So, here is my dovecot configuration. /etc/dovecot/dovecot.conf ## Dovecot configuration file # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext } !include conf.d/*.conf !include_try local.conf !include_try /usr/share/dovecot/protocols.d/*.protocol listen = * disable_plaintext_auth = yes mail_privileged_group = mail passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } protocols = imap lmtp pop3 namespace inbox { inbox = yes mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } mailbox Spam { auto = subscribe # autocreate and autosubscribe the Spam mailbox } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster at mydomain.com hostname=mail.mydomain.com } ssl = required # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol listen = * disable_plaintext_auth = yes mail_privileged_group = mail passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } namespace inbox { inbox = yes mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 } } service lmtp { unix_listener 
/var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } protocol lmtp { postmaster_address=postmaster at mydomain.com hostname=mail.mydomain.com } ssl = required ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem ssl_prefer_server_ciphers = yes userdb { driver = prefetch } userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf } ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem ssl_cipher_list = AES128+EECDH:AES128+EDH #ssl_dh_parameters_length = 4096 ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem ssl_prefer_server_ciphers = yes #ssl_protocols = !SSLv3 userdb { driver = prefetch } userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf } And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn't work. ## ## ManageSieve specific settings ## # Uncomment to enable managesieve protocol: protocols = $protocols sieve # Service definitions service managesieve-login { inet_listener sieve { port = 4190 # ssl = yes } #inet_listener sieve_deprecated { # port = 2000 #} # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. <doc/wiki/LoginProcess.txt> #service_count = 1 # Number of processes to always keep waiting for more connections. #process_min_avail = 0 # If you set service_count=0, you probably need to grow this. #vsz_limit = 64M } #service managesieve { # Max. number of ManageSieve processes (connections) #process_limit = 1024 #} # Service configuration protocol sieve { # Maximum ManageSieve command line length in bytes. 
ManageSieve usually does # not involve overly long command lines, so this setting will not normally # need adjustment #managesieve_max_line_length = 65536 # Maximum number of ManageSieve connections allowed for a user from each IP # address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 # Space separated list of plugins to load (none known to be useful so far). # Do NOT try to load IMAP plugins here. #mail_plugins # MANAGESIEVE logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client # %{put_bytes} - Number of bytes saved using PUTSCRIPT command # %{put_count} - Number of scripts saved using PUTSCRIPT command # %{get_bytes} - Number of bytes read using GETCRIPT command # %{get_count} - Number of scripts read using GETSCRIPT command # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command # %{get_count} - Number of scripts checked using CHECKSCRIPT command # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command #managesieve_logout_format = bytes=%i/%o # To fool ManageSieve clients that are focused on CMU's timesieved you can # specify the IMPLEMENTATION capability that Dovecot reports to clients. # For example: 'Cyrus timsieved v2.2.13' #managesieve_implementation_string = Dovecot Pigeonhole # Explicitly specify the SIEVE and NOTIFY capability reported by the server # before login. If left unassigned these will be reported dynamically # according to what the Sieve interpreter supports by default (after login # this may differ depending on the user). #managesieve_sieve_capability #managesieve_notify_capability # The maximum number of compile errors that are returned to the client upon # script upload or script verification. #managesieve_max_compile_errors = 5 # Refer to 90-sieve.conf for script quota configuration and configuration of # Sieve execution limits. 
} Here is the output of testing with openssl from the roundcube server. I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null And got this: CONNECTED(00000003) 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 5 bytes and written 283 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- Is the second line in the output above the problem? Thanks to all of you for your help so far! Austin Witmer> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz> wrote: > > I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like: > > service managesieve-login { > inet_listener sieve { > port = 4190 > ssl = yes > } > > or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf > This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127 > > Tomas > > > On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote: >> Hello all! >> I've got a bit of a problem that I would like some help with. So, I have >> two servers, one is my mail server running postfix, dovecot etc. I have a >> second server setup as my roundcube server. Both servers are running on >> the same LAN network. >> I have sieve scripts setup in dovecot in my mail server and they are >> working great! My trouble is that I can't seem to make my roundcube talk >> correctly to managesieve on my mail server. 
