Wouter Berkepeis
2013-Oct-06 23:01 UTC
[Dovecot] smartsieve managesieve-login failure with dovecot 2.1.7
Hello,

I just subscribed to the mailing list because I am stuck trying to solve a problem getting smartsieve to work with a new version of dovecot. But let me first explain the situation shortly.

I am running a mail server at home for personal use, and for fun. At this moment this is an old, slow machine running Debian Squeeze, Dovecot 1.2.15 and Exim 4.72. Authentication is done with LDAP, running OpenLDAP 2.4.23. For managing mail filtering I use Smartsieve 1.0.0-RC2 in conjunction with Dovecot's Managesieve plugin. It's all working properly.

But because this machine is slow, I'm now busy upgrading, building a new machine running Debian Wheezy, Dovecot 2.1.7 and Exim 4.80. I've got it all running and working now (that is: locally in my lan): imap with dovecot, smtp with exim, Dovecot's sieve plugin working properly, authentication done through LDAP backend.

But what I can't get to work is Smartsieve. Looking at the logs on my server I can tell managesieve-login is not working well with Smartsieve. As far as I understand authentication is always done over a secure connection using TLS. Here is some logged output, Dovecot as well as Smartsieve.

dovecot-info.log:
2013-10-06 21:16:20 managesieve-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure: SSL alert number 40, session=<NkXdXhfodwB/AAAB>

syslog:
Oct 6 21:51:40 jingo smartsieve[12168]: getCryptLib: using rc4
Oct 6 21:51:40 jingo smartsieve[12168]: getCryptLib: using rc4
Oct 6 21:51:40 jingo smartsieve[12168]: FAILED LOGIN: jingo [192.168.2.12] {Private Lotus}: starttls: TLS initialization failed: socket timed out while reading server response: #002
Oct 6 21:51:40 jingo smartsieve[12168]: 2Z#027#015141003200542Z0??1#0130#011#006#003U#004#006#023#002NL1#0230#021#006#003U#004#010#014#012Overijssel1#0200#016#006#003U#004#007#014#007Hengelo1#0!#006#003U#004#012#014#032Private Lotus Organization1#0230#021#006#003U#004#013#014#012Jingo Mail1&0$#006#003U#004#003#014#035jingo.private-lotus.no-ip.net1&0$#006#011*?H??#015#001#011#001#026#027amigo at private-lotus.org0?#001"0#015#006#011*?H??#015#001#001#001#005
Oct 6 21:51:40 jingo smartsieve[12168]: #003#001
Oct 6 21:51:40 jingo smartsieve[12168]: ?m?N?gH??t#021???#011$?f+?#013?#021??#013?y?Zd#032??}??#012??#003xP?

What is clear is that somehow no user information is being negotiated. Issuing a manual TLS login gives the following results:

root@amigos:~# gnutls-cli --starttls -p 4190 jingo.private-lotus.no-ip.net
Resolving 'jingo.private-lotus.no-ip.net'...
Connecting to '82.161.181.183:4190'...

- Simple Client Mode:

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
STARTTLS
OK "Begin TLS negotiation now."
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=NL,ST=Overijssel,L=Hengelo,O=Private Lotus Organization,OU=Jingo Mail,CN=jingo.private-lotus.no-ip.net,EMAIL=amigo at private-lotus.org', issuer `C=NL,ST=Overijssel,L=Hengelo,O=Private Lotus Organization,OU=Private Lotus Certificate Authority,CN=private-lotus.no-ip.net,EMAIL=amigo at private-lotus.org', RSA key 2048 bits, signed using RSA-SHA, activated `2013-10-03 20:05:42 UTC', expires `2014-10-03 20:05:42 UTC', SHA-1 fingerprint `85ff6b5846a53e7eb5d46c3c4ebfd7beb253ba15'
- The hostname in the certificate matches 'jingo.private-lotus.no-ip.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

Everything OK I guess. Especially the first part of the output is interesting: "IMPLEMENTATION" "Dovecot Pigeonhole"
This is what Smartsieve is looking at. With the former version the string was 'dovecot', so I changed this in the 'Managesieve.php' file. This file was already patched as stated on the site. Furthermore I changed everything referring to port 2000 to port 4190.

But it still ain't working. Am I doing something wrong? Or is Smartsieve just becoming too outdated to work with newer versions of Dovecot?

To get the picture complete, hereby my used config of Dovecot, generated with 'dovecot -n':

root@jingo:~# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.1
info_log_path = /var/log/dovecot/dovecot-info.log
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  mail_log_fields = uid box msgid size flags
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/
}
protocols = " imap sieve"
service auth-worker {
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    address = *
    port = 143
  }
  inet_listener imaps {
    address = *
    port = 993
  }
}
service managesieve-login {
  executable = /usr/lib/dovecot/managesieve-login
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
  executable = /usr/lib/dovecot/managesieve
}
ssl_cert = </etc/pki_jingo/private-lotus_CA/certs/server.crt
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
ssl_key = </etc/pki_jingo/private-lotus_CA/private/server.key
ssl_protocols = !SSLv2 SSLv3
userdb {
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  driver = ldap
}
protocol lda {
  info_log_path = /var/log/dovecot/deliver.log
  log_path = /var/log/dovecot/deliver-errors.log
  mail_plugin_dir = /usr/lib/dovecot/modules
  mail_plugins = sieve
  postmaster_address = amigo at private-lotus.org
}
protocol imap {
  mail_max_userip_connections = 50
}
protocol sieve {
  mail_debug = yes
  managesieve_notify_capability = mailto
  managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
}

Any help would be appreciated.
Thanks in advance.

Greetings
Wouter
Stephan Bosch
2013-Oct-07 06:54 UTC
[Dovecot] smartsieve managesieve-login failure with dovecot 2.1.7
On 10/7/2013 1:01 AM, Wouter Berkepeis wrote:
>
> Everything OK I guess. Especially the first part of the output is
> interesting: "IMPLEMENTATION" "Dovecot Pigeonhole"
> This is what Smartsieve is looking at. With the former version the
> string was 'dovecot', so I changed this in the 'Managesieve.php' file.
> This file was already patched as stated on the site. Furthermore I
> changed everything referring to port 2000 to port 4190.

That should work. I used the patch mentioned here:

http://www.mail-archive.com/dovecot@dovecot.org/msg21862.html

And modified it for the new situation. I'm assuming this is very similar to what you're doing and here it works.

You could try to obtain more information by logging the protocol exchange:

http://wiki2.dovecot.org/Debugging/Rawlog

Alternatively you can debug Smartsieve by adding more logging into the source code.

And yes, SmartSieve is unmaintained, so I would not recommend using it anymore.

Regards,

Stephan.
Benny Pedersen
2013-Oct-07 10:06 UTC
[Dovecot] smartsieve managesieve-login failure with dovecot 2.1.7
Wouter Berkepeis wrote on 2013-10-07 01:01:
> dovecot-info.log:
> 2013-10-06 21:16:20 managesieve-login: Info: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS
> handshaking: SSL_accept() failed: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure: SSL alert
> number
> 40, session=<NkXdXhfodwB/AAAB>
> syslog:

Set up smartsieve to disable TLS, then it works. Edit in servers.php.
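
Added example, not part of the original thread or of Dovecot or SmartSieve: a small parser for the dovecot-info.log line quoted above that unpacks the OpenSSL error code and names the TLS alert. It assumes the log format as posted and the OpenSSL 1.0.x packed error layout (8-bit library, 12-bit function, 12-bit reason); the function names and the second sample line are constructed for this example.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2), subset seen during handshakes.
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}
ERR_LIB_SSL = 20               # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000    # reason = offset + alert number for received alerts

LOGIN_TLS_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<service>[\w-]+-login): Info: "
    r"Disconnected \((?P<why>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), TLS handshaking: "
    r"(?P<call>\w+)\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^:]*:(?P<func>[^:]*):(?P<reason>[^:]*)"
)

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def analyze(line):
    """Return a dict describing a login-process TLS failure, or None."""
    m = LOGIN_TLS_FAILURE.match(line)
    if m is None:
        return None
    lib, _func, reason = decode_openssl_error(m["code"])
    info = {"service": m["service"], "rip": m["rip"], "user": m["user"],
            "openssl_func": m["func"], "alert": None, "alert_sender": None}
    # A libssl reason >= 1000 encodes an alert that arrived from the peer,
    # which for SSL_accept() is the connecting client.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
        info["alert_sender"] = "client" if m["call"] == "SSL_accept" else "peer"
    return info

# The log line from the thread, plus one constructed line that must not match.
SAMPLE = ("2013-10-06 21:16:20 managesieve-login: Info: Disconnected (no auth "
          "attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS "
          "handshaking: SSL_accept() failed: error:14094410:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert handshake failure: SSL alert number 40, "
          "session=<NkXdXhfodwB/AAAB>")
CONSTRUCTED = "2013-10-06 21:20:00 managesieve-login: Info: Login: user=<example>"

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(analyze(CONSTRUCTED))
```

For the posted line the decoded alert was received by SSL_accept(), so it was sent by the connecting client at rip=127.0.0.1 rather than raised by Dovecot, which points the investigation at what that client's TLS stack accepts.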