Re: Trouble configuring managesieve plugin for roundcube

Christian Kivalo ml+dovecot at valo.at
Sun Jul 10 15:49:14 UTC 2022


On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer 
<austin96 at emypeople.net> wrote:
> When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf 
> file, I get the log line below from mail.log on my mail server.
> 
> Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth 
> attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS 
> handshaking: SSL_accept() failed: error:1408F10B:SSL 
> routines:ssl3_get_record:wrong version number, 
> session=<PoXYpnTjLN0KdAAD>
> 
> I’m not smart enough with ssl stuff to know what the root cause of that 
> error is. Can somebody help me out?

Your current Dovecot config (quoted below) has no `ssl = yes` on the `inet_listener sieve`, so port 4190 is a plaintext listener that offers STARTTLS; with `ssl = required` Dovecot will not let a client authenticate until it has upgraded the connection. Roundcube selects STARTTLS with the tls:// prefix. The ssl:// prefix you have instead makes PHP begin a TLS handshake immediately, so it reads Dovecot's plaintext greeting where it expects a ServerHello — that is the "wrong version number" error. (Your openssl test fails for the same reason, since it lacks `-starttls sieve`; re-run `openssl s_client -connect 10.116.0.2:4190 -starttls sieve` and you should see the certificate. The Dovecot-side log line from your `ssl = yes` attempt is the mirror image — the listener expected a TLS ClientHello and received plaintext — so the two sides have to agree: either `ssl = yes` on the listener together with ssl://, or no listener `ssl` together with tls://. Also note your dovecot.conf paste is duplicated; `doveconf -n` shows the effective configuration.) I just tried it with my server and it worked. Use:
$config['managesieve_host'] = 'tls://10.116.0.2';

You have debug logging enabled in your Roundcube managesieve config (`managesieve_debug = true`); the output should be in your Roundcube logging. Look at that logging during a connection attempt — it helped me a lot in identifying a certificate name mismatch. Be aware that your `managesieve_conn_options` set `verify_peer => false` and `allow_self_signed => true`, which hides exactly that kind of mismatch (the certificate is issued for mail.mydomain.com but you connect to 10.116.0.2) at the cost of disabling certificate verification entirely, so anyone able to intercept traffic between the two hosts could impersonate the server. Once the connection works, connect to the name on the certificate and turn `verify_peer` back on rather than leaving verification off.