>> Here is the mail.log file from the mail server when I try to create a >> sievescript from roundcube webmail: >> Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many >> invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, >> lip=10.116.0.2, session=<cZMzomvjyNgKdAAD> >> And here is my managesieve configuration from my roundcube server. >> /var/www/roundcube/plugins/managesieve/config.inc.php >> <?php >> $config['managesieve_port'] = 4190; >> $config['managesieve_host'] = '[1]ssl://10.116.0.2'; >> $config['managesieve_auth_type'] = null; >> $config['managesieve_auth_cid'] = null; >> $config['managesieve_auth_pw'] = null; >> $config['managesieve_usetls'] = false; >> $config['managesieve_conn_options'] = array( >> 'ssl' => array( >> 'verify_peer' => false, >> 'allow_self_signed' => true, >> ), >> ); >> $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve'; >> $config['managesieve_script_name'] = 'default.sieve'; >> $config['managesieve_mbox_encoding'] = 'UTF-8'; >> $config['managesieve_replace_delimiter'] = ''; >> $config['managesieve_disabled_extensions'] = []; >> $config['managesieve_debug'] = true; >> $config['managesieve_kolab_master'] = false; >> $config['managesieve_filename_extension'] = '.sieve'; >> $config['managesieve_filename_exceptions'] = []; >> $config['managesieve_domains'] = []; >> $config['managesieve_default_headers'] = ['Subject', 'From', 'To']; >> $config['managesieve_vacation'] = 0; >> $config['managesieve_forward'] = 0; >> $config['managesieve_vacation_interval'] = 0; >> $config['managesieve_vacation_addresses_init'] = false; >> $config['managesieve_vacation_from_init'] = false; >> $config['managesieve_notify_methods'] = ['mailto']; >> $config['managesieve_raw_editor'] = true; >> $config['managesieve_disabled_actions'] = []; >> $config['managesieve_allowed_hosts'] = null; >> Does anybody have any clue why roundcube isn't able to log in to >> managesieve on my mail server? 
>> Are there more logs/configs you would like to see? >> Thanks in advance for your help and suggestions! >> Austin Witmer >> >> References >> >> Visible links >> 1. file:///tmp/ssl:/10.116.0.2
Austin Witmer
2022-Jul-10 15:01 UTC
POSSIBLE SPAM: Re: Trouble configuring managesive plugin for roundcube
When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server. Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD> I'm not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out? Thanks! Austin Witmer> On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96 at emypeople.net> wrote: > > So, here is my dovecot configuration. /etc/dovecot/dovecot.conf > > ## Dovecot configuration file > > # Enable installed protocols > !include_try /usr/share/dovecot/protocols.d/*.protocol > > dict { > #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext > #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext > } > > !include conf.d/*.conf > > !include_try local.conf > > !include_try /usr/share/dovecot/protocols.d/*.protocol > > listen = * > > disable_plaintext_auth = yes > mail_privileged_group = mail > > passdb { > args = /etc/dovecot/dovecot-sql.conf > driver = sql > } > protocols = imap lmtp pop3 > > namespace inbox { > inbox = yes > > mailbox Trash { > auto = subscribe # autocreate and autosubscribe the Trash mailbox > special_use = \Trash > } > mailbox Sent { > auto = subscribe # autocreate and autosubscribe the Sent mailbox > special_use = \Sent > } > mailbox Spam { > auto = subscribe # autocreate and autosubscribe the Spam mailbox > } > } > > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > } > service imap-login { > inet_listener imap { > port = 0 > } > inet_listener imaps { > port = 993 > } > } > > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0600 > user = postfix > } > } > protocol lmtp { > postmaster_address=postmaster at 
