Troubleshoot Mail Protocol Errors

This guide helps diagnose and resolve common connection, authentication, and delivery issues with the Mailu mail server at mail.kup6s.com.

Quick Diagnostics

Test DNS Resolution

# Verify DNS points to correct IP
nslookup mail.kup6s.com

# Expected output:
# Name: mail.kup6s.com
# Address: 167.233.14.203
# Address: 2a01:4f8:1c1f:6562::1

Test TLS Connectivity

Test IMAPS (port 993):

openssl s_client -connect mail.kup6s.com:993 -quiet

Expected: * OK [CAPABILITY IMAP4rev1 ...] Dovecot ready.

Test SMTPS (port 465):

openssl s_client -connect mail.kup6s.com:465 -quiet

Expected: 220 mail.kup6s.com ESMTP Postfix

Test Submission (port 587):

openssl s_client -connect mail.kup6s.com:587 -starttls smtp -quiet

Expected: 220 mail.kup6s.com ESMTP Postfix

Test Authentication

Test IMAP login:

# Connect to IMAP
openssl s_client -connect mail.kup6s.com:993 -quiet

# Login (replace with your credentials)
a LOGIN user@kup6s.com yourpassword

# Expected: a OK Logged in
# Logout
a LOGOUT

Test SMTP AUTH:

# Generate base64 credentials
echo -ne '\000user@kup6s.com\000yourpassword' | base64

# Connect to SMTP
openssl s_client -connect mail.kup6s.com:465 -quiet

# Authenticate
EHLO localhost
AUTH PLAIN <base64-string-from-above>

# Expected: 235 2.7.0 Authentication successful
QUIT

Common Connection Errors

“Connection Refused” or “Cannot Connect”

Symptoms: Mail client cannot establish connection to server

Possible Causes:

  1. Firewall blocking ports

    • Check: Try from different network (e.g., mobile data)

    • Solution: Contact network administrator to unblock ports 465, 587, 993, 995

  2. Wrong server name

    • Check: Verify server is mail.kup6s.com (not kup6s.com)

    • Solution: Update mail client settings

  3. Service down

    • Check: kubectl get pods -n mailu | grep front

    • Solution: Contact administrator if pod not Running

“Connection Times Out”

Symptoms: Connection attempt hangs for 30-60 seconds then fails

Diagnosis:

# Test if port is reachable
timeout 5 openssl s_client -connect mail.kup6s.com:993

# If timeout, port is likely blocked

Solutions:

  1. Try alternative port (587 instead of 465 for SMTP)

  2. Check corporate firewall rules

  3. Try from different network to isolate issue

“Certificate Error” or “SSL/TLS Handshake Failed”

Symptoms: Client shows certificate warning or TLS error

Common Causes:

  1. System clock wrong

    • Check: Verify date/time on device

    • Solution: Enable automatic time sync

  2. Outdated OS/Client

    • Check: Update mail client or OS

    • Solution: Old clients may not trust Let’s Encrypt root CA

  3. Incorrect port security setting

    • Check: Port 465 uses SSL/TLS (implicit), port 587 uses STARTTLS (explicit)

    • Solution: Match security type to port

Verify Certificate Manually:

# View certificate details
openssl s_client -connect mail.kup6s.com:993 -showcerts

# Check certificate validity dates
openssl s_client -connect mail.kup6s.com:993 2>/dev/null | openssl x509 -noout -dates

Authentication Errors

“Authentication Failed” or “Invalid Credentials”

Symptoms: Client shows password error even with correct password

Troubleshooting Steps:

  1. Verify credentials via webmail:

    • Open https://mail.kup6s.com in browser

    • Try logging in with same email/password

    • If fails: Password is actually wrong, use admin UI to reset

  2. Check username format:

    • ✅ Correct: user@kup6s.com (full email address)

    • ❌ Wrong: user (username only)

    • Some clients require full email in both username fields

  3. Check for special characters:

    • Passwords with @, %, & may need escaping in some clients

    • Try changing password to alphanumeric temporarily to test

  4. Check account status:

    # Admin command to verify account exists
kubectl exec -n mailu deploy/mailu-admin-deployment-c8xxxxxx -- \
  flask mailu user info user@kup6s.com

“535 5.7.8 Authentication Failed” (SMTP)

Specific to SMTP submission - authentication is required:

Check AUTH mechanisms:

openssl s_client -connect mail.kup6s.com:465 -quiet
EHLO localhost

# Look for: 250-AUTH PLAIN LOGIN
# Mailu supports PLAIN and LOGIN auth methods

Solution: Ensure “My server requires authentication” is enabled in SMTP settings

Rate Limiting / “Too Many Login Attempts”

Symptoms: Authentication fails after multiple attempts, works later

Cause: Mailu rate limiting (10 attempts per hour per IP by default)

Solutions:

  1. Wait 1 hour for rate limit to reset

  2. Verify credentials before retrying

  3. Check admin UI for failed login attempts

Admin Command to Check:

# View rate limit status
kubectl logs -n mailu deploy/mailu-admin-deployment-c8xxxxxx | grep -i "rate"

Mail Delivery Issues

Outgoing Mail Rejected

Symptom: “550 Relay access denied” or similar

Cause: SMTP authentication not configured

Solution: Enable SMTP authentication in mail client (port 465 or 587, not 25)

Incoming Mail Not Arriving

Check MX Records:

dig MX kup6s.com

# Expected:
# kup6s.com. IN MX 10 mail.kup6s.com.

Check Postfix Logs:

# View incoming mail logs
kubectl logs -n mailu deploy/mailu-smtp-deployment-c8xxxxxx | tail -50

Common Issues:

  • SPF/DKIM failures (check sender’s configuration)

  • Mailbox quota exceeded (check admin UI)

  • Spam filtering (check Rspamd web UI)

“Mailbox Full” or Quota Errors

Check Quota:

# Admin command to check mailbox quota
kubectl exec -n mailu deploy/mailu-admin-deployment-c8xxxxxx -- \
  flask mailu user info user@kup6s.com | grep quota

Solution: Increase quota in admin UI or delete old emails

Server-Side Diagnostics

Check Service Health

# Check all Mailu pods are running
kubectl get pods -n mailu

# Expected: All pods in Running state
# - mailu-admin-deployment-*
# - mailu-front-deployment-*
# - mailu-imap-deployment-*
# - mailu-smtp-deployment-*
# - mailu-antispam-deployment-*
# - mailu-redis-deployment-*
# - mailu-webmail-deployment-*

Check Logs for Errors

Front (nginx):

kubectl logs -n mailu -l 'app.kubernetes.io/component=front' --tail=50

IMAP (Dovecot):

kubectl logs -n mailu -l 'app.kubernetes.io/component=imap' --tail=50

SMTP (Postfix):

kubectl logs -n mailu -l 'app.kubernetes.io/component=smtp' --tail=50

Admin (authentication):

kubectl logs -n mailu -l 'app.kubernetes.io/component=admin' --tail=50

Test Internal Services

From within cluster:

# Test nginx front is listening on mail ports
kubectl exec -n mailu deploy/mailu-front-deployment-c8xxxxxx -- netstat -tlnp | grep -E ':(25|465|587|993|995)'

# Expected: nginx listening on all mail ports

Test admin authentication endpoint:

# From front pod
kubectl exec -n mailu deploy/mailu-front-deployment-c8xxxxxx -- \
  curl -i http://mailu-admin-service-c8xxxxxx/internal/auth/email

# Expected: 200 or appropriate auth response

Traefik and LoadBalancer Issues

Mail Ports Not Externally Accessible

Check Traefik IngressRouteTCP:

kubectl get ingressroutetcp -n mailu

# Should see:
# - mailu-imaps (port 993)
# - mailu-smtps (port 465)
# - mailu-submission (port 587)
# - mailu-pop3s (port 995)

Check LoadBalancer Service:

kubectl get svc -n mailu mailu-loadbalancer-service-c8xxxxxx

# Should show TYPE=LoadBalancer with EXTERNAL-IP assigned
# PORTS should include 25, 465, 587, 993, 995

Test from Outside Cluster:

# Get LoadBalancer IP
LB_IP=$(kubectl get svc -n mailu -l 'app.kubernetes.io/component=loadbalancer' -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')

# Test direct connection (bypassing DNS)
openssl s_client -connect $LB_IP:993 -quiet

TLS Termination Issues

Check Certificate:

# Verify cert-manager certificate is ready
kubectl get certificate -n mailu

# Should show READY=True for mail.kup6s.com certificate

Check TLS Secret:

# Verify secret exists and has valid cert data
kubectl get secret -n mailu mail-kup6s-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -dates

# Should show:
# subject=CN = mail.kup6s.com
# notBefore and notAfter dates (valid range)

Port Reference

Port

Protocol

Purpose

Auth Required

25

SMTP

Server-to-server mail

No (external servers)

465

SMTPS

Client submission (TLS)

Yes

587

Submission

Client submission (STARTTLS)

Yes

993

IMAPS

IMAP (TLS)

Yes

995

POP3S

POP3 (TLS)

Yes

143

IMAP

IMAP (plain)

Yes (not exposed externally)

110

POP3

POP3 (plain)

Yes (not exposed externally)

Note: Only ports with TLS (465, 587, 993, 995, 25) are exposed externally via Traefik.

Getting Help

If issues persist after following this guide:

  1. Collect diagnostics:

    # Save pod status
kubectl get pods -n mailu > mailu-pods.txt

# Save recent logs
kubectl logs -n mailu -l 'app.kubernetes.io/component=front' --tail=100 > front-logs.txt
kubectl logs -n mailu -l 'app.kubernetes.io/component=admin' --tail=100 > admin-logs.txt

  2. Check Mailu admin UI at https://mail.kup6s.com/admin for:

    • User account status

    • Mail queue

    • Failed authentication attempts

  3. Review architecture: See Traefik TLS Termination Pattern for how the system works