Ok, I changed to $config['managesieve_host'] = 'tls://10.116.0.2’; and the below is the log from /var/www/roundcube/logs/sieve.log during a connection attempt. Does this log give you any clues?

[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "NOTIFY" "mailto" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SASL" "" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "STARTTLS" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "VERSION" "1.0" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> C: STARTTLS [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Begin TLS negotiation now." [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> C: LOGOUT [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?=?C-ɓH????(??̸?.?2 [S?w??K???:?&Bn3v?*?z[??'K?x?@??W??T-?q?\?o?Tub.Nr?)*??j?ב??= ?P^??.mr???+?5e.ُ?q?.$????/????uݚ?B~?f+>?????.ܮ?.?=ʑ? [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?A?\???F???X? c+ԩ???!???{?-??\?]?????7H1+v?y?5?G-6c0???av?_1?5n??i7˃U??L@?AH??O?N???Ie?r?F??weqfR???Y???b????? ??kT‰+?.??S?u????ԕ?Тc?Z'݀?nTȣȆ?m???????(6?~&WC??B?m???Z?1?????R?3??i@??R???=VHf?5??1??}????u9m [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ? ??*}??OG?C??,????.ä?Cg??R????M?? ?Kiq? [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: W?qWN?]ۿ?8??dց?=?&?H8????y??"?6?D?!*?ޒ?K??????$eV??.O????n???M???h??C???A????U?G2?O,????E?C\*?~,?ќ?$?{????W0w??B?E??X?!VH???k+??????e???Ero̎0ȭ???&????2?&????I?^D?;??f?4????Zn%Y_û?/s1hj??;???ujt?d?H?vܓt3"?Wm0`???? z???AU?QRE?Ƽ\Bz-V??W???,?bp???e?D???0m?-? ?8?%???4??V?\?'MR[?O1?ި4 ? 4Z?X [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S:

And here is the log from the mail server during the same connection attempt.

Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD>

And here is the output of doveconf -n

austin@mail:~$ doveconf -n

2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf

Pigeonhole version 0.5.7.2 ()

OS: Linux 5.4.0-121-generic x86_64 Ubuntu 20.04.4 LTS

Hostname: mail.mydomain.com

listen = * mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { sieve = /mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve sieve_global_dir = /var/lib/dovecot/sieve/ sieve_global_path = /var/lib/dovecot/sieve/default.sieve sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log } protocols = imap lmtp pop3 imap lmtp sieve pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 1 } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_client_ca_dir = /etc/ssl/certs ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { hostname = mail.mydomain.com mail_plugins = " sieve" postmaster_address = postmaster@mydomain.com } protocol lda { mail_plugins = " sieve" }

What am I missing???? Thanks so much to all of you for helping me along! This is why I like the Open-source community!

Austin Witmer

On Jul 10, 2022, at 9:49 AM, Christian Kivalo <ml+dovecot@valo.at> wrote:

On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96@emypeople.net> wrote:

...

When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server. Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD> I’m not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?

You current dovecot config as below requires you to use tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use: $config['managesieve_host'] = 'tls://10.116.0.2';

You have debug logging enabled in your roundcube managesieve config, the output should be in your roundcube logging. Look at that logging during a connection attempt, this helped me allot identifying a certificate name mismatch.

...

Thanks! Austin Witmer

...

On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96@emypeople.net> wrote: So, here is my dovecot configuration. /etc/dovecot/dovecot.conf

Dovecot configuration file

Enable installed protocols

!include_try /usr/share/dovecot/protocols.d/*.protocol dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext } !include conf.d/*.conf !include_try local.conf !include_try /usr/share/dovecot/protocols.d/*.protocol listen = * disable_plaintext_auth = yes mail_privileged_group = mail passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocols = imap lmtp pop3 namespace inbox { inbox = yes mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } mailbox Spam { auto = subscribe # autocreate and autosubscribe the Spam mailbox } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster@mydomain.com hostname=mail.mydomain.com } ssl = required # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol listen = * disable_plaintext_auth = yes mail_privileged_group = mail passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } namespace inbox { inbox = yes mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster@mydomain.com hostname=mail.mydomain.com } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem ssl_prefer_server_ciphers = yes userdb { driver = prefetch } userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf } ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH #ssl_dh_parameters_length = 4096 ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem ssl_prefer_server_ciphers = yes #ssl_protocols = !SSLv3 userdb { driver = prefetch } userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf } And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn’t work.