mydomain.com > hostname=mail.mydomain.com > } > > ssl = required # Enable installed protocols > !include_try /usr/share/dovecot/protocols.d/*.protocol > > listen = * > > disable_plaintext_auth = yes > mail_privileged_group = mail > > passdb { > args = /etc/dovecot/dovecot-sql.conf > driver = sql > } > > namespace inbox { > inbox = yes > > mailbox Trash { > auto = subscribe # autocreate and autosubscribe the Trash mailbox > special_use = \Trash > } > mailbox Sent { > auto = subscribe # autocreate and autosubscribe the Sent mailbox > special_use = \Sent > } > } > > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > } > service imap-login { > inet_listener imap { > port = 0 > } > inet_listener imaps { > port = 993 > } > } > > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0600 > user = postfix > } > } > protocol lmtp { > postmaster_address=postmaster at mydomain.com > hostname=mail.mydomain.com > } > > ssl = required > ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > ssl_cipher_list = AES128+EECDH:AES128+EDH > ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem > ssl_prefer_server_ciphers = yes > > > userdb { > driver = prefetch > } > > userdb { > driver = sql > args = /etc/dovecot/dovecot-sql.conf > } > > ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > ssl_cipher_list = AES128+EECDH:AES128+EDH > #ssl_dh_parameters_length = 4096 > ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem > ssl_prefer_server_ciphers = yes > #ssl_protocols = !SSLv3 > > userdb { > driver = prefetch > } > > userdb { > driver = sql > args = /etc/dovecot/dovecot-sql.conf > } > > And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried enabling ssl = yes in the config below but it still didn?t work. 
> > ## > ## ManageSieve specific settings > ## > > # Uncomment to enable managesieve protocol: > protocols = $protocols sieve > > # Service definitions > > service managesieve-login { > inet_listener sieve { > port = 4190 > # ssl = yes > } > > #inet_listener sieve_deprecated { > # port = 2000 > #} > > # Number of connections to handle before starting a new process. Typically > # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 > # is faster. <doc/wiki/LoginProcess.txt> > #service_count = 1 > > # Number of processes to always keep waiting for more connections. > #process_min_avail = 0 > > # If you set service_count=0, you probably need to grow this. > #vsz_limit = 64M > } > > #service managesieve { > # Max. number of ManageSieve processes (connections) > #process_limit = 1024 > #} > > # Service configuration > > protocol sieve { > # Maximum ManageSieve command line length in bytes. ManageSieve usually does > # not involve overly long command lines, so this setting will not normally > # need adjustment > #managesieve_max_line_length = 65536 > > # Maximum number of ManageSieve connections allowed for a user from each IP > # address. > # NOTE: The username is compared case-sensitively. > #mail_max_userip_connections = 10 > > # Space separated list of plugins to load (none known to be useful so far). > # Do NOT try to load IMAP plugins here. 
> #mail_plugins > > # MANAGESIEVE logout format string: > # %i - total number of bytes read from client > # %o - total number of bytes sent to client > # %{put_bytes} - Number of bytes saved using PUTSCRIPT command > # %{put_count} - Number of scripts saved using PUTSCRIPT command > # %{get_bytes} - Number of bytes read using GETCRIPT command > # %{get_count} - Number of scripts read using GETSCRIPT command > # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command > # %{get_count} - Number of scripts checked using CHECKSCRIPT command > # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command > # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command > #managesieve_logout_format = bytes=%i/%o > > # To fool ManageSieve clients that are focused on CMU's timesieved you can > # specify the IMPLEMENTATION capability that Dovecot reports to clients. > # For example: 'Cyrus timsieved v2.2.13' > #managesieve_implementation_string = Dovecot Pigeonhole > > # Explicitly specify the SIEVE and NOTIFY capability reported by the server > # before login. If left unassigned these will be reported dynamically > # according to what the Sieve interpreter supports by default (after login > # this may differ depending on the user). > #managesieve_sieve_capability > #managesieve_notify_capability > > # The maximum number of compile errors that are returned to the client upon > # script upload or script verification. > #managesieve_max_compile_errors = 5 > > # Refer to 90-sieve.conf for script quota configuration and configuration of > # Sieve execution limits. > } > > Here is the output of testing with openssl from the roundcube server. 
