Re: Trouble configuring managesive plugin for roundcube
So, here is my dovecot configuration, /etc/dovecot/dovecot.conf:

## Dovecot configuration file

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

!include conf.d/*.conf
!include_try local.conf

!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes
mail_privileged_group = mail

passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}

protocols = imap lmtp pop3

namespace inbox {
  inbox = yes
  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe # autocreate and autosubscribe the Spam mailbox
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

protocol lmtp {
  postmaster_address=postmaster@mydomain.com
  hostname=mail.mydomain.com
}

ssl = required

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *
disable_plaintext_auth = yes
mail_privileged_group = mail

passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}

namespace inbox {
  inbox = yes
  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

protocol lmtp {
  postmaster_address=postmaster@mydomain.com
  hostname=mail.mydomain.com
}

ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
ssl_prefer_server_ciphers = yes

userdb {
  driver = prefetch
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
#ssl_dh_parameters_length = 4096
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
ssl_prefer_server_ciphers = yes
#ssl_protocols = !SSLv3

userdb {
  driver = prefetch
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}
And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.
##
## ManageSieve specific settings
##

# Uncomment to enable managesieve protocol:
protocols = $protocols sieve

# Service definitions

service managesieve-login {
  inet_listener sieve {
    port = 4190
    ssl = yes
  }

  #inet_listener sieve_deprecated {
  #  port = 2000
  #}

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}

#service managesieve {
  # Max. number of ManageSieve processes (connections)
  #process_limit = 1024
#}

# Service configuration

protocol sieve {
  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
  # not involve overly long command lines, so this setting will not normally
  # need adjustment
  #managesieve_max_line_length = 65536

  # Maximum number of ManageSieve connections allowed for a user from each IP
  # address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10

  # Space separated list of plugins to load (none known to be useful so far).
  # Do NOT try to load IMAP plugins here.
  #mail_plugins =

  # MANAGESIEVE logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
  #  %{get_bytes} - Number of bytes read using GETSCRIPT command
  #  %{get_count} - Number of scripts read using GETSCRIPT command
  #  %{check_bytes} - Number of bytes processed using CHECKSCRIPT command
  #  %{check_count} - Number of scripts checked using CHECKSCRIPT command
  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
  #managesieve_logout_format = bytes=%i/%o

  # To fool ManageSieve clients that are focused on CMU's timsieved you can
  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
  # For example: 'Cyrus timsieved v2.2.13'
  #managesieve_implementation_string = Dovecot Pigeonhole

  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
  # before login. If left unassigned these will be reported dynamically
  # according to what the Sieve interpreter supports by default (after login
  # this may differ depending on the user).
  #managesieve_sieve_capability =
  #managesieve_notify_capability =

  # The maximum number of compile errors that are returned to the client upon
  # script upload or script verification.
  #managesieve_max_compile_errors = 5

  # Refer to 90-sieve.conf for script quota configuration and configuration of
  # Sieve execution limits.
}
Here is the output of testing with openssl from the roundcube server.
I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
And got this:
CONNECTED(00000003)
139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Is the second line in the output above the problem?
Thanks to all of you for your help so far!
Austin Witmer
When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.
Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?
Thanks!
Austin Witmer
On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96@emypeople.net> wrote:
Your current dovecot config as below requires you to use the tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use: $config['managesieve_host'] = 'tls://10.116.0.2';
You have debug logging enabled in your roundcube managesieve config, so the output should be in your roundcube logging. Look at that logging during a connection attempt; this helped me a lot in identifying a certificate name mismatch.
-- Christian Kivalo
Ok, I changed to $config['managesieve_host'] = 'tls://10.116.0.2'; and the below is the log from /var/www/roundcube/logs/sieve.log during a connection attempt. Does this log give you any clues?
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "NOTIFY" "mailto"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SASL" ""
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "STARTTLS"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "VERSION" "1.0"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Dovecot (Ubuntu) ready."
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> C: STARTTLS
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Begin TLS negotiation now."
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> C: LOGOUT
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: <unprintable binary data>
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: <unprintable binary data>
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: <unprintable binary data>
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: <unprintable binary data>
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S:
And here is the log from the mail server during the same connection attempt.
Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD>
And here is the output of doveconf -n
austin@mail:~$ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-121-generic x86_64 Ubuntu 20.04.4 LTS
# Hostname: mail.mydomain.com
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = /mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  hostname = mail.mydomain.com
  mail_plugins = " sieve"
  postmaster_address = postmaster@mydomain.com
}
protocol lda {
  mail_plugins = " sieve"
}
What am I missing???? Thanks so much to all of you for helping me along! This is why I like the Open-source community!
Austin Witmer
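The two managesieve-login lines quoted so far look alike but mean different things. An SSL_accept() failure with "wrong version number" means the first bytes the listener received were not a TLS record: a client that speaks plaintext and expects to do STARTTLS (or openssl s_client without -starttls sieve) hit a listener configured with ssl = yes, which expects a TLS ClientHello immediately. "TLS, no auth attempts in 0 secs" means the handshake completed and the client then hung up without ever trying to log in, which points at a check on the client side rather than at Dovecot. The script below is an added example, not code from the thread, Dovecot or Roundcube; it parses such lines and assigns a verdict. The first two sample lines are copies of the ones quoted above, the third is constructed to show the "auth failed" shape.

```python
"""Triage Dovecot managesieve-login "Disconnected" log lines.

Added example, not code from the thread, Dovecot or Roundcube. It reads the
kind of mail.log lines quoted in the thread and says what each one implies.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines 1 and 2 are copies of the managesieve-login
# lines quoted in the thread, line 3 is made up here ("auth failed" shape).
SAMPLE_LOG = """\
Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD>
Jul 10 22:40:01 mail dovecot: managesieve-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.116.0.2, TLS, session=<constructed0001>
"""

DISCONNECT_RE = re.compile(
    r"managesieve-login: Disconnected \((?P<reason>[^)]*)\): (?P<fields>.*)$"
)

# verdict code -> what to look at next
HINTS = {
    "tls-wrong-version": "the peer sent non-TLS bytes where a TLS record was "
        "expected: a STARTTLS client (or openssl s_client without -starttls sieve) "
        "against a listener with ssl = yes (implicit TLS), or the other way round",
    "tls-handshake-failed": "SSL_accept() failed for another reason; read the "
        "OpenSSL error text (protocol/cipher mismatch, unusable cert or key)",
    "client-left-after-tls": "the TLS handshake completed but the client closed "
        "without trying to log in; look at the client side, typically certificate "
        "or hostname verification failing against the name/IP it connected to",
    "no-tls-no-auth": "plaintext session with no login attempt; with "
        "disable_plaintext_auth = yes no SASL mechanisms are advertised before "
        "STARTTLS, so a client that never upgrades cannot authenticate",
    "auth-failed": "credentials were sent and rejected; check passdb, not TLS",
    "unclassified": "reason not recognised by this script",
}


def parse_fields(fields: str) -> Tuple[Dict[str, str], List[str]]:
    """Split 'user=<>, rip=1.2.3.4, TLS, session=<x>' into key=value pairs and bare flags."""
    kv: Dict[str, str] = {}
    flags: List[str] = []
    for part in fields.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key] = value.strip("<>")
        else:
            flags.append(part)
    return kv, flags


def classify(reason: str, flags: List[str]) -> Tuple[bool, Optional[str], str]:
    """Return (tls_established, handshake_error, verdict code)."""
    handshake = next((f for f in flags if f.startswith("TLS handshaking")), None)
    if handshake is not None:  # handshake never completed, so no TLS session
        code = "tls-wrong-version" if "wrong version number" in handshake else "tls-handshake-failed"
        return False, handshake, code
    tls = "TLS" in flags
    if reason.startswith("auth failed"):
        return tls, None, "auth-failed"
    if reason.startswith("no auth attempts"):
        return tls, None, ("client-left-after-tls" if tls else "no-tls-no-auth")
    return tls, None, "unclassified"


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Triage record for a managesieve-login Disconnected line; None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    kv, flags = parse_fields(m.group("fields"))
    tls, handshake, verdict = classify(m.group("reason"), flags)
    return {
        "reason": m.group("reason"),
        "user": kv.get("user", ""),
        "rip": kv.get("rip", ""),
        "lip": kv.get("lip", ""),
        "tls": tls,
        "handshake_error": handshake,
        "verdict": verdict,
        "hint": HINTS[verdict],
    }


def triage_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(f"{rec['rip']} -> {rec['lip']} [{rec['verdict']}] {rec['reason']}")
        print(f"    {rec['hint']}")
```

Run it as a script to see the verdicts for the sample, or pass the output of grep managesieve-login /var/log/mail.log to triage_log(). The "auth failed" path is there to keep credential problems apart from TLS problems; everything that is not a managesieve-login Disconnected line is ignored.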
On 2022-07-10 23:10, Austin Witmer wrote:
No auth mechanisms are advertised.
The client disconnects immediately after STARTTLS.
ssl_client_ca_dir = /etc/ssl/certs: drop this one too.
I have set in /etc/dovecot/conf.d/10-auth.conf auth_mechanisms = plain login
and a connection attempt before STARTTLS shows
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve"
"NOTIFY" "mailto"
"SASL" "PLAIN LOGIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
-- Christian Kivalo
See below.
I added “login” to my auth_mechanisms line in /etc/dovecot/conf.d/10-auth.conf. That line already looked like auth_mechanisms = plain
This is what the line looks like now: auth_mechanisms = plain login
I restarted dovecot and it still is not advertising anything after “SASL” in the sieve log file. See below:
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready."
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now."
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: <unprintable binary data>
[10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:
And once again the line from my mail.log file.
Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD>
Any further suggestions? Why do you suppose that the auth mechanisms are not being advertised?
Austin Witmer
On 2022-07-11 00:38, Austin Witmer wrote:
roundcube sends no user login to dovecot managesieve, that's why it fails now imho
what is the managesieve config in roundcube? try disabling tls, tls is overkill for rfc1918 ips, why not 127.0.0.1?
chrooted something?
i am not an expert, but it works for me on gentoo :)
On Jul 10, 2022, at 5:34 PM, Benny Pedersen <me@junc.eu> wrote:
That's what I'm thinking too, but I don't have a clue how to remedy that.
> what is the managesieve config in roundcube? try disabling tls, tls is overkill for rfc1918 ips, why not 127.0.0.1?
I posted my managesieve earlier in this thread. I have tried disabling tls in the managesieve config in roundcube but that doesn’t work either.
Roundcube is running on a different server than dovecot so I don’t see how I could use 127.0.0.1 in my managesieve config in roundcube.
> chrooted something?
> i am not an expert, but it works for me on gentoo :)
Are your running dovecot and roundcube on the same server?
Austin Witmer
One more thing comes to mind regarding the ssl options in the managesieve plugin config. Do you use a self signed cert in dovecot?
One more thing you could try, in your managesieve plugin config.inc.php
remove this section:
$config['managesieve_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'allow_self_signed' => true,
    ),
);
add this section:
$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name' => 'change to the hostname from dovecots ssl certificate',
    ],
];
add in there, when using self-signed cert 'allow_self_signed' => true,
-- Christian Kivalo
So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com'; to the fqdn of my mail server instead of the internal IP address and now it works!
Why would using the fqdn work, but not the internal LAN IP address?
As a side note, I am now remembering that in my main Roundcube config, I had to use the fqdn for the imap and smtp server instead of the internal LAN IP address. Is it because it needs to connect to a host with the same hostname that the certificate returns? Would it work to add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com"? I should be able to use the internal IP addresses, right? Are there downsides to using the fqdn?
I may have some questions about configuring sieve rules later, but I can start a new thread for that.
Austin Witmer
On 2022-07-12 16:19, Austin Witmer wrote:
The hosts file entry would help with name resolution but not with certificate verification.
But you can make php think it connects to the correct hostname with the ssl connection options
$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name' => 'FQDN of mailserver',
    ],
];
This probably even works without the "verify_peer" line, haven't tested.
-- Christian Kivalo
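What the sieve.log traces earlier in the thread show, and what the peer_name fix above does, as an added example that is not code from Roundcube, Net_Sieve or Dovecot. Before TLS, Dovecot with disable_plaintext_auth = yes advertises "SASL" "" on an unencrypted non-local connection, so the only sensible move for the client is STARTTLS; after the handshake the server re-sends its capability list (RFC 5804), now with mechanisms, and the client has to read that second list before it can authenticate. The certificate must then be checked against the name it was issued for, not against the IP used for the TCP connection, which is what Roundcube's peer_name option arranges. The Python client below connects to the LAN IP and verifies the certificate for the FQDN. The address 10.116.0.2, the name mail.mydomain.com and both greeting samples are assumptions/constructed from what the thread shows.

```python
"""ManageSieve STARTTLS client that verifies the certificate for a chosen name.
Added example (not Roundcube, Net_Sieve or Dovecot code); addresses and
greetings are assumptions/constructed samples modelled on the thread."""
import re
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed pre-TLS greeting: with disable_plaintext_auth = yes Dovecot
# advertises "SASL" "" on an unencrypted, non-local connection.
PRE_TLS_GREETING = (
    b'"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"\r\n'
    b'"SIEVE" "fileinto reject envelope vacation imap4flags"\r\n'
    b'"NOTIFY" "mailto"\r\n'
    b'"SASL" ""\r\n'
    b'"STARTTLS"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "Dovecot (Ubuntu) ready."\r\n'
)
# Constructed post-TLS capability list, re-sent by the server after STARTTLS
# (RFC 5804) and now carrying the mechanisms the client may use.
POST_TLS_GREETING = (
    b'"SIEVE" "fileinto reject envelope vacation imap4flags"\r\n'
    b'"SASL" "PLAIN LOGIN"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "TLS negotiation successful."\r\n'
)

CAP_RE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')
FINAL = (b"OK", b"NO", b"BYE")


def split_response(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Split a complete server response into (final OK/NO/BYE line, lines before it)."""
    lines = [l for l in data.split(b"\r\n") if l != b""]
    if not lines or not lines[-1].startswith(FINAL):
        raise ValueError("response does not end with OK/NO/BYE")
    return lines[-1], lines[:-1]


def parse_capabilities(lines: List[bytes]) -> Dict[str, str]:
    """'"NAME" "value"' lines -> dict; value-less capabilities (STARTTLS) map to ''."""
    caps: Dict[str, str] = {}
    for raw in lines:
        m = CAP_RE.match(raw.decode("utf-8", "replace"))
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def next_step(caps: Dict[str, str], tls_active: bool) -> str:
    """What a well-behaved client does with the advertised capabilities."""
    if caps.get("SASL", "").split():
        return "AUTHENTICATE"
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"   # mechanisms are withheld until the session is encrypted
    return "GIVE_UP"        # encrypted (or no STARTTLS offered) and still nothing to log in with


def read_response(sock) -> Tuple[bytes, List[bytes]]:
    """Read one response byte by byte (defensive: no buffered reader is left holding
    bytes that belong to the TLS layer once the socket is wrapped)."""
    buf = bytearray()
    while True:
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n") and bytes(buf).split(b"\r\n")[-2].startswith(FINAL):
            return split_response(bytes(buf))


def connect_starttls(host: str, peer_name: Optional[str] = None, port: int = 4190,
                     cafile: Optional[str] = None, timeout: float = 10.0):
    """Connect to host:port, upgrade with STARTTLS, verify the certificate for
    peer_name (default: host) and return (tls_socket, post-TLS capabilities)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification + hostname check stay ON
    conn = socket.create_connection((host, port), timeout=timeout)
    try:
        _, lines = read_response(conn)
        if next_step(parse_capabilities(lines), tls_active=False) != "STARTTLS":
            raise RuntimeError("server offers neither STARTTLS nor SASL mechanisms")
        conn.sendall(b"STARTTLS\r\n")
        status, _ = read_response(conn)
        if not status.startswith(b"OK"):
            raise RuntimeError("STARTTLS refused: %r" % status)
        # Verify against the name in the certificate even when host is an IP.
        conn = ctx.wrap_socket(conn, server_hostname=peer_name or host)
        _, lines = read_response(conn)          # second capability list, now encrypted
        caps = parse_capabilities(lines)
        if next_step(caps, tls_active=True) != "AUTHENTICATE":
            raise RuntimeError("no SASL mechanisms even after TLS: %r" % caps)
    except Exception:
        conn.close()
        raise
    return conn, caps


if __name__ == "__main__":
    # Assumed from the thread: TCP to the LAN IP, certificate issued for the FQDN.
    tls_sock, caps = connect_starttls("10.116.0.2", peer_name="mail.mydomain.com")
    print("mechanisms after STARTTLS:", caps["SASL"])
    tls_sock.sendall(b"LOGOUT\r\n")
    tls_sock.close()
```

The __main__ part needs a reachable server; the parsing and decision functions run offline. In Roundcube terms the equivalent is 'ssl' => ['peer_name' => 'mail.mydomain.com'] with verify_peer left at its default of true, which is what the "probably works without the verify_peer line" remark above amounts to. Setting 'verify_peer' => false, as in the workaround config, switches certificate validation off entirely and lets anything that answers on 10.116.0.2:4190 impersonate the mail server to the webmail host.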
Thanks so much Christian Kivalo!
See below.
I added the block above to my managesieve configuration in Roundcube and now connected to an internal IP address works beautifully!
Now I just need to figure out how to accomplish the same thing for the imap and smtp server that Roundcube is using. Is there a block similar to the one above that I could add to my Roundcube config.inc.php file to enable me to use internal addresses for my imap and smtp servers?
Thanks again for everyone’s help! Much appreciated!
Austin Witmer
Hi, yes, the same ssl connection config should work in roundcube config.inc.php; just use ['imap_conn_options'] and ['smtp_conn_options'] respectively. There are examples in roundcube's default.inc.php file.
-- Christian Kivalo
participants (3): Austin Witmer, Benny Pedersen, Christian Kivalo