Christian Kivalo
2022-Jul-10 15:49 UTC
POSSIBLE SPAM: Re: Trouble configuring managesive plugin for roundcube
On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96 at emypeople.net> wrote:
> When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf
> file, I get the log line below from mail.log on my mail server.
>
> Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth
> attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS
> handshaking: SSL_accept() failed: error:1408F10B:SSL
> routines:ssl3_get_record:wrong version number,
> session=<PoXYpnTjLN0KdAAD>
>
> I'm not smart enough with ssl stuff to know what the root cause of that
> error is. Can somebody help me out?

Your current dovecot config as below requires you to use tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use:

$config['managesieve_host'] = 'tls://10.116.0.2';

You have debug logging enabled in your roundcube managesieve config, the output should be in your roundcube logging. Look at that logging during a connection attempt, this helped me a lot identifying a certificate name mismatch.

> Thanks!
>
> Austin Witmer
>
>> On Jul 10, 2022, at 8:52 AM, Austin Witmer <austin96 at emypeople.net>
>> wrote:
>>
>> So, here is my dovecot configuration.
>> /etc/dovecot/dovecot.conf
>>
>> ## Dovecot configuration file
>>
>> # Enable installed protocols
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>
>> dict {
>>   #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
>>   #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
>> }
>>
>> !include conf.d/*.conf
>>
>> !include_try local.conf
>>
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>
>> listen = *
>>
>> disable_plaintext_auth = yes
>> mail_privileged_group = mail
>>
>> passdb {
>>   args = /etc/dovecot/dovecot-sql.conf
>>   driver = sql
>> }
>> protocols = imap lmtp pop3
>>
>> namespace inbox {
>>   inbox = yes
>>
>>   mailbox Trash {
>>     auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>     special_use = \Trash
>>   }
>>   mailbox Sent {
>>     auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>     special_use = \Sent
>>   }
>>   mailbox Spam {
>>     auto = subscribe # autocreate and autosubscribe the Spam mailbox
>>   }
>> }
>>
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     port = 993
>>   }
>> }
>>
>> service lmtp {
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = postfix
>>     mode = 0600
>>     user = postfix
>>   }
>> }
>> protocol lmtp {
>>   postmaster_address=postmaster at mydomain.com
>>   hostname=mail.mydomain.com
>> }
>>
>> ssl = required # Enable installed protocols
>> !include_try /usr/share/dovecot/protocols.d/*.protocol
>>
>> listen = *
>>
>> disable_plaintext_auth = yes
>> mail_privileged_group = mail
>>
>> passdb {
>>   args = /etc/dovecot/dovecot-sql.conf
>>   driver = sql
>> }
>>
>> namespace inbox {
>>   inbox = yes
>>
>>   mailbox Trash {
>>     auto = subscribe # autocreate and autosubscribe the Trash mailbox
>>     special_use = \Trash
>>   }
>>   mailbox Sent {
>>     auto = subscribe # autocreate and autosubscribe the Sent mailbox
>>     special_use = \Sent
>>   }
>> }
>>
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     port = 993
>>   }
>> }
>>
>> service lmtp {
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = postfix
>>     mode = 0600
>>     user = postfix
>>   }
>> }
>> protocol lmtp {
>>   postmaster_address=postmaster at mydomain.com
>>   hostname=mail.mydomain.com
>> }
>>
>> ssl = required
>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>> ssl_prefer_server_ciphers = yes
>>
>>
>> userdb {
>>   driver = prefetch
>> }
>>
>> userdb {
>>   driver = sql
>>   args = /etc/dovecot/dovecot-sql.conf
>> }
>>
>> ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
>> ssl_cipher_list = AES128+EECDH:AES128+EDH
>> #ssl_dh_parameters_length = 4096
>> ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
>> ssl_prefer_server_ciphers = yes
>> #ssl_protocols = !SSLv3
>>
>> userdb {
>>   driver = prefetch
>> }
>>
>> userdb {
>>   driver = sql
>>   args = /etc/dovecot/dovecot-sql.conf
>> }
>>
>> And here is the /etc/dovecot/conf.d/20-managesieve.conf file. I tried
>> enabling ssl = yes in the config below but it still didn't work.
>>
>> ##
>> ## ManageSieve specific settings
>> ##
>>
>> # Uncomment to enable managesieve protocol:
>> protocols = $protocols sieve
>>
>> # Service definitions
>>
>> service managesieve-login {
>>   inet_listener sieve {
>>     port = 4190
>>     # ssl = yes
>>   }
>>
>>   #inet_listener sieve_deprecated {
>>   #  port = 2000
>>   #}
>>
>>   # Number of connections to handle before starting a new process. Typically
>>   # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
>>   # is faster. <doc/wiki/LoginProcess.txt>
>>   #service_count = 1
>>
>>   # Number of processes to always keep waiting for more connections.
>>   #process_min_avail = 0
>>
>>   # If you set service_count=0, you probably need to grow this.
>>   #vsz_limit = 64M
>> }
>>
>> #service managesieve {
>>   # Max. number of ManageSieve processes (connections)
>>   #process_limit = 1024
>> #}
>>
>> # Service configuration
>>
>> protocol sieve {
>>   # Maximum ManageSieve command line length in bytes. ManageSieve usually does
>>   # not involve overly long command lines, so this setting will not normally
>>   # need adjustment
>>   #managesieve_max_line_length = 65536
>>
>>   # Maximum number of ManageSieve connections allowed for a user from each IP
>>   # address.
>>   # NOTE: The username is compared case-sensitively.
>>   #mail_max_userip_connections = 10
>>
>>   # Space separated list of plugins to load (none known to be useful so far).
>>   # Do NOT try to load IMAP plugins here.
>>   #mail_plugins
>>
>>   # MANAGESIEVE logout format string:
>>   # %i - total number of bytes read from client
>>   # %o - total number of bytes sent to client
>>   # %{put_bytes} - Number of bytes saved using PUTSCRIPT command
>>   # %{put_count} - Number of scripts saved using PUTSCRIPT command
>>   # %{get_bytes} - Number of bytes read using GETCRIPT command
>>   # %{get_count} - Number of scripts read using GETSCRIPT command
>>   # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
>>   # %{get_count} - Number of scripts checked using CHECKSCRIPT command
>>   # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
>>   # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
>>   #managesieve_logout_format = bytes=%i/%o
>>
>>   # To fool ManageSieve clients that are focused on CMU's timesieved you can
>>   # specify the IMPLEMENTATION capability that Dovecot reports to clients.
>>   # For example: 'Cyrus timsieved v2.2.13'
>>   #managesieve_implementation_string = Dovecot Pigeonhole
>>
>>   # Explicitly specify the SIEVE and NOTIFY capability reported by the server
>>   # before login. If left unassigned these will be reported dynamically
>>   # according to what the Sieve interpreter supports by default (after login
>>   # this may differ depending on the user).
>>   #managesieve_sieve_capability
>>   #managesieve_notify_capability
>>
>>   # The maximum number of compile errors that are returned to the client upon
>>   # script upload or script verification.
>>   #managesieve_max_compile_errors = 5
>>
>>   # Refer to 90-sieve.conf for script quota configuration and configuration of
>>   # Sieve execution limits.
>> }
>>
>> Here is the output of testing with openssl from the roundcube server.
>>
>> I ran this: openssl s_client -connect 10.116.0.2:4190 </dev/null
>>
>> And got this:
>>
>> CONNECTED(00000003)
>> 139804327073088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 5 bytes and written 283 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ?
>>
>> Is the second line in the output above the problem?
>>
>> Thanks to all of you for your help so far!
>>
>> Austin Witmer
>>
>>> On Jul 10, 2022, at 2:17 AM, Tomas Habarta <lists+dovecot at tocc.cz>
>>> wrote:
>>>
>>> I can't see your dovecot conf, but anyway -- roundcube side has to be
>>> aligned with dovecot's, i.e. if you use ssl on roundcube side, make
>>> sure you have it enabled on dovecot side too, something like:
>>>
>>> service managesieve-login {
>>>   inet_listener sieve {
>>>     port = 4190
>>>     ssl = yes
>>>   }
>>>
>>> or just use tls, i.e. no "ssl=yes" in dovecot conf, but
>>> tls://10.116.0.2 in roundcube conf
>>> This seems to be the same case:
>>> https://github.com/roundcube/roundcubemail/issues/7127
>>>
>>> Tomas
>>>
>>>
>>> On Sat, Jul 09, 2022 at 10:31:04PM -0600, Austin Witmer wrote:
>>>> Hello all!
>>>> I've got a bit of a problem that I would like some help with. So, I have
>>>> two servers, one is my mail server running postfix, dovecot etc. I have a
>>>> second server setup as my roundcube server. Both servers are running on
>>>> the same LAN network.
>>>> I have sieve scripts setup in dovecot in my mail server and they are
>>>> working great! My trouble is that I can't seem to make my roundcube talk
>>>> correctly to managesieve on my mail server.
>>>> Here is the mail.log file from the mail server when I try to create a
>>>> sievescript from roundcube webmail:
>>>> Jul 10 04:11:45 mail dovecot: managesieve-login: Disconnected: Too many
>>>> invalid commands. (no auth attempts in 0 secs): user=<>, rip=10.116.0.3,
>>>> lip=10.116.0.2, session=<cZMzomvjyNgKdAAD>
>>>> And here is my managesieve configuration from my roundcube server.
>>>> /var/www/roundcube/plugins/managesieve/config.inc.php
>>>> <?php
>>>> $config['managesieve_port'] = 4190;
>>>> $config['managesieve_host'] = '[1]ssl://10.116.0.2';
>>>> $config['managesieve_auth_type'] = null;
>>>> $config['managesieve_auth_cid'] = null;
>>>> $config['managesieve_auth_pw'] = null;
>>>> $config['managesieve_usetls'] = false;
>>>> $config['managesieve_conn_options'] = array(
>>>>   'ssl' => array(
>>>>     'verify_peer' => false,
>>>>     'allow_self_signed' => true,
>>>>   ),
>>>> );
>>>> $config['managesieve_default'] = 'var/lib/dovecot/sieve/default.sieve';
>>>> $config['managesieve_script_name'] = 'default.sieve';
>>>> $config['managesieve_mbox_encoding'] = 'UTF-8';
>>>> $config['managesieve_replace_delimiter'] = '';
>>>> $config['managesieve_disabled_extensions'] = [];
>>>> $config['managesieve_debug'] = true;
>>>> $config['managesieve_kolab_master'] = false;
>>>> $config['managesieve_filename_extension'] = '.sieve';
>>>> $config['managesieve_filename_exceptions'] = [];
>>>> $config['managesieve_domains'] = [];
>>>> $config['managesieve_default_headers'] = ['Subject', 'From', 'To'];
>>>> $config['managesieve_vacation'] = 0;
>>>> $config['managesieve_forward'] = 0;
>>>> $config['managesieve_vacation_interval'] = 0;
>>>> $config['managesieve_vacation_addresses_init'] = false;
>>>> $config['managesieve_vacation_from_init'] = false;
>>>> $config['managesieve_notify_methods'] = ['mailto'];
>>>> $config['managesieve_raw_editor'] = true;
>>>> $config['managesieve_disabled_actions'] = [];
>>>> $config['managesieve_allowed_hosts'] = null;
>>>> Does anybody have any clue why roundcube isn't able to log in to
>>>> managesieve on my mail server?
>>>> Are there more logs/configs you would like to see?
>>>> Thanks in advance for your help and suggestions!
>>>> Austin Witmer
>>>>
>>>> References
>>>>
>>>> Visible links
>>>> 1. file:///tmp/ssl:/10.116.0.2

--
Christian Kivalo
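Why the `openssl s_client -connect 10.116.0.2:4190` test quoted above reports "wrong version number" after reading 5 bytes, as an added example that is not part of the original thread or of Dovecot/Roundcube: a TLS client reads the first 5 bytes of the cleartext ManageSieve greeting as a TLS record header. The function names and the two sample byte strings are assumptions constructed for illustration; the pairing check models only the `ssl://` and `tls://` prefixes discussed in the thread.

```python
import struct

# Constructed sample: the cleartext greeting a STARTTLS-style ManageSieve
# listener sends on connect (first capability line as logged in sieve.log).
PLAINTEXT_GREETING = b'"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"\r\n'
# Constructed sample: a TLS handshake record header (type 22, version 3.3,
# length 80), the kind of reply an implicit-TLS listener gives a ClientHello.
TLS_RECORD_START = bytes([0x16, 0x03, 0x03, 0x00, 0x50])

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(data):
    """Read the first 5 bytes as a TLS record header, as a TLS client does."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    plausible = ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
    return {"type": ctype, "version": (major, minor),
            "length": length, "plausible_tls": plausible}


def listener_mode(first_bytes_from_server):
    """Classify the listener from what it sent back to a TLS client."""
    if parse_record_header(first_bytes_from_server)["plausible_tls"]:
        return "implicit-tls"
    if first_bytes_from_server.startswith(b'"'):
        # ManageSieve capability lines are quoted strings in cleartext.
        return "starttls"
    return "unknown"


def client_mode(managesieve_host):
    """Transport implied by the Roundcube managesieve_host prefix."""
    if managesieve_host.startswith("ssl://"):
        return "implicit-tls"
    if managesieve_host.startswith("tls://"):
        return "starttls"
    raise ValueError("only the ssl:// and tls:// prefixes are modelled here")


def pairing_ok(managesieve_host, listener_has_ssl_yes):
    """True when the prefix matches the Dovecot inet_listener 'ssl' setting."""
    server = "implicit-tls" if listener_has_ssl_yes else "starttls"
    return client_mode(managesieve_host) == server


if __name__ == "__main__":
    hdr = parse_record_header(PLAINTEXT_GREETING)
    # '"IMPL' is read as type 0x22, version 0x49.0x4d: not a TLS record.
    print("greeting parsed as TLS header:", hdr)
    print("listener:", listener_mode(PLAINTEXT_GREETING))
    for host, ssl_yes in [("ssl://10.116.0.2", False),
                          ("tls://10.116.0.2", False),
                          ("ssl://10.116.0.2", True)]:
        print(host, "ssl=yes" if ssl_yes else "no ssl=yes",
              "->", "match" if pairing_ok(host, ssl_yes) else "MISMATCH")
```

Against a listener without `ssl = yes`, `openssl s_client -starttls sieve -connect 10.116.0.2:4190` performs the cleartext STARTTLS exchange before the handshake.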
Ok, I changed to

$config['managesieve_host'] = 'tls://10.116.0.2';

and the below is the log from /var/www/roundcube/logs/sieve.log during a connection attempt. Does this log give you any clues?

[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "NOTIFY" "mailto"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "SASL" ""
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "STARTTLS"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: "VERSION" "1.0"
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Dovecot (Ubuntu) ready."
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> C: STARTTLS
[10-Jul-2022 14:59:48 -0600]: <mhtmgoqb> S: OK "Begin TLS negotiation now."
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> C: LOGOUT
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?=?C-?H????(????.?2 [`S?w??K???:?&Bn3v?*?z[??'K?x?@??W??T-?q?\?o?Tub.Nr?)*??j???? ?P^??.mr???+?5e.??q?.$????/????u??B~?f+>?????.??.?=??
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ?A?\???F???X? c+????!???{?-??\?]?????7H1+v?y?5?G-6c0????av?_1?5n??i7?U??L@?AH??O?N???Ie?r?F??weqfR???Y???b????? ??kT?+?.??S?u???????c?Z'??nT???m???????(6?~&WC??B?m???Z?1?????R?3??i@??R???=VHf?5??1??}????u9m
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: ? ??*}??OG?C??,????.??Cg??R????M?? ?Kiq?
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S: W?qWN?]??8??d??=?&?H8????y??"?6?D?!*???K??????$eV??.O????n???M???h??C???A????U?G2?O,????E?C\*?~,???$?{????W0w??B?E??X`?!VH???k+??????e???Ero?0????&????2?&????I?^D?;??f?4????Zn%Y_??/s1hj??;???ujt?d?H?v?t3"?Wm0`???? z???AU?QRE??\Bz-V??W???,?bp???e?D???0m?-? ?8?%???4??V?\?'MR[?O1??4 ? 4Z?X
[10-Jul-2022 14:59:50 -0600]: <mhtmgoqb> S:

And here is the log from the mail server during the same connection attempt.

Jul 10 20:59:48 mail dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS, session=<d9tCt3njVuEKdAAD>

And here is the output of doveconf -n

austin at mail:~$ doveconf -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-121-generic x86_64 Ubuntu 20.04.4 LTS
# Hostname: mail.mydomain.com
listen = *
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve = /mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
  sieve_global_dir = /var/lib/dovecot/sieve/
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_user_log = file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
}
protocols = imap lmtp pop3 imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  hostname = mail.mydomain.com
  mail_plugins = " sieve"
  postmaster_address = postmaster at mydomain.com
}
protocol lda {
  mail_plugins = " sieve"
}

What am I missing????

Thanks so much to all of you for helping me along! This is why I like the Open-source community!

Austin Witmer

> On Jul 10, 2022, at 9:49 AM, Christian Kivalo <ml+dovecot at valo.at> wrote:
>
>
> On July 10, 2022 5:01:02 PM GMT+02:00, Austin Witmer <austin96 at emypeople.net> wrote:
>> When I enable ssl = yes in my /etc/dovecot/conf.d/20-managesieve.conf file, I get the log line below from mail.log on my mail server.
>> Jul 10 14:57:18 mail dovecot: managesieve-login: Disconnected (no auth attempts in 62 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<PoXYpnTjLN0KdAAD>
>> I'm not smart enough with ssl stuff to know what the root cause of that error is. Can somebody help me out?
>
> Your current dovecot config as below requires you to use tls:// prefix in the managesieve configuration. I just tried it with my server and it worked. Use:
> $config['managesieve_host'] = 'tls://10.116.0.2';
>
> You have debug logging enabled in your roundcube managesieve config, the output should be in your roundcube logging. Look at that logging during a connection attempt, this helped me a lot identifying a certificate name mismatch.
>
>
>> Thanks!