
I'm trying to get roundcube/dovecot/postfix running on a debian box on amazon. I can log in and receive emails, but I cannot send. I get an error in roundcube: smtp authentication error (220) Authentication failed.

Roundcube error logs:

[24-Sep-2020 08:47:24 +0000]: <a83d4mll> PHP Error: STARTTLS failed (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)
[24-Sep-2020 08:47:24 +0000]: <a83d4mll> PHP Error: Invalid response code received from server (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)
[24-Sep-2020 08:47:24 +0000]: <a83d4mll> SMTP Error: Authentication failure: STARTTLS failed (Code: ) in /opt/bitnami/apps/roundcube/htdocs/program/lib/Roundcube/rcube.php on line 1702 (POST /?_task=mail&_unlock=loading1600937244456&_framed=1&_lang=en_US&_action=send)

roundcube SMTP log:

[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Connecting to tls://webmail.theomnihealthgroup.com:587...
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 220 mail.theomnihealthgroup.com ESMTP Postfix (Debian/GNU)
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: EHLO webmail.theomnihealthgroup.com
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-mail.theomnihealthgroup.com
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-PIPELINING
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-SIZE 10240000
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-VRFY
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-ETRN
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-STARTTLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-ENHANCEDSTATUSCODES
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-8BITMIME
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-DSN
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250-SMTPUTF8
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 250 CHUNKING
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: STARTTLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: 220 2.0.0 Ready to start TLS
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Send: QUIT
[24-Sep-2020 08:52:08 +0000]: <a83d4mll> Recv: ^V^C^C^A,^L^@^A(^C^@^] <80>ÄS<96>ñrgY(v^P¿<97>Åjò<¬<9e>ò^U­')gÔ<86>hG|¦^P^H^D^A^@Dv(RV<92>Tíìãô^HÂè<9c>è<98>ûÐU§­Ð^Bfã<87><9a>4BNPÙ<82>GÏs¬

I'm pretty sure this has to do with the certs but I'm not sure how to fix it.

postfix main.cf:

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_cert_file=/opt/bitnami/letsencrypt/certificates/webmail.theomnihealthgroup.com.crt
#smtpd_tls_key_file=/opt/bitnami/letsencrypt/certificates/webmail.theomnihealthgroup.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.theomnihealthgroup.com
#myhostname = theomnihealthgroup.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = theomnihealthgroup.com
mydomain = theomnihealthgroup.com
mydestination = $myhostname, ip-172-30-0-246.ec2.internal, localhost.ec2.internal, localhost, $mydomain, localhost.$mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

dovecot config:

mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

roundcube config.inc.php:

$config = array();
$config['debug_level'] = 1;
$config['smtp_debug'] = true;

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://bn_roundcube:22223abcde@localhost:3306/bitnami_roundcube';

// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
$config['default_host'] = 'mail.theomnihealthgroup.com';

// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld

// Also tried: $config['smtp_server'] = 'tls://theomnihealthgroup.com';
$config['smtp_server'] = 'tls://webmail.theomnihealthgroup.com';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = '';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = 'https://community.bitnami.com/';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Omni Mail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'KJDKJIJEIKDJ';

// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
    'archive',
    'zipdownload',
);

// skin name: folder from skins/
$config['skin'] = 'elastic';
$config['default_port'] = 143;
$config['mime_param_folding'] = 0;

1 Answer

When you set $config['smtp_server'] with a URL that starts with tls://, you're setting up a PHP SSL context. As suggested by the default roundcube config, you may need to set options on the context.

In my case, I had to provide:

  • peer_name, the mail server's domain name.
  • cafile, the CA file path.

You can put the following in your Roundcube config.inc.php file:

$config['smtp_conn_options'] = [
  'ssl' => [
    'peer_name' => 'mail.example.com',
    'cafile' => '/etc/ssl/certs/ca-certificates.crt'
  ],
];
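As an added diagnostic (not part of the question or the answer), the Python below does two things: it recognises, in a Roundcube smtp_debug transcript shaped like the one in the question, the pattern of a client-side STARTTLS failure (server answers 220, client QUITs without AUTH and then reads TLS handshake bytes as an SMTP reply), and it repeats the STARTTLS handshake with the same certificate and hostname verification PHP applies once ssl.cafile and ssl.peer_name are set, reporting the exact verification error. The session id, hostnames and log sample are constructed placeholders.

```python
import re
import smtplib
import ssl

# Constructed sample in the shape of Roundcube's smtp_debug log (placeholder
# session id and hostname): the client QUITs right after the server's 220.
SAMPLE_LOG = """\
<c0ffee00> Send: EHLO webmail.example.com
<c0ffee00> Recv: 250-STARTTLS
<c0ffee00> Recv: 250 CHUNKING
<c0ffee00> Send: STARTTLS
<c0ffee00> Recv: 220 2.0.0 Ready to start TLS
<c0ffee00> Send: QUIT
<c0ffee00> Recv: \x16\x03\x03\x01,\x0c\x00\x01(\x03\x00\x1d
"""

def classify_smtp_log(text):
    """Diagnose a Roundcube smtp_debug transcript from the STARTTLS step on."""
    events = re.findall(r"\b(Send|Recv): (.*)$", text, re.M)
    for i, (direction, msg) in enumerate(events):
        if direction == "Send" and msg.strip().upper() == "STARTTLS":
            rest = events[i + 1:]
            if not rest or not rest[0][1].startswith("220"):
                return "server refused STARTTLS"
            sends = [m for d, m in rest[1:] if d == "Send"]
            if sends and sends[0].strip().upper() == "QUIT":
                # 220 received, yet the client gave up before AUTH: the TLS
                # handshake failed client-side, usually certificate verification.
                return "client aborted after 220: TLS verification failed"
            return "TLS negotiated"
    return "STARTTLS never attempted"

def check_starttls(host, port=587, cafile=None, peer_name=None):
    """EHLO + STARTTLS with the checks PHP applies for ssl.cafile/ssl.peer_name;
    returns (ok, detail). Needs network access to the submission port."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            code, msg = smtp.docmd("STARTTLS")
            if code != 220:
                return False, f"STARTTLS refused: {code} {msg.decode(errors='replace')}"
            # As smtplib.starttls(), but verifying against an explicit peer_name.
            smtp.sock = ctx.wrap_socket(smtp.sock, server_hostname=peer_name or host)
            smtp.file = None
            return True, f"verified; certificate subject {smtp.sock.getpeercert().get('subject')}"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate verification failed: {e.verify_message}"
    except (OSError, smtplib.SMTPException) as e:
        return False, f"connection failed: {e}"
```

Run check_starttls against the submission host with the peer_name and cafile you intend to put in smtp_conn_options; the verify_message it returns (self-signed chain, hostname mismatch) tells you which of the two the PHP context is tripping over.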