POSSIBLE SPAM: Re: Trouble configuring managesieve plugin for roundcube

Austin Witmer austin96 at emypeople.net
Sun Jul 10 15:01:02 UTC 2022


When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.

Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>

I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?

Thanks!

Austin Witmer

> On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96 at emypeople.net> wrote:
> 
> So, here is my dovecot configuration. /etc/dovecot/dovecot.conf
> 
> ## Dovecot configuration file
> 
> # Enable installed protocols
> !include_try /usr/share/dovecot/protocols.d/*.protocol
> 
> dict {
>  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
>  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
> }
> 
> !include conf.d/*.conf
> 
> !include_try local.conf
> 
> !include_try /usr/share/dovecot/protocols.d/*.protocol
> 
> listen = *
> 
> disable_plaintext_auth = yes
> mail_privileged_group = mail
> 
> passdb {
>  args = /etc/dovecot/dovecot-sql.conf
>  driver = sql
> }
> protocols = imap lmtp pop3
> 
> namespace inbox {
>  inbox = yes
> 
>  mailbox Trash {
>    auto = subscribe # autocreate and autosubscribe the Trash mailbox
>    special_use = \Trash
>  }
>  mailbox Sent {
>    auto = subscribe # autocreate and autosubscribe the Sent mailbox
>    special_use = \Sent
>  } 
>  mailbox Spam {
>    auto = subscribe # autocreate and autosubscribe the Spam mailbox
>  }
> }
> 
> service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0660
>    user = postfix
>  }
> }
> service imap-login {
>  inet_listener imap {
>    port = 0
>  }
>  inet_listener imaps {
>    port = 993
>  }
> }
> 
> service lmtp {
>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>      group = postfix
>      mode = 0600
>      user = postfix
>    }
> }
> protocol lmtp {
>    postmaster_address=postmaster at mydomain.com
>    hostname=mail.mydomain.com
> }
> 
> ssl = required # Enable installed protocols
> !include_try /usr/share/dovecot/protocols.d/*.protocol
> 
> listen = *
> 
> disable_plaintext_auth = yes
> mail_privileged_group = mail
> 
> passdb {
>  args = /etc/dovecot/dovecot-sql.conf
>  driver = sql
> }
> 
> namespace inbox {
>  inbox = yes
> 
>  mailbox Trash {
>    auto = subscribe # autocreate and autosubscribe the Trash mailbox
>    special_use = \Trash
>  }
>  mailbox Sent {
>    auto = subscribe # autocreate and autosubscribe the Sent mailbox
>    special_use = \Sent
>  }
> }
> 
> service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0660
>    user = postfix
>  }
> }
> service imap-login {
>  inet_listener imap {
>    port = 0
>  }
>  inet_listener imaps {
>    port = 993
>  }
> }
> 
> service lmtp {
>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>      group = postfix
>      mode = 0600
>      user = postfix
>    }
> }
> protocol lmtp {
>    postmaster_address=postmaster at mydomain.com
>    hostname=mail.mydomain.com
> }
> 
> ssl = required
> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
> ssl_cipher_list = AES128+EECDH:AES128+EDH
> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
> ssl_prefer_server_ciphers = yes
> 
> 
> userdb {
>  driver = prefetch
> }
> 
> userdb {
>  driver = sql
>  args = /etc/dovecot/dovecot-sql.conf
> }
> 
> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
> ssl_cipher_list = AES128+EECDH:AES128+EDH
> #ssl_dh_parameters_length = 4096
> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
> ssl_prefer_server_ciphers = yes
> #ssl_protocols = !SSLv3
> 
> userdb {
>  driver = prefetch
> }
> 
> userdb {
>  driver = sql
>  args = /etc/dovecot/dovecot-sql.conf
> }
> 
> And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.
> 
> ##
> ## ManageSieve specific settings
> ##
> 
> # Uncomment to enable managesieve protocol:
> protocols = $protocols sieve
> 
> # Service definitions
> 
> service managesieve-login {
>  inet_listener sieve {
>    port = 4190
> #    ssl = yes
>  }
> 
>  #inet_listener sieve_deprecated {
>  #  port = 2000
>  #}
> 
>  # Number of connections to handle before starting a new process. Typically
>  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
>  # is faster. <doc/wiki/LoginProcess.txt>
>  #service_count = 1
> 
>  # Number of processes to always keep waiting for more connections.
>  #process_min_avail = 0
> 
>  # If you set service_count=0, you probably need to grow this.
>  #vsz_limit = 64M
> }
> 
> #service managesieve {
>  # Max. number of ManageSieve processes (connections)
>  #process_limit = 1024
> #}
> 
> # Service configuration
> 
> protocol sieve {
>  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
>  # not involve overly long command lines, so this setting will not normally
>  # need adjustment
>  #managesieve_max_line_length = 65536
> 
>  # Maximum number of ManageSieve connections allowed for a user from each IP
>  # address.
>  # NOTE: The username is compared case-sensitively.
>  #mail_max_userip_connections = 10
> 
>  # Space separated list of plugins to load (none known to be useful so far).
>  # Do NOT try to load IMAP plugins here.
>  #mail_plugins =
> 
>  # MANAGESIEVE logout format string:
>  #  %i - total number of bytes read from client
>  #  %o - total number of bytes sent to client
>  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
