colin at colinlikesfood.com
2022-Nov-23 19:54 UTC
Can't figure out why managesieve (pigeonhole) can't connect
thank you again. it seems you have seen my paste of config.inc.php. I
do not have a config.php:
my_user at some_host:/usr/local/www/roundcube/config # ls -l
total 67
-rw-r--r-- 1 root wheel 164 Jul 23 15:17 .htaccess
-rw-r--r-- 1 root wheel 1867 Nov 22 15:12 config.inc.php
-rw-r--r-- 1 root wheel 2943 Jul 23 15:17 config.inc.php.sample
-rw-r--r-- 1 root wheel 63790 Oct 29 20:24 defaults.inc.php
-rw-r--r-- 1 root wheel 2806 Jul 23 15:17 mimetypes.php
my_user at some_host:/usr/local/www/roundcube/config #
I have tried changing tls:// to ssl:// and back again (in the line
$config['managesieve_host'] = 'tls://obfuscated.domain';) but
the error
remains the same:
roundcube: PHP Error: Connection refused (GET
/index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Unable to connect to managesieve on
obfuscated.domain:4190 in
/usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Not currently in AUTHORISATION state (GET
/index.php?_task=settings&_action=plugin.managesieve)
php: PHP Error: Not currently connected (GET
/index.php?_task=settings&_action=plugin.managesieve)
roundcube: PHP Error: Connection refused (GET
/index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
roundcube: PHP Error: Unable to connect to managesieve on
obfuscated.domain:4190 in
/usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
on line 221 (GET
/index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
php: PHP Error: Not currently connected (GET
/index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
roundcube: PHP Error: Connection refused (POST
/?_task=settings&_action=plugin.managesieve-save)
roundcube: PHP Error: Unable to connect to managesieve on
obfuscated.domain:4190 in
/usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
on line 221 (POST /?_task=settings&_action=plugin.managesieve-save)
i don't understand why it can't connect, this seems to work fine:
# gnutls-cli --tofu --starttls -p 4190 10.0.0.91
Processed 142 CA certificate(s).
Resolving '10.0.0.91:4190'...
Connecting to '10.0.0.91:4190'...
- Simple Client Mode:
"IMPLEMENTATION" "dovecot"
"SIEVE" "fileinto reject envelope encoded-character vacation
subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
STARTTLS
OK "Begin TLS negotiation now."
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=obfuscated.domain.com', issuer `CN=R3,O=Let's
Encrypt,C=US', serial xxxxxxxxxxxxxxxxxxxxxx, RSA key 2048 bits, signed
using RSA-SHA256, activated `yyyy-mm-dd 17:48:15 UTC', expires
`yyyy-mm-dd 17:48:14 UTC', pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
Public Key ID:
sha1:xxxxxxxxxxxxxxxxxxxxxx
sha256:xxxxxxxxxxxxxxxxxxxxxx
Public Key PIN:
pin-sha256:xxxxxxxxxxxxxxxxxxxxxx
- Certificate[1] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
xxxxxxxxxxxxxxxxxxxxxx, RSA key 2048 bits, signed using RSA-SHA256,
activated `yyyy-mm-dd 00:00:00 UTC', expires `yyyy-mm-dd 16:00:00 UTC',
pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
- Certificate[2] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
yyyy-mm-dd, RSA key 4096 bits, signed using RSA-SHA256, activated
`yyyy-mm-dd 19:14:03 UTC', expires `yyyy-mm-dd 18:14:03 UTC',
pin-sha256="xxxxxxxxxxxxxxxxxxxxxx"
- Status: The certificate is NOT trusted. The name in the certificate
does not match the expected.
*** PKI verification of server certificate failed...
Host 10.0.0.91 (sieve) has never been contacted before.
Its certificate is valid for 10.0.0.91.
Are you sure you want to trust it? (y/N): y
- Description:
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: xx:yy:xx:yy:xx:yy...
- Options:
"IMPLEMENTATION" "dovecot"
"SIEVE" "fileinto reject envelope encoded-character vacation
subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5"
"VERSION" "1.0"
OK "TLS negotiation successful."
On 2022-11-23 13:35, Yassine Chaouche wrote:
> also make sure your are editing config.php and not config.inc.php
> (which you pasted)
>
> Yassine.
>
> Le 23 novembre 2022 8:30:36 PM GMT+01:00, Yassine Chaouche
> <a.chaouche at algerian-radio.dz> a ?crit :
>
>> good. we have established that the problem shouldn't be on
dovecot's
>> side. i suspect roundcube is misconfigured or can't connect for
some
>> reason. I believe someone mentioned SSL and TLS support problem in RC
>> for a specific version? can you try without? also can you paste RC
>> config?
