
I have a Postfix / Dovecot / Roundcube setup that I use personally, as well as provide to other users. I am attempting to transfer this entire setup to a new box, but having some issues.

Mail receiving is working fine (only tested internally; the domain isn't transferred yet), and external IMAP & SMTP are working great using TLS/SSL (Thunderbird, for example).

The problem is with my roundcube setup, which can use IMAP to 127.0.0.1, and displays user's email wonderfully, but cannot send e-mail, simply claiming: "SMTP Error (220): Authentication failed."

Oddly, with the same Postfix/Dovecot config that I used on my current server, Roundcube can no longer access it on my new server. Here is the relevant roundcube config:

$config['smtp_server'] = 'tls://localhost';

// Log SMTP conversation to <log_dir>/smtp or to syslog
$config['smtp_debug'] = true;

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

Roundcube's logs/errors log simply says:

[02-Jan-2015 16:55:49 America/New_York] STARTTLS failed (): 
[02-Jan-2015 16:55:49 -0500]: SMTP Error: SMTP error: Authentication failure: STARTTLS failed (Code: ) in /var/wwwmail/program/lib/Roundcube/rcube.php on line 1505 (POST /?_task=mail&_unlock=loading1420235752730&_lang=undefined&_framed=1?_task=mail&_action=send)

While Roundcube's logs/smtp log shows:

[02-Jan-2015 17:50:01 -0500]: Recv: 220 example.net ESMTP Postfix
[02-Jan-2015 17:50:01 -0500]: Send: EHLO example.net
[02-Jan-2015 17:50:01 -0500]: Recv: 250-example.net
[02-Jan-2015 17:50:01 -0500]: Recv: 250-PIPELINING
[02-Jan-2015 17:50:01 -0500]: Recv: 250-SIZE 104857600
[02-Jan-2015 17:50:01 -0500]: Recv: 250-VRFY
[02-Jan-2015 17:50:01 -0500]: Recv: 250-ETRN
[02-Jan-2015 17:50:01 -0500]: Recv: 250-STARTTLS
[02-Jan-2015 17:50:01 -0500]: Recv: 250-ENHANCEDSTATUSCODES
[02-Jan-2015 17:50:01 -0500]: Recv: 250-8BITMIME
[02-Jan-2015 17:50:01 -0500]: Recv: 250 DSN
[02-Jan-2015 17:50:01 -0500]: Send: STARTTLS
[02-Jan-2015 17:50:01 -0500]: Recv: 220 2.0.0 Ready to start TLS
[02-Jan-2015 17:50:01 -0500]: Send: RSET
[02-Jan-2015 17:50:01 -0500]: Recv: M I A…"qhçR¸
[02-Jan-2015 17:50:01 -0500]: Send: QUIT

Here are the relevant snippets of my postfix config from /etc/postfix/main.cf

# TLS parameters for SMTP service
smtpd_tls_security_level    = may
smtpd_tls_cert_file         = /etc/ssl/private/example.net/example.net.crt
smtpd_tls_key_file          = /etc/ssl/private/example.net/example.net.key
smtpd_tls_auth_only         = yes

Here are the relevant snippets of my postfix config from /etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o cleanup_service_name=cleanup_submit
smtps     inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Postfix log /var/log/mail.log reports the following errors:

Jan  2 17:50:01 example postfix/submission/smtpd[19959]: connect from localhost.localdomain[127.0.0.1]
Jan  2 17:50:01 example postfix/submission/smtpd[19959]: SSL_accept error from localhost.localdomain[127.0.0.1]: 0
Jan  2 17:50:01 example postfix/submission/smtpd[19959]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1292:SSL alert number 48:
Jan  2 17:50:01 example postfix/submission/smtpd[19959]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Jan  2 17:50:01 example postfix/submission/smtpd[19959]: disconnect from localhost.localdomain[127.0.0.1]

I've read a few other questions with similar error codes, but they all appear to be using either self-signed certificates or adding a link to the certificate's hash from /etc/ssl/certs/, which I have tried, though I may have misunderstood and linked the wrong certificate.

Roundcube is updated to 1.0.4, which was supposed to fix an issue with PHP version incompatibility due to OpenSSL. I'm all out of ideas; anyone have any ideas?

1n5aN1aC

5 Answers

The error message above looks like the client (the PHP script invoked by Roundcube) fails to verify the peer certificate because of an unknown CA. There are many reasons why this error can happen.

Regarding OpenSSL, Roundcube versions 1.0-RC and later ship with SSL connection options. The parameters smtp_conn_options and imap_conn_options were added in versions 1.0-RC and 1.0.3 respectively. By default, the value of both parameters is null. The snippet below was taken from the Roundcube file config/defaults.inc.php. You can refer to the PHP manual for a complete description of these parameters.

// SMTP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation, and
// requires 'smtp_timeout' to be non zero.
// $config['smtp_conn_options'] = array(
//   'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
$config['smtp_conn_options'] = null;

On many systems using a self-signed certificate, the default value works for PHP 5.5 and earlier. By default, PHP 5.6 will verify the peer certificate against the installed CAs and will verify the peer name.

Now, it looks like Debian jessie also ships with PHP 5.6 as the default version. Apparently PHP fails to verify the Postfix certificate. The possible reasons: PHP fails in verify_peer_name (because you specify localhost as the hostname) or in verify_peer (because the CA is unknown).

A similar case also happened to an Arch Linux user. The solution was one of the following:

  • Install CA certificate in openssl cert directory
  • In roundcube smtp_server option, change localhost to Postfix FQDN (solution from OP)
  • Disable verify_peer and/or verify_peer_name in smtp_conn_options
masegaloeh
    Thank you very much! Turns out, a simple change of telling roundcube to use the FQDN instead of localhost instantly fixed it! Wish I had known php changed those settings before! – 1n5aN1aC Jan 03 '15 at 07:11
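To see which of the two checks (chain or peer name) is rejecting the Postfix certificate, the following standalone probe repeats the steps Roundcube's SMTP client performs (banner, EHLO, STARTTLS, TLS handshake) with PHP 5.6's verification options set explicitly, so the handshake failure comes back with PHP's own reason rather than Roundcube's bare "STARTTLS failed ()". This is an added diagnostic written for this answer, not Roundcube or Net_SMTP code; the default host, port and CA bundle path (the Debian bundle) are assumptions for the setup in the question.

```php
<?php
// starttls_probe.php -- added diagnostic, not part of Roundcube or Net_SMTP.
// Usage: php starttls_probe.php [host] [port] [cafile]
// Defaults (assumed for the setup in the question; adjust as needed):
$host   = isset($argv[1]) ? $argv[1] : 'mail.example.net';
$port   = isset($argv[2]) ? (int)$argv[2] : 587;
$cafile = isset($argv[3]) ? $argv[3] : '/etc/ssl/certs/ca-certificates.crt'; // Debian CA bundle

// The same SSL context options Roundcube's smtp_conn_options feeds to PHP.
$ctx = stream_context_create(array('ssl' => array(
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'peer_name'         => $host,   // name that must appear in the certificate's SAN/CN
    'cafile'            => $cafile, // CA that must have signed (or chain to) the cert
    'capture_peer_cert' => true,    // keep the certificate so we can print what it says
)));

$fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "connect to $host:$port failed: $errstr ($errno)\n");
    exit(1);
}

// Read one SMTP reply; "250-..." lines continue the reply, "250 ..." ends it.
function smtp_reply($fp)
{
    $lines = array();
    while (($line = fgets($fp, 1024)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (!preg_match('/^\d{3}-/', $line)) {
            break;
        }
    }
    return $lines;
}

function smtp_cmd($fp, $cmd)
{
    fwrite($fp, $cmd . "\r\n");
    return smtp_reply($fp);
}

smtp_reply($fp);                                   // 220 banner
$ehlo = smtp_cmd($fp, 'EHLO probe.invalid');
if (!preg_grep('/^250[- ]STARTTLS$/', $ehlo)) {
    fwrite(STDERR, "server did not advertise STARTTLS: " . implode(' | ', $ehlo) . "\n");
    exit(1);
}
$r = smtp_cmd($fp, 'STARTTLS');
if (strpos($r[0], '220') !== 0) {
    fwrite(STDERR, "STARTTLS refused: {$r[0]}\n");
    exit(1);
}

// The handshake is where verify_peer / verify_peer_name are enforced. PHP
// reports a failure as a warning, so capture it instead of letting it scroll by.
$ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
if ($ok !== true) {
    $err = error_get_last();
    fwrite(STDERR, "TLS handshake failed: " . ($err ? $err['message'] : 'unknown reason') . "\n");
    exit(1);
}

// Show what the server actually presented, so smtp_server can be set to a matching name.
$params = stream_context_get_params($fp);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
$cn     = isset($cert['subject']['CN']) ? $cert['subject']['CN'] : '(none)';
$san    = isset($cert['extensions']['subjectAltName']) ? $cert['extensions']['subjectAltName'] : '(none)';
echo "TLS OK to $host:$port\n";
echo "  subject CN : $cn\n";
echo "  SAN        : $san\n";
echo "  issuer CN  : " . (isset($cert['issuer']['CN']) ? $cert['issuer']['CN'] : '(none)') . "\n";

smtp_cmd($fp, 'QUIT');
fclose($fp);
```

Running it as `php starttls_probe.php localhost 587` reproduces the situation in the question and prints PHP's warning text, which states whether the name or the chain was rejected; running it with the name on the certificate (and a cafile that contains its issuer) should print the subject and SAN, which is exactly the value smtp_server needs. Note that in PHP 5.6.0 through 5.6.6 STREAM_CRYPTO_METHOD_TLS_CLIENT negotiates TLS 1.0 only; later releases negotiate any TLS version. The same check from the shell on OpenSSL 1.1.0 or later is `openssl s_client -starttls smtp -connect mail.example.net:587 -CAfile /etc/ssl/certs/ca-certificates.crt -verify_hostname mail.example.net`.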
PHP 5.6 does SSL peer verification, meaning that it checks whether the SMTP server's certificate is from a known CA.

The smtp_server option must match the certificate's CN field! (Common Name)

So don't put localhost in there; put the fully qualified domain name in there that matches your certificate.

Credits to: https://www.blogobramje.nl/posts/Roundcube_sending_mail_broken_with_PHP_5.6_-_STARTTLS_failed/

jmikii

Because I use Dovecot, my solution was to add the CA to /etc/dovecot/dovecot.conf:

ssl_ca = </etc/ssl/ca.pem
Klaus

I had the same error. Fixed it by adding the CA file in the Postfix main.cf file, which may be at /etc/postfix/main.cf.

smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/foo-cert.pem
smtpd_tls_key_file = /etc/postfix/foo-key.pem

Ladadadada

Same problem! Quick and dirty workaround: change verify_peer to false in config/defaults.inc.php.

$config['smtp_conn_options'] = array(
   'ssl'         => array(
     'verify_peer'  => false,
     'verify_depth' => 3,
     'cafile'       => '/etc/openssl/certs/ca.crt',
   ),
);

WARNING: ONLY for testing; NOT FOR PRODUCTION environments.

    Even with the warning you put in, this is still not a great idea: the OP knows the issue to be SSL/TLS related, and disabling cert checks will 'make things work' while removing much of the security SSL/TLS would provide. Maybe more useful to the OP would be walking through your config block (potentially with `verify_peer => true`), and explaining what the `cafile` should point to. – iwaseatenbyagrue Apr 24 '17 at 16:31
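For contrast with the workaround above, here is the hardened form of the same block: verification stays on and PHP is instead given the two things it needs to succeed, a hostname that appears on the Postfix certificate and a cafile that contains its issuer. This is an added example for config/config.inc.php, not configuration from the original answers; the hostname mail.example.net and the CA bundle paths are assumptions for the setup in the question.

```php
<?php
// Added example Roundcube config (config/config.inc.php), not from the
// original answers. Hostnames and paths below are assumptions.

// Use the name on Postfix's certificate, never localhost or 127.0.0.1:
// verify_peer_name compares this hostname against the certificate's
// SAN/CN, so it must be a name the certificate actually carries.
$config['smtp_server'] = 'tls://mail.example.net';
$config['smtp_port']   = 587;
$config['smtp_user']   = '%u';
$config['smtp_pass']   = '%p';

// defaults.inc.php requires a non-zero smtp_timeout when smtp_conn_options is set.
$config['smtp_timeout'] = 30;

$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'verify_depth'     => 3,
        // The CA that signed the Postfix certificate. For a public CA this is
        // the distribution bundle (/etc/ssl/certs/ca-certificates.crt on Debian,
        // /etc/pki/tls/certs/ca-bundle.crt on RHEL/CentOS); for a private CA it
        // is that CA's PEM file, which must be readable by the web server user.
        'cafile'           => '/etc/ssl/certs/ca-certificates.crt',
        // Only if you must connect to a name other than the certificate's
        // (for example localhost): state the expected certificate name here
        // rather than switching verify_peer_name off.
        // 'peer_name'     => 'mail.example.net',
    ),
);

// The same applies to IMAP whenever default_host uses tls:// or ssl://
// (imap_conn_options exists since Roundcube 1.0.3).
$config['default_host'] = 'tls://mail.example.net';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => '/etc/ssl/certs/ca-certificates.crt',
    ),
);
```

If the Postfix certificate was issued by your own CA, the cleaner alternative to pointing cafile at a single file is to install that CA system-wide; on Debian that means copying the CA's .crt into /usr/local/share/ca-certificates/ and running update-ca-certificates, after which it is part of the bundle referenced above and every PHP (and other OpenSSL-based) client on the box trusts it without per-application settings.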