On Thu, 06 Aug 2009 12:34:30 +0200, "A.L.E.C" alec@alec.pl wrote:
Julien Vehent wrote:
OK, so to use STARTTLS with roundcube, the postfix server must be configured with the option smtpd_enforce_tls = yes, right?
No, it must not. As I see in the code, STARTTLS is called when authentication is requested (when smtp_user and smtp_pass options in Roundcube config are set) and (from Net_SMTP):
version_compare(PHP_VERSION, '5.1.0', '>=') && extension_loaded('openssl') && isset($this->_esmtp['STARTTLS']) && strncasecmp($this->host, 'ssl://', 6) != 0
OK, it confirms what I read in the postfix doc, that the server must not enforce STARTTLS (RFC 2487).
So, I have the following roundcube configuration:
// use this host for sending mails.
// to use SSL connection, set ssl://smtp.host.com
// if left blank, the PHP mail() function is used
$rcmail_config['smtp_server'] = 'ssl://localhost';
// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 25;
// SMTP username (if required) if you use %u as the username RoundCube
// will use the current username for login
$rcmail_config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password RoundCube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '%p';
// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
and the following postfix configuration:
# TLS server options
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = [keyfile]
smtpd_tls_cert_file = [pemcert]
smtpd_tls_CAfile = [cafile]
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_ask_ccert = yes
and the following trace when I try to send an email from roundcube to my gmail account: http://www.linuxwall.info/files/starttlsroundcubetrace.pcap.txt
Postfix sends its banner in packet '12:43:23.225014' and then roundcube ACKs it and does nothing more. It doesn't send any more data. My understanding is that roundcube should then announce itself through an 'EHLO' command, and postfix would return its capabilities.
But instead, postfix then announces that the command has not been recognized (but what command? The ack number didn't change between '12:43:23.209554' and '12:43:23.225096', so no data has been transmitted...)
It's weird, and I don't know how to debug it further...
The only thing I'm sure of, is that this postfix configuration works fine with thunderbird in TLS mode.
Julien
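Added example, not part of the thread above and not Roundcube, Net_SMTP or Postfix code: a small Python client/server pair that walks through the STARTTLS decision quoted from Net_SMTP (PHP version, openssl extension, STARTTLS advertised in the EHLO reply, host not prefixed with ssl://). The fake server, the host names webmail.example.invalid and mail.example.invalid, and its capability list are all constructed. The server only plays the SMTP side of the exchange (banner, EHLO reply, 220 to STARTTLS) and never completes a TLS handshake; the interesting second case is what such a plaintext port answers when the client opens implicit TLS against it, which is what an ssl:// host on port 25 asks the client to do.

```python
"""STARTTLS negotiation as Net_SMTP decides it, against an in-process fake
plaintext SMTP server that advertises STARTTLS (added example, not project code)."""
import socket
import ssl
import threading

# Constructed EHLO capability list for the fake server.
FAKE_CAPS = ["PIPELINING", "SIZE 10240000", "STARTTLS", "ENHANCEDSTATUSCODES", "8BITMIME"]


def fake_postfix(conn: socket.socket, advertise_starttls: bool = True) -> None:
    """Server side: banner, EHLO reply, STARTTLS reply, then close.
    One command per recv() is enough because the client waits for each reply."""
    with conn:
        conn.sendall(b"220 mail.example.invalid ESMTP Postfix\r\n")
        while True:
            data = conn.recv(4096)
            if not data:
                return
            if data[:1] == b"\x16":
                # 0x16 is the TLS Handshake record type: the client spoke TLS
                # (implicit, ssl://-style) on a port that expects a plaintext EHLO.
                conn.sendall(b"500 5.5.2 Error: command not recognized\r\n")
                return
            cmd = data.strip().upper()
            if cmd.startswith(b"EHLO"):
                caps = [c for c in FAKE_CAPS if advertise_starttls or c != "STARTTLS"]
                lines = ["250-mail.example.invalid"] + ["250-" + c for c in caps[:-1]] + ["250 " + caps[-1]]
                conn.sendall(("\r\n".join(lines) + "\r\n").encode())
            elif cmd == b"STARTTLS":
                if advertise_starttls:
                    conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                else:
                    conn.sendall(b"502 5.5.1 Error: command not implemented\r\n")
                return  # a real server would now run the TLS handshake on this socket
            elif cmd == b"QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def serve_once(advertise_starttls: bool = True) -> int:
    """Listen on an ephemeral loopback port, serve one connection in a thread, return the port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def run():
        conn, _ = lsock.accept()
        lsock.close()
        fake_postfix(conn, advertise_starttls)

    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]


def parse_ehlo(reply: str) -> set:
    """Collect capability keywords from a multi-line 250 reply (first line is the greeting)."""
    caps = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def net_smtp_wants_starttls(host: str, caps: set, openssl_loaded: bool = True,
                            php_version=(5, 3, 0)) -> bool:
    """The four-part Net_SMTP condition quoted in the thread, written as a function."""
    return (php_version >= (5, 1, 0) and openssl_loaded
            and "STARTTLS" in caps and not host.lower().startswith("ssl://"))


def negotiate(host: str, port: int, php_version=(5, 3, 0)):
    """Connect the way a Roundcube-like client would and report how far TLS setup got."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    if host.lower().startswith("ssl://"):
        # ssl:// means implicit TLS: handshake first, SMTP afterwards. Verification is
        # off only because the fake server has no certificate; the handshake never gets that far.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(raw, server_hostname="localhost")
        except OSError as e:  # ssl.SSLError: the "220 ..." banner is not a TLS record
            return ("implicit-tls-failed", getattr(e, "reason", None) or str(e))
        tls.close()
        return ("implicit-tls", None)
    with raw:
        raw.recv(1024)  # banner
        raw.sendall(b"EHLO webmail.example.invalid\r\n")
        caps = parse_ehlo(raw.recv(4096).decode())
        if not net_smtp_wants_starttls(host, caps, php_version=php_version):
            raw.sendall(b"QUIT\r\n")
            return ("plaintext", caps)
        raw.sendall(b"STARTTLS\r\n")
        reply = raw.recv(1024).decode()
        # A real client now wraps the socket with ctx.wrap_socket() and sends EHLO again.
        return ("starttls", reply.split()[0])


if __name__ == "__main__":
    print(negotiate("localhost", serve_once()))          # ('starttls', '220')
    print(negotiate("ssl://localhost", serve_once()))    # ('implicit-tls-failed', ...)
    print(negotiate("localhost", serve_once(False)))     # ('plaintext', {...})
```

Run it as a script to see the three outcomes: a plain host name against a STARTTLS-capable port ends with the server's 220 and the client ready to wrap the socket; the same host with an ssl:// prefix sends a ClientHello before reading anything, the fake server answers the unrecognised bytes with a 500 line, and the client's TLS library rejects the SMTP text it reads back; a server that does not advertise STARTTLS leaves the client in plaintext, which is the case smtpd_tls_auth_only is meant to guard against on the server side.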
List info: http://lists.roundcube.net/dev/