Re: Can't figure out why managesieve (pigeonhole) can't connect
Thank you again. It seems you have seen my paste of config.inc.php. I do not have a config.php:
my_user@some_host:/usr/local/www/roundcube/config # ls -l
total 67
-rw-r--r--  1 root  wheel    164 Jul 23 15:17 .htaccess
-rw-r--r--  1 root  wheel   1867 Nov 22 15:12 config.inc.php
-rw-r--r--  1 root  wheel   2943 Jul 23 15:17 config.inc.php.sample
-rw-r--r--  1 root  wheel  63790 Oct 29 20:24 defaults.inc.php
-rw-r--r--  1 root  wheel   2806 Jul 23 15:17 mimetypes.php
my_user@some_host:/usr/local/www/roundcube/config #
I have tried changing tls:// to ssl:// and back again (in the line $config['managesieve_host'] = 'tls://obfuscated.domain';) but the error remains the same:
roundcube: PHP Error: Connection refused (GET /index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Not currently in AUTHORISATION state (GET /index.php?_task=settings&_action=plugin.managesieve)
php: PHP Error: Not currently connected (GET /index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Connection refused (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
roundcube: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
php: PHP Error: Not currently connected (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
roundcube: PHP Error: Connection refused (POST /?_task=settings&_action=plugin.managesieve-save)
roundcube: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (POST /?_task=settings&_action=plugin.managesieve-save)
I don't understand why it can't connect; this seems to work fine:
# gnutls-cli --tofu --starttls -p 4190 10.0.0.91
Processed 142 CA certificate(s).
Resolving '10.0.0.91:4190'...
Connecting to '10.0.0.91:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "dovecot"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
STARTTLS
OK "Begin TLS negotiation now."
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=obfuscated.domain.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial xxxxxxxxxxxxxxxxxxxxxx, RSA key 2048 bits, signed using RSA-SHA256, activated `yyyy-mm-dd 17:48:15 UTC', expires `yyyy-mm-dd 17:48:14 UTC', pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
        Public Key ID:
                sha1:xxxxxxxxxxxxxxxxxxxxxx
                sha256:xxxxxxxxxxxxxxxxxxxxxx
        Public Key PIN:
                pin-sha256:xxxxxxxxxxxxxxxxxxxxxx

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial xxxxxxxxxxxxxxxxxxxxxx, RSA key 2048 bits, signed using RSA-SHA256, activated `yyyy-mm-dd 00:00:00 UTC', expires `yyyy-mm-dd 16:00:00 UTC', pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial yyyy-mm-dd, RSA key 4096 bits, signed using RSA-SHA256, activated `yyyy-mm-dd 19:14:03 UTC', expires `yyyy-mm-dd 18:14:03 UTC', pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
Host 10.0.0.91 (sieve) has never been contacted before.
Its certificate is valid for 10.0.0.91.
Are you sure you want to trust it? (y/N): y
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: xx:yy:xx:yy:xx:yy...
- Options:
"IMPLEMENTATION" "dovecot"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5"
"VERSION" "1.0"
OK "TLS negotiation successful."
On 2022-11-23 13:35, Yassine Chaouche wrote:
Also make sure you are editing config.php and not config.inc.php (which you pasted).
Yassine.
On 23 November 2022 8:30:36 PM GMT+01:00, Yassine Chaouche <a.chaouche@algerian-radio.dz> wrote:
Good. We have established that the problem shouldn't be on dovecot's side. I suspect roundcube is misconfigured or can't connect for some reason. I believe someone mentioned an SSL and TLS support problem in RC for a specific version? Can you try without? Also, can you paste the RC config?
Yassine.
> I don't understand why it can't connect, this seems to work fine:

Fine?

You're manually overriding at least one problem with your certs/config:

> ...
> - Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
> *** PKI verification of server certificate failed...
> Host 10.0.0.91 (sieve) has never been contacted before.
> Its certificate is valid for 10.0.0.91.
> Are you sure you want to trust it? (y/N): y
> ...

It appears that you're using a self-signed cert? Are your trusted certs defined and correctly chained? If not explicitly defined, did you correctly add your certs to the system SSL dirs, and ensure the hashes are correct?

Demonstrate first that you can connect to dovecot over TLS with a command-line client, without ignoring or overriding your cert problems, including any client/server cert verification requirements you've turned on in the dovecot config.

Once you've passed the correct certs, then demonstrate that you can authenticate in the same session with any password/credentials you've set.

Once that all works, make sure you've got those certs correctly set up in your RC config.
Thank you for this. I am not using self-signed; I am using Let's Encrypt as a CA, and the certs are installed where certbot put them.
I tried the example from https://wiki2.dovecot.org/TestInstallation, using openssl s_client, and I achieved the following (lots of data replaced with "...").
I have not changed anything else since your last reply. I am honestly not sure what the RC config has to do with certs (Google has not given me a result that seems to apply). Does the below help confirm that my certs are properly installed and that I can connect to dovecot over TLS and pass my credentials?
root@mc:~ # openssl s_client -connect mydomain.com:143 -starttls imap
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.com
verify return:1
Certificate chain
...
Server certificate
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
..
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 4922 bytes and written 426 bytes
Verification: OK
..
..
..
read R BLOCK
a login me@mydomain.com MyPass
* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE
a OK Logged in
a OK Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 35 EXISTS
* 0 RECENT
* OK [UNSEEN 18] First unseen.
* OK [UIDVALIDITY 1669149589] UIDs valid
* OK [UIDNEXT 255] Predicted next UID
* OK [HIGHESTMODSEQ 615] Highest
b OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
c list "" *
* LIST (\HasNoChildren \Marked \Trash) "/" Trash
* LIST (\HasNoChildren \UnMarked \Junk) "/" Junk
* LIST (\HasNoChildren \Marked \Sent) "/" Sent
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \UnMarked) "/" INBOX/email-reports
* LIST (\HasNoChildren \UnMarked) "/" INBOX/NAS-Alerts
* LIST (\HasChildren) "/" INBOX
c OK List completed (0.001 + 0.000 secs).
On 2022-11-23 14:49, PGNet Dev wrote:
Hello
This test only shows that you can connect to IMAP port 143 with STARTTLS and use your certificate there. It does not show whether your managesieve port 4190 uses that certificate too. Managesieve does not use STARTTLS, and has its own configuration.
I suspect that your certificate does not include the private IP as an alternative name, as you try to reach 10.0.0.91:4190, not mydomain.com:4190.
Kind regards, Christian Mack
On 14.12.22 at 21:48, colin@colinlikesfood.com wrote:
--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
78457 Konstanz
+49 7531 88-4416
Actually, managesieve DOES use STARTTLS, and it uses the same config as the rest of Dovecot does, unless you override it, of course.
But other than that, you're right.
Aki
On 15/12/2022 09:49 EET Christian Mack <christian.mack@uni-konstanz.de> wrote:
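Added example (the editor's, not code from the thread, Roundcube, Net_Sieve or Dovecot): a small Python probe that walks the same layers the thread argues about, one at a time. A refused TCP connection, which is what the Roundcube log above reports, happens before any TLS exchange; a certificate name mismatch, which is what gnutls-cli --tofu was overriding, can only show up after the STARTTLS upgrade that Aki confirms managesieve performs. The probe therefore reports the stage it reached (tcp, greeting, starttls, tls) rather than a single failure, verifies the server certificate against a DNS name you pass rather than the address you connected to (Christian's point about 10.0.0.91 not being in the certificate), and offers no way to switch verification off; a private CA file can be supplied instead. The sample greeting is constructed from the Dovecot banner quoted above with the SIEVE list shortened, the fake server only speaks the plaintext half of the protocol, and all function names are this example's own.

```python
"""Layered ManageSieve (RFC 5804) connectivity probe. Added example, not Roundcube, Net_Sieve
or Dovecot code; the names, fake server and sample greeting below are this example's own."""
import re
import socket
import ssl
import threading

MANAGESIEVE_PORT = 4190  # IANA-registered ManageSieve port
SAMPLE_GREETING = (b'"IMPLEMENTATION" "dovecot"\r\n"SIEVE" "fileinto reject vacation imap4flags"\r\n'
                   b'"NOTIFY" "mailto"\r\n"SASL" "CRAM-MD5"\r\n"STARTTLS"\r\n"VERSION" "1.0"\r\n'
                   b'OK "Dovecot ready."\r\n')  # constructed from the Dovecot banner in the thread
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
_STATUS = ("OK", "NO", "BYE")


def parse_capabilities(lines):
    """'"NAME" "value"' -> caps['NAME'] = 'value'; bare '"NAME"' -> True; list-valued ones split."""
    caps = {}
    for line in lines:
        fields = _QUOTED.findall(line)
        if not fields or line.split(" ", 1)[0] in _STATUS:
            continue
        name, value = fields[0].upper(), (fields[1] if len(fields) > 1 else True)
        if name in ("SASL", "SIEVE", "NOTIFY") and isinstance(value, str):
            value = value.split()
        caps[name] = value
    return caps


def _read_response(raw):
    """Read CRLF lines up to the OK/NO/BYE line from an *unbuffered* file object, so that
    nothing beyond that line is consumed before a TLS handshake. Returns (status, lines)."""
    lines = []
    while True:
        line = raw.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.decode("utf-8", "replace").rstrip("\r\n"))
        status = lines[-1].split(" ", 1)[0]
        if status in _STATUS:
            return status, lines


def probe_managesieve(host, port=MANAGESIEVE_PORT, server_name=None, ca_file=None, timeout=5.0):
    """Report how far a connection gets: 'stage' is tcp, greeting, starttls or tls and 'ok' is
    True only after a verified handshake. server_name is the DNS name the certificate must
    match (SNI + hostname check); it defaults to host, so probing a raw IP fails unless the
    cert lists that IP as a SAN. ca_file adds a private CA; verification is never disabled."""
    result = {"host": host, "port": port, "stage": "tcp", "ok": False}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # ECONNREFUSED, timeout or DNS failure: TLS is not involved yet
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    try:
        with sock:
            raw = sock.makefile("rb", buffering=0)
            result["stage"] = "greeting"
            caps = result["capabilities"] = parse_capabilities(_read_response(raw)[1])
            result["stage"] = "starttls"
            if caps.get("STARTTLS") is not True:
                result["error"] = "server does not advertise STARTTLS"
                return result
            sock.sendall(b"STARTTLS\r\n")
            status, lines = _read_response(raw)
            if status != "OK":
                result["error"] = lines[-1]
                return result
            result["stage"] = "tls"
            ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED, check_hostname on
            with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
                # RFC 5804: the server re-sends its capabilities once TLS is up
                result["capabilities_tls"] = parse_capabilities(
                    _read_response(tls.makefile("rb", buffering=0))[1])
                result["subject_alt_names"] = tls.getpeercert().get("subjectAltName", ())
                result["ok"] = True
                tls.sendall(b"LOGOUT\r\n")
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # ssl.SSLError and ConnectionError are both OSError subclasses
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def start_fake_server(greeting=SAMPLE_GREETING, starttls_reply=b'NO "TLS not available"\r\n'):
    """Constructed stand-in for the plaintext half of a ManageSieve server on 127.0.0.1: sends
    greeting, answers one STARTTLS with starttls_reply, then closes. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(greeting)
            if conn.makefile("rb", buffering=0).readline().upper().startswith(b"STARTTLS"):
                conn.sendall(starttls_reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":  # usage: probe.py HOST [DNS_NAME_TO_VERIFY]; no args: fake server demo
    import sys
    if len(sys.argv) > 1:
        print(probe_managesieve(sys.argv[1], server_name=(sys.argv[2:] or [None])[0]))
    else:
        print(probe_managesieve("127.0.0.1", start_fake_server()))
```

Run it from the Roundcube host itself, with the exact host name used in managesieve_host as the first argument and, if you deliberately connect by address, the certificate's DNS name as the second; the host you run from matters, since the thread's gnutls-cli test ran from somewhere that could reach 10.0.0.91, while the failing log entries name obfuscated.domain. A result with stage tcp and a ConnectionRefusedError means no listener answered at that address and port (or something sent a reset), and no certificate setting in Roundcube or Dovecot can change that; stage tls with "certificate rejected" is the name or chain problem that --tofu was papering over, and the subject_alt_names field of a successful run tells you which names the certificate actually carries.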
participants (5)
- Aki Tuomi
- Christian Mack
- colin@colinlikesfood.com
- PGNet Dev
- Yassine Chaouche