[RCU] managesieve-plugin closes connection before negotiation

Florian Ruhnke (OiledAmoeba) forum at ruhnke.cloud
Wed Jul 31 17:14:50 CEST 2019


Hi,

I do have an running dovecot-sieve installation. There is no problem to 
use it with rainloop or Thunderbird. But I can't get roundcube to work 
with sieve.
Dovecot forces to initiate TLS before auth. SSL is disabled, only TLS 
1.2+ is enabled.

sieve-log of roundcube:
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "IMPLEMENTATION" "Dovecot 
Pigeonhole"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SIEVE" "fileinto reject 
envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include 
variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "NOTIFY" "mailto"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "SASL" ""
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "STARTTLS"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: "VERSION" "1.0"
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Doctor, your Tardis is 
ready."
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: STARTTLS
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: NO "Error in MANAGESIEVE 
command received by server."
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> C: LOGOUT
[31-Jul-2019 16:24:29 +0200]: <fqn6h82s> S: OK "Begin TLS negotiation 
now."

maillog (dovecot errors):
Jul 31 16:24:29 mail dovecot: managesieve-login: Disconnected (no auth 
attempts in 0 secs): user=<>, rip=10.23.102.80, lip=10.23.102.251, TLS 
handshaking: SSL_accept() failed: error:1408F10B:SSL 
routines:ssl3_get_record:wrong version number, 
session=<rbUW4vqOC+MKF2ZQ>

managesieve config.inc.php:
$config['managesieve_port'] = 4190;
$config['managesieve_host'] = 'mail.domain.tld';
$config['managesieve_auth_type'] = 'PLAIN';
$config['managesieve_auth_cid'] = null;
$config['managesieve_auth_pw'] = null;
$config['managesieve_usetls'] = true;
//$config['managesieve_conn_options'] = null;
$config['managesieve_conn_options'] = array(
  'ssl' => array(
  'verify_peer' => true,
  'verify_peer_name' => true,
  'allow_self_signed' => false,
  ),
);
$config['managesieve_default'] = '/etc/dovecot/sieve/global';
$config['managesieve_script_name'] = 'managesieve';
$config['managesieve_mbox_encoding'] = 'UTF-8';
$config['managesieve_replace_delimiter'] = '';
$config['managesieve_disabled_extensions'] = array();
$config['managesieve_debug'] = true;
$config['managesieve_kolab_master'] = false;
$config['managesieve_filename_extension'] = '.sieve';
$config['managesieve_filename_exceptions'] = array();
$config['managesieve_domains'] = array();
$config['managesieve_vacation'] = 1;
$config['managesieve_vacation_interval'] = 0;
$config['managesieve_vacation_addresses_init'] = false;
$config['managesieve_vacation_from_init'] = false;
$config['managesieve_notify_methods'] = array('mailto');
$config['managesieve_raw_editor'] = true;

The dovecot-log looks like roundcube is trying to initiate SSL3 but this 
is disabled. I think "Error in MANAGESIEVE command received by server." 
has to do with the deactivated SSL.

Connecting to dovecot manually with gnutls-cli --starttls -p 4190 
mail.domain.tld:
Processed 306 CA certificate(s).
Resolving 'mail.domain.tld:4190'...
Connecting to '<IP>:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include 
variables body enotify environment mailbox date index ihave duplicate m
ime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Doctor, your Tardis is ready."
NO "Error in MANAGESIEVE command received by server."
STARTTLS
OK "Begin TLS negotiation now."
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
  - subject `CN=mail.domain.tld', issuer `CN=Let's Encrypt Authority 
X3,O=Let's Encrypt,C=US', serial 0x03c0d3d322307e5a997f654b435b56480773, 
RSA key 4096 bits, signed using RSA-SHA256, activated `2019-06-06 
09:18:10 UTC', expires `2019-09-04 09:18:10 UTC', 
pin-sha256="8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4="
         Public Key ID:
                 sha1:62b08cf75ae6c45915db8d8c7bff6947788ac3b2
                 
sha256:f12975ee55b1598489713729a501b80cb4818443ffb91919e4d4d07dd924a12e
         Public Key PIN:
                 pin-sha256:8Sl17lWxWYSJcTcppQG4DLSBhEP/uRkZ5NTQfdkkoS4=

- Certificate[1] info:
  - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer 
`CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using 
RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 
16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: 
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include 
variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" "PLAIN LOGIN"
"VERSION" "1.0"
OK "TLS negotiation successful."
LOGOUT
OK "Logout completed."
- Peer has closed the GnuTLS connection

So, what do I have to do to get roundcube to talk to sieve?


More information about the users mailing list