ManageSieve specific settings

Uncomment to enable managesieve protocol:

protocols = $protocols sieve

Service definitions

service managesieve-login { inet_listener sieve { port = 4190

ssl = yes

} #inet_listener sieve_deprecated {

port = 2000

#}

Number of connections to handle before starting a new process. Typically

the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0

is faster. <doc/wiki/LoginProcess.txt>

#service_count = 1

Number of processes to always keep waiting for more connections.

#process_min_avail = 0

If you set service_count=0, you probably need to grow this.

#vsz_limit = 64M } #service managesieve {

Max. number of ManageSieve processes (connections)

#process_limit = 1024 #}

Service configuration

protocol sieve {

Maximum ManageSieve command line length in bytes. ManageSieve usually does

not involve overly long command lines, so this setting will not normally

need adjustment

#managesieve_max_line_length = 65536

Maximum number of ManageSieve connections allowed for a user from each IP

address.

NOTE: The username is compared case-sensitively.

#mail_max_userip_connections = 10

Space separated list of plugins to load (none known to be useful so far).

Do NOT try to load IMAP plugins here.

#mail_plugins =

MANAGESIEVE logout format string:

%i - total number of bytes read from client

%o - total number of bytes sent to client

%{put_bytes} - Number of bytes saved using PUTSCRIPT command

%{put_count} - Number of scripts saved using PUTSCRIPT command

%{get_bytes} - Number of bytes read using GETCRIPT command

%{get_count} - Number of scripts read using GETSCRIPT command

%{get_bytes} - Number of bytes processed using CHECKSCRIPT command

%{get_count} - Number of scripts checked using CHECKSCRIPT command

%{deleted_count} - Number of scripts deleted using DELETESCRIPT command

%{renamed_count} - Number of scripts renamed using RENAMESCRIPT command

#managesieve_logout_format = bytes=%i/%o

To fool ManageSieve clients that are focused on CMU's timesieved you can

specify the IMPLEMENTATION capability that Dovecot reports to clients.

For example: 'Cyrus timsieved v2.2.13'

#managesieve_implementation_string = Dovecot Pigeonhole

Explicitly specify the SIEVE and NOTIFY capability reported by the server

before login. If left unassigned these will be reported dynamically

according to what the Sieve interpreter supports by default (after login

this may differ depending on the user).

#managesieve_sieve_capability = #managesieve_notify_capability =

The maximum number of compile errors that are returned to the client upon

script upload or script verification.

#managesieve_max_compile_errors = 5

Refer to 90-sieve.conf for script quota configuration and configuration of

Sieve execution limits.

} Here is the output of testing with openssl from the roundcube server. I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null And got this: CONNECTED(00000003) 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 5 bytes and written 283 bytes Verification: OK

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) — Is the second line in the output above the problem? Thanks to all of you for your help so far! Austin Witmer

...

On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot@tocc.cz> wrote: I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like: service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127 Tomas On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:

...

