="811.122µs"
Neverume mox[37533]: l=debug m="smtp command result" pkg=smtpserver kind=smtp cmd=starttls code=220 ecode=2.0.0 duration="51.172µs" cid=1930d97c3ee delta="266.425µs"
Neverume mox[37533]: l=debug m="starting tls server handshake" pkg=smtpserver cid=1930d97c3ee delta="116.12µs"
Neverume mox[37533]: l=debug m="autotls cert get" pkg=autotls name=mx.neveru.me
Neverume mox[37533]: l=debug m="dircache get result" pkg=autotls name=mx.neveru.me
Neverume mox[37533]: l=debug m="tls server handshake done" pkg=smtpserver tls=TLS1.3 ciphersuite=TLS_AES_128_GCM_SHA256 cid=1930d97c3ee delta=9.919652ms
Neverume mox[37533]: l=info m="connection closed" err="read: read tcp [2a02:2ca0:1111:10::a]:25->[2a02:2ca0:1111:10::a]:58464: i/o timeout (io error)" pkg=smtpserver cid=1930d97c3ee delta=30.003113709s

What about HTTP certification: it is correct, I think nginx works correctly with the HTTP proxy. I just tried restarting the current mox server with the old nginx config; this is correct, I do not see any errors, the certificate is cached.

Thank you
