tlsv1 alert unknown ca: SSL alert number 48

Tobias lists.zxinn at otaking.se
Sun Jun 19 14:44:29 UTC 2016


That's great!

Yeah, stunnel is a very useful tool in this case. Also works well for 
securing mail out via submission (port 587), when the webmail client 
does not properly support STARTTLS, or the configurability of these TLS 
parameters.

Squirrelmail does not currently support this, so you're better off also 
using stunnel for outgoing mail, if it needs encryption for 
authentication purposes.

Not only are these certificate options not yet implemented (neither for 
IMAP nor SMTP), but Squirrelmail also does not play nice with Dovecot 
when using STARTTLS, and you also disallow any login attempts until the 
connection is encrypted. Neither the stable 1.4.23 release, nor the 
development track, 1.5.2, handle these parameters or scenarios yet.

I submitted bug reports for these issues, and hacked my own code to 
include corrections for my own setup. A quick look at current SVN source 
for 1.5 track shows no improvement yet. (If I have time this summer I 
may clean up my own modification and submit a patch.)

Here's a link to my cross-post to this very mail list, on April 3rd 
2016.
https://www.mail-archive.com/dovecot@dovecot.org/msg65453.html

While I use stunnel for many things (perhaps too many), in this case I 
wanted to use STARTTLS for no particular reason.

/Tobias

On 2016-06-19 18:42, Maurizio Dall'Acqua wrote:
> I have found a solution!
> 
> I have tried to install the new version of Roundcube from github, but I have
> had some problems with the configuration files. So I've switched back to
> Squirrelmail.
> 
> I have set Squirrelmail to plain text login but I have tunneled the
> connection to stunnel4 by means of xinetd, so I can have a secure login
> connection. For some reason both Roundcube and Squirrelmail can't use the
> self-signed certificate I provided, but it is not a problem for stunnel4.
> 
> So, here we go,
> 
> Thanks to all those who have suggested a solution in the mail-list.
> 
> ;-)
> 
> On Sat, Jun 18, 2016 at 10:27:50AM -0400, Gedalya wrote:
>> I didn't actually test this. There might be some incompatibility 
>> preventing this from installing properly on raspbian.
>> Was there nothing else printed out? Usually when you get such a line 
>> it is printed several lines below something else, where the actual 
>> problem occurred.
>> Anyway, this is getting way out of the scope of this mailing list. 
>> Frankly it isn't too difficult to just manually install roundcube 
>> directly from the sources on github, and that may be your best option 
>> right now.
>> 
>> 
>> On 06/18/2016 08:01 AM, Maurizio Dall'Acqua wrote:
>> > I've tried to install the new version of Roundcube but I've got an error
>> > message:
>> >
>> >
>> > Unpacking roundcube (1.1.5+dfsg.1-1~bpo8+1) ...
>> > Errors were encountered while processing:
>> >  /var/cache/apt/archives/roundcube-core_1.1.5+dfsg.1-1~bpo8+1_all.deb
>> > E: Sub-process /usr/bin/dpkg returned an error code (1)
>> >
>> > If anybody can give me instructions on how to correct this, perhaps I should
>> > try to downgrade again?
>> >
>> >
>> >
>> > On Sat, Jun 18, 2016 at 06:37:33AM -0400, Gedalya wrote:
>> >> On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote:
>> >>> The version of Roundcube I am using is 0.9.5+dfsg1-4.1
>> >> If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list :
>> >>
>> >> deb http://httpredir.debian.org/debian jessie-backports main
>> >>
>> >> Then run:
>> >>
>> >> apt-get --dry-run -tjessie-backports install roundcube
>> >>
>> >> and take a close look at what's being pulled from where, make sure it all makes sense to you.
>> >>
>> >> Then run it again, for real:
>> >>
>> >> apt-get -tjessie-backports install roundcube
>> >>
>> >> This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian.
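
A stunnel client-mode configuration for the setup discussed in this thread, written as an added example and not taken from any poster's configuration: the webmail client speaks plain text to loopback, and stunnel performs STARTTLS towards Dovecot (IMAP) and the submission port while trusting only the server's self-signed certificate. The hostname, local ports and certificate path are assumed placeholders.

```ini
; Added example: mail.example.org, the local ports and the file path
; below are placeholders (assumptions), not values from the thread.

[imap-starttls]
; stunnel is the TLS client; the webmail application is its plain-text peer.
client = yes
; Listen on loopback only, so the unencrypted leg never leaves the host.
accept = 127.0.0.1:1143
connect = mail.example.org:143
; Negotiate STARTTLS on the IMAP connection before any login is sent.
protocol = imap
; PEM copy of the server's self-signed certificate (certificate only,
; never the private key). A client that cannot match the presented
; certificate to a trust anchor aborts the handshake with the
; "unknown ca" alert (48) named in this thread's subject.
CAfile = /etc/stunnel/mail.example.org.pem
; Accept the peer only if its certificate is the one stored in CAfile.
verifyPeer = yes

[submission-starttls]
; Same arrangement for outgoing mail via submission (port 587).
client = yes
accept = 127.0.0.1:1587
connect = mail.example.org:587
; Negotiate STARTTLS on the SMTP connection before authentication.
protocol = smtp
CAfile = /etc/stunnel/mail.example.org.pem
verifyPeer = yes
```

The webmail client is then pointed at 127.0.0.1 on the two local ports with TLS switched off on its side. stunnel builds that predate `verifyPeer` use the obsolete `verify = 3` for the same purpose.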

