Ralph Seichter m16+roundcube@monksofcool.net wrote:
With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the following in my logs:
Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error: Login failed for username from [ip-address]. Could not connect to ssl://imap.some.domain:993: Unknown reason in /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /rcm/?_task=login&_action=login)
Outgoing SMTP TLS connections from Roundcube are affected, too. This is probably caused by how PHP 5.6 verifies certificates. I have tried configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate chains, but no dice. I am positive that the IMAP and SMTP servers (Dovecot and Postfix, respectively) are configured correctly, because MUAs like Thunderbird or iOS Mail connect successfully.
When I include the following workaround in config.inc.php, Roundcube can connect to the IMAP server:
$config['default_host'] = 'ssl://imap.some.domain';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
    ),
);
Does anybody here know how to debug and fix this? Other people seem to have this problem as well, but disabling peer verification was the only recommendation I could find so far, and for obvious reasons I would like to avoid that.
I did struggle for a long time as well ;-)
Here's my "HOWTO" in config.inc.php, and please note that my roundcube/nginx and both postfix/dovecot (10.10.10.2) run in different FreeBSD jails. Thus you might need to stick with localhost:
// GRIMM (howto)
//
// ssl: explicit SSL
// tls: implicit STARTTLS
//
// peer_name:
//   openssl s_client -connect 10.10.10.2:993 will show Common Name (CN)
//   of peer's certificate, and that name will become peer_name
//
// IMPORTANT: pkg install ca_root_nss
//
// GRIMM (modified from 'localhost')
$config['default_host'] = 'ssl://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['imap_conn_options'] = array(
    'ssl' => array(
        'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// TCP port used for IMAP connections
// GRIMM (modified from 143)
$config['default_port'] = 993;
// GRIMM (end)

// SMTP server host (for sending mails).
// GRIMM (modified from '')
$config['smtp_server'] = 'tls://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
// GRIMM (modified from 25)
$config['smtp_port'] = 587;
// GRIMM (end)
HTH and regards, Michael
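
One way to see the real reason behind "Unknown reason" while keeping peer verification on, as an added example that is not part of either post or of Roundcube: a PHP CLI script (PHP 5.6 compatible) that attempts a verified handshake against the implicit-TLS IMAP port, shows where PHP looks for CA certificates, and lists the names in the server certificate. The default target and peer name are the thread's own values and stand in for yours; the STARTTLS submission port is not covered.

```php
<?php
// Added diagnostic, not Roundcube code. Defaults are the thread's values.
// Usage: php tlscheck.php ssl://HOST:993 EXPECTED-CERT-NAME
$target   = isset($argv[1]) ? $argv[1] : 'ssl://10.10.10.2:993';
$peerName = isset($argv[2]) ? $argv[2] : 'imap.some.domain';

// One TLS handshake with the given 'ssl' context options; nothing is sent
// afterwards. PHP warnings are collected because they carry the OpenSSL reason.
function tls_probe($target, array $ssl)
{
    $warnings = array();
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $ctx = stream_context_create(array('ssl' => $ssl));
    $fp = stream_socket_client($target, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    $cert = null;
    if ($fp !== false) {
        $params = stream_context_get_params($fp);
        if (isset($params['options']['ssl']['peer_certificate'])) {
            $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
        }
        fclose($fp);
    }
    return array('ok' => $fp !== false, 'warnings' => $warnings, 'cert' => $cert);
}

// 1) The handshake Roundcube needs: chain and name verification both on.
$strict = tls_probe($target, array(
    'verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $peerName,
));
echo $strict['ok'] ? "verified as $peerName\n"
    : "verification failed:\n  " . implode("\n  ", $strict['warnings']) . "\n";
// 2) Where this PHP build looks for CA certificates (php.ini and defaults).
$loc = openssl_get_cert_locations();
foreach (array('ini_cafile', 'ini_capath', 'default_cert_file', 'default_cert_dir') as $k) {
    $state = empty($loc[$k]) ? 'not set' : (is_readable($loc[$k]) ? 'readable' : 'NOT readable');
    printf("%-18s %s [%s]\n", $k, $loc[$k], $state);
}
// 3) Diagnosis only: read the certificate unverified to list its names.
$loose = tls_probe($target, array(
    'verify_peer' => false, 'verify_peer_name' => false, 'capture_peer_cert' => true,
));
if ($loose['cert']) {
    $c = $loose['cert'];
    $cn = isset($c['subject']['CN']) ? $c['subject']['CN'] : '(none)';
    $san = isset($c['extensions']['subjectAltName']) ? $c['extensions']['subjectAltName'] : '(none)';
    echo "CN: " . (is_array($cn) ? implode(', ', $cn) : $cn) . "\nSAN: $san\n";
    echo "expires: " . gmdate('Y-m-d', $c['validTo_time_t']) . " UTC\n";
}
```

A name-mismatch warning in step 1 points at `peer_name`; a "certificate verify failed" warning together with unreadable paths in step 2 points at the CA bundle.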