Christian Kivalo
2022-Jul-12 15:13 UTC
Trouble configuring managesive plugin for roundcube
On 2022-07-12 16:19, Austin Witmer wrote:
> So, I changed the $config['managesieve_host'] 'tls://mail.mydomain.com'
> to the fqdn of my mail server instead of the internal IP address and
> now it works!

Good to hear it works now :)

> Why would using the fqdn work, but not the internal LAN IP address?

The client, here php / roundcube, checks if the presented certificate
contains the address it connected to, and ip addresses are very seldom
added as hosts to certificates.

> As a side note, I am now remembering that in my main Roundcube config,
> I had to use the fqdn for the imap and smtp server instead of the
> internal LAN IP address. Is it because it needs to connect to a host
> with the same hostname that the certificate returns? Would it work to
> add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com
> [1]"? I should be able to use the internal IP addresses, right? Are
> there downsides to using the fqdn?

The hosts file entry would help with name resolution but not with
certificate verification.

But you can make php think it connects to the correct hostname with the
ssl connection options

$config['managesieve_conn_options'] = [
    'ssl' => [
        'verify_peer' => false,
        'peer_name' => 'FQDN of mailserver',
    ],
];

This probably even works without the "verify_peer" line, haven't tested.

> I may have some questions about configuring sieve rules later, but I
> can start a new thread for that.
>
> Austin Witmer
>
>> On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot at valo.at>
>> wrote:
>>
>>> I added "login" to my auth_mechanisms line in
>>> /etc/dovecot/conf.d/10-auth.conf. That line already looked like
>>> auth_mechanisms = plain
>>> This is what the line looks like now: auth_mechanisms = plain
>>> login
>>> I restarted dovecot and it still is not advertising anything after
>>> "SASL" in the sieve log file. See below:
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "NOTIFY" "mailto"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "SASL" ""
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "STARTTLS"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: "VERSION" "1.0"
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Dovecot (Ubuntu)
>>> ready."
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> C: STARTTLS
>>> [10-Jul-2022 16:33:27 -0600]: <4d9b66la> S: OK "Begin TLS
>>> negotiation now."
>>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> C: LOGOUT
>>> [10-Jul-2022 16:33:30 -0600]: <4d9b66la> S: [unprintable encrypted TLS data]
>>> [... six more "S:" lines of unprintable encrypted TLS data ...]
>>> And once again the line from my mail.log file.
>>> Jul 10 22:33:27 mail dovecot: managesieve-login: Disconnected (no
>>> auth attempts in 0 secs): user=<>, rip=10.116.0.3, lip=10.116.0.2,
>>> TLS, session=<7VswBnvjXuIKdAAD>
>>> Any further suggestions? Why do you suppose that the auth
>>> mechanisms are not being advertised?
>> The auth mechanisms are not shown because you access from a remote
>> host, have STARTTLS available and "disable_plaintext_auth = yes"
>> set. The auth mechanisms will be shown after STARTTLS.
>> This is described here
>> https://wiki.dovecot.org/Pigeonhole/ManageSieve/Troubleshooting
>>
>> One more thing comes to mind regarding the ssl options in the
>> managesieve plugin config. Do you use a self signed cert in dovecot?
>>
>> One more thing you could try, in your managesieve plugin
>> config.inc.php
>>
>> remove this section:
>> $config['managesieve_conn_options'] = array(
>>     'ssl' => array(
>>         'verify_peer' => false,
>>         'allow_self_signed' => true,
>>     ),
>> );
>>
>> add this section:
>> $config['managesieve_conn_options'] = [
>>     'ssl' => [
>>         'verify_peer' => false,
>>         'peer_name' => 'change to the hostname from dovecots ssl
>> certificate',
>>     ],
>> ];
>>
>> add in there, when using self-signed cert
>> 'allow_self_signed' => true,
>>
>> --
>> Christian Kivalo

Links:
------
[1] http://mail.mydomain.com

--
Christian Kivalo
Thanks so much Christian Kivalo! See below.

> On Jul 12, 2022, at 9:13 AM, Christian Kivalo <ml+dovecot at valo.at> wrote:
>
> On 2022-07-12 16:19, Austin Witmer wrote:
>> So, I changed the $config['managesieve_host'] 'tls://mail.mydomain.com'
>> to the fqdn of my mail server instead of the internal IP address and
>> now it works!
> Good to hear it works now :)
>
>> Why would using the fqdn work, but not the internal LAN IP address?
> The client, here php / roundcube, checks if the presented certificate
> contains the address it connected to, and ip addresses are very seldom
> added as hosts to certificates.
>
>> As a side note, I am now remembering that in my main Roundcube config,
>> I had to use the fqdn for the imap and smtp server instead of the
>> internal LAN IP address. Is it because it needs to connect to a host
>> with the same hostname that the certificate returns? Would it work to
>> add an entry in my hosts file that says "10.116.0.2 mail.mydomain.com
>> [1]"? I should be able to use the internal IP addresses, right? Are
>> there downsides to using the fqdn?
>
> The hosts file entry would help with name resolution but not with
> certificate verification.
>
> But you can make php think it connects to the correct hostname with the
> ssl connection options
>
> $config['managesieve_conn_options'] = [
>     'ssl' => [
>         'verify_peer' => false,
>         'peer_name' => 'FQDN of mailserver',
>     ],
> ];
>
> This probably even works without the "verify_peer" line, haven't tested.

I added the block above to my managesieve configuration in Roundcube and
now connecting to an internal IP address works beautifully! Now I just
need to figure out how to accomplish the same thing for the imap and
smtp server that Roundcube is using. Is there a block similar to the one
above that I could add to my Roundcube config.inc.php file to enable me
to use internal addresses for my imap and smtp servers?

>> I may have some questions about configuring sieve rules later, but I
>> can start a new thread for that.
>> Austin Witmer
>>> On Jul 11, 2022, at 1:06 PM, Christian Kivalo <ml+dovecot at valo.at>
>>> wrote:
>>> [...]
>
> --
> Christian Kivalo

Thanks again for everyone's help! Much appreciated!

Austin Witmer
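An added example from the editor, not code from the thread, from Roundcube or from Dovecot: the `peer_name` option that makes the connection to the LAN IP work, but with `verify_peer` left at true. With `verify_peer => false`, as in the snippets quoted above, PHP does not check the certificate against anything, so `peer_name` has no security effect and any certificate, including one presented by a host impersonating 10.116.0.2, is accepted. For a self-signed Dovecot certificate the example trusts that one certificate via `cafile` instead of `allow_self_signed`, which would accept any self-signed certificate. The same stream-context array is valid for Roundcube's `imap_conn_options` and `smtp_conn_options`, which is the IMAP/SMTP question in the last message. `probeManageSieve()` connects the way the plugin does (plain TCP, then STARTTLS) and reports the certificate's names and the SASL mechanisms offered before and after TLS, which is what the `"SASL" ""` line in the quoted log shows. The IP, the FQDN and the CA file path are assumptions; PHP 8 with the openssl extension is assumed.

```php
<?php
// Added example, not Roundcube or Dovecot code. The IP, FQDN and CA path
// are assumptions standing in for the values discussed in the thread.

// Stream-context options: connect to an IP, verify the certificate against
// the FQDN. verify_peer stays true; peer_name only selects the name that is
// checked, it does not relax verification.
function tlsOptions(string $peerName, ?string $caFile = null): array
{
    $ssl = [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,   // true would accept any self-signed cert
        'peer_name'         => $peerName,
        'SNI_enabled'       => true,    // lets a multi-name server pick the right cert
        'capture_peer_cert' => true,    // lets probeManageSieve() inspect it
    ];
    if ($caFile !== null) {
        // Self-signed Dovecot cert or private CA: trust that file explicitly.
        $ssl['cafile'] = $caFile;
    }
    return ['ssl' => $ssl];
}

// config.inc.php: the same options serve all three Roundcube connections.
$caFile = '/etc/ssl/certs/dovecot-ca.pem';                 // assumption
$config['managesieve_host']         = 'tls://10.116.0.2';   // LAN IP, as in the thread
$config['managesieve_conn_options'] = tlsOptions('mail.mydomain.com', $caFile);
$config['imap_conn_options']        = tlsOptions('mail.mydomain.com', $caFile);
$config['smtp_conn_options']        = tlsOptions('mail.mydomain.com', $caFile);

// Manual check of what the plugin will see: greeting, STARTTLS, handshake
// (a name or CA mismatch fails here), then the capabilities the server
// re-sends after TLS, where Dovecot lists the SASL mechanisms.
function probeManageSieve(string $ip, array $opts, int $port = 4190): array
{
    $ctx = stream_context_create($opts);
    $fp  = stream_socket_client("tcp://$ip:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect: $errstr ($errno)");
    }

    // Read one capability block (lines up to "OK"); return the SASL list, if any.
    $readCaps = function () use ($fp): ?string {
        $sasl = null;
        while (($line = fgets($fp)) !== false) {
            $line = rtrim($line, "\r\n");
            if (str_starts_with($line, 'OK')) {
                return $sasl;
            }
            if (str_starts_with($line, 'NO') || str_starts_with($line, 'BYE')) {
                throw new RuntimeException("server: $line");
            }
            if (preg_match('/^"SASL" "([^"]*)"/', $line, $m)) {
                $sasl = $m[1];
            }
        }
        throw new RuntimeException('connection closed mid-capabilities');
    };

    $saslBefore = $readCaps();           // "" when disable_plaintext_auth = yes
    fwrite($fp, "STARTTLS\r\n");
    $readCaps();                          // OK "Begin TLS negotiation now."
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake or certificate verification failed');
    }
    $saslAfter = $readCaps();            // e.g. "PLAIN LOGIN"
    fwrite($fp, "LOGOUT\r\n");

    $cert = stream_context_get_options($ctx)['ssl']['peer_certificate'];
    $x509 = openssl_x509_parse($cert);
    fclose($fp);

    return [
        'subject_cn'           => $x509['subject']['CN'] ?? null,
        'san'                  => $x509['extensions']['subjectAltName'] ?? '(none)',
        'sasl_before_starttls' => $saslBefore,
        'sasl_after_starttls'  => $saslAfter,
    ];
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    print_r(probeManageSieve('10.116.0.2', tlsOptions('mail.mydomain.com', $caFile)));
}
```

Run it from the Roundcube host with `php probe.php`: if the handshake line throws, the certificate does not chain to the `cafile` or does not carry the `peer_name` in its subjectAltName, and the printed `san` shows which names it does carry. The same check without PHP is `openssl s_client -connect 10.116.0.2:4190 -starttls sieve -servername mail.mydomain.com -verify_hostname mail.mydomain.com -CAfile /etc/ssl/certs/dovecot-ca.pem`, whose "Verify return code" must be 0. The alternative to `peer_name` is to issue the Dovecot certificate with `IP Address:10.116.0.2` in its subjectAltName, after which the LAN IP verifies with no client-side override.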