Trouble configuring managesieve plugin for roundcube

Christian Kivalo ml+dovecot at valo.at
Tue Jul 12 15:13:35 UTC 2022


On 2022-07-12 16:19, Austin Witmer wrote:
> So, I changed the $config['managesieve_host'] =
> 'tls://mail.mydomain.com'; to the fqdn of my mail server instead of
> the internal IP address and now it works!
Good to hear it works now :)

> Why would using the fqdn work, but not the internal LAN IP address?
The client, here PHP / Roundcube, checks whether the presented certificate 
contains the address it connected to, and IP addresses are very seldom 
added as hosts to certificates.

> As a side note, I am now remembering that in my main Roundcube config,
> I had to use the fqdn for the imap and smtp server instead of the
> internal LAN IP address. Is it because it needs to connect to a host
> with the same hostname that the certificate returns? Would it work to
> add an entry in my hosts file that says "10.116.0.2  mail.mydomain.com
> [1]"? I should be able to use the internal IP addresses, right? Are
> there downsides to using the fqdn?

The hosts file entry would help with name resolution but not with 
certificate verification.

But you can make PHP think it connects to the correct hostname with the 
SSL connection options:

$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name'   => 'FQDN of mailserver',
    ],
];

This probably even works without the "verify_peer" line, haven't tested.


> I may have some questions about configuring sieve rules later, but I
> can start a new thread for that.
> 
> Austin Witmer
> 
>> On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot at valo.at>
>> wrote:
>> 
>>> I added “login” to my auth_mechanisms line in
>>> /etc/dovecot/conf.d/10-auth.conf. That line already looked like
>>> auth_mechanisms = plain
>>> This is what the line looks like now: auth_mechanisms = plain login
>>> I restarted dovecot and it still is not advertising anything after
>>> “SASL” in the sieve log file. See below:
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready."
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now."
>>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
>>> And once again the line from my mail.log file.
>>> Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD>
>>> Any further suggestions? Why do you suppose that the auth
>>> mechanisms are not being advertised?
>> The auth mechanisms are not shown because you access from a remote
>> host, have STARTTLS available and "disable_plaintext_auth = yes"
>> set. The auth mechanisms will be shown after STARTTLS.
>> This is described here
>> https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
>> 
>> One more thing comes to mind regarding the ssl options in the
>> managesieve plugin config. Do you use a self signed cert in dovecot?
>> 
>> One more thing you could try, in your managesieve plugin
>> config.inc.php
>> 
>> remove this section:
>> $config['managesieve_conn_options'] = array(
>>     'ssl' => array(
>>         'verify_peer'       => false,
>>         'allow_self_signed' => true,
>>     ),
>> );
>> 
>> add this section:
>> $config['managesieve_conn_options'] = [
>>     'ssl' => [
>>         'verify_peer' => false,
>>         'peer_name'   => 'change to the hostname from dovecots ssl certificate',
>>     ],
>> ];
>> 
>> add in there, when using self-signed cert
>> 'allow_self_signed' => true,
>> 
>> --
>> Christian Kivalo
> 
> 
> 
> Links:
> ------
> [1] http://mail.mydomain.com

-- 
  Christian Kivalo
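
Added example, not part of the original message: one way to keep connecting to the LAN address while still getting full certificate verification, with the weak form from the thread shown beside it for comparison. The IP and hostname are the ones used in the thread; the CA bundle path is an assumption and depends on the system.

```php
<?php
// Added example for the managesieve plugin's config.inc.php (not from the thread).
// The CA bundle path below is an assumed value; adjust it to your system.

// Keep connecting to the LAN address; the tls:// prefix is the one used in the thread.
$config['managesieve_host'] = 'tls://10.116.0.2';

// Weak form, for comparison only: 'verify_peer' => false switches off
// certificate chain validation, so the issuer of the presented
// certificate is never checked.
//
// $config['managesieve_conn_options'] = [
//     'ssl' => [
//         'verify_peer' => false,
//         'peer_name'   => 'mail.mydomain.com',
//     ],
// ];

// Corrected form: validate the chain and compare the certificate against
// the FQDN it was issued for, even though the socket goes to the IP.
$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        // Name to match against the certificate instead of the connect address
        'peer_name'         => 'mail.mydomain.com',
        'allow_self_signed' => false,
        // Only needed when the issuing CA is not in PHP's default trust store
        'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
    ],
];
```

The same 'ssl' array can be assigned to $config['imap_conn_options'] and $config['smtp_conn_options'] in the main Roundcube config if those connections should also go to the internal IP.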

