Author Topic: [SOLVED] Unable to use starttls for imap and smtp  (Read 9075 times)

Offline lbm_

  • Newbie
  • Posts: 4
[SOLVED] Unable to use starttls for imap and smtp
« on: October 04, 2017, 04:13:27 AM »
I have issues getting STARTTLS to work using a Let's Encrypt certificate, on Debian with Roundcube version 1.2.3 and PHP 7.
I found this, http://www.roundcubeforum.net/index.php?topic=22035.0 , but it's not working unless I specify verify_peer = false.

"mail.mydomain.com" replaces my real FQDN.
caBundle.crt contains the Let's Encrypt private key and public certificate. I've copied the CA file to /etc/ssl/certs/

Code:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'peer_name'        => 'mail.mydomain.com',
        'verify_peer_name' => true,
        'capath'           => '/etc/ssl/certs/',
        'local_cert'       => '/etc/roundcube/caBundle.crt',
        'verify_peer'      => true,
    ),
);

On the mail server itself, I (still) get this error.
Code:
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.25, lip=192.168.10.21, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<70O/7LNahp/AqAoZ>

SSL for Dovecot IMAP is configured like so:
Code:
grep -P '^ssl' conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/mail_mydomain.crt
ssl_key = </etc/dovecot/private/insecure_ca.key
ssl_ca = </etc/dovecot/ca.crt
ssl_dh_parameters_length = 4096
ssl_protocols = TLSv1.1 TLSv1.2
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

For SMTP I get this error, with the same config as above but of course with $config['smtp_conn_options'] instead of $config['imap_conn_options'].
Code:
postfix/submission/smtpd[25198]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:

In the Roundcube error log I get this:
Code:
PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1017
[04-Oct-2017 11:04:51 +0200]: <kefunb8f> IMAP Error: Login failed for xxxx from 192.168.10.24(X-Real-IP: x.x.x.x,X-Forwarded-For: x.x.x.x). Unable to negotiate TLS in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
« Last Edit: October 04, 2017, 05:43:29 AM by lbm_ »

Offline lbm_

  • Newbie
  • Posts: 4
Re: Unable to use starttls for imap and smtp
« Reply #1 on: October 04, 2017, 05:40:08 AM »
Hah... Fixed it.

Code:
apt-get install ca-certificates
mv ca.crt /usr/local/share/ca-certificates   # must have a .crt extension
update-ca-certificates   # creates a symlink to /usr/local/share/ca-certificates/ca.crt under /etc/ssl/certs
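An added example, not code from this thread or from Roundcube: the script below recreates the failure offline with a throwaway CA and then shows the two ways PHP's ssl stream context (which is what imap_conn_options and smtp_conn_options are handed to) can be told to trust that CA. The hostname mail.example.test, the CA name, the file names and the temporary paths are all made up, and the only thing it assumes is an installed openssl command-line tool. It makes two points the thread only implies. First, copying a CA certificate into the capath directory under its own name does nothing, because OpenSSL's directory lookup only opens files named after the subject hash; creating those hash links is the part of update-ca-certificates that made the poster's setup work. Second, a file used as a trust anchor (cafile or capath) must contain certificates only; a private key, as in the poster's caBundle.crt, does not belong there (local_cert is for a client certificate, which this setup does not use).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "tlsv1 alert unknown ca" /
# "certificate verify failed" state offline with a throwaway CA, then show the
# two trust configurations PHP's ssl context accepts: 'cafile' => the CA PEM,
# or 'capath' => a directory that has been hashed (what update-ca-certificates
# does for /etc/ssl/certs on Debian).
# Assumptions: the openssl CLI is installed; "Example Test CA", mail.example.test
# and every path below are stand-ins living in a temporary directory.
set -eu

WORK="$(mktemp -d)"
CAPATH="$WORK/capath"            # stand-in for /etc/ssl/certs
mkdir -p "$CAPATH" "$WORK/empty" # "empty" = a trust store with no CAs at all
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the result does not depend on the system openssl.cnf
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Throwaway CA, standing in for the CA that signed the mail server certificate
openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. Server certificate for the IMAP/SMTP host, signed by that CA, with a SAN so
#    hostname verification (peer_name / verify_peer_name) has something to match
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$WORK/mail.key" -out "$WORK/mail.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:mail.example.test\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/mail.crt" >/dev/null 2>&1

# 3. The poster's first attempt: the CA certificate copied into the capath
#    directory under its own name. The directory lookup only opens <hash>.N
#    files, so this copy is never consulted until a hash link exists.
cp "$WORK/ca.crt" "$CAPATH/ca.crt"

# Constructed "bundle" like the one in the thread: private key plus certificate
cat "$WORK/ca.key" "$WORK/ca.crt" > "$WORK/caBundle.crt"

# Issuer not in the trust store: what Dovecot/Postfix log as "unknown ca" and
# PHP reports as "certificate verify failed"
verify_without_ca() {
    openssl verify -no-CAfile -CApath "$WORK/empty" "$WORK/mail.crt" >/dev/null 2>&1
}

# Equivalent of 'cafile' => ca.crt together with 'peer_name' => 'mail.example.test'
verify_with_cafile() {
    openssl verify -CAfile "$WORK/ca.crt" -CApath "$WORK/empty" \
        -verify_hostname mail.example.test "$WORK/mail.crt" >/dev/null 2>&1
}

# Equivalent of 'capath' => directory: only works once the hash links exist
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$CAPATH" \
        -verify_hostname mail.example.test "$WORK/mail.crt" >/dev/null 2>&1
}

# What the rehash step of update-ca-certificates does for /etc/ssl/certs:
# add a <subject-hash>.0 symlink so capath lookups can find the CA
hash_capath() {
    ln -sf ca.crt "$CAPATH/$(openssl x509 -noout -hash -in "$CAPATH/ca.crt").0"
}
unhash_capath() {
    rm -f "$CAPATH"/*.0
}

# A trust file for cafile/capath must contain certificates only; a private key
# belongs in the server's ssl_key, never in a file the client reads as a CA
file_has_private_key() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Walk through the states the thread went through
status() { if "$1"; then echo "$2: ok"; else echo "$2: FAILED"; fi; }
status verify_without_ca "issuer not in trust store (thread's starting point)"
status verify_with_cafile "cafile => ca.crt"
status verify_with_capath "capath => dir, CA copied under its own name"
hash_capath
status verify_with_capath "capath => dir after hashing (what update-ca-certificates did)"
if file_has_private_key "$WORK/caBundle.crt"; then
    echo "caBundle.crt: contains a private key, not a valid trust file"
fi
```

Against the real host the equivalent check is openssl s_client -starttls imap -connect mail.mydomain.com:143 -CApath /etc/ssl/certs (or -starttls smtp on port 587 for the submission service); its "Verify return code" line should read 0 (ok) before verify_peer is set to true in Roundcube, since Roundcube uses the same OpenSSL trust lookup.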