Thanks so much Christian Kivalo!

See below.

On Jul 12, 2022, at 9:13 AM, Christian Kivalo <ml+dovecot@valo.at> wrote:

On 2022-07-12 16:19, Austin Witmer wrote:
So, I changed the $config['managesieve_host'] =
'tls://mail.mydomain.com'; to the fqdn of my mail server instead of
the internal IP address and now it works!
Good to hear it works now :)

Why would using the fqdn work, but not the internal LAN IP address?
The client, here PHP / Roundcube, checks if the presented certificate contains the address it connected to, and IP addresses are very seldom added as hosts to certificates.

As a side note, I am now remembering that in my main Roundcube config,
I had to use the fqdn for the imap and smtp server instead of the
internal LAN IP address. Is it because it needs to connect to a host
with the same hostname that the certificate returns? Would it work to
add an entry in my hosts file that says "10.116.0.2  mail.mydomain.com
[1]"? I should be able to use the internal IP addresses, right? Are
there downsides to using the fqdn?

The hosts file entry would help with name resolution but not with certificate verification.

But you can make PHP think it connects to the correct hostname with the ssl connection options:

$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name'   => 'FQDN of mailserver',
    ],
];

This probably even works without the "verify_peer" line, haven't tested.


I added the block above to my managesieve configuration in Roundcube and now connecting to an internal IP address works beautifully!

Now I just need to figure out how to accomplish the same thing for the imap and smtp server that Roundcube is using. Is there a block similar to the one above that I could add to my Roundcube config.inc.php file to enable me to use internal addresses for my imap and smtp servers?


I may have some questions about configuring sieve rules later, but I
can start a new thread for that.
Austin Witmer
On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot@valo.at>
wrote:
I added "login" to my auth_mechanisms line in
/etc/dovecot/conf.d/10-auth.conf. That line already looked like
auth_mechanisms = plain
This is what the line looks like now: auth_mechanisms = plain login
I restarted dovecot and it still is not advertising anything after
"SASL" in the sieve log file. See below:
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready."
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now."
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
????Y8h#u??Lu?u?V2??N[?˴?+)u?????F?'{ֺ?G?r?iS??pݥ??D}?????
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
?>??0??SxfXC%]c?|?y?"w???K_ޕ???N
?.?c?
??_D?r???ǿ?r??w??#?/j?l/Wu?=.I^????~??y??(-n?6]!a??;?E?l??qn?j
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
?.e???i8p?{Ur"???3GZ?Cž??7??U)s?;,c?6????HY??B?ڑB.g=TtAk?dq???nV?i
?BG2D???7?hܖQTl?)G??9??W?????M›^??
??D&?䢀rQ???2E?pn?Ez?????䉉i?
@1??փiC???=???W?M\
`?]?}?D$`?:???^?/K???5?aB?c??ar)?l@C??X?ٹ?!J???k??"/1?r???w?_??@?p??w
)R?d??o????k*?*?????
i?O?i%S?l^?o2?H
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
5?7?x??w?z"??hu4?E??:?/?F(d?;?򵂒?i??"??5??G,5????E?C?MS????
L???*??*???LO?D?? J?l???ځ?
??IN??v?fR?5t?:???SG?>{mY??D?˱????t?Rj?w?#
??n??[?S?
V4O?z?=.ܰې??uA?ھ????9?τ???c??oE?;LBOg??Ql'w?=
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
?&???C/_??*??????|.??$O?~?
??5?"????縉??
?r??0~?+~????B
??5)]cZ?Z?򔠛t??D??????-?dZ??M?z??2TɉOp?q?o?T?3?`'????g??6
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: m??]~5???
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
And once again the line from my mail.log file.
Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD>
Any further suggestions? Why do you suppose that the auth mechanisms
are not being advertised?
The auth mechanisms are not shown because you access from a remote
host, have STARTTLS available and "disable_plaintext_auth = yes"
set. The auth mechanisms will be shown after STARTTLS.
This is described here:
https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
One more thing comes to mind regarding the ssl options in the
managesieve plugin config. Do you use a self signed cert in dovecot?
One more thing you could try, in your managesieve plugin
config.inc.php
remove this section:
$config['managesieve_conn_options'] = array(
    'ssl' => array(
        'verify_peer'       => false,
        'allow_self_signed' => true,
    ),
);
add this section:
$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name'   => 'change to the hostname from dovecots ssl certificate',
    ],
];
add in there, when using self-signed cert:
        'allow_self_signed' => true,
--
Christian Kivalo
Links:
------
[1] http://mail.mydomain.com

--
Christian Kivalo

Thanks again for everyone’s help! Much appreciated!

Austin Witmer
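As an added illustration of the point made in this thread (my own Python, not Roundcube's or Dovecot's code), the block below models the decision PHP's ssl stream-context options make about a TLS peer: with PHP's client defaults both `verify_peer` (chain trust) and `verify_peer_name` (hostname match) are on, setting `verify_peer => false` only disables the chain check, and `peer_name` replaces the connect address as the name the certificate must carry. That is why connecting to 10.116.0.2 failed against a certificate that only names mail.mydomain.com, and why the `peer_name` line made the IP address work. The certificate dicts use the layout Python's `ssl.SSLSocket.getpeercert()` returns and are constructed samples; the chain-trust result is passed in as a boolean because this offline model does not validate a real chain.

```python
"""Model of PHP ssl context verification: verify_peer, verify_peer_name, peer_name.

Added example, not Roundcube or Dovecot code. Certificates below are constructed
samples in the dict shape ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress

# Constructed: certificate that names only the FQDN (the common case; IP SANs are rare).
FQDN_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),),
}

# Constructed: the same server, but with the LAN IP added as an iPAddress SAN.
IP_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("IP Address", "10.116.0.2")),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, one wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*", "*.com" and partial-label wildcards such as "ma*.example.com".
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_name(cert, expected):
    """Does the certificate identify `expected`, a DNS name or an IP literal?"""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN entry, never a DNS name or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_entries = [v for k, v in san if k == "DNS"]
    if dns_entries:
        return any(dns_name_matches(p, expected) for p in dns_entries)
    # Legacy fallback: the CN counts only when the cert carries no DNS SAN at all.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(cn, expected) for cn in cns)


def evaluate_connection(cert, connect_host, chain_trusted, ssl_opts=None):
    """Apply PHP client defaults to a presented certificate.

    verify_peer and verify_peer_name default to on; peer_name replaces the
    connect host as the expected name. `chain_trusted` stands in for the CA
    chain result. Returns (accepted, reason).
    """
    opts = ssl_opts or {}
    if opts.get("verify_peer", True) and not chain_trusted:
        return False, "certificate chain not trusted"
    if opts.get("verify_peer_name", True):
        expected = opts.get("peer_name") or connect_host
        if not cert_matches_name(cert, expected):
            return False, f"certificate does not name {expected!r}"
    if not opts.get("verify_peer", True):
        return True, "accepted WITHOUT chain verification (verify_peer=false)"
    return True, "accepted"


if __name__ == "__main__":
    scenarios = [
        ("LAN IP, original config (verify_peer off, allow_self_signed)",
         FQDN_CERT, "10.116.0.2", True, {"verify_peer": False, "allow_self_signed": True}),
        ("FQDN, defaults", FQDN_CERT, "mail.mydomain.com", True, None),
        ("LAN IP, verify_peer off + peer_name",
         FQDN_CERT, "10.116.0.2", True, {"verify_peer": False, "peer_name": "mail.mydomain.com"}),
        ("LAN IP, peer_name only (chain still checked)",
         FQDN_CERT, "10.116.0.2", True, {"peer_name": "mail.mydomain.com"}),
        ("LAN IP, cert with IP SAN, defaults", IP_CERT, "10.116.0.2", True, None),
    ]
    for label, cert, host, chain_ok, opts in scenarios:
        ok, why = evaluate_connection(cert, host, chain_ok, opts)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
```

The first scenario reproduces the original failure: `verify_peer => false` plus `allow_self_signed` does not touch the hostname check, so the LAN IP is still rejected. The fourth scenario is the one to prefer with a CA-issued certificate: keep `verify_peer` at its default and set only `peer_name`, which keeps chain validation on while the client dials the internal address; `verify_peer => false` accepts any certificate the chain check would otherwise reject.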