So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com'; to the fqdn of my mail server instead of the internal IP address and now it works! Why would using the fqdn work, but not the internal LAN IP address?

As a side note, I am now remembering that in my main Roundcube config, I had to use the fqdn for the imap and smtp server instead of the internal LAN IP address. Is it because it needs to connect to a host with the same hostname that the certificate returns? Would it work to add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com"? I should be able to use the internal IP addresses, right? Are there downsides to using the fqdn?

I may have some questions about configuring sieve rules later, but I can start a new thread for that.

Austin Witmer

> On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot at valo.at> wrote:
>
>> I added "login" to my auth_mechanisms line in
>> /etc/dovecot/conf.d/10-auth.conf. That line already looked like
>> auth_mechanisms = plain
>> This is what the line looks like now: auth_mechanisms = plain login
>> I restarted dovecot and it still is not advertising anything after
>> "SASL" in the sieve log file. See below:
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready."
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now."
>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: [binary TLS handshake data, logged as unreadable bytes]
>> And once again the line from my mail.log file.
>> Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS,
>> session=<7VswBnvjXuIKdAAD>
>> Any further suggestions? Why do you suppose that the auth mechanisms
>> are not being advertised?
>
> The auth mechanisms are not shown because you access from a remote host, have STARTTLS available and "disable_plaintext_auth = yes" set. The auth mechanisms will be shown after STARTTLS.
> This is described here https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
>
> One more thing comes to mind regarding the ssl options in the managesieve plugin config. Do you use a self-signed cert in dovecot?
>
> One more thing you could try, in your managesieve plugin config.inc.php
>
> remove this section:
>
> $config['managesieve_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer' => false,
>     'allow_self_signed' => true,
>   ),
> );
>
> add this section:
>
> $config['managesieve_conn_options'] = [
>   'ssl' => [
>     'verify_peer' => false,
>     'peer_name' => 'change to the hostname from dovecots ssl certificate',
>   ],
> ];
>
> add in there, when using self-signed cert
>
>     'allow_self_signed' => true,
>
> --
> Christian Kivalo
Christian Kivalo
2022-Jul-12 15:13 UTC
Trouble configuring managesive plugin for roundcube
On 2022-07-12 16:19, Austin Witmer wrote:
> So, I changed the $config['managesieve_host'] = 'tls://mail.mydomain.com'; to the fqdn of my mail server instead of
> the internal IP address and now it works!

Good to hear it works now :)

> Why would using the fqdn work, but not the internal LAN IP address?

The client, here php / roundcube, checks if the presented certificate contains the address it connected to, and ip addresses are very seldom added as hosts to certificates.

> As a side note, I am now remembering that in my main Roundcube config,
> I had to use the fqdn for the imap and smtp server instead of the
> internal LAN IP address. Is it because it needs to connect to a host
> with the same hostname that the certificate returns? Would it work to
> add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com [1]"?
> I should be able to use the internal IP addresses, right? Are
> there downsides to using the fqdn?

The hosts file entry would help with name resolution but not with certificate verification. But you can make php think it connects to the correct hostname with the ssl connection options

$config['managesieve_conn_options'] = [
  'ssl' => [
    'verify_peer' => false,
    'peer_name' => 'FQDN of mailserver',
  ],
];

This probably even works without the "verify_peer" line, haven't tested.

> I may have some questions about configuring sieve rules later, but I
> can start a new thread for that.
>
> Austin Witmer
>
>> On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot at valo.at> wrote:
>>
>>> I added "login" to my auth_mechanisms line in
>>> /etc/dovecot/conf.d/10-auth.conf. That line already looked like
>>> auth_mechanisms = plain
>>> This is what the line looks like now: auth_mechanisms = plain login
>>> I restarted dovecot and it still is not advertising anything after
>>> "SASL" in the sieve log file. See below:
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu) ready."
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS negotiation now."
>>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
>>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: [binary TLS handshake data, logged as unreadable bytes]
>>> And once again the line from my mail.log file.
>>> Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no auth
>>> attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS,
>>> session=<7VswBnvjXuIKdAAD>
>>> Any further suggestions? Why do you suppose that the auth mechanisms
>>> are not being advertised?
>>
>> The auth mechanisms are not shown because you access from a remote
>> host, have STARTTLS available and "disable_plaintext_auth = yes"
>> set. The auth mechanisms will be shown after STARTTLS.
>> This is described here
>> https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
>>
>> One more thing comes to mind regarding the ssl options in the
>> managesieve plugin config. Do you use a self-signed cert in dovecot?
>>
>> One more thing you could try, in your managesieve plugin
>> config.inc.php
>>
>> remove this section:
>>
>> $config['managesieve_conn_options'] = array(
>>   'ssl' => array(
>>     'verify_peer' => false,
>>     'allow_self_signed' => true,
>>   ),
>> );
>>
>> add this section:
>>
>> $config['managesieve_conn_options'] = [
>>   'ssl' => [
>>     'verify_peer' => false,
>>     'peer_name' => 'change to the hostname from dovecots ssl certificate',
>>   ],
>> ];
>>
>> add in there, when using self-signed cert
>>
>>     'allow_self_signed' => true,
>>
>> --
>> Christian Kivalo
>
> Links:
> ------
> [1] http://mail.mydomain.com

--
Christian Kivalo
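The two points in this thread, that Dovecot only advertises SASL mechanisms after STARTTLS when disable_plaintext_auth=yes, and that the client checks the certificate against the name it was told to connect to (so a bare LAN IP fails unless the certificate carries that IP as a SAN), can both be seen with a small probe. The Python script below is an added example and is not code from the thread, from Roundcube or from Dovecot. It dials the LAN address but verifies the certificate against the FQDN via server_hostname, which is the counterpart of PHP's 'peer_name'; unlike the 'verify_peer' => false config above, it keeps chain validation on, because with chain validation off any host on the path that presents a certificate bearing the right name is accepted. For a self-signed Dovecot certificate, pass that certificate's PEM as the trust anchor (PHP's 'cafile' option does the same) instead of 'allow_self_signed'. The addresses, names, port 4190 (the registered ManageSieve port) and the greeting text are constructed assumptions for illustration.

```python
"""Added example (not from the thread, Roundcube or Dovecot): ManageSieve
STARTTLS probe. Dials a LAN address, verifies the certificate against the
FQDN (server_hostname, the counterpart of PHP 'peer_name') with chain
validation left ON, and shows the SASL list before and after STARTTLS.
Addresses, names and the capability text are constructed assumptions."""
from __future__ import annotations

import ipaddress
import re
import socket
import ssl
from typing import Optional

# Constructed greeting modelled on the one logged in the thread: before
# STARTTLS a remote client with disable_plaintext_auth=yes sees "SASL" "".
CONSTRUCTED_GREETING = (
    '"NOTIFY" "mailto"\r\n'
    '"SASL" ""\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "Dovecot (Ubuntu) ready."\r\n'
)

_CAP_RE = re.compile(r'^"([^"]+)"(?: "([^"]*)")?$')


def parse_capabilities(greeting: str) -> dict:
    """RFC 5804 capability greeting -> {NAME: value}. 'SASL' becomes a list of
    mechanisms, a bare capability maps to None, the OK/NO/BYE line is skipped."""
    caps: dict = {}
    for line in greeting.splitlines():
        line = line.strip()
        if not line or line.startswith(("OK", "NO", "BYE")):
            continue
        m = _CAP_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capability line: {line!r}")
        name, value = m.group(1), m.group(2)
        caps[name] = (value or "").split() if name == "SASL" else value
    return caps


def auth_hidden_until_starttls(caps: dict) -> bool:
    """The symptom from the thread: STARTTLS offered, SASL list empty."""
    return "STARTTLS" in caps and caps.get("SASL") == []


def name_matches(san, target: str) -> bool:
    """Simplified RFC 6125 matching as the PHP/Python peer-name check does it.
    `san` has the shape of getpeercert()['subjectAltName']. A bare IP target is
    accepted only against an 'IP Address' entry, which is why '10.116.0.2'
    fails while the FQDN passes; DNS entries match exactly or by leftmost '*'."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    t_labels = target.lower().split(".")
    for kind, value in san:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            continue
        if kind != "DNS":
            continue
        v_labels = value.lower().split(".")
        if v_labels == t_labels:
            return True
        if v_labels[0] == "*" and len(v_labels) == len(t_labels) and v_labels[1:] == t_labels[1:]:
            return True
    return False


def make_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain and peer-name verification both enabled. For a self-signed Dovecot
    certificate pass its PEM as cafile (pinning) instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _read_response(sock) -> str:
    """Read until a line starting with OK/NO/BYE, one byte at a time so nothing
    past the STARTTLS reply is buffered before the TLS handshake begins."""
    buf = b""
    while not (buf.endswith(b"\r\n")
               and buf.rstrip(b"\r\n").split(b"\r\n")[-1].startswith((b"OK", b"NO", b"BYE"))):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf.decode("utf-8", "replace")


def sieve_starttls(address: str, port: int, peer_name: str,
                   ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Dial `address` (a LAN IP is fine), upgrade with STARTTLS and verify the
    certificate against `peer_name` (the FQDN in the cert), not the address."""
    with socket.create_connection((address, port), timeout=timeout) as sock:
        before = parse_capabilities(_read_response(sock))
        if "STARTTLS" not in before:
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        reply = _read_response(sock)
        if not reply.startswith("OK"):
            raise RuntimeError(f"STARTTLS refused: {reply.strip()}")
        # ssl.SSLCertVerificationError is raised here if the chain is untrusted
        # or the certificate does not carry peer_name.
        with ctx.wrap_socket(sock, server_hostname=peer_name) as tls:
            after = parse_capabilities(_read_response(tls))  # re-issued caps
            tls.sendall(b"LOGOUT\r\n")
            return {"before": before, "after": after, "cert": tls.getpeercert()}


if __name__ == "__main__":
    import sys
    # Usage: python sieve_probe.py 10.116.0.2 4190 mail.mydomain.com [dovecot-cert.pem]
    addr, port, fqdn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    result = sieve_starttls(addr, port, fqdn, make_context(sys.argv[4] if len(sys.argv) > 4 else None))
    san = result["cert"].get("subjectAltName", ())
    print("SASL before STARTTLS:", result["before"].get("SASL"))
    print("SASL after STARTTLS: ", result["after"].get("SASL"))
    print("certificate names:", san)
    verdict = "matches" if name_matches(san, addr) else "does not match"
    print(f"bare address {addr} {verdict} the certificate; {fqdn} was verified")
```

Run it against the LAN address with the FQDN as the third argument: the first SASL list is empty, the second (after STARTTLS) carries the mechanisms, and the last line shows whether the bare IP would ever pass the name check. If the certificate is self-signed, the fourth argument pins it; a verification failure then means the name or the certificate is wrong, not that checks should be turned off.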