>>
>> Yassine.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20221123/792d1718/attachment.htm>
PGNet Dev
2022-Nov-23 20:49 UTC
Can't figure out why managesieve (pigeonhole) can't connect
> i don't understand why it can't connect, this seems to work fine:fine ? you're manually overriding at least one problem with your certs/config> ... > - Status: The certificate is NOT trusted. The name in the certificate does not match the expected. > *** PKI verification of server certificate failed... > Host 10.0.0.91 (sieve) has never been contacted before. > Its certificate is valid for 10.0.0.91. > Are you sure you want to trust it? (y/N): y > ...it appears that you're using a self-signed cert? are your trusted certs defined and correctly chained? if not explicitly defined, did you correctly add you certs to system ssl dirs, and ensure hashes are correct? demonstrate first that you can connect to dovecot over tls with a cmd line client, without ignoring or overriding your cert problems including any client/server cert verification requirements you've turned on in dovecot config once you've passed the correct certs, then demonstrate that you can authenticate in the same session with any password/credentials you've set once that all works, make sure you've got those certs correctly set up in your rc config
Yassine Chaouche
2022-Nov-27 14:48 UTC
Can't figure out why managesieve (pigeonhole) can't connect
An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20221127/e5e67aa4/attachment.htm>
colin at colinlikesfood.com
2022-Dec-14 20:48 UTC
Can't figure out why managesieve (pigeonhole) can't connect
Thank you for this. I am not using self-signed, I am using letsencrypt as a CA, the certs are installed where certbot put them. I tried the example from https://wiki2.dovecot.org/TestInstallation, using openssl s_client, and I achieved the following (lots of data replaced with "...") I have not changed anything else since your last reply, I am honestly not sure what rc config has to do with certs (google has not given me a result that seems to apply). Does the below help confirm my certs are properly installed and that i can connect to dovecot over tls and pass my credentials? ----- root at mc:~ # openssl s_client -connect mydomain.com:143 -starttls imap CONNECTED(00000004) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = mydomain.com verify return:1 --- Certificate chain ... --- Server certificate -----BEGIN CERTIFICATE----- .. -----END CERTIFICATE----- .. --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 4922 bytes and written 426 bytes Verification: OK --- .. .. .. --- read R BLOCK a login me at mydomain.com MyPass * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE a OK Logged in a OK Logged in b select inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 35 EXISTS * 0 RECENT * OK [UNSEEN 18] First unseen. * OK [UIDVALIDITY 1669149589] UIDs valid * OK [UIDNEXT 255] Predicted next UID * OK [HIGHESTMODSEQ 615] Highest b OK [READ-WRITE] Select completed (0.001 + 0.000 secs). c list "" * * LIST (\HasNoChildren \Marked \Trash) "/" Trash * LIST (\HasNoChildren \UnMarked \Junk) "/" Junk * LIST (\HasNoChildren \Marked \Sent) "/" Sent * LIST (\HasNoChildren \Drafts) "/" Drafts * LIST (\HasNoChildren \UnMarked) "/" INBOX/email-reports * LIST (\HasNoChildren \UnMarked) "/" INBOX/NAS-Alerts * LIST (\HasChildren) "/" INBOX c OK List completed (0.001 + 0.000 secs). On 2022-11-23 14:49, PGNet Dev wrote:>> i don't understand why it can't connect, this seems to work fine: > > fine ? > > you're manually overriding at least one problem with your certs/config > >> ... >> - Status: The certificate is NOT trusted. The name in the certificate >> does not match the expected. >> *** PKI verification of server certificate failed... >> Host 10.0.0.91 (sieve) has never been contacted before. >> Its certificate is valid for 10.0.0.91. >> Are you sure you want to trust it? (y/N): y >> ... > > it appears that you're using a self-signed cert? are your trusted > certs defined and correctly chained? if not explicitly defined, did > you correctly add you certs to system ssl dirs, and ensure hashes are > correct? > > demonstrate first that you can connect to dovecot over tls with a cmd > line client, without ignoring or overriding your cert problems > > including any client/server cert verification requirements you've > turned on in dovecot config > > once you've passed the correct certs, then demonstrate that you can > authenticate in the same session with any password/credentials you've > set > > once that all works, make sure you've got those certs correctly set up > in your rc config-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20221214/4dc23b28/attachment.htm>