> Thanks!
> 
> Austin Witmer
> 
>> On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96 at emypeople.net> 
>> wrote:
>> 
>> So, here is my dovecot configuration. /etc/dovecot/dovecot.conf
>> 
>> ## Dovecot configuration file
>> 
>> # Enable installed protocols
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>> 
>> dict {
>>  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
>>  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
>> }
>> 
>> !include conf.d/*.conf
>> 
>> !include_try local.conf
>> 
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>> 
>> listen = *
>> 
>> disable_plaintext_auth = yes
>> mail_privileged_group = mail
>> 
>> passdb {
>>  args = /etc/dovecot/dovecot-sql.conf
>>  driver = sql
>> }
>> protocols = imap lmtp pop3
>> 
>> namespace inbox {
>>  inbox = yes
>> 
>>  mailbox Trash {
>>    auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>    special_use = \Trash
>>  }
>>  mailbox Sent {
>>    auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>    special_use = \Sent
>>  }
>>  mailbox Spam {
>>    auto = subscribe # autocreate and autosubscribe the Spam mailbox
>>  }
>> }
>> 
>> service auth {
>>  unix_listener /var/spool/postfix/private/auth {
>>    group = postfix
>>    mode = 0660
>>    user = postfix
>>  }
>> }
>> service imap-login {
>>  inet_listener imap {
>>    port = 0
>>  }
>>  inet_listener imaps {
>>    port = 993
>>  }
>> }
>> 
>> service lmtp {
>>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>      group = postfix
>>      mode = 0600
>>      user = postfix
>>    }
>> }
>> protocol lmtp {
>>    postmaster_address=postmaster at mydomain.com
>>    hostname=mail.mydomain.com
>> }
>> 
>> ssl = required # Enable installed protocols
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>> 
>> listen = *
>> 
>> disable_plaintext_auth = yes
>> mail_privileged_group = mail
>> 
>> passdb {
>>  args = /etc/dovecot/dovecot-sql.conf
>>  driver = sql
>> }
>> 
>> namespace inbox {
>>  inbox = yes
>> 
>>  mailbox Trash {
>>    auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>    special_use = \Trash
>>  }
>>  mailbox Sent {
>>    auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>    special_use = \Sent
>>  }
>> }
>> 
>> service auth {
>>  unix_listener /var/spool/postfix/private/auth {
>>    group = postfix
>>    mode = 0660
>>    user = postfix
>>  }
>> }
>> service imap-login {
>>  inet_listener imap {
>>    port = 0
>>  }
>>  inet_listener imaps {
>>    port = 993
>>  }
>> }
>> 
>> service lmtp {
>>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>      group = postfix
>>      mode = 0600
>>      user = postfix
>>    }
>> }
>> protocol lmtp {
>>    postmaster_address=postmaster at mydomain.com
>>    hostname=mail.mydomain.com
>> }
>> 
>> ssl = required
>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>> ssl_prefer_server_ciphers = yes
>> 
>> 
>> userdb {
>>  driver = prefetch
>> }
>> 
>> userdb {
>>  driver = sql
>>  args = /etc/dovecot/dovecot-sql.conf
>> }
>> 
>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>> #ssl_dh_parameters_length = 4096
>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>> ssl_prefer_server_ciphers = yes
>> #ssl_protocols = !SSLv3
>> 
>> userdb {
>>  driver = prefetch
>> }
>> 
>> userdb {
>>  driver = sql
>>  args = /etc/dovecot/dovecot-sql.conf
>> }
>> 
>> And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried 
>> enabling ssl = yes in the config below but it still didn’t work.
>> 
>> ##
>> ## ManageSieve specific settings
>> ##
>> 
>> # Uncomment to enable managesieve protocol:
>> protocols = $protocols sieve
>> 
>> # Service definitions
>> 
>> service managesieve-login {
>>  inet_listener sieve {
>>    port = 4190
>> #    ssl = yes
>>  }
>> 
>>  #inet_listener sieve_deprecated {
>>  #  port = 2000
>>  #}
>> 
>>  # Number of connections to handle before starting a new process. 
>> Typically
>>  # the only useful values are 0 (unlimited) or 1. 1 is more secure, 
>> but 0
>>  # is faster. <doc/wiki/LoginProcess.txt>
>>  #service_count = 1
>> 
>>  # Number of processes to always keep waiting for more connections.
>>  #process_min_avail = 0
>> 
>>  # If you set service_count=0, you probably need to grow this.
>>  #vsz_limit = 64M
>> }
>> 
>> #service managesieve {
>>  # Max. number of ManageSieve processes (connections)
>>  #process_limit = 1024
>> #}
>> 
>> # Service configuration
>> 
>> protocol sieve {
>>  # Maximum ManageSieve command line length in bytes. ManageSieve 
>> usually does
>>  # not involve overly long command lines, so this setting will not 
>> normally
>>  # need adjustment
>>  #managesieve_max_line_length = 65536
>> 
>>  # Maximum number of ManageSieve connections allowed for a user from 
>> each IP
>>  # address.
>>  # NOTE: The username is compared case-sensitively.
>>  #mail_max_userip_connections = 10
>> 
>>  # Space separated list of plugins to load (none known to be useful so 
>> far).
>>  # Do NOT try to load IMAP plugins here.
>>  #mail_plugins =
>> 
>>  # MANAGESIEVE logout format string:
>>  #  %i - total number of bytes read from client
>>  #  %o - total number of bytes sent to client
>>  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
>>  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
>>  #  %{get_bytes} - Number of bytes read using GETCRIPT command
>>  #  %{get_count} - Number of scripts read using GETSCRIPT command