> > I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null > > And got this: > > CONNECTED(00000003) > 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331: > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 5 bytes and written 283 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > Early data was not sent > Verify return code: 0 (ok) > ? > > Is the second line in the output above the problem? > > Thanks to all of you for your help so far! > > Austin Witmer > >> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz> wrote: >> >> I can't see your dovecot conf, but anyway -- roundcube side has to be aligned with dovecot's, i.e. if you use ssl on roundcube side, make sure you have it enabled on dovecot side too, something like: >> >> service managesieve-login { >> inet_listener sieve { >> port = 4190 >> ssl = yes >> } >> >> or just use tls, i.e. no "ssl=yes" in dovecot conf, but tls://10.116.0.2 in roundcube conf >> This seems to be the same case: https://github.com/roundcube/roundcubemail/issues/7127 >> >> Tomas >> >> >> On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote: >>> Hello all! >>> I?ve got a bit of a problem that I would like some help with. So, I have >>> two servers, one is my mail server running postfix, dovecot etc. I have a >>> second server setup as my roundcube server. Both servers are running on >>> the same LAN network. >>> I have sieve scripts setup in dovecot in my mail server and they are >>> working great! My trouble is that I can?t seem to make my roundcube talk >>> correctly to managesieve on my mail server. 
>>> Here is the mail.log file from the mail server when I try to create a >>> sievescript from roundcube webmail: >>> Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many >>> invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, >>> lip=10.116.0.2, session=<cZMzomvjyNgKdAAD> >>> And here is my managesieve configuration from my roundcube server. >>> /var/www/roundcube/plugins/managesieve/config.inc.php >>> <?php >>> $config['managesieve_port'] = 4190; >>> $config['managesieve_host'] = '[1]ssl://10.116.0.2'; >>> $config['managesieve_auth_type'] = null; >>> $config['managesieve_auth_cid'] = null; >>> $config['managesieve_auth_pw'] = null; >>> $config['managesieve_usetls'] = false; >>> $config['managesieve_conn_options'] = array( >>> 'ssl' => array( >>> 'verify_peer' => false, >>> 'allow_self_signed' => true, >>> ), >>> ); >>> $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve'; >>> $config['managesieve_script_name'] = 'default.sieve'; >>> $config['managesieve_mbox_encoding'] = 'UTF-8'; >>> $config['managesieve_replace_delimiter'] = ''; >>> $config['managesieve_disabled_extensions'] = []; >>> $config['managesieve_debug'] = true; >>> $config['managesieve_kolab_master'] = false; >>> $config['managesieve_filename_extension'] = '.sieve'; >>> $config['managesieve_filename_exceptions'] = []; >>> $config['managesieve_domains'] = []; >>> $config['managesieve_default_headers'] = ['Subject', 'From', 'To']; >>> $config['managesieve_vacation'] = 0; >>> $config['managesieve_forward'] = 0; >>> $config['managesieve_vacation_interval'] = 0; >>> $config['managesieve_vacation_addresses_init'] = false; >>> $config['managesieve_vacation_from_init'] = false; >>> $config['managesieve_notify_methods'] = ['mailto']; >>> $config['managesieve_raw_editor'] = true; >>> $config['managesieve_disabled_actions'] = []; >>> $config['managesieve_allowed_hosts'] = null; >>> Does anybody have any clue why roundcube isn?t able to login in to >>> 
managesieve on my mail server? >>> Are there more logs/configs you would like to see? >>> Thanks in advance for your help and suggestions! >>> Austin Witmer >>> >>> References >>> >>> Visible links >>> 1. file:///tmp/ssl:/10.116.0.2