>  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
>  #  %{get_bytes} - Number of bytes read using GETSCRIPT command
>  #  %{get_count} - Number of scripts read using GETSCRIPT command
>  #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
>  #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
>  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
>  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
>  #managesieve_logout_format = bytes=%i/%o
> 
>  # To fool ManageSieve clients that are focused on CMU's timsieved you can
>  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
>  # For example: 'Cyrus timsieved v2.2.13'
>  #managesieve_implementation_string = Dovecot Pigeonhole
> 
>  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
>  # before login. If left unassigned these will be reported dynamically
>  # according to what the Sieve interpreter supports by default (after login
>  # this may differ depending on the user).
>  #managesieve_sieve_capability =
>  #managesieve_notify_capability =
> 
>  # The maximum number of compile errors that are returned to the client upon
>  # script upload or script verification.
>  #managesieve_max_compile_errors = 5
> 
>  # Refer to 90-sieve.conf for script quota configuration and configuration of
>  # Sieve execution limits.
> }
> 
> Here is the output of testing with openssl from the roundcube server.
> 
> I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
> 
> And got this:
> 
> CONNECTED(00000003)
> 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5 bytes and written 283 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
>> 
> Is the second line in the output above the problem?
> 
> Thanks to all of you for your help so far! 
> 
> Austin Witmer
> 
>> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz> wrote:
>> 
>> I can't see your dovecot conf, but anyway -- the connection mode on the roundcube side has to match dovecot's, i.e. if you use ssl:// on the roundcube side (TLS from the first byte of the connection), make sure ssl is enabled on the dovecot listener too, something like:
>> 
>> service managesieve-login {
>> inet_listener sieve {
>>   port = 4190
>>   ssl = yes
>> }
>> 
>> or just use tls (STARTTLS on the plaintext listener), i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 as managesieve_host in roundcube conf
>> This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127
>> 
>> Tomas
>> 
>> 
>> On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
>>>  Hello all!
>>>  I’ve got a bit of a problem that I would like some help with. So, I have
>>>  two servers, one is my mail server running postfix, dovecot etc. I have a
>>>  second server setup as my roundcube server. Both servers are running on
>>>  the same LAN network.
>>>  I have sieve scripts setup in dovecot in my mail server and they are
>>>  working great! My trouble is that I can’t seem to make my roundcube talk
>>>  correctly to managesieve on my mail server.
>>>  Here is the mail.log file from the mail server when I try to create a
>>>  sievescript from roundcube webmail:
>>>  Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many
>>>  invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3,
>>>  lip=10.116.0.2, session=<cZMzomvjyNgKdAAD> 
>>>  And here is my managesieve configuration from my roundcube server.
>>>  /var/www/roundcube/plugins/managesieve/config.inc.php
>>>  <?php
>>>  $config['managesieve_port'] = 4190;
>>>  $config['managesieve_host'] = 'ssl://10.116.0.2';
>>>  $config['managesieve_auth_type'] = null;
>>>  $config['managesieve_auth_cid'] = null;
>>>  $config['managesieve_auth_pw'] = null;
>>>  $config['managesieve_usetls'] = false;
>>>  $config['managesieve_conn_options'] = array(
>>>          'ssl' => array(
>>>              'verify_peer'       => false,
>>>              'allow_self_signed' => true,
>>>          ),
>>>      );
>>>  $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve';
>>>  $config['managesieve_script_name'] = 'default.sieve';
>>>  $config['managesieve_mbox_encoding'] = 'UTF-8';
>>>  $config['managesieve_replace_delimiter'] = '';
>>>  $config['managesieve_disabled_extensions'] = [];
>>>  $config['managesieve_debug'] = true;
>>>  $config['managesieve_kolab_master'] = false;
>>>  $config['managesieve_filename_extension'] = '.sieve';
>>>  $config['managesieve_filename_exceptions'] = [];
>>>  $config['managesieve_domains'] = [];
>>>  $config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
>>>  $config['managesieve_vacation'] = 0;
>>>  $config['managesieve_forward'] = 0;
>>>  $config['managesieve_vacation_interval'] = 0;
>>>  $config['managesieve_vacation_addresses_init'] = false;
>>>  $config['managesieve_vacation_from_init'] = false;
>>>  $config['managesieve_notify_methods'] = ['mailto'];
>>>  $config['managesieve_raw_editor'] = true;
>>>  $config['managesieve_disabled_actions'] = [];
>>>  $config['managesieve_allowed_hosts'] = null;
>>>  Does anybody have any clue why roundcube isn’t able to login in to
>>>  managesieve on my mail server?
>>>  Are there more logs/configs you would like to see?
>>>  Thanks in advance for your help and suggestions!
>>>  Austin Witmer
>>> 
>>> References
>>> 
>>>  Visible links
>>>  1. file:///tmp/ssl:/10.116.0.2


