On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96@emypeople.net> wrote:
When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.
Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?
Your current dovecot config as below requires you to use the tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use: $config['managesieve_host'] = 'tls://10.116.0.2';
You have debug logging enabled in your roundcube managesieve config, the output should be in your roundcube logging. Look at that logging during a connection attempt, this helped me a lot identifying a certificate name mismatch.
Thanks!
Austin Witmer
On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96@emypeople.net> wrote:
So, here is my dovecot configuration. /etc/dovecot/dovecot.conf
## Dovecot configuration file
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf
!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes
mail_privileged_group = mail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocols = imap lmtp pop3
namespace inbox {
  inbox = yes
  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe # autocreate and autosubscribe the Spam mailbox
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
protocol lmtp {
  postmaster_address=postmaster@mydomain.com
  hostname=mail.mydomain.com
}
ssl = required
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes
mail_privileged_group = mail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
namespace inbox {
  inbox = yes
  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
protocol lmtp {
  postmaster_address=postmaster@mydomain.com
  hostname=mail.mydomain.com
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
ssl_prefer_server_ciphers = yes
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
#ssl_dh_parameters_length = 4096
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
ssl_prefer_server_ciphers = yes
#ssl_protocols = !SSLv3
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}
And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
  inet_listener sieve {
    port = 4190
    # ssl = yes
  }
  #inet_listener sieve_deprecated {
  #  port = 2000
  #}
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}
#service managesieve {
  # Max. number of ManageSieve processes (connections)
  #process_limit = 1024
#}
# Service configuration
protocol sieve {
  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
  # not involve overly long command lines, so this setting will not normally
  # need adjustment
  #managesieve_max_line_length = 65536
  # Maximum number of ManageSieve connections allowed for a user from each IP
  # address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
  # Space separated list of plugins to load (none known to be useful so far).
  # Do NOT try to load IMAP plugins here.
  #mail_plugins =
  # MANAGESIEVE logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
  #  %{get_bytes} - Number of bytes read using GETCRIPT command
  #  %{get_count} - Number of scripts read using GETSCRIPT command
  #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
  #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
  #managesieve_logout_format = bytes=%i/%o
  # To fool ManageSieve clients that are focused on CMU's timesieved you can
  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
  # For example: 'Cyrus timsieved v2.2.13'
  #managesieve_implementation_string = Dovecot Pigeonhole
  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
  # before login. If left unassigned these will be reported dynamically
  # according to what the Sieve interpreter supports by default (after login
  # this may differ depending on the user).
  #managesieve_sieve_capability =
  #managesieve_notify_capability =
  # The maximum number of compile errors that are returned to the client upon
  # script upload or script verification.
  #managesieve_max_compile_errors = 5
  # Refer to 90-sieve.conf for script quota configuration and configuration of
  # Sieve execution limits.
}
Here is the output of testing with openssl from the roundcube server.
I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
And got this:
CONNECTED(00000003)
139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Is the second line in the output above the problem?
Thanks to all of you for your help so far!
Austin Witmer
On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot@tocc.cz> wrote:
I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like:
service managesieve-login {
  inet_listener sieve {
    port = 4190
    ssl = yes
  }
}
or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf. This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127
Tomas
On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
Hello all! I’ve got a bit of a problem that I would like some help with. So, I have two servers, one is my mail server running postfix, dovecot etc. I have a second server set up as my roundcube server. Both servers are running on the same LAN network. I have sieve scripts set up in dovecot on my mail server and they are working great! My trouble is that I can’t seem to make my roundcube talk correctly to managesieve on my mail server. Here is the mail.log file from the mail server when I try to create a sieve script from roundcube webmail:
Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, session=<cZMzomvjyNgKdAAD>
And here is my managesieve configuration from my roundcube server. /var/www/roundcube/plugins/managesieve/config.inc.php
<?php
$config['managesieve_port'] = 4190;
$config['managesieve_host'] = 'ssl://10.116.0.2';
$config['managesieve_auth_type'] = null;
$config['managesieve_auth_cid'] = null;
$config['managesieve_auth_pw'] = null;
$config['managesieve_usetls'] = false;
$config['managesieve_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'allow_self_signed' => true,
    ),
);
$config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve';
$config['managesieve_script_name'] = 'default.sieve';
$config['managesieve_mbox_encoding'] = 'UTF-8';
$config['managesieve_replace_delimiter'] = '';
$config['managesieve_disabled_extensions'] = [];
$config['managesieve_debug'] = true;
$config['managesieve_kolab_master'] = false;
$config['managesieve_filename_extension'] = '.sieve';
$config['managesieve_filename_exceptions'] = [];
$config['managesieve_domains'] = [];
$config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
$config['managesieve_vacation'] = 0;
$config['managesieve_forward'] = 0;
$config['managesieve_vacation_interval'] = 0;
$config['managesieve_vacation_addresses_init'] = false;
$config['managesieve_vacation_from_init'] = false;
$config['managesieve_notify_methods'] = ['mailto'];
$config['managesieve_raw_editor'] = true;
$config['managesieve_disabled_actions'] = [];
$config['managesieve_allowed_hosts'] = null;
Does anybody have any clue why roundcube isn’t able to log in to managesieve on my mail server? Are there more logs/configs you would like to see? Thanks in advance for your help and suggestions!
Austin Witmer
-- Christian Kivalo
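The openssl failure and the ssl:// versus tls:// choice discussed in this thread, as an added example that is not part of any message above and not Roundcube's or Dovecot's own code: it shows why a bare TLS ClientHello against a STARTTLS listener on 4190 fails after exactly 5 bytes, and derives the matching managesieve_host prefix from what the server sends first. The sample greeting is constructed; probe_starttls is assumed to be given a reachable server and the hostname that appears on its certificate, since it keeps verification enabled.

```python
# Added example (not from the thread): tell implicit TLS from a plaintext ManageSieve greeting.
import re
import socket
import ssl

# Constructed sample of what a STARTTLS-capable ManageSieve listener sends on connect.
SAMPLE_GREETING = (b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
                   b'"SIEVE" "fileinto reject envelope"\r\n"NOTIFY" "mailto"\r\n'
                   b'"SASL" ""\r\n"STARTTLS"\r\n"VERSION" "1.0"\r\nOK "Dovecot ready."\r\n')

def classify_first_bytes(data: bytes) -> str:
    """First bytes read back from the server: an implicit-TLS server answers a
    ClientHello with a record header (type 0x16, version 0x03 0x0x); a plaintext
    ManageSieve server greets with a quoted line, so OpenSSL reads '"IMPL' as a
    record header and fails with 'wrong version number' after exactly 5 bytes."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data[:1] == b'"':
        return "plaintext-managesieve"
    return "unknown"

def parse_capabilities(greeting: bytes) -> dict:
    """Turn the greeting's quoted-string lines into {capability: value}."""
    caps = {}
    for line in greeting.decode("utf-8", "replace").splitlines():
        if line.startswith(("OK", "NO", "BYE")):
            break  # the response line ends the capability list
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            caps[parts[0]] = parts[1] if len(parts) > 1 else ""
    return caps

def roundcube_host_for(first_bytes: bytes, host: str) -> str:
    """Pick the Roundcube prefix that matches what the port actually speaks."""
    kind = classify_first_bytes(first_bytes)
    if kind == "tls":
        return f"ssl://{host}"  # implicit TLS: inet_listener sieve with ssl = yes
    if kind == "plaintext-managesieve" and "STARTTLS" in parse_capabilities(first_bytes):
        return f"tls://{host}"  # plaintext greeting, upgraded with STARTTLS
    raise ValueError(f"port speaks neither TLS nor STARTTLS ManageSieve ({kind})")

def probe_starttls(host: str, port: int = 4190, timeout: float = 5.0) -> dict:
    """Live check: plaintext connect, STARTTLS, then a verified handshake against host."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay enabled
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if "STARTTLS" not in parse_capabilities(sock.recv(4096)):  # assumes one segment
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not sock.recv(4096).startswith(b"OK"):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_capabilities(tls.recv(4096))  # capabilities re-sent over TLS
```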