>>  #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
>>  #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
>>  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT 
>> command
>>  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT 
>> command
>>  #managesieve_logout_format = bytes=%i/%o
>> 
>>  # To fool ManageSieve clients that are focused on CMU's timesieved 
>> you can
>>  # specify the IMPLEMENTATION capability that Dovecot reports to 
>> clients.
>>  # For example: 'Cyrus timsieved v2.2.13'
>>  #managesieve_implementation_string = Dovecot Pigeonhole
>> 
>>  # Explicitly specify the SIEVE and NOTIFY capability reported by the 
>> server
>>  # before login. If left unassigned these will be reported dynamically
>>  # according to what the Sieve interpreter supports by default (after 
>> login
>>  # this may differ depending on the user).
>>  #managesieve_sieve_capability =
>>  #managesieve_notify_capability =
>> 
>>  # The maximum number of compile errors that are returned to the 
>> client upon
>>  # script upload or script verification.
>>  #managesieve_max_compile_errors = 5
>> 
>>  # Refer to 90-sieve.conf for script quota configuration and 
>> configuration of
>>  # Sieve execution limits.
>> }
>> 
>> Here is the output of testing with openssl from the roundcube server.
>> 
>> I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
>> 
>> And got this:
>> 
>> CONNECTED(00000003)
>> 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong 
>> version number:../ssl/record/ssl3_record.c:331:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 5 bytes and written 283 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>>>> 
>> Is the second line in the output above the problem?
>> 
>> Thanks to all of you for your help so far!
>> 
>> Austin Witmer
>> 
>>> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz> 
>>> wrote:
>>> 
>>> I can't see your dovecot conf, but anyway -- roundcube side has to be 
>>> aligned with dovecot's, i.e. if you use ssl on roundcube side, make 
>>> sure you have it enabled on dovecot side too, something like:
>>> 
>>> service managesieve-login {
>>> inet_listener sieve {
>>>   port = 4190
>>>   ssl = yes
>>> }
>>> 
>>> or just use tls, i.e. no "ssl=yes" in dovecot conf, but 
>>> tls://10.116.0.2 in roundcube conf
>>> This seems to be the same case: 
>>> https://github.com/roundcube/roundcubemail/issues/7127
>>> 
>>> Tomas
>>> 
>>> 
>>> On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
>>>>  Hello all!
>>>>  I’ve got a bit of a problem that I would like some help with. So, I 
>>>> have
>>>>  two servers, one is my mail server running postfix, dovecot etc. I 
>>>> have a
>>>>  second server setup as my roundcube server. Both servers are 
>>>> running on
>>>>  the same LAN network.
>>>>  I have sieve scripts setup in dovecot in my mail server and they 
>>>> are
>>>>  working great! My trouble is that I can’t seem to make my roundcube 
>>>> talk
>>>>  correctly to managesieve on my mail server.
>>>>  Here is the mail.log file from the mail server when I try to create 
>>>> a
>>>>  sievescript from roundcube webmail:
>>>>  Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too 
>>>> many
>>>>  invalid commands. (no auth attempts in 0 secs): user=<>, 
>>>> rip=10.116.0.3,
>>>>  lip=10.116.0.2, session=<cZMzomvjyNgKdAAD>
>>>>  And here is my managesieve configuration from my roundcube server.
>>>>  /var/www/roundcube/plugins/managesieve/config.inc.php
>>>>  <?php
>>>>  $config['managesieve_port'] = 4190;
>>>>  $config['managesieve_host'] = 'ssl://10.116.0.2';
>>>>  $config['managesieve_auth_type'] = null;
>>>>  $config['managesieve_auth_cid'] = null;
>>>>  $config['managesieve_auth_pw'] = null;
>>>>  $config['managesieve_usetls'] = false;
>>>>  $config['managesieve_conn_options'] = array(
>>>>          'ssl' => array(
>>>>              'verify_peer'       => false,
>>>>              'allow_self_signed' => true,
>>>>          ),
>>>>      );
>>>>  $config['managesieve_default'] = 
>>>> 'var/lib/dovecot/sieve/default.sieve';
>>>>  $config['managesieve_script_name'] = 'default.sieve';
>>>>  $config['managesieve_mbox_encoding'] = 'UTF-8';
>>>>  $config['managesieve_replace_delimiter'] = '';
>>>>  $config['managesieve_disabled_extensions'] = [];
>>>>  $config['managesieve_debug'] = true;
>>>>  $config['managesieve_kolab_master'] = false;
>>>>  $config['managesieve_filename_extension'] = '.sieve';
>>>>  $config['managesieve_filename_exceptions'] = [];
>>>>  $config['managesieve_domains'] = [];
>>>>  $config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
>>>>  $config['managesieve_vacation'] = 0;
>>>>  $config['managesieve_forward'] = 0;
>>>>  $config['managesieve_vacation_interval'] = 0;
>>>>  $config['managesieve_vacation_addresses_init'] = false;
>>>>  $config['managesieve_vacation_from_init'] = false;
>>>>  $config['managesieve_notify_methods'] = ['mailto'];
>>>>  $config['managesieve_raw_editor'] = true;
>>>>  $config['managesieve_disabled_actions'] = [];
>>>>  $config['managesieve_allowed_hosts'] = null;
>>>>  Does anybody have any clue why roundcube isn’t able to login in to
>>>>  managesieve on my mail server?
>>>>  Are there more logs/configs you would like to see?
>>>>  Thanks in advance for your help and suggestions!
>>>>  Austin Witmer
>>>> 
> 

-- 
  Christian Kivalo