Hello all! I’ve got a bit of a problem that I would like some help with. So, I have two servers, one is my mail server running postfix, dovecot etc. I have a second server setup as my roundcube server. Both servers are running on the same LAN network. I have sieve scripts setup in dovecot in my mail server and they are working great! My trouble is that I can’t seem to make my roundcube talk correctly to managesieve on my mail server. Here is the mail.log file from the mail server when I try to create a sievescript from roundcube webmail: Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, session=<cZMzomvjyNgKdAAD> And here is my managesieve configuration from my roundcube server. /var/www/roundcube/plugins/managesieve/config.inc.php <?php $config['managesieve_port'] = 4190; $config['managesieve_host'] = '[1]ssl://10.116.0.2'; $config['managesieve_auth_type'] = null; $config['managesieve_auth_cid'] = null; $config['managesieve_auth_pw'] = null; $config['managesieve_usetls'] = false; $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'allow_self_signed' => true, ), ); $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve'; $config['managesieve_script_name'] = 'default.sieve'; $config['managesieve_mbox_encoding'] = 'UTF-8'; $config['managesieve_replace_delimiter'] = ''; $config['managesieve_disabled_extensions'] = []; $config['managesieve_debug'] = true; $config['managesieve_kolab_master'] = false; $config['managesieve_filename_extension'] = '.sieve'; $config['managesieve_filename_exceptions'] = []; $config['managesieve_domains'] = []; $config['managesieve_default_headers'] = ['Subject', 'From', 'To']; $config['managesieve_vacation'] = 0; $config['managesieve_forward'] = 0; $config['managesieve_vacation_interval'] = 0; $config['managesieve_vacation_addresses_init'] = false; $config['managesieve_vacation_from_init'] = false; $config['managesieve_notify_methods'] = ['mailto']; $config['managesieve_raw_editor'] = true; $config['managesieve_disabled_actions'] = []; $config['managesieve_allowed_hosts'] = null; Does anybody have any clue why roundcube isn’t able to login in to managesieve on my mail server? Are there more logs/configs you would like to see? Thanks in advance for your help and suggestions! Austin Witmer References Visible links

1. file:///tmp/ssl:/10.116.0.2

-- Christian Kivalo

See below.

On Jul 10, 2022, at 4:03 PM, Christian Kivalo <ml+dovecot@valo.at> wrote:

On 2022-07-10 23:10, Austin Witmer wrote:

...

Ok, I changed to $config['managesieve_host'] = 'tls://10.116.0.2’; and the below is the log from /var/www/roundcube/logs/sieve.log during a connection attempt. Does this log give you any clues? [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "NOTIFY" "mailto" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SASL" ""

No auth mechanisms are advertised.

...

[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "STARTTLS" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "VERSION" "1.0" [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> C: STARTTLS [10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Begin TLS negotiation now." [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> C: LOGOUT

Client disconnect immediately after starttls.

...

[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?=?C-ɓH????(??̸?.?2 [S?w??K???:?&Bn3v?*?z[??'K?x?@??W??T-?q?\?o?Tub.Nr?)*??j?ב??= ?P^??.mr???+?5e.ُ?q?.$????/????uݚ?B~?f+>?????.ܮ?.?=ʑ? [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?A?\???F???X? c+ԩ???!???{?-??\?]?????7H1+v?y?5?G-6c0???av?_1?5n??i7˃U??L@?AH??O?N???Ie?r?F??weqfR???Y???b????? ??kT‰+?.??S?u????ԕ?Тc?Z'݀?nTȣȆ?m???????(6?~&WC??B?m???Z?1?????R?3??i@??R???=VHf?5??1??}????u9m [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ? ??*}??OG?C??,????.ä?Cg??R????M?? ?Kiq? [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: W?qWN?]ۿ?8??dց?=?&?H8????y??"?6?D?!*?ޒ?K??????$eV??.O????n???M???h??C???A????U?G2?O,????E?C\*?~,?ќ?$?{????W0w??B?E??X?!VH???k+??????e???Ero̎0ȭ???&????2?&????I?^D?;??f?4????Zn%Y_û?/s1hj??;???ujt?d?H?vܓt3"?Wm0`???? z???AU?QRE?Ƽ\Bz-V??W???,?bp???e?D???0m?-? ?8?%???4??V?\?'MR[?O1?ި4 ? 4Z?X [10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: And here is the log from the mail server during the same connection attempt. Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD> And here is the output of doveconf -n

...

austin@mail:~$ doveconf -n

2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf

Pigeonhole version 0.5.7.2 ()

OS: Linux 5.4.0-121-generic x86_64 Ubuntu 20.04.4 LTS

Hostname: mail.mydomain.com

listen = * mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { driver = pam } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { sieve = /mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve sieve_global_dir = /var/lib/dovecot/sieve/ sieve_global_path = /var/lib/dovecot/sieve/default.sieve sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log } protocols = imap lmtp pop3 imap lmtp sieve pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 1 } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH drop this setting, the default is good.

