On 2022-07-12 16:19, Austin Witmer wrote:
So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com’; to the fqdn of my mail server instead of the internal IP address and now it works! Good to hear it works now :)
Why would using the fqdn work, but not the internal LAN IP address? The client, here php / roundcube checks if the presented certificate contains the address it connected to and ip addresses are very seldomly added as hosts to certificates.
As a side note, I am now remembering that in my main Roundcube config, I had to use the fqdn for the imap and smtp server instead of the internal LAN IP address. Is it because it needs to connect to a host with the same hostname that the certificate returns? Would it work to add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com [1]”? I should be able to use the internal IP addresses, right? Are there downsides to using the fqdn?
The hosts file entry would help with name resolution but not with certificate verification.
But you can make php think it connects to the correct hostname with the ssl connection options
$config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'FQDN of mailserver', ], ];
This probably even works without the "verify_peer" line, haven't tested.
I may have some questions about configuring sieve rules later, but I can start a new thread for that.
Austin Witmer
On Jul 11, 2022, at 1:06 PM, Christian Kivalo ml+dovecot@valo.at wrote:
I added “login” to my auth_mechanisms line in /etc/dovecot/conf.d/10-auth.conf. That line already looked like auth_mechanisms = plain This is what the line looks like now: auth_mechanisms = plain login I restarted dovecot and it still is not advertising anything after “SASL” in the sieve log file. See below: [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" "" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now." [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ????Y8h#u??Lu?u?V2??N[?˴?+)u?????F?'{ֺ?G?r?iS??pݥ??D}????? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?>??0??SxfXC%]c?|?y?"w???K_ޕ???N ?.?c? ??_D?r???ǿ?r??w??#?/j?l/Wu?=.I^????~??y??(-n?6]!a??;?E?l??qn?j [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
?.e???i8p?{Ur"???3GZ?C??7??U)s?;,c?6????HY??B?ڑB.g=TtAk?dq???nV?i
?BG2D???7?hܖQTl?)G??9??W?????M^?? ??D&?䢀rQ???2E?pn?Ez?????䉉i? @1??փiC???=???W?M\
?]?}?D$
?:???^?/K???5?aB?c??ar)?l@C??X?ٹ?!J???k??"/1?r???w?_??@?p??w)R?d??o????k*?*????? i?O?i%S?l^?o2?H [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: 5?7?x??w?z"??hu4?E??:?/?F(d?;??i??"??5??G,5????E?C?MS???? L???*??*???LO?D?? J?l???ځ? ??IN??v?fR?5t?:???SG?>{mY??D?˱????t?Rj?w?# ??n??[?S?
V4O?z?=.ܰې??uA?ھ????9?τ???c??oE?;LBOg??Ql'w?= [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?&???C/_??*??????|.??$O?~? ??5?"????縉?? ?r??0~?+~????B
??5)]cZ?Z?t??D??????-?dZ??M?z??2TɉOp?q?o?T?3?`'????g??6 [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: m??]~5??? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: And once again the line from my mail.log file. Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD> Any further suggestions? Why do you suppose that the auth mechanisms are not being advertised? The auth mechanisms are not shown because you access from a remote host, have STARTTLS available and "disable_plaintext_auth = yes" set. The auth mechanisms will be shown after STARTTLS. This is described here https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
One more thing comes to mind regarding the ssl options in the managesieve plugin config. Do you use a self signed cert in dovecot?
One more thing you could try, in your managesieve plugin config.inc.php
remove this section: $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'allow_self_signed' => true, ), );
add this section: $config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'change to the hostname from dovecots ssl certificate', ], ];
add in there, when using self-signed cert 'allow_self_signed' => true,
-- Christian Kivalo
Links:
-- Christian Kivalo