When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.
Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?
Thanks!
Austin Witmer
On Jul 10, 2022, at 8:52 AM, Austin Witmer austin96@emypeople.net wrote:
So, here is my dovecot configuration. /etc/dovecot/dovecot.conf
## Dovecot configuration file
# Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol
dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext }
!include conf.d/*.conf
!include_try local.conf
!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes mail_privileged_group = mail
passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocols = imap lmtp pop3
namespace inbox { inbox = yes
mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } mailbox Spam { auto = subscribe # autocreate and autosubscribe the Spam mailbox } }
service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } }
service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster@mydomain.com hostname=mail.mydomain.com }
ssl = required # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes mail_privileged_group = mail
passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql }
namespace inbox { inbox = yes
mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } }
service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } }
service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster@mydomain.com hostname=mail.mydomain.com }
ssl = required ssl_cert =
userdb { driver = prefetch }
userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf }
ssl_cert =
userdb { driver = prefetch }
userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf }
And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.
## ## ManageSieve specific settings ##
# Uncomment to enable managesieve protocol: protocols = $protocols sieve
# Service definitions
service managesieve-login { inet_listener sieve { port = 4190 # ssl = yes }
#inet_listener sieve_deprecated { # port = 2000 #}
# Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster.
#service_count = 1 # Number of processes to always keep waiting for more connections. #process_min_avail = 0
# If you set service_count=0, you probably need to grow this. #vsz_limit = 64M }
#service managesieve { # Max. number of ManageSieve processes (connections) #process_limit = 1024 #}
# Service configuration
protocol sieve { # Maximum ManageSieve command line length in bytes. ManageSieve usually does # not involve overly long command lines, so this setting will not normally # need adjustment #managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP # address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far). # Do NOT try to load IMAP plugins here. #mail_plugins =
# MANAGESIEVE logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client # %{put_bytes} - Number of bytes saved using PUTSCRIPT command # %{put_count} - Number of scripts saved using PUTSCRIPT command # %{get_bytes} - Number of bytes read using GETCRIPT command # %{get_count} - Number of scripts read using GETSCRIPT command # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command # %{get_count} - Number of scripts checked using CHECKSCRIPT command # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command #managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can # specify the IMPLEMENTATION capability that Dovecot reports to clients. # For example: 'Cyrus timsieved v2.2.13' #managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server # before login. If left unassigned these will be reported dynamically # according to what the Sieve interpreter supports by default (after login # this may differ depending on the user). #managesieve_sieve_capability = #managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon # script upload or script verification. #managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of # Sieve execution limits. }
Here is the output of testing with openssl from the roundcube server.
I ran this: openssl s_client -connect 10.116.0.2:4190
And got this:
CONNECTED(00000003) 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 283 bytes Verification: OK
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) —
Is the second line in the output above the problem?
Thanks to all of you for your help so far!
Austin Witmer
On Jul 10, 2022, at 2:17 AM, Tomas Habarta lists+dovecot@tocc.cz wrote:
I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like:
service managesieve-login { inet_listener sieve { port = 4190 ssl = yes }
or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127
Tomas
On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
Hello all! I’ve got a bit of a problem that I would like some help with. So, I have two servers, one is my mail server running postfix, dovecot etc. I have a second server setup as my roundcube server. Both servers are running on the same LAN network. I have sieve scripts setup in dovecot in my mail server and they are working great! My trouble is that I can’t seem to make my roundcube talk correctly to managesieve on my mail server. Here is the mail.log file from the mail server when I try to create a sievescript from roundcube webmail: Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, session=<cZMzomvjyNgKdAAD> And here is my managesieve configuration from my roundcube server. /var/www/roundcube/plugins/managesieve/config.inc.php
<?php $config['managesieve_port'] = 4190; $config['managesieve_host'] = '[1]ssl://10.116.0.2'; $config['managesieve_auth_type'] = null; $config['managesieve_auth_cid'] = null; $config['managesieve_auth_pw'] = null; $config['managesieve_usetls'] = false; $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'allow_self_signed' => true, ), ); $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve'; $config['managesieve_script_name'] = 'default.sieve'; $config['managesieve_mbox_encoding'] = 'UTF-8'; $config['managesieve_replace_delimiter'] = ''; $config['managesieve_disabled_extensions'] = []; $config['managesieve_debug'] = true; $config['managesieve_kolab_master'] = false; $config['managesieve_filename_extension'] = '.sieve'; $config['managesieve_filename_exceptions'] = []; $config['managesieve_domains'] = []; $config['managesieve_default_headers'] = ['Subject', 'From', 'To']; $config['managesieve_vacation'] = 0; $config['managesieve_forward'] = 0; $config['managesieve_vacation_interval'] = 0; $config['managesieve_vacation_addresses_init'] = false; $config['managesieve_vacation_from_init'] = false; $config['managesieve_notify_methods'] = ['mailto']; $config['managesieve_raw_editor'] = true; $config['managesieve_disabled_actions'] = []; $config['managesieve_allowed_hosts'] = null; Does anybody have any clue why roundcube isn’t able to login in to managesieve on my mail server? Are there more logs/configs you would like to see? Thanks in advance for your help and suggestions! Austin Witmer References Visible links 1. file:///tmp/ssl:/10.116.0.2