...

ssl_client_ca_dir = /etc/ssl/certs drop this one too

...

ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocol lmtp { hostname = mail.mydomain.com mail_plugins = " sieve" postmaster_address = postmaster@mydomain.com } protocol lda { mail_plugins = " sieve" } What am I missing???? Thanks so much to all of you for helping me along! This is why I like the Open-source community!

I have set in /etc/dovecot/conf.d/10-auth.conf auth_mechanisms = plain login

I added “login” to my auth_mechanisms line in /etc/dovecot/conf.d/10-auth.conf. That line already looked like auth_mechanisms = plain

This is what the line looks like now: auth_mechanisms = plain login

I restarted dovecot and it still is not advertising anything after “SASL” in the sieve log file. See below:

[10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" "" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now." [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ????Y8h#u??Lu?u?V2??N[?˴?+)u?????F?'{ֺ?G?r?iS??pݥ??D}????? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?>??0??SxfXC%]c?|?y?"w???K_ޕ???N ?.?c? ??_D?r???ǿ?r??w??#?/j?l/Wu?=.I^????~??y??(-n?6]!a??;?E?l??qn?j [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?.e???i8p?{Ur"???3GZ?Cž??7??U)s?;,c?6????HY??B?ڑB.g=TtAk?dq???nV?i ?BG2D???7?hܖQTl?)G??9??W?????M›^?? ??D&?䢀rQ???2E?pn?Ez?????䉉i? @1??փiC???=???W?M
?]?}?D$?:???^?/K???5?aB?c??ar)?l@C??X?ٹ?!J???k??"/1?r???w?_??@?p??w )R?d??o????k*?*????? i?O?i%S?l^?o2?H [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: 5?7?x??w?z"??hu4?E??:?/?F(d?;?򵂒?i??"??5??G,5????E?C?MS???? L???*??*???LO?D?? J?l???ځ? ??IN??v?fR?5t?:???SG?>{mY??D?˱????t?Rj?w?# ??n??[?S? V4O?z?=.ܰې??uA?ھ????9?τ???c??oE?;LBOg??Ql'w?= [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?&???C/_??*??????|.??$O?~? ??5?"????縉?? ?r??0~?+~????B ??5)]cZ?Z?򔠛t??D??????-?dZ??M?z??2TɉOp?q?o?T?3?`'????g??6 [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: m??]~5??? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S:

And once again the line from my mail.log file.

Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD>

Any further suggestions? Why do you suppose that the auth mechanisms are not being advertised?

Austin Witmer

and at connection attempt before starttls shows

Escape character is '^]'. "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve" "NOTIFY" "mailto" "SASL" "PLAIN LOGIN" "STARTTLS" "VERSION" "1.0" OK "Dovecot ready."

-- Christian Kivalo

On Jul 10, 2022, at 5:34 PM, Benny Pedersen <me@junc.eu> wrote:

On 2022-07-11 00:38, Austin Witmer wrote:

...

Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD>

roundcube send no user login to dovecot managesived, thats why it fails now imho

That’s what I’m thinking to, but I don’t have a clue how to remedy that.

what are the managesieve config in roundcube, try disable tls, tls is overkill for rfc1918 ips, why not 127.0.0.1 ?

I posted my managesieve earlier in this thread. I have tried disabling tls in the managesieve config in roundcube but that doesn’t work either.

Roundcube is running on a different server than dovecot so I don’t see how I could use 127.0.0.1 in my managesieve config in roundcube.

chrooted something ?

i am not an expert, but it works for me on gentoo :)

Are your running dovecot and roundcube on the same server?

Austin Witmer

So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com’; to the fqdn of my mail server instead of the internal IP address and now it works!

Why would using the fqdn work, but not the internal LAN IP address?

As a side note, I am now remembering that in my main Roundcube config, I had to use the fqdn for the imap and smtp server instead of the internal LAN IP address. Is it because it needs to connect to a host with the same hostname that the certificate returns? Would it work to add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com <http://mail.mydomain.com/>”? I should be able to use the internal IP addresses, right? Are there downsides to using the fqdn?

