<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="">Set
</div>
<div class="">
<br class="">
</div>
<div class="">
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
</div>
</div>
</blockquote>
<div class="">
<br class="">
</div>
<div class="">
Can this be the Lets Encrypt cert that we already have? In other words we have:
</div>
<div class="">
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_cert = </etc/pki/dovecot/certs/dovecot.pem</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">ssl_key = </etc/pki/dovecot/private/dovecot.pem</span>
</div>
</div>
<div class="">
<br class="">
</div>
<div class="">
Can those be used?
</div>
</div>
</blockquote>
<div class="">
<br class="">
</div>
<div class="">
Set it to *CA* cert. You can also use
</div>
<div class="">
<br class="">
</div>
<div class="">
ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)
</div></blockquote></div></div></blockquote><div><br class=""></div>OK did that.</div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><blockquote type="cite" class="">
<div class="">
ssl_client_ca_dir=/etc/ssl/certs (on debian based)
</div>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class="">
Are you using haproxy or something in front of dovecot?
</div>
</div>
</blockquote>
<br class="">
</div>
<div class="">
No. Just Squirrelmail webmail with sendmail.
</div>
<br class="">
</blockquote>
<div class="">
Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?</div></blockquote></div></blockquote><div><br class=""></div>I see some options in <a href="http://squirrelmail.org/docs/admin/admin-5.html#ss5.3" class="">http://squirrelmail.org/docs/admin/admin-5.html#ss5.3</a>. Would it be a plugin?<br class=""><br class=""><blockquote type="cite" class=""><div class=""><blockquote type="cite" class="">
</blockquote>
<div class="">
Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
</div>
<div class="">
<br class="">
</div>
<div class="">
`doveconf auth_policy_request_attributes`</div></div></blockquote><br class=""></div><div>Yes I’ve confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like <span style="font-family: Menlo; font-size: 11px;" class="">SSL handshake to ex.ter.na.lip:8084 failed: Connection closed</span></div><div><br class=""></div><div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Timeout (now: 2019-03-28 16:13:36.300)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Absolute timeout expired for request [Req10: POST <a href="https://ourdomain:8084/?command=allow" class="">https://ourdomain:8084/?command=allow</a>] (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST <a href="https://ourdomain:8084/?command=allow]:" class="">https://ourdomain:8084/?command=allow]:</a> Error: 9008 Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Dropping request [Req10: POST <a href="https://ourdomain:8084/?command=allow" class="">https://ourdomain:8084/?command=allow</a>]</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST <a href="https://ourdomain:8084/?command=allow]:" class="">https://ourdomain:8084/?command=allow]:</a> Destroy (requests left=1)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST <a href="https://ourdomain:8084/?command=allow]:" class="">https://ourdomain:8084/?command=allow]:</a> Free (requests left=0)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup service=dovecot</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1 msg=Password: </span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth-worker(32249): Info: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy request <a href="https://ourdomain:8084/?command=report" class="">https://ourdomain:8084/?command=report</a></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Set request timeout to 2019-03-28 16:13:40.625 (now: 2019-03-28 16:13:38.625)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Peer reused</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Setting up connection to ex.ter.na.lip:8084 (SSL=ourdomain) (1 requests pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: http-client[1]: request [Req11: POST <a href="https://ourdomain:8084/?command=report]:" class="">https://ourdomain:8084/?command=report]:</a> Submitted (requests left=1)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:38 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: client passdb out: FAIL<span class="Apple-tab-span" style="white-space:pre"> </span>1<span class="Apple-tab-span" style="white-space:pre"> </span>user=abc</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<abc>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<5aBSMC2FROF/AAAB></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Timeout (now: 2019-03-28 16:13:40.626)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Absolute timeout expired for request [Req11: POST <a href="https://ourdomain:8084/?command=report" class="">https://ourdomain:8084/?command=report</a>] (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST <a href="https://ourdomain:8084/?command=report]:" class="">https://ourdomain:8084/?command=report]:</a> Error: 9008 Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Dropping request [Req11: POST <a href="https://ourdomain:8084/?command=report" class="">https://ourdomain:8084/?command=report</a>]</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST <a href="https://ourdomain:8084/?command=report]:" class="">https://ourdomain:8084/?command=report]:</a> Destroy (requests left=1)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST <a href="https://ourdomain:8084/?command=report]:" class="">https://ourdomain:8084/?command=report]:</a> Free (requests left=0)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Backoff timer expired</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Making new connection 1 of 1 (0 connections exist, 0 pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: HTTPS connection created (1 parallel connections exist)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connected</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Starting SSL handshake</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Connection failed (1 connections exist, 0 pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084: Failed to make connection (1 connections exist, 0 pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Failed to establish any connection within our peer pool: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 connections exist, 0 pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Failed to set up connection to ex.ter.na.lip:8084 (SSL=ourdomain): SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 peers pending, 0 requests pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: queue <a href="https://ourdomain:8084:" class="">https://ourdomain:8084:</a> Failed to set up any connection; failing all queued requests</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Unlinked queue <a href="https://ourdomain:8084" class="">https://ourdomain:8084</a> (0 queues linked)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection close</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection disconnect</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Detached peer</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection destroy</span></div></div><br class=""></body></html>