Trouble configuring managesieve plugin for roundcube

Austin Witmer austin96 at emypeople.net
Sun Jul 10 21:10:07 UTC 2022


Ok, I changed to $config['managesieve_host'] = 'tls://10.116.0.2'; and the below is the log from /var/www/roundcube/logs/sieve.log during a connection attempt. Does this log give you any clues?

[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "NOTIFY" "mailto"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SASL" ""
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "STARTTLS"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "VERSION" "1.0"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Dovecot (Ubuntu) ready."
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> C: STARTTLS
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Begin TLS negotiation now."
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> C: LOGOUT

And here is the log from the mail server during the same connection attempt.

Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD>

And here is the output of doveconf -n

austin at mail:~$ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-121-generic x86_64 Ubuntu 20.04.4 LTS 
# Hostname: mail.mydomain.com
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = /mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  hostname = mail.mydomain.com
  mail_plugins = " sieve"
  postmaster_address = postmaster at mydomain.com
}
protocol lda {
  mail_plugins = " sieve"
}

What am I missing???? Thanks so much to all of you for helping me along! This is why I like the Open-source community!

Austin Witmer

> On Jul 10, 2022, at 9:49 AM, Christian Kivalo <ml+dovecot at valo.at> wrote:
> 
> 
> On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96 at emypeople.net> wrote:
>> When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.
>> Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
>> I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?
> 
> Your current dovecot config as below requires you to use tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use:
> $config['managesieve_host'] = 'tls://10.116.0.2';
> 
> You have debug logging enabled in your roundcube managesieve config, the output should be in your roundcube logging. Look at that logging during a connection attempt, this helped me a lot in identifying a certificate name mismatch.
> 
> 
>> Thanks!
>> Austin Witmer
>>> On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96 at emypeople.net> wrote:
>>> So, here is my dovecot configuration. /etc/dovecot/dovecot.conf
>>> ## Dovecot configuration file
>>> # Enable installed protocols
>>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>> dict {
>>> #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
>>> #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
>>> }
>>> !include conf.d/*.conf
>>> !include_try local.conf
>>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>> listen = *
>>> disable_plaintext_auth = yes
>>> mail_privileged_group = mail
>>> passdb {
>>> args = /etc/dovecot/dovecot-sql.conf
>>> driver = sql
>>> }
>>> protocols = imap lmtp pop3
>>> namespace inbox {
>>> inbox = yes
>>> mailbox Trash {
>>>   auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>>   special_use = \Trash
>>> }
>>> mailbox Sent {
>>>   auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>>   special_use = \Sent
>>> }
>>> mailbox Spam {
>>>   auto = subscribe # autocreate and autosubscribe the Spam mailbox
>>> }
>>> }
>>> service auth {
>>> unix_listener /var/spool/postfix/private/auth {
>>>   group = postfix
>>>   mode = 0660
>>>   user = postfix
>>> }
>>> }
>>> service imap-login {
>>> inet_listener imap {
>>>   port = 0
>>> }
>>> inet_listener imaps {
>>>   port = 993
>>> }
>>> }
>>> service lmtp {
>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>     group = postfix
>>>     mode = 0600
>>>     user = postfix
>>>   }
>>> }
>>> protocol lmtp {
>>>   postmaster_address=postmaster at mydomain.com
>>>   hostname=mail.mydomain.com
>>> }
>>> ssl = required # Enable installed protocols
>>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>> listen = *
>>> disable_plaintext_auth = yes
>>> mail_privileged_group = mail
>>> passdb {
>>> args = /etc/dovecot/dovecot-sql.conf
>>> driver = sql
>>> }
>>> namespace inbox {
>>> inbox = yes
>>> mailbox Trash {
>>>   auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>>   special_use = \Trash
>>> }
>>> mailbox Sent {
>>>   auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>>   special_use = \Sent
>>> }
>>> }
>>> service auth {
>>> unix_listener /var/spool/postfix/private/auth {
>>>   group = postfix
>>>   mode = 0660
>>>   user = postfix
>>> }
>>> }
>>> service imap-login {
>>> inet_listener imap {
>>>   port = 0
>>> }
>>> inet_listener imaps {
>>>   port = 993
>>> }
>>> }
>>> service lmtp {
>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>     group = postfix
>>>     mode = 0600
>>>     user = postfix
>>>   }
>>> }
>>> protocol lmtp {
>>>   postmaster_address=postmaster at mydomain.com
>>>   hostname=mail.mydomain.com
>>> }
>>> ssl = required
>>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>>> ssl_prefer_server_ciphers = yes
>>> userdb {
>>> driver = prefetch
>>> }
>>> userdb {
>>> driver = sql
>>> args = /etc/dovecot/dovecot-sql.conf
>>> }
>>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>>> #ssl_dh_parameters_length = 4096
>>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>>> ssl_prefer_server_ciphers = yes
>>> #ssl_protocols = !SSLv3
>>> userdb {
>>> driver = prefetch
>>> }
>>> userdb {
>>> driver = sql
>>> args = /etc/dovecot/dovecot-sql.conf
>>> }
>>> And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.
>>> ##
>>> ## ManageSieve specific settings
>>> ##
>>> # Uncomment to enable managesieve protocol:
>>> protocols = $protocols sieve
>>> # Service definitions
>>> service managesieve-login {
>>> inet_listener sieve {
>>>   port = 4190
>>> #    ssl = yes
>>> }
>>> #inet_listener sieve_deprecated {
>>> #  port = 2000
>>> #}
>>> # Number of connections to handle before starting a new process. Typically
>>> # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
>>> # is faster. <doc/wiki/LoginProcess.txt>
>>> #service_count = 1
>>> # Number of processes to always keep waiting for more connections.
>>> #process_min_avail = 0
>>> # If you set service_count=0, you probably need to grow this.
>>> #vsz_limit = 64M
>>> }
>>> #service managesieve {
>>> # Max. number of ManageSieve processes (connections)
>>> #process_limit = 1024
>>> #}
>>> # Service configuration
>>> protocol sieve {
>>> # Maximum ManageSieve command line length in bytes. ManageSieve usually does
>>> # not involve overly long command lines, so this setting will not normally
>>> # need adjustment
>>> #managesieve_max_line_length = 65536
>>> # Maximum number of ManageSieve connections allowed for a user from each IP
>>> # address.
>>> # NOTE: The username is compared case-sensitively.
>>> #mail_max_userip_connections = 10
>>> # Space separated list of plugins to load (none known to be useful so far).
>>> # Do NOT try to load IMAP plugins here.
>>> #mail_plugins =
>>> # MANAGESIEVE logout format string:
>>> #  %i - total number of bytes read from client
>>> #  %o - total number of bytes sent to client
>>> #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
>>> #  %{put_count} - Number of scripts saved using PUTSCRIPT command
>>> #  %{get_bytes} - Number of bytes read using GETCRIPT command
>>> #  %{get_count} - Number of scripts read using GETSCRIPT command
>>> #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
>>> #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
>>> #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
>>> #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
>>> #managesieve_logout_format = bytes=%i/%o
>>> # To fool ManageSieve clients that are focused on CMU's timesieved you can
>>> # specify the IMPLEMENTATION capability that Dovecot reports to clients.
>>> # For example: 'Cyrus timsieved v2.2.13'
>>> #managesieve_implementation_string = Dovecot Pigeonhole
>>> # Explicitly specify the SIEVE and NOTIFY capability reported by the server
>>> # before login. If left unassigned these will be reported dynamically
>>> # according to what the Sieve interpreter supports by default (after login
>>> # this may differ depending on the user).
>>> #managesieve_sieve_capability =
>>> #managesieve_notify_capability =
>>> # The maximum number of compile errors that are returned to the client upon
>>> # script upload or script verification.
>>> #managesieve_max_compile_errors = 5
>>> # Refer to 90-sieve.conf for script quota configuration and configuration of
>>> # Sieve execution limits.
>>> }
>>> Here is the output of testing with openssl from the roundcube server.
>>> I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
>>> And got this:
>>> CONNECTED(00000003)
>>> 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 5 bytes and written 283 bytes
>>> Verification: OK
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> Early data was not sent
>>> Verify return code: 0 (ok)
>>> Is the second line in the output above the problem?
>>> Thanks to all of you for your help so far!
>>> Austin Witmer
>>>> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz> wrote:
>>>> I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like:
>>>> service managesieve-login {
>>>> inet_listener sieve {
>>>>  port = 4190
>>>>  ssl = yes
>>>> }
>>>> or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf
>>>> This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127
>>>> Tomas
>>>> On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
>>>>> Hello all!
>>>>> I’ve got a bit of a problem that I would like some help with. So, I have
>>>>> two servers, one is my mail server running postfix, dovecot etc. I have a
>>>>> second server setup as my roundcube server. Both servers are running on
>>>>> the same LAN network.
>>>>> I have sieve scripts setup in dovecot in my mail server and they are
>>>>> working great! My trouble is that I can’t seem to make my roundcube talk
>>>>> correctly to managesieve on my mail server.
>>>>> Here is the mail.log file from the mail server when I try to create a
>>>>> sievescript from roundcube webmail:
>>>>> Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many
>>>>> invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3,
>>>>> lip=10.116.0.2, session=<cZMzomvjyNgKdAAD>
>>>>> And here is my managesieve configuration from my roundcube server.
>>>>> /var/www/roundcube/plugins/managesieve/config.inc.php
>>>>> <?php
>>>>> $config['managesieve_port'] = 4190;
>>>>> $config['managesieve_host'] = 'ssl://10.116.0.2';
>>>>> $config['managesieve_auth_type'] = null;
>>>>> $config['managesieve_auth_cid'] = null;
>>>>> $config['managesieve_auth_pw'] = null;
>>>>> $config['managesieve_usetls'] = false;
>>>>> $config['managesieve_conn_options'] = array(
>>>>>         'ssl' => array(
>>>>>             'verify_peer'       => false,
>>>>>             'allow_self_signed' => true,
>>>>>         ),
>>>>>     );
>>>>> $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve';
>>>>> $config['managesieve_script_name'] = 'default.sieve';
>>>>> $config['managesieve_mbox_encoding'] = 'UTF-8';
>>>>> $config['managesieve_replace_delimiter'] = '';
>>>>> $config['managesieve_disabled_extensions'] = [];
>>>>> $config['managesieve_debug'] = true;
>>>>> $config['managesieve_kolab_master'] = false;
>>>>> $config['managesieve_filename_extension'] = '.sieve';
>>>>> $config['managesieve_filename_exceptions'] = [];
>>>>> $config['managesieve_domains'] = [];
>>>>> $config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
>>>>> $config['managesieve_vacation'] = 0;
>>>>> $config['managesieve_forward'] = 0;
>>>>> $config['managesieve_vacation_interval'] = 0;
>>>>> $config['managesieve_vacation_addresses_init'] = false;
>>>>> $config['managesieve_vacation_from_init'] = false;
>>>>> $config['managesieve_notify_methods'] = ['mailto'];
>>>>> $config['managesieve_raw_editor'] = true;
>>>>> $config['managesieve_disabled_actions'] = [];
>>>>> $config['managesieve_allowed_hosts'] = null;
>>>>> Does anybody have any clue why roundcube isn’t able to login in to
>>>>> managesieve on my mail server?
>>>>> Are there more logs/configs you would like to see?
>>>>> Thanks in advance for your help and suggestions!
>>>>> Austin Witmer
> 
> -- 
> Christian Kivalo
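
Added example, not part of the original thread: the `wrong version number` error and the "read 5 bytes" line in the quoted `openssl s_client` output are what a TLS client reports when the first five bytes it receives are the plaintext ManageSieve greeting instead of a TLS record header. The Python below reads a shortened, constructed copy of the greeting from the sieve.log both ways and maps what a listener sends first to the Roundcube `managesieve_host` prefix; the function names and the silent-listener heuristic are assumptions of this example.

```python
import socket
import struct

# Constructed sample: the plaintext greeting from the sieve.log above,
# with the long SIEVE capability value shortened.
SAMPLE_GREETING = (
    b'"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"\r\n'
    b'"SIEVE" "fileinto reject envelope"\r\n'
    b'"NOTIFY" "mailto"\r\n'
    b'"SASL" ""\r\n'
    b'"STARTTLS"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "Dovecot (Ubuntu) ready."\r\n'
)

def tls_view_of(data: bytes) -> dict:
    """Read the first 5 bytes as a TLS record header, as a TLS client would."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length,
            "valid_version": major == 3 and minor <= 4}

def parse_capabilities(greeting: bytes) -> dict:
    """Parse the quoted capability lines that precede the OK/NO/BYE response."""
    caps = {}
    for line in greeting.decode("utf-8", "replace").splitlines():
        if not line.startswith('"'):
            break  # OK / NO / BYE ends the capability list
        parts = line.split('"')  # '"NAME" "value"' -> ['', NAME, ' ', value, '']
        caps[parts[1].upper()] = parts[3] if len(parts) > 3 else ""
    return caps

def recommend_scheme(first_bytes: bytes) -> str:
    """Heuristic: map what the listener sends first to a Roundcube host prefix."""
    if not first_bytes:
        return "ssl://"  # silent listener: assumed to be waiting for a ClientHello
    caps = parse_capabilities(first_bytes)
    if "STARTTLS" in caps:
        return "tls://"  # plaintext greeting, TLS is started in-band
    return "no-tls" if caps else "unknown"

def read_first_bytes(host: str, port: int = 4190, timeout: float = 3.0) -> bytes:
    """Connect without sending anything and return whatever arrives first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""

if __name__ == "__main__":
    print(tls_view_of(SAMPLE_GREETING))       # the header a TLS client sees
    print(recommend_scheme(SAMPLE_GREETING))  # prefix matching this listener
```

On a live system, `recommend_scheme(read_first_bytes("10.116.0.2"))` applies the same check to the listener from the thread.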