I may have some questions about configuring sieve rules later, but I can start a new thread for that.

Austin Witmer

On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot@valo.at> wrote:

...

I added “login” to my auth_mechanisms line in /etc/dovecot/conf.d/10-auth.conf. That line already looked like auth_mechanisms = plain This is what the line looks like now: auth_mechanisms = plain login I restarted dovecot and it still is not advertising anything after “SASL” in the sieve log file. See below: [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" "" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now." [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ????Y8h#u??Lu?u?V2??N[?˴?+)u?????F?'{ֺ?G?r?iS??pݥ??D}????? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?>??0??SxfXC%]c?|?y?"w???K_ޕ???N ?.?c? ??_D?r???ǿ?r??w??#?/j?l/Wu?=.I^????~??y??(-n?6]!a??;?E?l??qn?j [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?.e???i8p?{Ur"???3GZ?Cž??7??U)s?;,c?6????HY??B?ڑB.g=TtAk?dq???nV?i ?BG2D???7?hܖQTl?)G??9??W?????M›^?? ??D&?䢀rQ???2E?pn?Ez?????䉉i? @1??փiC???=???W?M
?]?}?D$?:???^?/K???5?aB?c??ar)?l@C??X?ٹ?!J???k??"/1?r???w?_??@?p??w )R?d??o????k*?*????? i?O?i%S?l^?o2?H [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: 5?7?x??w?z"??hu4?E??:?/?F(d?;?򵂒?i??"??5??G,5????E?C?MS???? L???*??*???LO?D?? J?l???ځ? ??IN??v?fR?5t?:???SG?>{mY??D?˱????t?Rj?w?# ??n??[?S? V4O?z?=.ܰې??uA?ھ????9?τ???c??oE?;LBOg??Ql'w?= [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?&???C/_??*??????|.??$O?~? ??5?"????縉?? ?r??0~?+~????B ??5)]cZ?Z?򔠛t??D??????-?dZ??M?z??2TɉOp?q?o?T?3?`'????g??6 [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: m??]~5??? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: And once again the line from my mail.log file. Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD> Any further suggestions? Why do you suppose that the auth mechanisms are not being advertised? The auth mechanisms are not shown because you access from a remote host, have STARTTLS available and "disable_plaintext_auth = yes" set. The auth mechanisms will be shown after STARTTLS. This is described here https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting

One more thing comes to mind regarding the ssl options in the managesieve plugin config. Do you use a self signed cert in dovecot?

One more thing you could try, in your managesieve plugin config.inc.php

remove this section: $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'allow_self_signed' => true, ), );

add this section: $config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'change to the hostname from dovecots ssl certificate', ], ];

add in there, when using self-signed cert 'allow_self_signed' => true,

-- Christian Kivalo

Thanks so much Christian Kivalo!

See below.

On Jul 12, 2022, at 9:13 AM, Christian Kivalo <ml+dovecot@valo.at> wrote:

On 2022-07-12 16:19, Austin Witmer wrote:

...

So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com’; to the fqdn of my mail server instead of the internal IP address and now it works! Good to hear it works now :)

...

Why would using the fqdn work, but not the internal LAN IP address? The client, here php / roundcube checks if the presented certificate contains the address it connected to and ip addresses are very seldomly added as hosts to certificates.

...

As a side note, I am now remembering that in my main Roundcube config, I had to use the fqdn for the imap and smtp server instead of the internal LAN IP address. Is it because it needs to connect to a host with the same hostname that the certificate returns? Would it work to add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com [1]”? I should be able to use the internal IP addresses, right? Are there downsides to using the fqdn?

The hosts file entry would help with name resolution but not with certificate verification.

But you can make php think it connects to the correct hostname with the ssl connection options

$config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'FQDN of mailserver', ], ];

This probably even works without the "verify_peer" line, haven't tested.

I added the block above to my managesieve configuration in Roundcube and now connected to an internal IP address works beautifully!

