I have tried all the suggestions up till now but the error message is still
there.

I have tried this configuration for roundcube:

$config['imap_conn_options'] = array(
    'ssl' => array(
        'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
        'verify_peer' => true,
        'verify_depth' => 3,
        // 'cafile' => '/dont/need/to/set/this/option',
    ),
);

and this one:

$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);

and this one too:

$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        'verify_depth' => 3,
        'cafile' => '/path/to/my/self/signed/certificate.pem',
    ),
);

I'm at a loss :-(

On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
> server certificate(s):
>
> // IMAP socket context options
> // See http://php.net/manual/en/context.ssl.php
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         #'cafile' => '/dont/need/to/set/this/option',
>     ),
> );
>
> // SMTP socket context options
> // See http://php.net/manual/en/context.ssl.php
> $config['smtp_conn_options'] = array(
>     'ssl' => array(
>         'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         #'cafile' => '/dont/need/to/set/this/option',
>     ),
> );
>
> Works for me.
>
> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
> >I think that you are right when you say that the problem may be the
> >certificate recognition.
> >
> >As for Roundcube, I've inserted the uncommented php code that you provided
> >in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
> >/config/defaults.inc.php. Unfortunately Roundcube doesn't login and replies
> >with the message "connection to storage server failed". And the log file
> >of dovecot gives the reason: unknown certificate.
> >
> >In order to solve this problem do you think that I should look into the
> >configuration file of Squirrelmail/Roundcube or in the config file of
> >Dovecot?
> >
> >On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
> >>On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
> >>> Hi,
> >>>
> >>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi
> >>> running Raspbian Jessie OS.
> >>>
> >>> Now I would like to add an on-line e-mail client like Squirrelmail or
> >>> Roundcube. I was able to start up these two clients but when I try to login
> >>> I get this error message in the dovecot log:
> >>>
> >>> tlsv1 alert unknown ca: SSL alert number 48
> >>>
> >>> But I have inserted the self-signed certificate and key in
> >>> /etc/dovecot/conf.d/10-master.conf
> >>>
> >>> Moreover, I can send and receive e-mails from/to my server, and I can login
> >>> successfully to dovecot IMAP with Thunderbird.
> >>>
> >>> Can somebody give me a clue on how to solve this problem? Any help would be much
> >>> appreciated.
> >>>
> >>> Regards,
> >>> Maurizio
> >>
> >>This could mean that the client has indicated it was unable to verify
> >>the server's certificate.
> >>
> >>With regards to Roundcube, see this in config/defaults.inc.php:
> >>
> >>//$config['imap_conn_options'] = array(
> >>//     'ssl' => array(
> >>//         'verify_peer' => true,
> >>//         'verify_depth' => 3,
> >>//         'cafile' => '/etc/openssl/certs/ca.crt',
> >>//     ),
> >>// );

What version of Roundcube are you using?

On 06/17/2016 04:14 PM, Maurizio Dall'Acqua wrote:
> I have tried all the suggestions up till now but the error message is still
> there.
>
> I have tried this configuration for roundcube:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         // 'cafile' => '/dont/need/to/set/this/option',
>     ),
> );
>
> and this one:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'verify_peer' => false,
>         'verify_peer_name' => false,
>     ),
> );
>
> and this one too:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         'cafile' => '/path/to/my/self/signed/certificate.pem',
>     ),
> );
>
> I'm at a loss :-(
>
> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>> server certificate(s):
>>
>> // IMAP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['imap_conn_options'] = array(
>>     'ssl' => array(
>>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         #'cafile' => '/dont/need/to/set/this/option',
>>     ),
>> );
>>
>> // SMTP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['smtp_conn_options'] = array(
>>     'ssl' => array(
>>         'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         #'cafile' => '/dont/need/to/set/this/option',
>>     ),
>> );
>>
>> Works for me.
>>
>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>>> I think that you are right when you say that the problem may be the
>>> certificate recognition.
>>>
>>> As for Roundcube, I've inserted the uncommented php code that you provided
>>> in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
>>> /config/defaults.inc.php. Unfortunately Roundcube doesn't login and replies
>>> with the message "connection to storage server failed". And the log file
>>> of dovecot gives the reason: unknown certificate.
>>>
>>> In order to solve this problem do you think that I should look into the
>>> configuration file of Squirrelmail/Roundcube or in the config file of
>>> Dovecot?
>>>
>>> On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>>>> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>>>>> Hi,
>>>>>
>>>>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi
>>>>> running Raspbian Jessie OS.
>>>>>
>>>>> Now I would like to add an on-line e-mail client like Squirrelmail or
>>>>> Roundcube. I was able to start up these two clients but when I try to login
>>>>> I get this error message in the dovecot log:
>>>>>
>>>>> tlsv1 alert unknown ca: SSL alert number 48
>>>>>
>>>>> But I have inserted the self-signed certificate and key in
>>>>> /etc/dovecot/conf.d/10-master.conf
>>>>>
>>>>> Moreover, I can send and receive e-mails from/to my server, and I can login
>>>>> successfully to dovecot IMAP with Thunderbird.
>>>>>
>>>>> Can somebody give me a clue on how to solve this problem? Any help would be much
>>>>> appreciated.
>>>>>
>>>>> Regards,
>>>>> Maurizio
>>>> This could mean that the client has indicated it was unable to verify
>>>> the server's certificate.
>>>>
>>>> With regards to Roundcube, see this in config/defaults.inc.php:
>>>>
>>>> //$config['imap_conn_options'] = array(
>>>> //     'ssl' => array(
>>>> //         'verify_peer' => true,
>>>> //         'verify_depth' => 3,
>>>> //         'cafile' => '/etc/openssl/certs/ca.crt',
>>>> //     ),
>>>> // );

What does openssl say when you connect to your dovecot server?

openssl s_client -starttls imap -connect <ip>:143

With my previous setup (Roundcube 1.1.3; PHP 5.6) I was successfully using
only "verify_peer" and "verify_peer_name", both set to false, when connecting
to a very old Courier-IMAP server using a self-signed certificate. E.g.

$config['default_host'] = array(
    'tls://<ip>:143' => 'implicit STARTTLS',
    'ssl://<ip>:993' => 'explicit SSL',
);

$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);

/Tobias

On 2016-06-18 13:34, Gedalya wrote:
> What version of Roundcube are you using?
>
> On 06/17/2016 04:14 PM, Maurizio Dall'Acqua wrote:
>> I have tried all the suggestions up till now but the error message is
>> still there.
>>
>> I have tried this configuration for roundcube:
>>
>> $config['imap_conn_options'] = array(
>>     'ssl' => array(
>>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         // 'cafile' => '/dont/need/to/set/this/option',
>>     ),
>> );
>>
>> and this one:
>>
>> $config['imap_conn_options'] = array(
>>     'ssl' => array(
>>         'verify_peer' => false,
>>         'verify_peer_name' => false,
>>     ),
>> );
>>
>> and this one too:
>>
>> $config['imap_conn_options'] = array(
>>     'ssl' => array(
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         'cafile' => '/path/to/my/self/signed/certificate.pem',
>>     ),
>> );
>>
>> I'm at a loss :-(
>>
>> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of
>>> the server certificate(s):
>>>
>>> // IMAP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['imap_conn_options'] = array(
>>>     'ssl' => array(
>>>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>>         'verify_peer' => true,
>>>         'verify_depth' => 3,
>>>         #'cafile' => '/dont/need/to/set/this/option',
>>>     ),
>>> );
>>>
>>> // SMTP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['smtp_conn_options'] = array(
>>>     'ssl' => array(
>>>         'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>>>         'verify_peer' => true,
>>>         'verify_depth' => 3,
>>>         #'cafile' => '/dont/need/to/set/this/option',
>>>     ),
>>> );
>>>
>>> Works for me.
>>>
>>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>>>> I think that you are right when you say that the problem may be the
>>>> certificate recognition.
>>>>
>>>> As for Roundcube, I've inserted the uncommented php code that you
>>>> provided in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian
>>>> file for /config/defaults.inc.php. Unfortunately Roundcube doesn't login and
>>>> replies with the message "connection to storage server failed". And the log
>>>> file of dovecot gives the reason: unknown certificate.
>>>>
>>>> In order to solve this problem do you think that I should look into
>>>> the configuration file of Squirrelmail/Roundcube or in the config file
>>>> of Dovecot?
>>>>
>>>> On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>>>>> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have set up a mail server with postfix+dovecot 2.2.13 on my
>>>>>> raspberry pi running Raspbian Jessie OS.
>>>>>>
>>>>>> Now I would like to add an on-line e-mail client like Squirrelmail
>>>>>> or Roundcube. I was able to start up these two clients but when I try
>>>>>> to login I get this error message in the dovecot log:
>>>>>>
>>>>>> tlsv1 alert unknown ca: SSL alert number 48
>>>>>>
>>>>>> But I have inserted the self-signed certificate and key in
>>>>>> /etc/dovecot/conf.d/10-master.conf
>>>>>>
>>>>>> Moreover, I can send and receive e-mails from/to my server, and I
>>>>>> can login successfully to dovecot IMAP with Thunderbird.
>>>>>>
>>>>>> Can somebody give me a clue on how to solve this problem? Any help
>>>>>> would be much appreciated.
>>>>>>
>>>>>> Regards,
>>>>>> Maurizio
>>>>> This could mean that the client has indicated it was unable to
>>>>> verify the server's certificate.
>>>>>
>>>>> With regards to Roundcube, see this in config/defaults.inc.php:
>>>>>
>>>>> //$config['imap_conn_options'] = array(
>>>>> //     'ssl' => array(
>>>>> //         'verify_peer' => true,
>>>>> //         'verify_depth' => 3,
>>>>> //         'cafile' => '/etc/openssl/certs/ca.crt',
>>>>> //     ),
>>>>> // );

OK, what if you try to set 'peer_name' to the FQDN in the self-signed cert
AND 'cafile' to your CA file?

What exactly do the debug logs for Roundcube, Dovecot say?

openssl connect output would be helpful, too, as others pointed out as well.

On 2016-06-17 22:14, Maurizio Dall'Acqua wrote:
> I have tried all the suggestions up till now but the error message is
> still there.
>
> I have tried this configuration for roundcube:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         // 'cafile' => '/dont/need/to/set/this/option',
>     ),
> );
>
> and this one:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'verify_peer' => false,
>         'verify_peer_name' => false,
>     ),
> );
>
> and this one too:
>
> $config['imap_conn_options'] = array(
>     'ssl' => array(
>         'verify_peer' => true,
>         'verify_depth' => 3,
>         'cafile' => '/path/to/my/self/signed/certificate.pem',
>     ),
> );
>
> I'm at a loss :-(
>
> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>> server certificate(s):
>>
>> // IMAP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['imap_conn_options'] = array(
>>     'ssl' => array(
>>         'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         #'cafile' => '/dont/need/to/set/this/option',
>>     ),
>> );
>>
>> // SMTP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['smtp_conn_options'] = array(
>>     'ssl' => array(
>>         'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>>         'verify_peer' => true,
>>         'verify_depth' => 3,
>>         #'cafile' => '/dont/need/to/set/this/option',
>>     ),
>> );
>>
>> Works for me.
>>
>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>> >I think that you are right when you say that the problem may be the
>> >certificate recognition.
>> >
>> >As for Roundcube, I've inserted the uncommented php code that you provided
>> >in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
>> >/config/defaults.inc.php. Unfortunately Roundcube doesn't login and replies
>> >with the message "connection to storage server failed". And the log file
>> >of dovecot gives the reason: unknown certificate.
>> >
>> >In order to solve this problem do you think that I should look into the
>> >configuration file of Squirrelmail/Roundcube or in the config file of
>> >Dovecot?
>> >
>> >On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>> >>On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>> >>> Hi,
>> >>>
>> >>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi
>> >>> running Raspbian Jessie OS.
>> >>>
>> >>> Now I would like to add an on-line e-mail client like Squirrelmail or
>> >>> Roundcube. I was able to start up these two clients but when I try to login
>> >>> I get this error message in the dovecot log:
>> >>>
>> >>> tlsv1 alert unknown ca: SSL alert number 48
>> >>>
>> >>> But I have inserted the self-signed certificate and key in
>> >>> /etc/dovecot/conf.d/10-master.conf
>> >>>
>> >>> Moreover, I can send and receive e-mails from/to my server, and I can login
>> >>> successfully to dovecot IMAP with Thunderbird.
>> >>>
>> >>> Can somebody give me a clue on how to solve this problem? Any help would be much
>> >>> appreciated.
>> >>>
>> >>> Regards,
>> >>> Maurizio
>> >>
>> >>This could mean that the client has indicated it was unable to verify
>> >>the server's certificate.
>> >>
>> >>With regards to Roundcube, see this in config/defaults.inc.php:
>> >>
>> >>//$config['imap_conn_options'] = array(
>> >>//     'ssl' => array(
>> >>//         'verify_peer' => true,
>> >>//         'verify_depth' => 3,
>> >>//         'cafile' => '/etc/openssl/certs/ca.crt',
>> >>//     ),
>> >>// );
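
The two checks this thread keeps returning to, trust in the issuer ('cafile') and the host name ('peer_name'), can be reproduced offline with openssl on a throwaway self-signed certificate. This is an added example, not part of any message in the thread; mail.example.test, unrelated.example.test, 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Host names and the IP are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="mail.example.test"
CERT="$WORK/server.pem"      # stands in for the server's self-signed cert
OTHER="$WORK/other.pem"      # an unrelated certificate, i.e. the wrong cafile

# make_cert CN OUTFILE: create a throwaway self-signed certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/key.pem" -out "$2" 2>/dev/null
}

# chain_error CAFILE: print 0 if $CERT chains to CAFILE, otherwise the
# OpenSSL verify error number. This is the check 'verify_peer' => true asks for.
chain_error() {
    local out
    if out=$(openssl verify -CAfile "$1" "$CERT" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at.*/\1/p' | head -n 1
    fi
}

# name_ok NAME: succeed if NAME matches the certificate, the comparison
# made against 'peer_name' when peer-name verification is on.
name_ok() {
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q 'does match'
}

make_cert "$FQDN" "$CERT"
make_cert "unrelated.example.test" "$OTHER"

echo "cafile = the certificate itself: verify error $(chain_error "$CERT")"
echo "cafile = unrelated certificate:  verify error $(chain_error "$OTHER")"
name_ok "$FQDN"      && echo "peer_name $FQDN: matches"
name_ok "192.0.2.10" || echo "peer_name 192.0.2.10: does not match"
```

Verify error 18 is OpenSSL's "self-signed certificate" result; a client that fails this way reports it to the server as alert 48 (unknown ca), the message seen in the Dovecot log.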