With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the following in my logs:
Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error: Login failed for username from [ip-address]. Could not connect to ssl://imap.some.domain:993: Unknown reason in /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /rcm/?_task=login&_action=login)
Outgoing SMTP TLS connections from Roundcube are affected, too. This is probably caused by how PHP 5.6 verifies certificates. I have tried configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate chains, but no dice. I am positive that the IMAP and SMTP servers (Dovecot and Postfix, respectively) are configured correctly, because MUAs like Thunderbird or iOS Mail connect successfully.
When I include the following workaround in config.inc.php Roundcube can connect to the IMAP server:
$config['default_host'] = 'ssl://imap.some.domain';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
    ),
);
Does anybody here know how to debug and fix this? Other people seem to have this problem as well, but disabling peer verification was the only recommendation I could find so far, and for obvious reasons I would like to avoid that.
-Ralph
I had the same problems until a saint suggested that I stop using self-signed certificates and start using Let's Encrypt. It's completely free and you can create strong signed certificates in minutes. There are also several ways to create an automatic renewal process.
I switched from self-signed certificates to a strong certificate signed by an authority for free in less than an hour.
This guide has everything you need to know. https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-...
Bye Davide
On 10 August 2017 3:46:12 PM Ralph Seichter m16+roundcube@monksofcool.net wrote:
[...]
-Ralph
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
On 10.08.17 19:00, Davide Perini wrote:
I had the same problems until a saint suggested that I stop using self-signed certificates and start using Let's Encrypt. It's completely free and you can create strong signed certificates in minutes.
Thanks, I am aware of Let's Encrypt, but the problems I described occur with certificates issued by both Let's Encrypt and by my own CA (not self-signed certs, but a real CA). I guess I should have mentioned that.
I included my own CA certificates and those provided by Let's Encrypt in my Roundcube server's keychain, but it just does not work as expected. I am fairly certain it is related to PHP 5.6 in particular, as I described earlier.
-Ralph
Ralph Seichter m16+roundcube@monksofcool.net wrote:
[...]
I did struggle for a long time as well ;-)
Here's my "HOWTO" in config.inc.php, and please note that my roundcube/nginx and my postfix/dovecot (10.10.10.2) run in different FreeBSD jails. Thus you might need to stick with localhost:
// GRIMM (howto)
//
// ssl: explicit SSL
// tls: implicit STARTTLS
//
// peer_name:
// openssl s_client -connect 10.10.10.2:993 will show Common Name (CN)
// of peer's certificate, and that name will become peer_name
//
// IMPORTANT: pkg install ca_root_nss
//
// GRIMM (modified from 'localhost')
$config['default_host'] = 'ssl://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['imap_conn_options'] = array(
    'ssl' => array(
        'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// TCP port used for IMAP connections
// GRIMM (modified from 143)
$config['default_port'] = 993;
// GRIMM (end)

// SMTP server host (for sending mails).
// GRIMM (modified from '')
$config['smtp_server'] = 'tls://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
// GRIMM (modified from 25)
$config['smtp_port'] = 587;
// GRIMM (end)
HTH and regards, Michael
On 10.08.17 19:50, Michael Grimm wrote:
Here's my "HOWTO" in config.inc.php, and please note that my roundcube/nginx and my postfix/dovecot (10.10.10.2) run in different FreeBSD jails. Thus you might need to stick with localhost [...]
I verified that the peer name matches my
$config['default_host'] = 'ssl://imap.some.domain';
entry, and I also tested your
'peer_name' => 'imap.some.domain'
suggestion, but still no workee. Using localhost is not an option, because Roundcube runs on server A and Dovecot/Postfix on server B (namely imap.some.domain). Also, if I could use localhost, I would not mind turning off peer verification.
-Ralph
I am using PHP 5.6 and I don't have this problem, so no, I don't think that this is your problem. I'm pretty sure that the problem resides in your postfix/dovecot configuration, if you use those.
If you use postfix/dovecot I can tell you where to look.
Bye, Davide
On 10/08/2017 19.30, Ralph Seichter wrote:
[...]
On 11.08.17 00:00, Davide Perini wrote:
I'm pretty sure that the problem resides in your postfix/dovecot configuration, if you use those.
Sorry, but no. As I stated in my OP, other clients can access Dovecot and Postfix just fine (tested with iOS Mail, Apple Mail, Thunderbird on macOS and Windows). Roundcube 1.3 with PHP 5.6 is the only combination causing problems, and since Roundcube uses PHP to establish IMAP connections and I can connect fine if I disable PHP peer verification, the cause is definitely that verification mechanism failing on my Roundcube server. The crux is to figure out why it fails.
Google confirms that other people experienced similar problems after updating to PHP 5.6, which enabled peer verification as a default setting (see http://php.net/manual/en/migration56.openssl.php).
-Ralph
If you use correct certificates with a correct postfix/dovecot configuration you must be able to do peer verification. If you are not able to do it, you don't have the right certificates or the right configuration. The wrong config may reside in the postfix/dovecot files or in roundcube itself.
Thunderbird ignores peer verification on both IMAP and SMTP.
Bye
On 11 August 2017 00:24:52 Ralph Seichter m16+roundcube@monksofcool.net wrote:
[...]
On 2017-08-10 20:21, Ralph Seichter wrote:
I verified that the peer name matches my
$config['default_host'] = 'ssl://imap.some.domain';
entry, and I also tested your
'peer_name' => 'imap.some.domain'
suggestion, but still no workee.
I had to install FreeBSD's ca_root_nss port [1] as well. Do you have those root certificates in place at your host running roundcube?
Regards, Michael
[1] port description: Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird.
On 11.08.2017 09:40, Michael Grimm wrote:
I had to install FreeBSD's ca_root_nss port [1] as well. Do you have those root certificates in place at your host running roundcube?
The Gentoo equivalent package is app-misc/ca-certificates, and yes, it is installed. Additionally, I manually placed certs for my own CA and for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is Gentoo's recommended method of providing additional CA information. My php.ini contains
openssl.cafile=/etc/ssl/certs/ca-certificates.crt
which is generated by Gentoo and contains all certs in one big file (See "man update-ca-certificates").
What I have done today is to rebuild OpenSSL, PHP and even Apache, in that order. It seemed a long shot, but I had run out of ideas. Lo and behold, rebuilding has done the trick! A simple
$config['default_host'] = 'ssl://imap.some.domain';
without any additional options is now sufficient, and peer verification obviously works, as I also verified using
openssl s_client -showcerts -connect imap.some.domain:993
I'm obviously glad, but still, colour me surprised. :-P
-Ralph
On 11.08.2017 09:26, Davide Perini wrote:
Thunderbird ignores peer verification on both IMAP and SMTP.
Nope. For a test, set up foo.some.domain and bar.some.domain as CNAME records for imap.some.domain, with the server certificate containing both imap.some.domain and foo.some.domain, but not bar.some.domain.
The attempt to connect with an IMAP server name of bar.some.domain will cause Thunderbird to open an "Add Security Exception" dialog, with the complaint "Wrong Site - The certificate belongs to a different site, which could mean that someone is trying to impersonate this site." (see attached image). That's the result of peer verification.
-Ralph
I'm using php56 with roundcube(1.3.0) and got no problems with being able to send mail via roundcube.
imap settings:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/pki/tls/certs/combined.pem',
    ),
);
smtp settings:
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => true,
        'verify_depth' => 3,
    ),
);
Hope that helps?
Cheers!
Maarten
On 2017-08-10 15:38, Ralph Seichter wrote:
[...]
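An added diagnostic script, not from this thread or from Roundcube itself, that performs the same ssl:// handshake Roundcube does with peer verification switched on and prints the OpenSSL warning text that rcube_imap.php reports only as "Unknown reason". It combines the options discussed in the thread (cafile and verify_depth from Maarten's settings, peer_name from Michael's); the host, port, CA bundle path and peer name are assumptions to be adjusted.

```php
<?php
// Reproduce Roundcube's TLS connection with verification ON and surface the
// real failure reason. Host/port/bundle below are placeholders (assumed values).
$host   = 'imap.some.domain';
$port   = 993;
$cafile = '/etc/ssl/certs/ca-certificates.crt';   // same bundle as in php.ini

$ctx = stream_context_create(array(
    'ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,   // must match a CN or SAN in the server cert
        'cafile'            => $cafile, // CA bundle used to build the chain
        'verify_depth'      => 3,
        'capture_peer_cert' => true,    // keep the leaf cert so we can inspect it
    ),
));

// On a verification failure stream_socket_client() returns false with an empty
// $errstr; the useful text ("certificate verify failed", "did not match expected
// CN") arrives as E_WARNING, so collect warnings instead of suppressing them.
$warnings = array();
set_error_handler(function ($no, $str) use (&$warnings) { $warnings[] = $str; return true; });
$fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
restore_error_handler();

if ($fp === false) {
    echo "Handshake FAILED (errno $errno): $errstr\n";
    foreach ($warnings as $w) {
        echo "  openssl: $w\n";
    }
    // "unable to get local issuer certificate" -> CA bundle/cafile problem;
    // "Peer certificate CN=... did not match"  -> peer_name/default_host mismatch.
    exit(1);
}

// Verification succeeded: show what the server presented and its IMAP greeting.
$params = stream_context_get_params($fp);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
$sans   = isset($cert['extensions']['subjectAltName'])
        ? $cert['extensions']['subjectAltName'] : '(none)';
echo "Handshake OK, chain verified against $cafile\n";
echo "  subject CN : " . $cert['subject']['CN'] . "\n";
echo "  SANs       : $sans\n";
echo "  not after  : " . date('Y-m-d', $cert['validTo_time_t']) . "\n";
echo "  greeting   : " . trim(fgets($fp)) . "\n";   // "* OK ..." IMAP banner
fclose($fp);
```

Run it with the same PHP binary and php.ini that serve Roundcube (e.g. via the web server's user), since a CLI php.ini may point at a different openssl.cafile than the one the web SAPI uses.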
On 11-08-2017 12:28:23, Ralph Seichter wrote:
I had to install FreeBSD's ca_root_nss port [1] as well. Do you have those root certificates in place at your host running roundcube?
The Gentoo equivalent package is app-misc/ca-certificates, and yes, it is installed. Additionally, I manually placed certs for my own CA and for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is Gentoo's recommended method of providing additional CA information. My php.ini contains
openssl.cafile=/etc/ssl/certs/ca-certificates.crt
which is generated by Gentoo and contains all certs in one big file (See "man update-ca-certificates").
If I add new certificates to my repository, in /etc/ssl/certs in my case, I have to remember to run OpenSSL's 'c_rehash'. Perhaps this is your problem? It's possible that it's not, as I'm used to Ubuntu.
What I have done today is to rebuild OpenSSL, PHP and even Apache, in that order. It seemed a long shot, but I had run out of ideas. Lo and behold, rebuilding has done the trick! A simple
My guess would be that this runs 'c_rehash' as part of the build process.
Maarten.