Now I just need to figure out how to accomplish the same thing for the imap and smtp server that Roundcube is using. Is there a block similar to the one above that I could add to my Roundcube config.inc.php file to enable me to use internal addresses for my imap and smtp servers?

...

I may have some questions about configuring sieve rules later, but I can start a new thread for that. Austin Witmer

...

On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot@valo.at> wrote:

...

I added “login” to my auth_mechanisms line in /etc/dovecot/conf.d/10-auth.conf. That line already looked like auth_mechanisms = plain This is what the line looks like now: auth_mechanisms = plain login I restarted dovecot and it still is not advertising anything after “SASL” in the sieve log file. See below: [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" "" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0" [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready." [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now." [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ????Y8h#u??Lu?u?V2??N[?˴?+)u?????F?'{ֺ?G?r?iS??pݥ??D}????? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?>??0??SxfXC%]c?|?y?"w???K_ޕ???N ?.?c? ??_D?r???ǿ?r??w??#?/j?l/Wu?=.I^????~??y??(-n?6]!a??;?E?l??qn?j [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?.e???i8p?{Ur"???3GZ?Cž??7??U)s?;,c?6????HY??B?ڑB.g=TtAk?dq???nV?i ?BG2D???7?hܖQTl?)G??9??W?????M›^?? ??D&?䢀rQ???2E?pn?Ez?????䉉i? @1??փiC???=???W?M
?]?}?D$?:???^?/K???5?aB?c??ar)?l@C??X?ٹ?!J???k??"/1?r???w?_??@?p??w )R?d??o????k*?*????? i?O?i%S?l^?o2?H [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: 5?7?x??w?z"??hu4?E??:?/?F(d?;?򵂒?i??"??5??G,5????E?C?MS???? L???*??*???LO?D?? J?l???ځ? ??IN??v?fR?5t?:???SG?>{mY??D?˱????t?Rj?w?# ??n??[?S? V4O?z?=.ܰې??uA?ھ????9?τ???c??oE?;LBOg??Ql'w?= [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: ?&???C/_??*??????|.??$O?~? ??5?"????縉?? ?r??0~?+~????B ??5)]cZ?Z?򔠛t??D??????-?dZ??M?z??2TɉOp?q?o?T?3?`'????g??6 [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: m??]~5??? [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: And once again the line from my mail.log file. Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<7VswBnvjXuIKdAAD> Any further suggestions? Why do you suppose that the auth mechanisms are not being advertised? The auth mechanisms are not shown because you access from a remote host, have STARTTLS available and "disable_plaintext_auth = yes" set. The auth mechanisms will be shown after STARTTLS. This is described here https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting One more thing comes to mind regarding the ssl options in the managesieve plugin config. Do you use a self signed cert in dovecot? One more thing you could try, in your managesieve plugin config.inc.php remove this section: $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'allow_self_signed' => true, ), ); add this section: $config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'change to the hostname from dovecots ssl certificate', ], ]; add in there, when using self-signed cert 'allow_self_signed' => true,

Christian Kivalo Links:

---

[1] http://mail.mydomain.com

-- Christian Kivalo

Thanks again for everyone’s help! Much appreciated!

Austin Witmer

That seems to have done it! Thanks again!

Austin Witmer

On Jul 14, 2022, at 2:00 AM, Christian Kivalo <ml+dovecot@valo.at> wrote:

...

...

But you can make php think it connects to the correct hostname with the ssl connection options

$config['managesieve_conn_options'] = [ 'ssl' => [ 'verify_peer' => false, 'peer_name' => 'FQDN of mailserver', ], ];

This probably even works without the "verify_peer" line, haven't tested.

I added the block above to my managesieve configuration in Roundcube and now connected to an internal IP address works beautifully!

Now I just need to figure out how to accomplish the same thing for the imap and smtp server that Roundcube is using. Is there a block similar to the one above that I could add to my Roundcube config.inc.php file to enable me to use internal addresses for my imap and smtp servers?

Hi yes the same ssl connection config should work in roundcube config.inc.php just use ['imap_conn_options'] and ['smtp_conn_options'] respectively. There are examples in roundcubes default.inc.php file

-- Christian Kivalo