3

I am trying to get roundcube, dovecot, postfix, and certificates from letsencrypt to all work together on Debian 9.

I installed roundcube using the apt-get command.

When trying to log into roundcube it takes a long time where it says "Loading..." but then does not log me in. The onscreen error says Connection to storage server failed. Looking in the roundcube error logs I get the following error:

IMAP Error: Login failed for user@example.com from 192.0.2.10. Empty startup greeting (localhost:143) in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)

Running /etc/init.d/dovecot status I get the following:

dovecot[29431]: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() syscall failed: Success, session=<azgn6uptGtgAAAAAAAAAAAAAAAAAAAAB>

I have the following in my config.inc.php:

$config['default_host'] = 'tls://localhost';

and

$config['imap_conn_options'] = array(
   'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name' => false,
    ),
);

$config['username_domain'] = '%d';

and the following specified in my dovecot 10-ssl.conf file:

ssl = required

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

I also have the following in my 10-master.conf file:

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 143
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

If I do telnet localhost 143 I get:

Trying ::1...
Connected to localhost.
Escape character is '^]'.

I am not sure if I should be getting any more than that.

Frankly, I am not sure where my problem lies or what else to look into. Why am I not able to log into roundcube and where else should I be checking to pinpoint my problem?

kojow7

3 Answers

4

TL;DR: You cannot do a customized port configuration and expect standard client settings to work.

Explanations

By setting the following configuration you have configured dovecot to listen using the IMAPS protocol on the IMAP port:

I also have the following in my 10-master.conf file:

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 143
    ssl = yes
  }
}

=> this block disables the clear-text (and TLS-upgradable) "imap" protocol (port = 0) and enables an "imaps" port with a forced initial SSL/TLS handshake on port 143.

Port 143 is however the IANA-assigned port for the IMAP protocol; IMAPS should be on 993 (see /etc/services for port references).

It should be possible to keep this configuration and make dovecot happy, but you will need to tweak all your client configurations, as nobody expects this: the default setting for the IMAP port (143) is to allow clear-text communication and an optional TLS upgrade when advertised.

For roundcube to work with this you will need something like this:

$config['default_host'] = 'ssl://fqdn.of.server:143';

or

$config['default_host'] = 'tls://fqdn.of.server:143';

This will instruct roundcube that your imap service expects a pre-encrypted connection over the standard plain-text (143) port.

As for telnet localhost 143, well, you can't use this to test an SSL connection; you will need something like openssl s_client -servername fqdn.of.server -connect localhost:143

Please note that SSL/TLS works with certificates and those certificates work with hostnames, so you can't do an SSL connection over localhost without having some certificate issues.

Recommendations:

While it is possible to tweak the port for every application, many systems (firewalls, default settings, ...) rely on the fact that each application was allocated a specific port.

Working with an imap server using IMAPS on port 143 is possible, but you will encounter various issues depending on clients / networks.

Personally I would recommend not modifying the default operating mode of dovecot, and removing any tweak to the default inet listener configuration in 10-master.conf.

To enable secure communications for imap/pop, the only needed change in the default dovecot configuration is the one you made in 10-ssl.conf (ssl = required + cert/key).

Reference: https://wiki.dovecot.org/SSL/DovecotConfiguration

Additionally, SSL communication on loopback channels (localhost) isn't really useful; this is why by default, even with "ssl=required" or "disable_plaintext_auth" active, dovecot considers any connection on the loopback network (ip 127.0.0.1 or client ip identical to server ip) to be secure even without ssl/tls.

So if your roundcube service is on the same host as your dovecot server, the configuration only needs to be:

$config['default_host'] = 'localhost';
silmaril
  • Thank you for your answer. However, your explanation is unclear on the following points. 1) How am I doing a customized port configuration? 2) How have I configured IMAPS on the IMAP port? Why is this bad, and what would be the better approach? 3) How am I performing SSL communication on loopback channels and what should I be doing instead? Adding these explanations to your answer will help me understand what you are saying and will encourage other people to upvote your answer. – kojow7 Jun 06 '18 at 15:34
  • Also, for default host I have: `$config['default_host'] = 'tls://localhost';` – kojow7 Jun 06 '18 at 15:54
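The "Empty startup greeting" in the question and silmaril's point that port 143 here carries implicit TLS can be told apart with a small probe. The script below is an added example, not code from the question or from any answer: it connects to an IMAP port and waits for the plaintext `* OK` greeting; if nothing arrives it reconnects and attempts a TLS handshake, which is the same distinction `telnet` versus `openssl s_client` makes. The `server_hostname` parameter plays the role of `-servername`, so the handshake can be verified against the FQDN on the certificate even when connecting to localhost. `start_fake_listener` is a constructed test double so the probe can be exercised offline; the host names, ports, timeout and the `mail.example.com` name are assumptions.

```python
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImapProbe:
    verdict: str                  # "plaintext", "implicit-tls",
                                  # "implicit-tls-untrusted-cert", "silent", "unreachable"
    greeting: Optional[str]       # first line the server sent, if any
    detail: str = ""              # error text when a step failed


def _read_line(sock, timeout):
    """Read one line (or whatever arrives before the timeout); None if nothing came."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while b"\n" not in buf and len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except OSError:
        pass  # timeout or reset: report whatever arrived so far
    return buf.decode("utf-8", "replace").strip() or None


def probe_imap_port(host, port, timeout=3.0, server_hostname=None, verify=True):
    """Classify an IMAP listener: does it greet in the clear, or wait for a ClientHello?"""
    # Step 1: plain TCP. A standard port-143 listener greets immediately
    # ("* OK ... STARTTLS ..."); an implicit-TLS listener stays silent.
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            greeting = _read_line(sock, timeout)
    except OSError as e:
        return ImapProbe("unreachable", None, f"{type(e).__name__}: {e}")
    if greeting is not None:
        return ImapProbe("plaintext", greeting)

    # Step 2: no greeting, so speak first with a TLS handshake, as
    # `openssl s_client -servername <fqdn>` would. Verification is on by
    # default; verify=False is only for telling the listener modes apart.
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                greeting = _read_line(tls, timeout)
        return ImapProbe("implicit-tls", greeting)
    except ssl.SSLCertVerificationError as e:
        # TLS is spoken on this port, but the certificate does not match
        # server_hostname or is not trusted (the localhost-vs-FQDN problem).
        return ImapProbe("implicit-tls-untrusted-cert", None, str(e))
    except OSError as e:
        return ImapProbe("silent", None, f"{type(e).__name__}: {e}")


def start_fake_listener(greeting=None):
    """Constructed test double (not a real IMAP server). Sends `greeting` at once
    like a plain IMAP port, or when greeting is None accepts and never speaks,
    like a TLS listener waiting for the client. Returns (port, stop_fn)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()
    held = []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except OSError:
                continue
            if greeting is not None:
                conn.sendall(greeting.encode() + b"\r\n")
                conn.close()
            else:
                held.append(conn)  # keep open, say nothing
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    # Probe the two standard ports on the local box, presenting the
    # certificate's name for SNI/verification (assumed FQDN).
    for p in (143, 993):
        r = probe_imap_port("localhost", p, server_hostname="mail.example.com")
        print(p, r.verdict, r.greeting or r.detail)
```

With the question's 10-master.conf, the expected output is `143 implicit-tls ...` (or `implicit-tls-untrusted-cert` if the name does not match) and `993 unreachable`; with Dovecot's defaults it is `143 plaintext * OK ...` and `993 implicit-tls ...`. A `silent` verdict on 143 is the mismatch Roundcube reports as an empty startup greeting.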
1

To get this working I had to change the following:

$config['default_host'] = 'tls://localhost';

to

$config['default_host'] = 'imaps://localhost';

However, I am not sure why this works as it does not seem to be documented anywhere.

In case it helps someone else this is the rest of my configuration:

/etc/dovecot/conf.d/10-master.conf:

service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

}

service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

In my roundcube/config/config.inc.php I have:

$config['default_host'] = 'imaps://localhost';
$config['username_domain'] = '%d';


$config['imap_conn_options'] = array(
     'ssl' => array(
       'verify_peer'       => true,
       'allow_self_signed' => false,
       'ssl_cert' => '/etc/letsencrypt/live/example.com/fullchain.pem',
       'ssl_key'  => '/etc/letsencrypt/live/example.com/privkey.pem',
       'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
       'peer_name'         => 'mail.example.com',
     ),
);

$config['smtp_conn_options'] = array(
     'ssl' => array(
       'verify_peer'       => true,
       'allow_self_signed' => false,
       'ssl_cert' => '/etc/letsencrypt/live/example.com/fullchain.pem',
       'ssl_key'  => '/etc/letsencrypt/live/example.com/privkey.pem',
       'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
       'peer_name'         => 'mail.example.com',
     ),
);

To help diagnose this, I enabled logging also in my roundcube/config/config.inc.php file:

// Log successful/failed logins to <log_dir>/userlogins or to syslog
$config['log_logins'] = true;

// Log session authentication errors to <log_dir>/session or to syslog
$config['log_session'] = true;

// Log SQL queries to <log_dir>/sql or to syslog
$config['sql_debug'] = true;

// Log IMAP conversation to <log_dir>/imap or to syslog
$config['imap_debug'] = true;

// Log LDAP conversation to <log_dir>/ldap or to syslog
$config['ldap_debug'] = true;

// Log SMTP conversation to <log_dir>/smtp or to syslog
$config['smtp_debug'] = true;

Logs were saved in the roundcube/logs installation directory.

kojow7
-1

There's no such parameter as "ssl_cert" or "ssl_key" in Roundcube. This configuration (kojow7's) just seems to be correct because there's no "cacert" in this conf, and that implies "verify_peer" set to false.

The correct solution is as follows (at least in Ubuntu 22.04):

'cafile' => '/etc/ssl/certs/ISRG_Root_X1.pem',

instead of "ssl_cert" and "ssl_key".

Thank you for your attention.

mrupio