Using Roundcube (1.3.10) with Postfix (3.4.3) and Dovecot (2.2.36) on a CentOS 7 VPS. I can log in and receive emails, but I cannot send them. Trying to send mail results in "*Waiting for webmail.mydomain.com...*" in the bottom browser status bar, while Roundcube displays "*Sending message...*" for 2-3 minutes. What could be causing this behavior? I had the server working until I switched to "secure" ports/services. But even after (exhaustively) reading the Postfix/Dovecot documentation, I'm still as confused as I was when I started. Note: I am also using Nginx/PostfixAdmin/MariaDB if that matters at all.

/var/log/maillog displays the following.

Code:
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: initializing the server-side TLS engine
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 opendmarc[1060]: ignoring connection from localhost
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: setting up TLS connection from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:before/accept initialization
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE90] (11 bytes => 6 (0x6))
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a RSET..
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: read from 5557740F7890 [5557740FEE96] (5 bytes => 5 (0x5))
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d QUIT.
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept:error in SSLv2/v3 read client hello A
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept error from localhost[127.0.0.1]: -1
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: lost connection after STARTTLS from localhost[127.0.0.1]
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Oct 6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: initializing the server-side TLS engine
Oct 6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: lost connection after AUTH from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2

Below are my configuration settings for Postfix, Dovecot and Roundcube:

postconf -n

Code:
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = *
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/www/mail/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000

/etc/postfix/master.cf

Code:
# service      type  private unpriv  chroot  wakeup  maxproc command + args
smtp           inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
spamassassin   unix  -       n       n       -       -       pipe
  user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
submission     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous
  #-o milter_macro_daemon_name=ORIGINATING
#smtps         inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

dovecot.conf

Code:
auth_mechanisms = plain login
disable_plaintext_auth = yes
default_login_user = vmail
first_valid_uid = 2000
first_valid_gid = 2000
listen = *
mail_access_groups = vmail
mail_location = maildir:/var/www/mail/vmail/%d/%n
protocols = imap lmtp pop3
verbose_ssl = yes

namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}

namespace inbox {
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
}

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

userdb {
  driver = static
  args = /etc/dovecot/dovecot-sql.conf
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

service auth {
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}

service imap-login {
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 1
  user = vmail
}

service pop3-login {
  inet_listener pop3s {
    port = 995
  }
  process_min_avail = 1
  user = vmail
}

ssl = required
ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key

roundcubemail-1.3.10/config/config.inc.php (see next post, post is too large with it included)

Thanks in advance for any time and effort on my behalf,
Sam
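As an added example (not code from the thread), the Python script below triages smtpd sessions from maillog lines like the ones in the post above. It groups lines by process ID, reads Postfix's disconnect counters (`starttls=0/1` is one STARTTLS attempt with none successful, `commands=1/2` is one of two commands accepted), and decodes the hex-dump rows that `smtpd_tls_loglevel = 3` produces to tell whether the client ever sent a TLS ClientHello after the server accepted STARTTLS. The sample input is constructed from the posted log; hostnames, PIDs and the 4.5.6.7 address are as posted. The reference to `smtpd_tls_auth_only` in the AUTH verdict assumes the posted main.cf setting is in effect.

```python
"""Triage Postfix smtpd sessions: at which stage did each session die, and why?

Added example, not from the thread. SAMPLE_LOG is constructed from the log in the
post above; only postfix/.../smtpd lines are used, everything else is skipped.
The hex-dump rows exist only with smtpd_tls_loglevel >= 3.
"""
import re

SAMPLE_LOG = """\
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: connect from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 opendmarc[1060]: ignoring connection from localhost
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: setting up TLS connection from localhost[127.0.0.1]
Oct 6 20:13:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 52 53 45 54 0d 0a RSET..
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: 0000 51 55 49 54 0d QUIT.
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: SSL_accept error from localhost[127.0.0.1]: -1
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: lost connection after STARTTLS from localhost[127.0.0.1]
Oct 6 20:14:10 hwsrv-579344 postfix/submission/smtpd[23868]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Oct 6 20:15:34 hwsrv-579344 postfix/smtpd[24014]: connect from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: lost connection after AUTH from unknown[4.5.6.7]
Oct 6 20:15:35 hwsrv-579344 postfix/smtpd[24014]: disconnect from unknown[4.5.6.7] ehlo=1 auth=0/1 commands=1/2
"""

LINE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
                     r"(?P<prog>postfix(?:/\w+)?/smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+)$")
HEXDUMP_RE = re.compile(r"^0000 ((?:[0-9a-f]{2} ){1,16})")   # first row of a TLS-engine read
LOST_RE = re.compile(r"^lost connection after (?P<cmd>\S+) from ")
DISC_RE = re.compile(r"^disconnect from \S+ (?P<counters>.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")             # name=ok or name=ok/total
SMTP_VERB_RE = re.compile(r"^[A-Za-z]{4}(\s.*)?$")            # e.g. RSET, QUIT, EHLO ...


def _new_session(prog):
    return {"service": prog, "peer": None, "tls_started": False,
            "plaintext_after_starttls": [], "tls_error": None,
            "lost_after": None, "counters": {}}


def parse_sessions(log_text):
    """Group smtpd lines by PID and extract the facts needed for a verdict."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], _new_session(m["prog"]))
        msg = m["msg"]
        if CONNECT_RE.match(msg):
            s["peer"] = CONNECT_RE.match(msg)["peer"]
        elif msg.startswith("setting up TLS connection"):
            s["tls_started"] = True
        elif HEXDUMP_RE.match(msg):
            raw = bytes.fromhex("".join(HEXDUMP_RE.match(msg)[1].split()))
            text = raw.decode("ascii", errors="replace").strip()
            # A TLS ClientHello starts 0x16 0x03; a printable four-letter verb means the
            # client kept talking clear-text SMTP after the server switched to TLS.
            if s["tls_started"] and SMTP_VERB_RE.match(text):
                s["plaintext_after_starttls"].append(text)
        elif "TLS library problem: " in msg:
            s["tls_error"] = msg.split("TLS library problem: ", 1)[1].rstrip(":")
        elif LOST_RE.match(msg):
            s["lost_after"] = LOST_RE.match(msg)["cmd"]
        elif DISC_RE.match(msg):
            for name, ok, total in COUNTER_RE.findall(DISC_RE.match(msg)["counters"]):
                s["counters"][name] = (int(ok), int(total or ok))
    return sessions


def diagnose(s):
    """Return (verdict, evidence) for one parsed session."""
    stage = s["lost_after"]
    if stage == "STARTTLS":
        if s["plaintext_after_starttls"]:
            return ("client never started TLS",
                    "after the server accepted STARTTLS it read clear-text %s instead of a "
                    "ClientHello (%s)" % (", ".join(s["plaintext_after_starttls"]), s["tls_error"]))
        return ("TLS handshake failed", s["tls_error"] or "no TLS library error logged")
    if stage == "AUTH":
        if not s["tls_started"]:
            return ("AUTH attempted on a clear-text session",
                    "no STARTTLS before AUTH; with smtpd_tls_auth_only = yes Postfix refuses it")
        return ("authentication failed", "auth counter %s" % (s["counters"].get("auth"),))
    if stage:
        return ("session dropped after %s" % stage, "")
    return ("session completed", "")


def report(log_text):
    """One verdict line per smtpd session found in log_text."""
    lines = []
    for pid, s in parse_sessions(log_text).items():
        verdict, evidence = diagnose(s)
        lines.append("%s[%s] %s: %s%s" % (s["service"], pid, s["peer"], verdict,
                                          " (%s)" % evidence if evidence else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

For a real host, feed it `grep smtpd /var/log/maillog` instead of the sample; the distinction it draws (plaintext after STARTTLS versus a failed handshake versus AUTH without TLS) is what separates a client-side TLS problem from a certificate or cipher problem on the server.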
What exactly was changed? Can you not undo those changes? The mail.log you posted shows Postfix producing SSL_accept:error, so I guess something about SSL is not working on your host. Further testing of the certificate is possible with tools on websites; use Internet search engines with "ssl testing" as search words. Those tools usually test the website; when testing the certificates the e-mail server has, search with "ssl testing mail server".
Roundcube didn't go through for some reason...

roundcubemail-1.3.10/config/config.inc.php

Code:
// SQL DATABASE
$config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';

// IMAP
$config['default_host'] = 'imaps://mydomain.com/';
$config['default_port'] = 993;

//SMTP
$config['smtp_server'] = 'tls://localhost/';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = '[email protected]';
$config['smtp_auth_type'] = 'PLAIN';
$config['smtp_auth_cid'] = null;
$config['smtp_auth_pw'] = null;
$config['smtp_helo_host'] = '';
$config['smtp_timeout'] = 0;
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => false,
        'verify_depth'     => 3,
        'cafile'           => '/etc/letsencrypt/live/mydomain.com/fullchain.pem',
    ),
);

//PLUGINS
$config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
$config['language'] = 'en_US';
$config['spellcheck_engine'] = 'pspell';
$config['draft_autosave'] = 60;
@Taleman Maybe I'm getting somewhere... only one protocol is enabled. I'm using Let's Encrypt certs, if that matters.

From SSLLabs SSL test (see attachments for screencap):

Code:
Protocols
TLS 1.3   No
TLS 1.2   Yes
TLS 1.1   No
TLS 1.0   No
SSL 3     No
SSL 2     No
For TLS 1.3 tests, we only support RFC 8446.

Cipher Suites
# TLS 1.2 (server has no preference)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS

I also used Immuniweb (can't post link): mydomain.com:443 HTTPS SSL Security Test. Everything was good except (from the "Test for Compliance with HIPAA guidelines" section):

Code:
SERVER DOES NOT SUPPORT OCSP STAPLING
The server does not support OCSP stapling for its RSA certificate. Its support allows better verification of the certificate validation status.
Non-compliant with HIPAA guidance

and from the "Test for Industry-Best Practices" section:

Code:
DNSCAA
This domain does not have a Certification Authority Authorization (CAA) record.
Information

CERTIFICATES DO NOT PROVIDE EV
The RSA certificate provided is NOT an Extended Validation (EV) certificate.
Information

NO SUPPORT OF TLSv1.3
The server does not support TLSv1.3 which is the only version of TLS that currently has no known flaws or exploitable weaknesses.
Misconfiguration or weakness

SERVER DOES NOT HAVE CIPHER PREFERENCE
The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher suites selected.
Misconfiguration or weakness

SERVER DOES NOT PROVIDE HSTS
The server does not enforce HTTP Strict Transport Security. We advise to enable it to enforce the user to browse the website in HTTPS.
Misconfiguration or weakness

SERVER DOES NOT PROVIDE HPKP
The server does not enforce HTTP Public Key Pinning that helps preventing man-in-the-middle attacks.
Information

ALWAYS-ON SSL
The HTTP version of the website redirects to the HTTPS version.
Good configuration

SERVER DOES NOT SUPPORT CLIENT-INITIATED SECURE RENEGOTIATION
The server does not support client-initiated secure renegotiation.
Good configuration

SERVER-INITIATED SECURE RENEGOTIATION
The server supports secure server-initiated renegotiation.
Good configuration

SERVER DOES NOT SUPPORT TLS COMPRESSION
TLS compression is not supported by the server.
Good configuration

So I'm guessing that not having TLSv1.3 is what the problem is. If it is, do I just update/renew my certs with certbot to get TLSv1.3 enabled? Or is it a config file setting?
Roundcube does not require TLS 1.3. Your SSL certificate has nothing to do with your protocol. Your webserver has nothing to do with your mail server. You are mixing up things here (the tests you have shown are for the webserver).

In your Roundcube config, use the same server address that your SSL certificate is for, to avoid problems ( $config['smtp_server'] = 'tls://domain.in.your.certificatefile/'; ).

Verify that this is actually the Let's Encrypt certificate you want to use:

Code:
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key

These should be copies of your Let's Encrypt files, or symlinks to them.

Remove all the other entries in your Roundcube config (the standard defaults should be fine), UNLESS you know what they do and that you want/need them!

Code:
// SQL DATABASE
$config['db_dsnw'] = 'mysql://roundcube:myassword@localhost/roundcubemail_db';

// IMAP
$config['default_host'] = 'imaps://mydomain.com/';
$config['default_port'] = 993;

//SMTP
$config['smtp_server'] = 'tls://domain.in.your.certificatefile/';

//PLUGINS
$config['plugins'] = array('archive', 'attachment_reminder', 'autologon', 'emoticons', 'enigma', 'help', 'identicon', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'subscriptions_option', 'vcard_attachments', 'zipdownload');
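The two checks this answer asks for, scripted, as an added example that is not part of the original thread: does the file Postfix serves (`/etc/ssl/private/vmail.crt`, from the posted postconf -n) hold the same certificate as the Let's Encrypt `fullchain.pem` named in the posted Roundcube config, and does that certificate carry the host name Roundcube will put in `smtp_server`? The paths, and `mail.mydomain.com` as the name in the certificate, are assumptions to be replaced with the real ones; `probe_submission` is the live variant that asks the running submission service the same question.

```sh
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Paths are the ones from the posted configs (assumed); adjust for your host.

# sha256 fingerprint of the first (leaf) certificate in a PEM file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# succeeds when both files hold the same leaf certificate (copy or symlink)
same_cert() {
    [ -n "$(cert_fingerprint "$1")" ] &&
        [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# names a certificate is valid for: subject CN plus every DNS SAN entry
cert_names() {
    {
        openssl x509 -in "$1" -noout -subject | tr ',' '\n' | sed -n 's/.*CN *= *//p'
        openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
            | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
    } | sort -u
}

# succeeds when host $2 is one of the names certificate $1 covers
cert_has_name() {
    cert_names "$1" | grep -qx "$2"
}

# live check (needs the server): connect with STARTTLS on 587 the way Roundcube
# does and let OpenSSL verify the chain and the host name
probe_submission() {
    printf 'QUIT\r\n' \
        | openssl s_client -starttls smtp -connect "$1:587" -servername "$1" \
                           -verify_return_error -verify_hostname "$1" 2>&1 \
        | grep -E 'subject=|Verification|Verify return code'
}

if [ "${1:-}" = "check" ]; then
    LE=/etc/letsencrypt/live/mydomain.com/fullchain.pem   # from the posted Roundcube config
    POSTFIX_CRT=/etc/ssl/private/vmail.crt                # from the posted postconf -n
    HOST=${2:-mail.mydomain.com}                          # name to put in smtp_server
    if same_cert "$LE" "$POSTFIX_CRT"; then
        echo "OK: Postfix serves the Let's Encrypt certificate"
    else
        echo "MISMATCH: $POSTFIX_CRT is not the certificate in $LE"
    fi
    if cert_has_name "$POSTFIX_CRT" "$HOST"; then
        echo "OK: certificate covers $HOST"
    else
        echo "certificate does not cover $HOST; it covers:"; cert_names "$POSTFIX_CRT"
    fi
    probe_submission "$HOST"
fi
```

Run as `sh check-cert.sh check mail.mydomain.com`. If the second check lists names that do not include the host you connect to, a client that verifies the peer name will abort the handshake exactly as seen in the posted log, and the fix is the one given above: point `smtp_server` at a name the certificate actually carries, not at localhost.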
Thank you very much! It worked perfectly; amazing how out of everything I tried, using the base default did not occur to me. I will post my config once I get the reset password plugin working (which I think requires a few more lines). Again, you are a lifesaver. I cannot tell you how many hours I spent giving myself an aneurysm over this.